New APT malware samples have been found by Shadow Chaser Group researchers recently, that points to the same attacker group Gamaredon. Two different samples in separate incidents are being analyzed and presented in this post to show the techniques used by the attacker. Also there are interesting findings that have been extracted during dynamic analysis and not been found by sandbox engines. Will focus on the extracted information and techniques and skip the match results.
Sample One: Downloader
Host-Based IOCs
File Name | MD5 hash | File Size |
---|---|---|
Мои данные.docx | fbc037e68f5988df9190cdadf7424752 | 24.56 KB |
dCiBlGD.dot | 7467DBBB6DBEA83256B13FB151A594EF | 73 bytes |
index.dat | C6DBAAA421E7CC2A51564EC14EE98372 | 244 bytes |
sell on office360-expert.online | E382A34494F25B9F31F8A3745135970E | 62 bytes |
TCD18CC.tmp\CleanGradient.thmx | E9294DCC4C80544EFDDD8BCA7F1FFBE6 | 57.7 KB |
This malware is a Docx file with (50 4B 03 04) signature that has an embedded xml when extracted (word\_rels\settings.xml.rels) (Figure -2-), it has a URL, which by the time writing this post the link is still active (Figure -3-) [2]
Figure -3- Active links
Netword-Based IOC
URL | IP | Port |
---|---|---|
hxxp://office360-expert[.]online/sell/dCiBlGD[.]dot | 195.161.114.130 | 80 |
Unlike other malware techniques used in similar procedures, when first running this Docx file it’s already too late. As an attack vector, it doesn’t require the victim to Enable Macro in order to serve its malicious purpose.
Figure -4- Running the document
Since it’s a downloader it only makes sense to find out what is next when running this malware live and infect the computer. Four files been extracted as in (Table -1-) in: (C:\.\.\AppData\Roaming\Microsoft\Office\Recent), and (C:\.\.\AppData\Local\Temp\TCD18CC.tmp\),
There’re dozens of other xx.TMP directories but been created and deleted during the process. The DOT file dCiBlGD is nothing but a shortcut linked to the URL shortcut (sell on office360-expert.online) which links to the same URL. The current files are almost useless and there doesn’t appear to be a use for template file or any other files in that matter. However, presenting in the following section of this post another sample belongs to the same attacker group which has the use of dot file as a second stage dropper, but more on that in a little bit.
There’s persistent mechanism that might lead to download another files like dot file, or maybe other evasion techniques. What’s missing from VirusTotal behavior [3] is the registry below ‘At least by the time writing this post’. The sample been tested with both MS word 2010 and 2016.
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Internet\Server Cache\http://office360-expert.online/sell/
Figure -5- RegValue: Office 2010
Figure -6- RegValue: Office 2016
By the time of live analyzing this sample there’s no threat presented yet! However, as a first stage downloader, the attacker successfully made it to place foothold via temp files like dot or (Docs Template) which remains in the temp directory unnoticed, and also set the registry values linking to the suspicious URL.
Sample Two: Dropper
In what appears to be an older found sample discovered by the same researchers [1] linked to the same attacker group [4]. A dot file is been statically analyzed in this section, so there’s a chance to take a glance at what a dot file might be used for and what evasion and persistent techniques the attacker’s using.
Host-Based IOCs
File Name | MD5 hash | File Size |
---|---|---|
KzGdWvmSq.dot | ddc38e9b53458ee58504a40fdc41df61 | 216.00 KB |
PrintDriver.exe | d1ab72db2bedd2f255d35da3da0d4b16 | 138.50 KB |
When the dot file KzGdWvmSq made it to victim machine it establishes connection with a C2 sever. And by the time analyzing this sample the C2 servers are not found [5].
URL | IP | Port |
---|---|---|
hxxp://sufflari[.]online/increase[.]php | 188.225.82.216 | 80 |
hxxp://188.225.82.216/inspection[.]php | 188.225.82.216 | 80 |
http://sufflari%5B.%5Donline/increase%5B.%5Dphp | 188.225.82.216 | 80 |
http://188.225.82.216/inspection%5B.%5Dphp | 188.225.82.216 | 80 |
This malware sample is a wrapper and dropper to a PE executable (printdrive.exe) that runs as process in victim machine. However, this analysis focus more on the code and interesting indicators. Using either oledump.py or olevba.py tools in a Remnux machine is a good way to identify VBA streams and extract macros. On this sample it’s clear the macro been detected at the 8th stream.
The extracted macro seems to be decoded and almost every line and function has been obfuscated. With the help of olevba.py summary table, detection of base64 encoding is helpful.
Figure -9- Olevba summary
The use of Document_Close function in this macro VBA is interesting. According to Microsoft documentation [6] the event only happen after closing the open document.
Even after decoding the code, there’s still heavy usage of swap functions, but at least the important parts are in clear text as in below IOC snaps. After closing the document, the below lines are executed and (PirntDrive.exe) is up and running in the process.
Figure -11- Host-Base IOCs
Figure -12- Network-Based IOCs
Couple of registry values been altered during runtime. however, the spotted hardcoded ones are as below and more with the same sample/registry section [7] as persistent mechanism.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\PrintSoftware
HKEY_CURRENT_USER\Software\Microsoft\Office\ & Application.Version & _”\Word\Security\
Compared to the rest of the dot file, the ‘Macros/VBA/ThisDocument‘ file is relatively small. Just in case to avoid missing any other hidden data back to Figure -8- above. Let’s try make use of pcodedmp.py tool and extracting a possible hidden p-code. There aren’t any hidden, just the fact that the 5th stream ‘Data’ that appears to be the image file in the template embedded in this section. What get the attention in the also is this little overhead as referral to image content.
Figure -13- Embedded Image file
Credits
Shadow Chaser Group for discovering both samples
Update (27 Jan 2021)
Contribution work from Nicko on Github
References
[1] Shadow Chaser Group, https://twitter.com/ShadowChasing1
[2] AnyRun – Sample One, https://app.any.run/tasks/17575220-f087-4baa-bc96-3d9bdb0f10ed/
[3] VirusTotal – Template Injection Malware Sample, https://www.virustotal.com/gui/file/499caf4558ca05440875a94d5e06663cc637f9c6acdaa7c1a89f889a025837f3/behavior
[4] Gamaredon Group by Mitre Att&ck definition, https://attack.mitre.org/groups/G0047/
[5] AnyRun – Sample Two, https://app.any.run/tasks/26e685f3-9a76-45fa-ad70-dd61cb64812c/
[6] Microsoft documentation, https://docs.microsoft.com/en-us/office/vba/api/word.document.close(even)
[7] AnyRun – Sample Two Registry Values, https://any.run/report/13b780800c94410b3d68060030b5ff62e9a320a71c02963603ae65abbf150d36/26e685f3-9a76-45fa-ad70-dd61cb64812c#registry