Docx Files Template-Injection

New APT malware samples have been found by Shadow Chaser Group researchers recently, that points to the same attacker group Gamaredon. Two different samples in separate incidents are being analyzed and presented in this post to show the techniques used by the attacker. Also there are interesting findings that have been extracted during dynamic analysis and not been found by sandbox engines. Will focus on the extracted information and techniques and skip the match results.

Sample One: Downloader

Figure -1- Tweet of sample 1

Host-Based IOCs

File NameMD5 hashFile Size
Мои данные.docxfbc037e68f5988df9190cdadf742475224.56 KB
dCiBlGD.dot7467DBBB6DBEA83256B13FB151A594EF 73 bytes
index.datC6DBAAA421E7CC2A51564EC14EE98372244 bytes
sell on office360-expert.onlineE382A34494F25B9F31F8A3745135970E62 bytes
TCD18CC.tmp\CleanGradient.thmxE9294DCC4C80544EFDDD8BCA7F1FFBE657.7 KB
Table -1- Sample one Files basic properties

This malware is a Docx file with (50 4B 03 04) signature that has an embedded xml when extracted (word\_rels\settings.xml.rels) (Figure -2-), it has a URL, which by the time writing this post the link is still active (Figure -3-) [2]

Netword-Based IOC

URLIPPort
hxxp://office360-expert[.]online/sell/dCiBlGD[.]dot195.161.114.13080
Table -2- Sample One Connections

Unlike other malware techniques used in similar procedures, when first running this Docx file it’s already too late. As an attack vector, it doesn’t require the victim to Enable Macro in order to serve its malicious purpose.

Since it’s a downloader it only makes sense to find out what is next when running this malware live and infect the computer. Four files been extracted as in (Table -1-) in: (C:\.\.\AppData\Roaming\Microsoft\Office\Recent), and (C:\.\.\AppData\Local\Temp\TCD18CC.tmp\),

There’re dozens of other xx.TMP directories but been created and deleted during the process. The DOT file dCiBlGD is nothing but a shortcut linked to the URL shortcut (sell on office360-expert.online) which links to the same URL. The current files are almost useless and there doesn’t appear to be a use for template file or any other files in that matter. However, presenting in the following section of this post another sample belongs to the same attacker group which has the use of dot file as a second stage dropper, but more on that in a little bit.

There’s persistent mechanism that might lead to download another files like dot file, or maybe other evasion techniques. What’s missing from VirusTotal behavior [3] is the registry below ‘At least by the time writing this post’. The sample been tested with both MS word 2010 and 2016.

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Internet\Server Cache\http://office360-expert.online/sell/

By the time of live analyzing this sample there’s no threat presented yet! However, as a first stage downloader, the attacker successfully made it to place foothold via temp files like dot or (Docs Template) which remains in the temp directory unnoticed, and also set the registry values linking to the suspicious URL.

Sample Two: Dropper

Figure -7- Tweet of sample 2

In what appears to be an older found sample discovered by the same researchers [1] linked to the same attacker group [4]. A dot file is been statically analyzed in this section, so there’s a chance to take a glance at what a dot file might be used for and what evasion and persistent techniques the attacker’s using.

Host-Based IOCs

File NameMD5 hashFile Size
KzGdWvmSq.dotddc38e9b53458ee58504a40fdc41df61216.00 KB
PrintDriver.exed1ab72db2bedd2f255d35da3da0d4b16138.50 KB
Table -3- Sample two Files basic properties

When the dot file KzGdWvmSq made it to victim machine it establishes connection with a C2 sever. And by the time analyzing this sample the C2 servers are not found [5].

URLIPPort
hxxp://sufflari[.]online/increase[.]php188.225.82.21680
hxxp://188.225.82.216/inspection[.]php188.225.82.21680
http://sufflari%5B.%5Donline/increase%5B.%5Dphp188.225.82.21680
http://188.225.82.216/inspection%5B.%5Dphp188.225.82.21680
Table -4- Sample Two Connections

This malware sample is a wrapper and dropper to a PE executable (printdrive.exe) that runs as process in victim machine. However, this analysis focus more on the code and interesting indicators. Using either oledump.py or olevba.py tools in a Remnux machine is a good way to identify VBA streams and extract macros. On this sample it’s clear the macro been detected at the 8th stream.

Figure -8- Oledump streams detected

The extracted macro seems to be decoded and almost every line and function has been obfuscated. With the help of olevba.py summary table, detection of base64 encoding is helpful.

The use of Document_Close function in this macro VBA is interesting. According to Microsoft documentation [6] the event only happen after closing the open document.

Figure -10- Document_Close Event

Even after decoding the code, there’s still heavy usage of swap functions, but at least the important parts are in clear text as in below IOC snaps. After closing the document, the below lines are executed and (PirntDrive.exe) is up and running in the process.

Couple of registry values been altered during runtime. however, the spotted hardcoded ones are as below and more with the same sample/registry section [7] as persistent mechanism.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\PrintSoftware

HKEY_CURRENT_USER\Software\Microsoft\Office\ & Application.Version & _”\Word\Security\

Compared to the rest of the dot file, the ‘Macros/VBA/ThisDocument‘ file is relatively small. Just in case to avoid missing any other hidden data back to Figure -8- above. Let’s try make use of pcodedmp.py tool and extracting a possible hidden p-code. There aren’t any hidden, just the fact that the 5th stream ‘Data’ that appears to be the image file in the template embedded in this section. What get the attention in the also is this little overhead as referral to image content.

Credits

Shadow Chaser Group for discovering both samples

Update (27 Jan 2021)

Contribution work from Nicko on Github

References

[1] Shadow Chaser Group, https://twitter.com/ShadowChasing1

[2] AnyRun – Sample One, https://app.any.run/tasks/17575220-f087-4baa-bc96-3d9bdb0f10ed/

[3] VirusTotal – Template Injection Malware Sample, https://www.virustotal.com/gui/file/499caf4558ca05440875a94d5e06663cc637f9c6acdaa7c1a89f889a025837f3/behavior

[4] Gamaredon Group by Mitre Att&ck definition, https://attack.mitre.org/groups/G0047/

[5] AnyRun – Sample Two, https://app.any.run/tasks/26e685f3-9a76-45fa-ad70-dd61cb64812c/

[6] Microsoft documentation, https://docs.microsoft.com/en-us/office/vba/api/word.document.close(even)

[7] AnyRun – Sample Two Registry Values, https://any.run/report/13b780800c94410b3d68060030b5ff62e9a320a71c02963603ae65abbf150d36/26e685f3-9a76-45fa-ad70-dd61cb64812c#registry