Analyzing a Malicious Document

By Joshua Bugryn

Who is your daddy and what does he do?

Where technological advances happen, malicious uses for them are soon to follow. This holds true for remote access software. In the late 1980s, software that allowed remote access to computer systems was developed. It sounded like a great advancement: troubleshooting, managing, and even accessing files from a remote location across a network. The intentions behind this type of software were good, but with anything good there is always bad. In the mid-1990s, bad actors began to experiment with the power that remote access provided. Their efforts began as pranks, modifying files or dropping funny images on each other’s computers.

A notable piece of software, NetBus, was used to place pornographic images on a professor’s computer, causing him legal trouble and costing him his job and livelihood. These types of pranks began to grow into much more malicious behavior, with the intent of making money. While early remote access tools (RATs) such as NetBus were simple, as we entered the new millennium RATs began to grow in complexity and functionality. They began to be used for espionage, which required more hidden modes of entering systems and obfuscation to avoid the growing defenses of corporate and government systems.

It is no longer as simple as accessing a port that is open and insecure by default. Remote access requires infiltration into the system without detection and must allow for exfiltration of any collected information: company secrets, user data, or personally identifiable information. The easiest way in is through the uneducated majority that works with these systems: people sending and receiving emails, taking phone calls, or even opening files and documents to review their contents.

You look like you could use some help!

There has been a monolith throughout most of the information age, and its name is Microsoft. It is embedded into the office culture of both the corporate and government sectors. From data entry interns to CEOs, people probably use some device capable of running Microsoft’s Office suite of software, and furthermore they likely use it every single day. This ubiquitous and omnipresent suite of software makes a perfect attack vector. How can a simple Microsoft Word document or Microsoft Excel spreadsheet ever cause any harm, right?

If you believe that last sentence, you are wholly uninformed about the war that has been waged for decades now: a war between computer systems and their administrators on one side and all those would-be attackers just waiting for a chink in the armor on the other. As technology advances, companies tend to think solely about whether they can do something without ever considering the ramifications of it. Enter Visual Basic for Applications.

Visually basic, functionally advanced.

As you might expect, your typical everyday spreadsheet application user is not very technically versed. They know how to highlight a cell, sum a few columns, hide one column, and resize another. Programming languages are scary to these people; to them, it might as well all be written in a language lost thousands of years ago. Microsoft’s solution to this, in a similar vein to COBOL, was a programming language that tried to remain as English-like as possible, to make it less intimidating and more easily adopted. Automating tasks? Increased work efficiency? The ability to link documents and generate reports with the click of a button? Any manager would love the sound of these possibilities. Microsoft understood that and created a language that was simple enough to use, eventually even offering a GUI to generate code, and was powerful enough to do all of that and more.

But just how much more? Visual Basic was given the ability to access low-level functions of the Windows operating system. On the surface this seems like a good feature: expert users can orchestrate and automate complicated functions all from within a Microsoft Office document, executable by any user who has Microsoft Office installed. Boring statistical reports could be turned into pretty graphs and sharp images full of color, uploaded to the company web server, with an email sent out to notify stakeholders that a new report is available. But these low-level functions are powerful enough to do serious damage if used properly, and with great power comes great responsibility.

Using your powers for evil.

App.any.run is a website that acts as a public repository for potential malicious threats. It allows the upload of suspected malicious files which can be analyzed using many different approaches. The primary tool is a sandbox. The sandbox environment is a virtualized environment that is entirely isolated from a host machine. It is typically on an isolated network with access to the internet.

The sandbox provides a safe place to allow the malicious file to perform all its activity without any danger of it affecting real host systems. Modern sandbox tools are marketed as ‘remote detonation’ software. They record a video of the actions performed as an automated user or a real security analyst opens the file, allow it to execute all its functions, and log them. They track system API calls that register Windows DLL files, make changes to the registry, or modify files, as well as the execution of scripts through PowerShell, or of JavaScript code via CScript or WScript.

The function of most of these files is to make a request for some external resource that contains the true payload. The document serves as the entry point, and some documents begin their work as soon as they are opened. The macro embedded within the Microsoft Office document uses an orchestration of system API calls to retrieve the payload and execute it in the background, without any GUI or notification to the user.

The intent may be to set up communication with a command-and-control server and await further commands. It may be to edit the system’s hosts file to redirect chase.com or gmail.com to a fake replica website that steals sensitive user credentials. With the ability to download and execute code at will, anything is possible.

Execute order 66

The image to the right depicts a malicious document (mal-doc) being opened in Microsoft Word. Typically, such documents display a message telling the user that they need to enable editing and enable content. This is to ensure that the Visual Basic macro script can execute, as some users may have macro content disabled.

Below is part of the analysis performed by remote detonation software. The document is opened by WINWORD.EXE as shown on the left-hand side. On the right-hand side are all the unseen background events that the macro script is executing immediately upon opening.

The Visual Basic program embedded within the file copies binary data stored within its code onto the filesystem as ‘berd.b’ and ‘urip.dll’. On Windows operating systems, dynamic-link libraries (DLLs) can be executed through ‘rundll32.exe’.

The Visual Basic program uses its low-level API capabilities to do just that, executing ‘urip.dll’ and generating 4 HTTP requests. The first request is to api.ipify.org, which upon further inspection of my own appears to simply return the public IP address of the machine accessing it (see figure on next page). The following request, made to ‘http://nencivelf.com/8/forum.php’, is a POST request that sends information about the host machine to the attacker to be stored. The final two requests retrieve the final payload .exe file, which will set up a persistent connection to a command-and-control server and complete the exfiltration of the host’s targeted data.
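The chain described above (Word writes a DLL, starts it through rundll32.exe, and that process looks up the public IP and then POSTs data) can be expressed as a correlation over sandbox-style events. This is an added example, not code from the article or from ANY.RUN; the event schema, PIDs, the Temp drop path, the export name and the POST host are constructed assumptions.

```python
# Added example: event schema and sample values are constructed, not ANY.RUN output.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
IP_LOOKUP_HOSTS = {"api.ipify.org"}  # lookup service named in the article

TEMP = r"C:\Users\admin\AppData\Local\Temp"  # assumed drop location
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2100, "ppid": 900, "image": "WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n sample.doc"},
    {"type": "file_write", "pid": 2100, "path": TEMP + r"\urip.dll"},
    {"type": "process", "pid": 3344, "ppid": 2100, "image": "rundll32.exe",
     "cmdline": "rundll32.exe " + TEMP + r"\urip.dll,Start"},
    {"type": "http", "pid": 3344, "method": "GET", "host": "api.ipify.org"},
    {"type": "http", "pid": 3344, "method": "POST", "host": "c2.example.invalid"},
    # Benign control: rundll32.exe started by explorer.exe, no Office parent.
    {"type": "process", "pid": 900, "ppid": 4, "image": "explorer.exe",
     "cmdline": "explorer.exe"},
    {"type": "process", "pid": 4000, "ppid": 900, "image": "rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

def find_office_rundll_chains(events):
    """Return one finding per rundll32.exe whose parent is an Office process."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for pid, proc in procs.items():
        parent = procs.get(proc["ppid"])
        if proc["image"].lower() != "rundll32.exe" or parent is None:
            continue
        if parent["image"].lower() not in OFFICE_IMAGES:
            continue
        reasons = ["office_spawned_rundll32"]
        # Did the Office parent itself write the DLL named on the command line?
        written = [e["path"].lower() for e in events
                   if e["type"] == "file_write" and e["pid"] == parent["pid"]]
        if any(path in proc["cmdline"].lower() for path in written):
            reasons.append("loads_dll_written_by_office")
        http = [e for e in events if e["type"] == "http" and e["pid"] == pid]
        if any(e["host"].lower() in IP_LOOKUP_HOSTS for e in http):
            reasons.append("public_ip_lookup")
        if any(e["method"] == "POST" for e in http):
            reasons.append("http_post_from_rundll32")
        findings.append({"office_pid": parent["pid"], "rundll32_pid": pid,
                         "reasons": reasons})
    return findings
```

Each reason is weak on its own; the value is in seeing them together under a single Office parent process.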

Here we investigate the actions being performed by the final payload. First, another HTTP request is made to ipify.org to obtain the public IP address of the host machine. Second, a persistent TCP connection is set up with the command-and-control server. A payload is sent to the server with a size of 514kb. But what is in the payload?

These are the file read events that the payload made. Notice anything interesting about them? They all access files in which the Firefox browser client might store user credentials. The payload also reads cookie data, which can hold valid session IDs or tokens that allow the attacker access to the sites that created them.

The data contained in these files is the contents of the 514kb sent over the persistent TCP connection with the command-and-control server.
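The file-read pattern above is detectable: only the browser itself should be reading its own credential and cookie stores. The following is an added example, not part of the original analysis; the file names are standard Firefox profile files (the article does not list them), and the event fields, paths and allowlist are constructed assumptions.

```python
import re
from collections import defaultdict

# Standard Firefox profile files holding saved logins, their keys, and cookies
# (general Firefox knowledge; the article does not list the file names).
SENSITIVE = re.compile(
    r"\\mozilla\\firefox\\profiles\\[^\\]+\\(logins\.json|key4\.db|cookies\.sqlite)$")
# Assumed allowlist of full image paths, so a file merely named firefox.exe fails.
ALLOWED_IMAGES = {r"c:\program files\mozilla firefox\firefox.exe"}

PROFILE = r"C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default"
TEMP = r"C:\Users\admin\AppData\Local\Temp"
SAMPLE_READS = [  # constructed file-read events
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "path": PROFILE + r"\cookies.sqlite"},
    {"image": TEMP + r"\payload.exe", "path": PROFILE + r"\logins.json"},
    {"image": TEMP + r"\payload.exe", "path": PROFILE + r"\key4.db"},
    # Same store reported with forward slashes by a different sensor.
    {"image": TEMP + r"\payload.exe",
     "path": PROFILE.replace("\\", "/") + "/cookies.sqlite"},
    # Name spoofing: called firefox.exe but not running from the install path.
    {"image": TEMP + r"\firefox.exe", "path": PROFILE + r"\logins.json"},
    # Same file name outside a Firefox profile: not a credential store.
    {"image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\admin\Documents\logins.json"},
]

def credential_store_readers(reads):
    """Map each non-allowlisted image to the Firefox credential files it read."""
    hits = defaultdict(set)
    for ev in reads:
        # Normalise separators and case before matching Windows paths.
        image = ev["image"].replace("/", "\\").lower()
        path = ev["path"].replace("/", "\\").lower()
        match = SENSITIVE.search(path)
        if match and image not in ALLOWED_IMAGES:
            hits[image].add(match.group(1))
    return {image: sorted(files) for image, files in hits.items()}
```

A process that reads the login store, its key database and the cookie store together is a stronger signal than a single read.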

Without the use of network or system monitoring tools like those supplied by the remote detonation software at app.any.run, all of this would have occurred as a background process, unseen by the user, and it could persist forever if it were never found, constantly updating the command-and-control server with new user data to be sold or used for more malicious activity.

What can you do to protect yourself?

These documents usually come in waves, called campaigns. They are most dangerous before they have been identified as malicious, and they may employ obfuscation and automated detection prevention capabilities. Some will even lie in wait on the host system for days or weeks before finally beginning their attack.

The main defense against these attacks is common sense. It requires some knowledge and skills that a typical office worker may not come equipped with but should be taught and empowered to use. Look for fishy document titles, weird domain names, and misspelled words. Any little detail that makes you feel suspicious should be taken seriously and reported to the department or team that is designated to handle these threats. Many users simply mark a message as spam if it seems obviously malicious, but reporting it may be the best action. Reporting allows security professionals to analyze the potential threat and put proactive measures in place, such as IP blocks or domain blocks on the network, updated spam filter rules, or even new rules in endpoint management software such as Tanium that can act as a last line of defense. Knowledge is the enemy of these attacks. In the ever-changing landscape of the internet, a perpetual war is being waged each day. Will you do your part to fight the good fight?

Works Cited

App.any.run Mal-Doc analysis: https://app.any.run/tasks/41f653a9-97a6-4185-9527-c5009c58c702/
