BSidesIA 2017 Track1: Still Penetrating Your Perimeter – Josh Stroschein & Matt Miller

we uh didn't know we had that nice spel so we put our bios here so this is Josh's does awesome stuff right we got m I do some stuff too right good stuff all right so today we're going to talk about mware in um Word documents and we've had a couple presentations that are sort of related to this so we had one talking about ransomware we had one talking about the use of exploit kits and we're going to talk here a little bit about the fact that it looks like exploit kits are sort of waning um in the past few years so we don't have as many people using exploit kits part of this might be as you saw the

talk on exploit kits they talk about this very complex structure that they have to use in order to get their exploit to run on somebody's machine and they're having to use a a variety of streams of either zero days which are not very often or basically unpatched um vulnerabilities that they can use so you have to keep getting new ones because as systems get uh identified right they're going to get patched and so then they're no longer going to have those um vulnerabilities in them so you got to keep finding new ones so you can keep infecting clients so you have to keep that up to date and you're going to go after all of the the big popular setups

so you're going to go after flash silver light and Java but if we've looked at in recent years we have less flash right we have if you look at Chrome which we talked about right Chrome has its own built-in version of flash right it has we've got silver light which is going away and we've got Java which has been deprecated by all the different major browsers so we see those sort of going away as being useful and so um we also they have to use domain generate domain generation algorithms um and they have to keep modifying these right because every time all of you out there that are going to have boxes that are going to get threat

intelligence you're going to say okay these are the bad domains that you need to not go to so they have to generate more domain so they can keep um attacking people and then we've got Ur redirects or the um gateways that people go through DNS and then they're also U utilizing a whole bunch of compromise hosts so if you want to deliver this malware you've got to compromise some host in order to give that malware to people right so they would connect to you know Bob's you know Diner or something and that would have be hosting the malware so that you the person being infected would would download it so those are also going to get patched

because people are going to notify them hey we see there there's malware on your site and so they're going to try and get them to be fixed so what we've seen is that they've moved from using exploit kits to using social engineering and macros so more and more we're getting emails that have this information in them that says oh here's a Word document that you need to open and it has information that is relevant to you right so trying to trick the user and training is hard we have a really hard time getting users to not click them I mean it's it's hard for me and Josh to imagine somebody seeing an email and saying oh that's got macros I should

really enable that right and clicking the button to say yeah let's let's run that macro right I do it all the time though you're on a Mac it doesn't matter right so and and the other thing is that users have jobs right unlike us right they have jobs where they need to get stuff done and to get stuff done a lot of times they have document ments that have macros that they need to run right office is this standard that everybody uses if you go to a corporation they're going to use office and so people are going to use office and then office has Visual Basic built into it right so you can run VB script within that and macros

just work so there are a lot of applications where people are actually doing work using Excel or using word and they're using macros within that so they can get their jobs done and you know so people are just used to this and if they're used to hitting that enable macros button right and it stuff works then they're just going to keep doing that so then what happens is you're going to have somebody who clicks on a macro and now you've got an attacker on your network and you have to deal with that and we've seen some of the things they can deliver right they can do um clickjacking or they can do um uh the

delivery of um ransomware on on people's computers so we've got a lot of problems to deal with and so Josh is going to talk about more of the details on on that yes so my role today is to go through some of the more uh technical techniques that they're using uh to try to walk through those in PowerPoint the best I can um I don't have a lot of demos I have one video we'll see how well we can actually see that uh before we get into it though I did want to just make sure that I I frame exactly what portion of this scenario we're talking about we're starting with and really focusing on the

Office document we'll talk a lot of about word but that could be Excel and PowerPoint anything that could support macros which I believe is the entirety of the office suite and then what happens after those macros are executed and so as as you as you probably know in a lot of attack scenarios that involves malware um exploit kits office documents a variety of others there's usual SE usually several stages and so we're really just talking about this first stage whether that's Shell Code or executables or um VB script or Powershell or some other O2 object that's been embedded in the document um this is really the first two stages that we're talking about um this stuff that I

have right now in the bracket the job of that typically is to go to the cloud and to get another stage whether that's more Shell Code that's more Powershell or scripts or that's the actual malware itself uh and then it drops and executes that or detonates that so I'm not worried too much about that for this talk we're going to focus on the document the macros and some of those things that the macros are immediately doing um as I said focus is on the office suite Focus today is primarily on the macros themselves and some of the behaviors that I've observed in the last few months but it's not exclusive to so we have seen uh CV 201701 199 just

recently that came out uh required very little user interaction the user did have to click an okay dialogue in order to retrieve some content for a link and then once that link was brought in and I've got a little more details at the end of the the slide deck here if we have time uh then everything the scripts parsed and and everything was pretty much automated from there uh social engineering as we already talked about embedded objects if a user just has to extract and double click something then we're not really relying on Macros in that case so what are macros is everybody familiar with macros yeah VBA Visual Basic for applications um I guess I've had the

benefit of not having to write any macros for a living I just inspect the malicious ones um but everything that comes with macros is pretty well documented on msdn so if you look for VBA you'll find a lot of resources there on msdn the Microsoft developer Network um of course there are features that malare authors are going to use that aren't as uh necessarily documented and and one of those one that we're seeing very prevalent right now is the use of the windows API and we'll go through an example here so malware that uses inside of the macros maybe a call to Virtual alloc from Colonel 32 in order to allocate memory and Stage into that

memory some Shell Code so um there's probably one of the first things that I do when inspecting a malicious document and and even before I get into that just to help again kind of gauge the level of detail that I go into these um often times there are easier easier methods if I just want to see what an Office document is reaching out to or the files that it's dropping I can just execute it in a sandbox or a VM and collect those artifacts when it's done you if I want to find out actually what those macros are doing if there's new techniques that it's using then then I go a little bit deeper so one of the first things that I

do when I look at trying to determine an Office document if if it has macros or not because that usually then drives the direction that I go for the next step in my analysis uh the first thing is probably o dump and I'm assuming everybody's heard of has everybody heard of O dump from from Diddy or Stevens It's a python script it helps us to dump content and information about an Office document particularly to see the streams and the resources in that file we're going to go through all those here um just real brief in a moment another method is of course just to open the document and see what happens happens if it asks me to enable

content then I know that it's trying to execute macros and I can also use the IDE that's built into the office suite so anybody that develops macros whether for malicious or non-malicious purposes they can also open up basically like a visual studio type editor in order to build the project that that Associates those macros with that document edit them debug them and everything and so I can actually use those you can use those as well in order to help with your analysis so as I said probably the first one that I go to is O dump I had an opportunity to meet Didier last week it's very nice um this is what the output from the tool will look like

again it's a python script so are you're going to be running it from a command. exe or a terminal and you'll see that it lists a bunch of information the first bit is the index so that just helps us to get a frame of reference for the different streams that we're talking about probably one of the more important pieces of of information right now of all these indexes of all these resources in this office document what actually contains macros and the Little M will indicate that that stream contains macros so now I can usually narrow my search down my research down to just those streams so you can see in this screenshot um 810 and 12 have macros now

you'll also notice that there's an uppercase and a lowercase M and what that is discriminating against is streams that are macro definitions and streams that actually contain macro code so the ones with the uppercase M are the ones that actually contain code the other ones are just defining a class or a module and so typically we don't need to worry about those that's the size of the stream and I point that out because every once in a while uh you'll find maybe some embedded content in a stream and it'll have a very abnormally large size and so it might be worth taking some time and dumping that stream and inspecting that to see what's inside of it you'll see an

example today uh I guess I kind of got lucky and that you'll recognize some patterns and you can you can dump an executable from the stre stream from there and you'll see that in a moment my favorite macros are all called cowkeeper and Discord so you can see those are the stream names um another indication that we're dealing with something slightly off or maybe malicious is that the ausc efforts that the authors will go through will often times include the name of the stream so you'll get random looking stream names such as cowkeeper and Discord does anybody know what those streams represent the ones that I have highlighted in yellow it's not a trick question I

guarantee you it took me forever to figure that out um th that actually means that on this document there's a user form and the reason that that's important is because I'm seeing right now a lot of Shell Code being stuffed into the user form so then that Shell Code will be pulled out dify skated put into memory and execute it so we'll go through a whole example here with that in just a minute so when I see F in zero I see those streams right there I know that if I look at this inside of an IDE or if I trace into this when I dump the macros likely there is a user form with some

sort of an object on it a text box or a label or a bunch of tabs or something that probably has some content stuff inside of it here's an example of if we ran the command or lead dump we tell it what stream we want so stream 8-s and then 8- V decodes the stream if you don't give it that argument and of course if you do the help file it will tell you all about this um then it doesn't decompress it or or deop uscate it there's Microsoft has some way of of storing those macros inside of the document without being it in plain text uh the name of the document you can say I used the hash so

it's a little bit long and then I just redirect that to a document a file on my file system so that I can go ahead and interact with that document maybe do some refactoring um or other things that help with my analysis once I'm done I have something like this and now again we can start digging through those macros and inspecting those to see what they're actually up to before we do that I said we can also enable the office ID I least I'll call it an ID um you'll have to navigate into the options you can go into where you customize the ribbon at least that's the way that I do it and I enable that

developer tab which isn't available by default and then once that's enabled you can see that we have the option on the on the very left hand side there to click Visual Basic and what that will do is that will open up your project so if the Mal contains macros and they're not password protected then you'll be able to see all of those streams just like we could with o dump the added benefit then to the IDE is that we'll also be able to see the user form and we can debug if we want to as well so we can actually set break points and step through this code and uh it can make analysis I think a

little bit easier there's our project there's one stream of macros this document that's like the default most mocs will have the this document macros a lot of them decide to stuff the auto open you can actually see that in the screenshot that's that function down at the bottom um so when the document is opened that's the function that originally triggers the execution of the macros so the entry point into the macro code um this document tends to have that but it's not it does not have to be defin inside of the this document macro stream there's another one so this has an additional stream uh solemnize again kind of a strange name but that's just

due to the way that these malare authors are ausca not only the code inside but also the names of the modules there's our form again another very strange name uh chinking I guess would be how I pronounce that um we can double click on that form and then you'll you'll see that and we'll you'll have I have a slide here in just a moment That'll Walk us through that um you won't see when we looked back at the O dump you didn't see information that directly correlates the user form to that object that user form object that we see in the IDE uh and I don't know if there's a way with o dump to get that information out I haven't

come across it so often times the only way I know is by seeing that F and that zero in those streams that there's a user form now when you're looking through the macros again you'll probably need to get into this actual user form and look at the different objects on it and see what those are called in order to tell when data in that user form is actually being directly referenced okay as I mentioned now you can debug so pretty standard Source level debugger I find the place in the code that I want to set a breakpoint i click in the margin it turns red and then I can go ahead and press play and from

there execution should begin now again just like any debugging scenario you have to make sure that your malware will actually get to whatever path you're trying to get you where you set that break point in this case I set it on auto open so I'm pretty confident that I'm going to start right there uh but if I'm further along in the macros I just have to make sure that the logic will in fact get me there otherwise of course your breakpoint will never be set once you're in debug mode you have all your standard debugging options step in step out step over stop debugging we can also do uh inspect the values of variables you know our memory

inspection and you can see here that uh what happened is I just got really tired of looking at all these Opus skated macros I wanted to see the value of a couple of strings so I set a break point and now I added watches as you can see in the dialogue below to see what the values of those strings were so instead of tracing through those backwards and figuring out how all of the opusc was done in order to build those strings uh I just set a break point and looked

here sometimes I encounter passwords sometimes I can get around them uh sometimes I haven't I've had luck with I think it was a spreadsheet was the last time that uh I was able to find a an offset or a key value pair in the file just using a hex editor and replace a value open it up and then actually replace the password uh and a newer word doc I haven't been able to find that same offset in the file and bypass that so I've had situations where I've had an Office document that not only requires a password to view but a password to view the macros they're not the same password and I couldn't figure

out a way around it I didn't really want to take the time to figure that way out and so I just had to observe the document from the outside so using tools like proon or wi shark in order to see the artifacts that it leaves behind or the the communication that it's performing was touched on uh the presentation here earlier this afternoon macro protections by default are to disable but notify so of course we give by default our users the ability to still enable and execute those macros so uh still a bit of a problem social engineering abounds uh we could go through just social engineering examples all afternoon if we didn't get extremely bored uh but the gist of it is that

they're just trying to get the user to to enable that content so here you see something that's saying hey this is the latest version of Word and you're not up to date in order to see this content um you have to actually enable content content um we actually saw this example or very similar example to this earlier this afternoon as well and that this one was a slightly more targeted at least it appeared slightly more targeted and that it had the name of the individual recipient um it had an attached document and then it had a password so they had to once they open the document they had to provide that password to get into it

and then from there they had to enable content um in order to actually get the the macros to execute and this is one of my favorite it was part of a a UPS fishing campaign and that the email said that UPS had tried to deliver something to you they missed and I've attached conveniently your tracking number in a Word document that contained macros and so then once you open that word document you see that it's encrypted and the only way you can decrypt that is to enable that

content okay as I said forms so if we were to double click that form just so you can see it from the view of the IDE you can see it from the view of O dump the two my two primary tools when looking at maloc um that would be the form itself then so again you're not going to see the name directly in the dump from o dump um looking at the form itself it might seem unimpressive but often times all you have to do is adjust the size of the canvas or that window and then content might emerge in this case uh it was fairly obvious that something was out of place here when the content of that text

field started with the 45a um not quite that straightforward though because they the malware authors did do a little bit of ausc with that embedded executable um and we'll talk about that here in just a moment now when you select that that text box you can also look at the properties of it so you can see that I have uh two more screenshots there on the lower right and that top one is the name of that field transducer so when you're looking in the macros if all of a sudden you see reference to an object in this case transducer um that's how we're tying together the fact that it's using a form and more specifically it's using

the content from that form uh within the macro logic so if you're really trying to trace through it that's how you would eventually be able to tie those two

together so I left this slide in in order to talk it's very similar to the one that we just looked at except that when we look at dumping this Stream So the screenshot to the right um what we're doing there is actually it's stream 15 which you can see from the O dump in the center and what stood out from that initially not just the fact that it's part of a user form was also the size it was a very large size stream when I extracted the content looked at the content and again you can use that same basic command El dump DS in the Stream then these bites went flying by and I immediately recognized the 45a

you'll notice that there are some bites in front and there are some bites behind if we were to look at the stream its entirety and those are just bites that are related to how this is actually stored in the user form so there's some things that if I were to extract this if I wanted to get this executable out manually I'd have to trim those leading in trailing bytes um the other problem is that even though I've recognized that there is the 45a which is the magic number for a PE file MZ that's the the bite values for the asy characters MZ which stands for Mark Zuckerberg right no no he didn't create PE file oh shoot

um the problem is though that this is an asky dump and so if I'm looking at a PE file the asy representation of it I should be seeing MZ and not 4 d5a I should be seeing the Dos this program cannot be run in DOS mode and I'm not seeing that and so what the malare authors did for this particular example was they took the original bite value and then they wrote into that field the asy character for it so that's why you're seeing four and then D and then five and then a and when they eventually drop this to dis and execute they go through each asky character and then they write it again as a bite value so

they convert it back to Binary so if I was scanning this with a tool I probably wouldn't catch it because it wouldn't match the signatures the patterns here for a PE file um but it's just really easy to to dump to basically um swap those bites back dump an execute so it didn't take much logic within the macros to actually do that everybody loves ausc right I know I do um ausc comes in a variety of forms when we're dealing with source code uh we have you know Source level this is VBA so it has to at some point be executable um and it has to be valid syntax in the language so we see a

variety of things a variety of techniques that are are are somewhat trivial but they're nonetheless very they're very timec consuming to get past them so you can see with this one um the function names and the variable names are one they just use completely random and ambiguous names um such as is our our parakeet object another favorite and this is opusc that you see in more than just of course VBA is to use a lot of string concatenation so breaking up strings and then concatenating them later together um taking a string and doing a reverse of it or maybe doing a substring of it you see that a lot too moving past that string so down to lines

567 you can see there's a lot of very simple mathematical operations some addition some subtraction and there's even a for loop after that and again more than likely all of that is just junk instructions they're just there to slow us down as we're trying to analyze so the more you see the more you can pick that out the quicker then if you really want to spend time on these macros and any code that's Aus skated you could delete that and then just be left with the stuff that is actually important so you might get macros that are 500 lines of macro code but if you refactored it all down you might only have 50 lines or something because it's

just so full of bloat such as that okay I mentioned the use of the Windows API here you can see an example from the I believe the hanset Mal campaign and what they're doing is essentially declaring pointers to apis within whatever module they want to load so you'll see user 32 and Colonel 32 uh and a handful what they additionally do is they throw in some song lyrics so I chose this one because I um there's a lead Zeppelin line in there so I thought that was appropriate um for no other reason than I like Le Zeppelin um now because they use things like again names that mean absolutely nothing if we look at the last one for example because

we're actually going to follow this one because it's responsible for executing some Shell Code here um Cabriolet that's how I'm going to pronounce it anyway is an alias for enum date formats W so if I want to see where that API is now used in the in the actual macros I have to be able to follow that variable name or or refactor it so I know where it's being called um the other thing that might be surprising any guesses as to this one of these functions is going to be responsible for executing Shell Code anybody want to guess which one I was guess register class register class okay anybody want to bet with him or against

him all right we'll find out then in a minute n we find out right now we'll come back we're going to go through this one in detail um but there's the API call it's Cabriolet and this is actually the one responsible for executing shell Cod so we're going to step all through that here in just a moment so using a an API that's maybe not directly obvious as to the the purpose of it so a few of these slides I put the actual samples up so if you get copy of the slide deck or you want to follow along or something there's the sample that we're about to look at and just a brief snipp it on virus total because I

needed to fill the slide up with something so as promised we're back to cabriola if you remember that was uh format date string something we'll see it here again in just a moment and one of the things that I decided to do when analyzing this particular document was instead of tracing through the code I just set a breakpoint to see what was happening when these apis were being called in particular when I found that Cabriolet was being called I knew what API it was I was interested in how it was being used so I set a breakpoint if we look up that function on msdn we'll see that it is documented it's not one of those strange

undocumented apis that malware authors like to use and the first argument is actually a pointer to an application defined callback function so that's how it's obtaining the execution of Shell Code so you'll see in just a minute it's actually allocating a chunk of memory putting Shell Code there and then using this function with a pointer to that Shell Code in order to achieve execution so I to me it wasn't obvious if that's what they were going to do do until I stepped through it and figured out that that first argument was a call back and really a pointer to or a function address so we can inspect that first variable look at the value convert it to

hex we'll see that in this particular run right it was it was allocated through I believe virtual alloc um so that the address could change uh in this case though it was 70 d0 e5d if I use a tool I like to use process hacker in order to look at memory for the processes you'll see see that uh there happens to be the base of that allocation 70D 000000 and it also happens to be read WR and execute so a likely Target for Shell Code and what happens when that function is called well it's going to go right to here and I don't know about you but my favorite op code is 55 hex because

that's a push EBP so it looks like it's Landing in the function prologue um of some Shell Code so that's how it achieved that execution now the technique and again we'll talk about this right now is process hollowing and what this shell code is doing then is it is going to start a process in a suspended State um it's going to use an executable that's already on dis on the system so typically SVC host or explorer.exe it's going to suspend it so it's going to get loaded into memory but suspended kind of like when we load a program with a debugger right before we you know we let the debugger break in before it begins executing and then it

Hollows out the main code and replaces with with its code once it's done with that replacement then it resumes the thread resumes the process and the malicious code is now executing so it doesn't necessarily have to write anything to dis it extracts that Shell Code out of the document loads an executable already on disk replaces it and then um that shell code is is now executing yes is that ninja it is binary ninja yes um I'm trying to yes so I use I still use a lot of Ida uh that's my my go to my crutch um and I'm using binary ninja more and more uh to to just to get a feel for the tool especially as

they're developing it and and things are getting much better so use Viner ninja littleit a little bit okay yeah I have to admit I know Jordan the developer so I'm not going to push it too hard it's a great tool though um it looks pretty right and it looks pretty yeah yeah I don't I don't have it in the demo but you can do this thing on a keyboard where you do commands Z and it undoes errors instead of yeah I know it's amazing um oh anyway so here's the Shell Code so you know if we wanted to continue to trace the the behavior here we'd have to dump the Shell Code from memory and our analysis from the word

document into this this blob of memory that has the shell code is helpful because it tells us at what offset to start disassembling so if we just take a bunch of bites and we pull them out of memory um we can't always just tell a disassembler to start at bite one offset zero and begin to disassemble so we saw that address before that function called the Cabriolet so we could see here where to go and begin disassembly um this is actually a different Shell Code so you'll see the offset if you're if you're really paying attention the offset's just a little bit different but the concepts very similar um shell code is a whole another Beast we have uh a

lot more anti-analysis type tricks inside of here uh if we were to dig into those we'll see a lot of dynamic API resolution so it's going to load it's going to find a base ad for some module not through some exploitation but taking advantage of things like the process environment block and the the the link list structure that it has in order to um locate where those addresses are those those modules are in memory um get a base address find some apis and then load other modules like colel 32 or user 32 or others as it's needed um so you'll see a lot of things like a call and a dword and some um you know offset

relative to EBP or ESP or just some global dword address or something it's indirect and we don't know what what it is unless we step to the code or figure out how it's dynamically resolving so we might have to do quite a bit more reversing in the Shell Code if we want to continue to trace it what's that I used a tool called process hacker

process um you know I don't think I have a good this is this is the only screenshot I have for process hacker and so down no that was um when I when I when you get the properties of any process it'll come up with that that window that has all the tabs there's a memory Tab and the memory tab will have all the addresses for any memory that the process is using and then yep and then I expanded that so I saw the allocation at that address I expanded it right click and save I was in windy buug at this point in time as well so you could just dump from Windy buug supposedly I haven't gotten that to

work yet either right mem is supposed to work here's an example the Highlight on the bottom uh I renamed that variable so using tools like BN and Ida allows us to rename those labels which is very very helpful otherwise I just would have seen a call to a dword EBP minus some offset so I don't know what that call is but because I was able to figure that out and rename it I can see it's create process looking back then up that that call the the pushes setting up the call Stat the arguments for that function call um if we looked up create process on msdn we'd see the sixth argument is the process creation flags and Microsoft

defines what all those values can be and a value of four in HEX is suspended so that's one of the the tell Tails here that we're looking at the beginning of the process hollowing technique these are the other apis involved get thread contexts that gets information about a structure about the thread and ultimately what it's going to do you'll see set thread context there right before resume thread on that list of calls is it's going to be able to update where when that thread resumes what address of entry point essentially is there so it's going to know where when that thread resumes the CPO is going to know where to where to begin execution um unmap view a section we'll

take that section from SVC host or explore whatever process just got hollowed it actually take that code section unmap it out of memory and then write process memory in conjunction with something like a virtual alloc will then allow it you to allocate memory and then move your shell code or whatever you want to get executed into that space set the thread context and then resume the thread I don't know if this is going to come through all that well but kind of hard to see isn't it well anyways if you if you watch the process activity here you'll just see that once I enable the content we'll see an instance of SP SPC host start and begin execution

and that was the entire process hollowing technique in this document if we hover over or inspect that process you can see the path C Windows CIS 64 SVC host so it looks like it was started from that location when in fact it wasn't well it was it was loaded from there but the the code was hollowed out all right moving right along some Powershell uh I don't know about you guys but I always put my author block as Powershell Das window hidden Das encode and then some base 64 string whenever I whenever I author a an Office document um so this one has some Powershell and this is one of many ways I've seen Powershell utilized in an

attack um this is also kind of interesting because it has some airor handling for a Mac Shell and Matt will talk about that here in a moment we still had to have macros in order to get that content and execute it so you can see there are usually a handful of objects that you commonly see WS script. shell and adodb the right to the file system and XML HTTP to do stuff with the internet and HTTP um so there's our object it's created and then it used the content of that author field to execute as the script um that script was a base 64 encoded string and that's going to be the dasc is going to decode that and

then it's going to be executed uh this is a multip stage Powershell and so what it did was it took all of this first bit of content here I know it's really hard to read but it treated it as a string it Bas 64 encoded it and then it used Powershell another instance of Powershell to execute that the second stage is the more interesting one because we have in this stage a bunch of Shell Code at the beginning and then it used there's our Shell Code it used virtual aloc and then memet to copy the Shell Code in the memory and then it used create thread in order to execute that Shell Code so once it was

staged in memory then the address that we had from virtual iock from that allocation in that X variable was used as the uh the place to start when that thread was created so it used Powershell to eventually get get to the execution of the Shell Code uh at this time when I analyzed this it was dead I tried to make a request out to that IP for that resource and I got a 404 so I didn't I wasn't able to go any further he VB scripts one I just encountered um this one opened it up and it had this um these o objects embedded here at first glance they look like they're additional Word documents uh of

course they're not they're VB scripts all three objects are the same so if a user were to double click on them essentially what they're doing is they're asking for Windows to handle the execution of these VB scripts um all three are identical ran the hashes on them they were all the same so open them up and you'll see that uh again we're dealing with a ton of ausc so it's up to you I guess as to how you want to tackle that um I just did some Dynamic analysis because I really didn't feel like de offis skating all this VB um often times though if I wanted to start trying to digest all the sopus

skated code I look for things like this open property so I look for properties that they just can't Aus skate or it's very difficult to Aus skate on objects and a do open probably means that it's making a request that's using maybe an XML HTTP object to do that and so that if I'm interested in how it's you know the domains or something that it's using I might start there and uh and sifting through all that junk I didn't do that I said uh I used procmon and wire shark to just capture some basic information this thing dropped two files a RMS file and a JBC this was the RMS and guesses on what they did to this

file this was the initial file dropped from the VB script the 73 is what stood out to me they just did a simple exor so they exor the original executable with a hex value of 73 and that's what came across your network um once it was dropped on the file system then the VB script went through it bite by bite exord was 73 and then you you got the executable right so if you took maybe that first value 3E and exort it with 73 you get 4D um otherwise you see all the 73s it's because the exord zero is 73 which is 73 so uh that's how I picked up on that there's the file there it is on virus total so the

document itself wasn't on VT yet but um the the files that it drops are looks like it's a Trojan uh that one was kind of odd because when I tried to run it I got a bunch of Errors so I didn't have a lot of time to debug it but it just something seemed off with it uh the last sample that I'm going to talk about was one that I just thought was interesting it utilizes cert util in order to decode so again we're seeing a very common pattern and that we have some sort of usually trivial ausc or encoding scheme in order to get the actual payload across the network through the internet whatever um and then something that is

used on that's already on the host whether that's the scripts that have been dropped or the office document or in this case the CER utility that's within Microsoft within windows in order to do the Deus or the decoding so that's just a link to the CT util on msdn with this file um I can't remember now off hand if it drops the pfx or if it actually gets it from the internet uh but this is the first file that's actually written to disk in the unfolding of this Office document and this is what you'll see it do it uses the search u- decode and then the location of that pfx file so it's just base 64 encoded so it decodes it it

writes it as an executable in your temp directory and and then it executes

it yeah CV 2017 0199 I don't have much to say about that I don't if anybody has any questions it's patched now so uh it's much mitigated I think at this point shall I turn it over yeah all right all right so so some of us Josh and I included like to run on our OS 10 boxes so we're not uh alone although if you look at the market share for Mac right it's not very big in comparison to people running um windows so we don't we don't have as uh much Mau that is on there but again if you look at the Top Line on there you can see that it's that uh the way Microsoft built the VB right

on the Mac it still can load binary libraries so this one is in libc Dynamic library in order to go ahead and run a bash shell there right and then it uses the uh you can use the system command um which is loaded um actually this one the newest version of the Mac um office update will not run this one anymore because they've changed it now to 64-bit and so if that one doesn't run then of course there's a new one right that runs so this is the um one that runs both right so it checks to see is it on a Mac or is it on window window so they can sort of hit both at the same

time and they either run the so we saw previously Josh showed you the author field as one of them oh I use Las there we go so we use the author field in order to uh get the Powershell code that was going to be executed so that's if you're on Windows and then if you're not on Windows then it goes ahead and is going to use um create a shell script that's using Python and it'll um this one basically creates a reverse shell on a system using /bin/sh and then using the Mac script Library we'll go ahead and run and execute that code so again we we have the full power of of what we had but you

know we're we're stuck within a uh sandbox on OS 10 so they do do that a little bit better so um you have to get basically get an escape you can open any application but writing to the dis is a lot more difficult on OS 10 on the the newest updates with Microsoft Word so I guess we got time for questions or comments yeah have you done Anis of these seeting are we talk like people talky of people I don't do any attribution no I'm usually just interested in in functionality um Consulting I work for bromium uh and it's usually just just what actually occurred here not necessarily where it came from and attribution is hard anyway

soed so I don't think I really want to even try and second question have you run across any of these that actually do detection to determine if they're in a sandx and then change their behavior based on that to hinder your analysis I I do I have a blog post post on the bromium website I should have included that I didn't um yes I don't remember all the details now off the top of my head but it was using I think wmi to query it was actually doing a variety of things but one of the ones that I remember uh was I think it was using wmi to get the process list and then look

for you know your Telltale processes that we running virtualization vbox and qmu and a couple others so off the top of your head how often you say run into those the that just EX um I don't look at these things in Mass so I'm not someone that looks at you know 50 work box a day uh and the last year though that was the only one that I've encountered that and then this one here that last Mac or that last uh one that we looked at that actually targeted both I I don't typically see that either yeah so I think a lot of these techniques right now are sort of in their infancy so they're not doing a lot

of checking but as people sort of get more aware they're going to right increase that and that's the he showed earlier the password one right so the entire reason you have a password on that document that the user has to type in is that autoanalysis isn't going to be able to run on that and determine oh yeah as soon as it enables macros right then we have something that runs so that stops that autoanalysis right off the bat so you you know have to have the analysis figure out what the password is and then fill that in in order to run it so we're in a c situation yeah as as usual right I mean it's just going to

escalate as we as we start stopping Powershell right they're going to they're going to try and use more Advanced Techniques after that

so uh I didn't with that script um I guess I I typically don't look at the metadata the author and and stuff if you run file usually you can see that kind of information uh there's some other tools um so that's do more it's actually parsing it's actually parsing those the word documents in their their binary format and figuring out all the different sections and then presenting that to you and letting you well it's the new docx formats are more complex than the old ones so they're it's it's fully parsing all of that information yeah so um are you Target for this you mention one out to download something are they typically seeking info are they typically like is this

going to be I guess what kind of attack Vector are they using after they have got run this is specific like typically this is some spring C around that's just trying to be part ofet or is this like fishing specific emails going to CEOs so they want info from networks this seems but like yeah what are you see like what they're actually try to get from this dryck seems to be a big one right now um I think the the process hollowing one we looked at earlier was dryex it was dropping dryex um you know just Trojans uh I don't know if I can say that there's a specific type I I don't see a

lot of ransomware coming out of office stocks right now but that just could be because of the ones I tend to look at that they tend to be more the Trojan the dryck the things that are trying to get a a stealthy persistence on that

host yeah that that was an actual maloc um that that was a little bit of I think some of your code but the yeah I modified it so I the document was that's that was really the actual code within that maloc that was distributed and again I don't remember exactly where I got that sample now um it looked to me like proof of concept code if you looked at even the comments it had they had comments in it like try your windshell and if this fails then we'll jump down here and we'll try the max shell and that that Max shell was was pretty simplistic in what it was trying to do so uh but it was distributed so I don't

know if the noware authors were it was a trial run or an oops or a they thought it was production ready I don't know

anything else all right well thank you very much I appreciate you guys' time