Macro-less Document and Fileless Malware: the perfect cloaking mechanism for new threats
At the onset of the discovery of DDE command execution attacks in October, Juniper Threat Labs discovered a series of spam messages using this technique. Dynamic Data Exchange (DDE) is a protocol built into Microsoft Word and Excel for sharing data between applications. Security researchers discovered that this feature can be abused to gain command execution. Below are some of the spam campaigns that Cyphort has detected that arose from this discovery.
IRS spam campaign. SHA-256 of the document: 0cfab9a3365f4aabaabca4f31206d1c2d8cf82608c46af9b39d37a0936923987
In one example, a malicious file launches several stages of PowerShell scripts in memory. The attack is fileless (aside from the document): it does not need to write anything to disk and involves only PowerShell scripts running in memory. The communication to the C2 server is also over SSL, which makes this threat harder to detect. The final payload is an open source PowerShell backdoor called “Empire”.
During our research, we identified the following malware.
The filename translates from Malay as “Strategic Plan PRU14 - 2.docx”.
Opening this file shows nothing (a blank document) except for a message box asking to enable the “DDE”. The object must be clicked to trigger the DDE. Inside a docx file is “Document.xml”, where we can find how the DDE will behave. We can easily spot the DDE with the keywords “DDE” and “DDEAUTO”, although in some cases this can be obfuscated by padding XML tags between the letters. In this example, the DDEAUTO can be easily spotted.
The DDEAUTO command invokes cmd.exe, which executes PowerShell to download and execute a PowerShell script (0.ps1) from Dropbox storage.
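As an added example (not code from the original write-up), the Document.xml inspection described above as a small Python check: it strips the XML tags so a field code padded with tags between its letters is reassembled, also reads the `w:instr` attribute form that tag stripping would discard, and runs over a constructed .docx built in memory (the namespace declaration and the command argument in the sample are placeholders).

```python
import io
import re
import zipfile

# Field keywords the write-up says to look for; tags may be padded between letters.
DDE_KEYWORD = re.compile(r'\bDDE(?:AUTO)?\b', re.IGNORECASE)
XML_TAG = re.compile(r'<[^>]+>')
INSTR_ATTR = re.compile(r'w:instr="([^"]*)"')   # <w:fldSimple w:instr="..."> form

def find_dde_fields(document_xml: str) -> list:
    """Return each DDE/DDEAUTO field code found in word/document.xml text."""
    # Strip every tag so a field code split over several <w:instrText> runs (or
    # padded with tags between letters) rejoins into one string; a paragraph end
    # becomes a space so neighbouring text cannot accidentally form a keyword.
    flat = XML_TAG.sub(lambda m: ' ' if m.group(0) == '</w:p>' else '', document_xml)
    # Field codes stored in a w:instr attribute would be lost by tag stripping.
    candidates = [flat] + INSTR_ATTR.findall(document_xml)
    hits = []
    for text in candidates:
        for m in DDE_KEYWORD.finditer(text):
            # Keep the keyword plus the start of whatever it would launch.
            hits.append(re.sub(r'\s+', ' ', text[m.start():m.start() + 80]).strip())
    return hits

def scan_docx(docx_bytes: bytes) -> list:
    """A .docx is a zip; read word/document.xml from memory and scan it."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        xml = zf.read('word/document.xml').decode('utf-8', errors='replace')
    return find_dde_fields(xml)

def build_sample_docx(document_xml: str) -> bytes:
    """Constructed minimal .docx holding only word/document.xml (test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('word/document.xml', document_xml)
    return buf.getvalue()

# Constructed sample: DDEAUTO split over three runs so a plain grep for the
# keyword on the raw XML misses it; the command argument is a placeholder.
PADDED_XML = (
    '<w:document><w:body><w:p><w:r><w:t>Quarterly figures</w:t></w:r></w:p>'
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText>D</w:instrText></w:r><w:r><w:instrText>DE</w:instrText></w:r>'
    '<w:r><w:instrText>AUTO c:\\\\windows\\\\system32\\\\cmd.exe "/c PLACEHOLDER"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>'
)
# Constructed benign document: an ordinary DATE field, which must not alert.
BENIGN_XML = (
    '<w:document><w:body><w:p><w:fldSimple w:instr=" DATE \\* MERGEFORMAT ">'
    '<w:r><w:t>2017-11-01</w:t></w:r></w:fldSimple></w:p></w:body></w:document>'
)
```

Running `scan_docx(build_sample_docx(PADDED_XML))` reports one DDEAUTO field with the cmd.exe invocation, while the benign document yields an empty list.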
Stage 2: 0.ps1
The downloaded PowerShell script is base64 encoded, as shown by the following PowerShell process.
After decoding, it resolves as follows:
The script downloads the next stage of malware over SSL from “https://www(.)thestar(.)live:443/login/process(.)php”. The next stage is encrypted with AES-256. The first four bytes of the downloaded data, together with the constant “505dd62e251005fa796e32e9651b6310”, are used as the key to decrypt the rest of the data, from the 5th byte to the end. The “IEX” command at the end indicates that the result is another PowerShell script. IEX is the PowerShell alias for “Invoke-Expression”.
The next stage is also hosted on a site served over HTTPS, which likely uses an untrusted certificate. The script disables SSL certificate checking with the following command to avoid a warning popup:
The downloaded data is another PowerShell script. This script downloads a further script from the same C2 server over SSL, this time from “/news.php”. The downloaded data is encrypted with AES-256.
The script will execute the Start-Negotiate function with these parameters:
It posts data to "https://www[.]thestar[.]live:443/news.php", which returns encrypted raw data.
The IEX command at the end of the function invokes the output of the call to the “Decrypt-Bytes” function, which decrypts the raw data returned by the above network connection. The resulting decrypted data is the final payload, the “Empire Backdoor”.
It invokes the “Empire Backdoor” using the following command.
“Empire is a post-exploitation framework that includes a pure-PowerShell2.0 Windows agent and a pure Python 2.6/2.7 Linux/OS X agent. It is the mergence of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptological and secure communications and a flexible architecture. On the PowerShell side, Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework. PowerShell Empire premiered at BSidesLV in 2015 and Python EmPyre premiered at HackMiami 2016.”
This does not mean that the creators of the backdoor on GitHub are the same actors behind this attack. It is almost certain that other malicious actors are using the backdoor and weaponizing it for their own gain.
Looking at its modules, this backdoor is pretty dangerous.
The DDE feature has since been disabled to mitigate malware attacks that involve it, but it took several weeks before Microsoft finally decided to disable it. During that span of time, we saw several threat actors utilizing this technique for cybercrime activity. It is always important for people involved in security to stay on top of the current threat landscape.