Macro documents with XOR Encoded Payloads
When reversing malware samples, one of the things that we as analysts look for are places where the attackers slip up. This can be anywhere from using the same strings, to weak obfuscation routines, or re-using the same snippet of code. When we talk about the attackers, there is this misconception that they are these super villains who can only do evil, but keep in mind they are humans too.
Today’s sample is no different. While reviewing a Triage console, we came across an interesting phishing email that contained the following attachment. Here are the Yara rules that tripped:
While we’ve seen tons of word documents that contain macros, it’s typically more rare to see this triggering in conjunction with XOR exe’s. These types of payloads are usually used in conjunction with an exploit and later unpacked. By using xorsearch, we can confirm that there is a malicious payload inside. * Note that an XOR of 00 is just the data itself.
By opening the file, we can confirm the presence of a macro. Big surprise on this one.
However when we hit alt + f11 to try and bring up the macro code, it is password protected. Looks like it’s time to use our macro password breaker! (Figures 4, 5, and 6)
Once the macro code executes, a copy of the word document will be saved to %temp%/300.rtf and %temp$/301.rtf, our malicious payload will be saved to %temp%/q2.exe, then executed.
When looking at q2.exe, we can see the compile path of “T:mandatoryHenceoneDateeffort.pdb” for the file. This gives us some information that the malware could have been compiled from the T directory, lies in the “mandatory” directory, and is the project name of “Hence”. But what about that XORed payload?
By performing a single-byte XOR with the key of 0x66 (or “f”). We know this was successful, as we can start to see other strings and structures of an executable.
One thing to note is that the attackers really went the extra mile to make it hard to run, as it is missing the standard “MZ”. This is something that would be added at decoding time of this payload.
By scrolling down and looking at some of the strings, we can see that some of the data may be encoded with “aPlib”.
For stage two, by scrolling further into the encoded data, we can see the domains that will be used for calling out.
Or better yet, why not take a look at the user agent string that’s going to be used? And let’s not forget that “the malware is using HTTP/1.0 as well.
Or that it’s capable of grabbing a ton of credentials, mostly FTP.
PhishMe customers already have detection for this type of attack.
The following combination of Triage rules can be used to detect this:
- PM_xor_This_program_* (there are over 500 of these rules already in Triage)
The following PhishMe Targeted Phishing Intelligence reports have been available since the day this campaign started
- Threat ID: 4445
- Other related campaigns: Threat ID 4679 and 4696
In order to help protect others, we have provided the C2 and user agents identified within this malware on our github. You can download it here.