Last week, one of our clients was the victim of a large number of attacks through emails. Those messages contained a Word file as an attachment. In this article, we will quickly describe how to set up a safe environment to observe the behavior of a suspect file. This is not meant to be a comprehensive or deep analysis of this attack.
According to our information, at the time we are publishing this article (June 2015), a few companies in different fields, including Oil & Gas, are under attack with similar files.
Everything started with an email received by the financial department of our client. The message was entitled “URGENT INVOICE” and consisted of a short text explaining that the attached file was an invoice that had to be paid as soon as possible. Shortly after, a large number of similar messages were received with different subjects.
It is a common method for hackers to use social engineering to get people to allow malware onto their computers. In this case, the message aims at creating a feeling of urgency and fear in the people who receive it.
The client did not take any risk: they did not open any of the attached files and sent them to us instead.
Our first action was to prepare a safe environment for the analysis of the files. As a result we created:
The IP address of the Ubuntu machine was configured as the gateway for the Windows machine. The DNS server IP address was set to an address outside of the local IP range.
These two virtual machines were isolated from the outside world; their only network connection was with each other. As a result, all network activity from the Windows machine was visible on the Linux computer. From this point we were ready to start the analysis.
First of all, we opened all emails one by one in the Windows virtual machine and took a look at the headers of the messages.
Some of these messages had been forwarded by the client without the SMTP headers.
However, one of them was provided as it had been received. Thanks to that, we could identify the originating server of the message. We queried the RIPE database to identify the owner of the IP address of the server that sent the email. As a result, we established that an engineering partner of our client had been infected and that its servers were being used to propagate malware. Some workstations had been compromised and the address books of the users had been used to propagate malicious files.
We first opened the attachment with a hexadecimal editor and identified it as a MIME file. The last block of this file was a base64 text containing an MSO element.
A MIME file with a .doc extension
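The check described above, as an added example that is not part of the original post: a Python script that recognises a ".doc" that is really a MIME (MHTML) file, walks its parts, and decodes any base64 part carrying the application/x-mso content type. The sample document is constructed inline and its payload is a placeholder; the only outside fact used is that a decoded MSO container starts with the ASCII signature "ActiveMime".

```python
import base64
import email
from email import policy

# Constructed sample: a minimal MIME (MHTML) document of the kind the post
# describes, i.e. a ".doc" that is really a MIME file whose last part is a
# base64 body with an application/x-mso content type. The payload bytes are a
# placeholder, not a real MSO container.
SAMPLE_MIME = (
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/related; boundary="----=_NextPart_EXAMPLE"\n'
    b"\n"
    b"------=_NextPart_EXAMPLE\n"
    b'Content-Type: text/html; charset="us-ascii"\n'
    b"Content-Transfer-Encoding: quoted-printable\n"
    b"\n"
    b"<html><body></body></html>\n"
    b"\n"
    b"------=_NextPart_EXAMPLE\n"
    b"Content-Type: application/x-mso\n"
    b"Content-Transfer-Encoding: base64\n"
    b"Content-Location: file:///C:/EXAMPLE/editdata.mso\n"
    b"\n"
    + base64.b64encode(b"ActiveMime\x00\x00PLACEHOLDER-MSO-PAYLOAD") + b"\n"
    b"\n"
    b"------=_NextPart_EXAMPLE--\n"
)


def looks_like_mime(data: bytes) -> bool:
    """A Word document that is really a MIME file starts with header text
    (e.g. 'MIME-Version:') instead of the OLE2 or ZIP magic bytes."""
    head = data.lstrip()[:64]
    return head.startswith(b"MIME-Version:") or head.startswith(b"Content-Type:")


def extract_mso_parts(data: bytes) -> list:
    """Walk the MIME tree and return (content_location, decoded_bytes) for every
    base64-encoded part whose content type is application/x-mso."""
    msg = email.message_from_bytes(data, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() != "application/x-mso":
            continue
        encoding = str(part.get("Content-Transfer-Encoding", "")).lower()
        if encoding != "base64":
            continue
        payload = part.get_payload(decode=True)  # base64 is decoded here
        found.append((str(part.get("Content-Location", "")), payload))
    return found


def is_activemime(blob: bytes) -> bool:
    """Decoded MSO containers begin with the ASCII signature 'ActiveMime'."""
    return blob.startswith(b"ActiveMime")


if __name__ == "__main__":
    if looks_like_mime(SAMPLE_MIME):
        for location, blob in extract_mso_parts(SAMPLE_MIME):
            print(location, len(blob), "bytes, ActiveMime:", is_activemime(blob))
```

On a real sample, replace SAMPLE_MIME with the bytes of the attachment; the decoded blob is what the analyst would hand to an OLE/VBA parser next, and the Content-Location header usually preserves the original path of the embedded editdata.mso.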
It was time to open the suspicious doc files with MS Word.
Unsurprisingly, upon opening, the file requests permission to run a macro. Also, the file is displayed as an empty page.
An empty file with disabled macros
We allowed the execution of the macro. This resulted in an error message about a missing resource. A quick check on the Ubuntu machine showed that a DNS request for Pastebin.com had been made. The missing resource was likely meant to be downloaded from the Internet.
Windows machine tries to access pastebin.com
A resource is missing in the macro execution
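The network observation above (the isolated gateway seeing a DNS request for Pastebin.com) is the kind of signal worth automating. The following is an added example, not code from the original post: a Python parser for the question section of raw DNS query packets, with a watchlist check. Because the sandbox's DNS server address is unreachable, no answer ever comes back, but the query itself still crosses the gateway and carries the name in clear. The sample packets are constructed inline; the watchlist entry is the domain the post names.

```python
import struct


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard A-record query in RFC 1035 wire format. Used here only
    to construct sample packets; in the post the real ones were seen on the
    Ubuntu gateway."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_dns_question(packet: bytes) -> str:
    """Return the name in the first question of a DNS query packet.
    Raises ValueError on anything malformed, truncated, or not a query."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("unexpected compression pointer")
        end = pos + 1 + length
        if end > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos + 1:end].decode("ascii"))
        pos = end
    return ".".join(labels).lower()


def domain_matches(name: str, watchlist) -> bool:
    """True if name is one of the watched domains or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in watchlist)


# Domain the analysis found worth watching; the post names Pastebin.com.
WATCHLIST = {"pastebin.com"}


def triage_queries(packets, watchlist=WATCHLIST) -> list:
    """Return the watched names queried, in order; unparsable packets are skipped."""
    hits = []
    for pkt in packets:
        try:
            name = parse_dns_question(pkt)
        except ValueError:
            continue
        if domain_matches(name, watchlist):
            hits.append(name)
    return hits


# Constructed sample traffic: what the gateway would see from the sandboxed VM.
# example.com stands in for benign background queries; the last entry is a
# deliberately truncated packet to exercise the error handling.
SAMPLE_PACKETS = [
    build_dns_query("example.com"),
    build_dns_query("pastebin.com"),
    build_dns_query("www.pastebin.com"),
    build_dns_query("pastebin.com")[:16],
]

if __name__ == "__main__":
    for name in triage_queries(SAMPLE_PACKETS):
        print("watched domain queried:", name)
```

On the gateway, `tcpdump -i <iface> udp port 53 -w dns.pcap` captures the queries; the UDP payload of each packet is what parse_dns_question expects. Matching on the suffix rather than the exact name catches subdomains, while a name such as notpastebin.com is correctly ignored.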
When we tried to switch to developer view, we encountered an obstacle: the VBA project was password protected.
The VBA project is password protected
We saved the file with Word as a legacy doc file. This operation keeps the VBA macros and allows the password protecting them to be reset:
The file has been converted to a proper doc format
A new password can be set
From this point, we reopened the file and were able to access the macros.
As we expected, we found obfuscated code; however, some parts of it were immediately understandable, especially the creation of the HTTP request to Pastebin.com. The macro downloads a script and writes it to a VBScript file in a temporary folder before executing it.
The URL is reversed and split across different variables
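The obfuscation just described (a URL reversed and split across several variables) is simple enough to undo mechanically. The following is an added example, not code from the original post: a small Python evaluator for the string-building subset of VBA (literals, variables, `&`/`+` concatenation, `StrReverse`, `Chr`) that resolves every assignment it can and reports any URL that falls out. The macro text is a constructed sample in the style the post describes; the Pastebin path "EXAMPLE_ID" is a placeholder, not a real paste.

```python
import re

# Constructed sample in the style the post describes: the URL is reversed,
# split across several variables, then rebuilt with & and StrReverse.
# "EXAMPLE_ID" is a placeholder path, not a real paste.
SAMPLE_MACRO = '''
Dim zq1 As String, zq2 As String, zq3 As String
zq1 = "DI_ELPMAXE/war/"
zq2 = "moc.nibet"
zq3 = "sap//:ptth"
Dim url As String
url = StrReverse(zq1 & zq2 & zq3)  ' url is then handed to the HTTP request
'''

TOKEN_RE = re.compile(r'"((?:[^"]|"")*)"|(\w+)|([&+(),])')
ASSIGN_RE = re.compile(r'^\s*(?:Let\s+)?([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')


def strip_comment(line: str) -> str:
    """Drop a trailing VBA comment, ignoring apostrophes inside string literals."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line


def tokenize(expr: str) -> list:
    """Split an expression into string literals, identifiers and operators."""
    tokens = []
    for m in TOKEN_RE.finditer(expr):
        if m.group(1) is not None:
            tokens.append(("str", m.group(1).replace('""', '"')))
        elif m.group(2):
            tokens.append(("id", m.group(2)))
        else:
            tokens.append((m.group(3), m.group(3)))
    return tokens


class Evaluator:
    """Recursive-descent evaluator for pure string expressions."""

    def __init__(self, env: dict):
        self.env, self.toks, self.i = env, [], 0

    def eval(self, expr: str) -> str:
        self.toks, self.i = tokenize(expr), 0
        value = self.concat()
        if self.i != len(self.toks):
            raise ValueError("trailing tokens: not a pure string expression")
        return value

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None):
        tok = self.peek()
        if kind is not None and tok[0] != kind:
            raise ValueError(f"expected {kind}, got {tok}")
        self.i += 1
        return tok

    def concat(self) -> str:
        value = self.atom()
        while self.peek()[0] in ("&", "+"):  # VBA concatenates with either
            self.take()
            value += self.atom()
        return value

    def atom(self) -> str:
        kind, text = self.take()
        if kind == "str":
            return text
        if kind == "(":
            value = self.concat()
            self.take(")")
            return value
        if kind == "id":
            if self.peek()[0] == "(":  # function call
                self.take("(")
                name = text.lower()
                if name == "strreverse":
                    value = self.concat()[::-1]
                elif name == "chr":
                    value = chr(int(self.take("id")[1]))
                else:
                    raise ValueError(f"unsupported function {text}")
                self.take(")")
                return value
            if text.lower() in self.env:
                return self.env[text.lower()]
            raise ValueError(f"unknown variable {text}")
        raise ValueError(f"unexpected token {kind}")


def resolve_strings(vba_source: str) -> dict:
    """Evaluate every assignment whose right-hand side is a pure string
    expression; anything else is left unresolved. Names are case-insensitive."""
    env = {}
    ev = Evaluator(env)
    for raw in vba_source.splitlines():
        m = ASSIGN_RE.match(strip_comment(raw))
        if not m:
            continue
        try:
            env[m.group(1).lower()] = ev.eval(m.group(2))
        except ValueError:
            pass
    return env


URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def recovered_urls(env: dict) -> list:
    """URLs found in any resolved string variable, de-duplicated and sorted."""
    return sorted({u for v in env.values() for u in URL_RE.findall(v)})


if __name__ == "__main__":
    print(recovered_urls(resolve_strings(SAMPLE_MACRO)))
```

Feed it the macro source exported from the VBA editor (or from an oletools dump) and it prints the rebuilt URL without ever executing the macro. Assignments it cannot reduce to a string, such as calls to unknown functions, are simply skipped rather than guessed.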
Sadly, this is where it ends. We found two different links to Pastebin.com, but both of them had been deleted when we tried to access them.
This attack uses different ways to find its way to the target machine:
This is a typical attack method that was very popular in the 90’s. It is cheap to put in place, but also cheap to fight.
As in most cyber-security related cases, training people is essential. If the people in your organization are taught how to identify a suspicious message, they will be able to report it to the IT department.
Ensure that all machines and MS Office software are up to date with all latest patches.
I assume you already scan all email attachments arriving at your servers automatically with an antivirus.
You should also ensure that no one in the organization has changed the default behavior of MS Office products regarding macros:
With MS Office 2013 on Windows 7 and newer, the Administrative Templates provided by Microsoft allow the following options to be set:
Another solution would be to implement a signature strategy for macros inside your organization and to set the setting “VBA Macro Notification Settings” to “Disable all except digitally signed macros”. In this situation, users will not be warned when a macro from a trusted source is executed, but only when a macro from outside the environment is encountered. Running an unsigned macro then becomes an unusual event for users, raising their awareness level.
Other code execution settings (such as ActiveX) can be configured through GPO.
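One way to verify the macro settings discussed above across a fleet, as an added example that is not part of the original post: a Python audit of a registry export. The assumptions, which come from Office 2013 documentation rather than from the post, are the key paths (HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\<App>\Security for the GPO value, HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\<App>\Security for the user's Trust Center choice) and the VBAWarnings values 1 to 4, where 3 is “Disable all except digitally signed macros”. HKLM policy keys are deliberately left out to keep the precedence simple. The .reg text is a constructed sample.

```python
import re

# Constructed sample of what `reg export` produces (real exports are UTF-16 with
# a BOM; open them with encoding="utf-16"). Word has the policy value set, Excel
# has a user-level setting that enables all macros, PowerPoint has nothing set.
# Paths are the Office 2013 (15.0) ones; they are assumptions, not from the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Word\Security]
"VBAWarnings"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security]
"VBAWarnings"=dword:00000001
"AccessVBOM"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\Security]
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Meaning of the VBAWarnings DWORD as documented for Office (assumption: not
# stated on the page). 3 corresponds to "Disable all except digitally signed".
VBA_WARNINGS = {
    1: "Enable all macros",
    2: "Disable all macros with notification",
    3: "Disable all macros except digitally signed macros",
    4: "Disable all macros without notification",
}
DEFAULT_VBA_WARNINGS = 2   # Trust Center default when nothing is configured
MIN_ACCEPTABLE = 3         # 3 or 4 satisfy the policy the post recommends

OFFICE_VERSION = "15.0"
APPS = ("Word", "Excel", "PowerPoint")
POLICY_ROOT = ("HKEY_CURRENT_USER", "Software", "Policies", "Microsoft", "Office")
USER_ROOT = ("HKEY_CURRENT_USER", "Software", "Microsoft", "Office")


def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {key_path_lower: {value_name_lower: int}}.
    Only DWORD values are kept; that is all this audit needs."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = int(m.group(2), 16)
    return keys


def security_key(root: tuple, app: str, version: str = OFFICE_VERSION) -> str:
    return "\\".join(root + (version, app, "Security")).lower()


def effective_vba_warnings(keys: dict, app: str) -> tuple:
    """Policy wins over the user setting; absence means the Office default."""
    for root, source in ((POLICY_ROOT, "policy"), (USER_ROOT, "user")):
        value = keys.get(security_key(root, app), {}).get("vbawarnings")
        if value is not None:
            return value, source
    return DEFAULT_VBA_WARNINGS, "default"


def audit_macro_settings(reg_text: str) -> dict:
    """Per-application report of the effective VBAWarnings value and whether it
    is at least as strict as 'Disable all except digitally signed macros'."""
    keys = parse_reg_export(reg_text)
    report = {}
    for app in APPS:
        value, source = effective_vba_warnings(keys, app)
        report[app] = {
            "value": value,
            "meaning": VBA_WARNINGS.get(value, "unknown value"),
            "source": source,
            "compliant": value >= MIN_ACCEPTABLE,
        }
    return report


if __name__ == "__main__":
    for app, row in audit_macro_settings(SAMPLE_REG).items():
        flag = "OK " if row["compliant"] else "BAD"
        print(f"{flag} {app:<10} {row['value']} ({row['meaning']}, from {row['source']})")
```

Run `reg export HKCU\Software\Microsoft\Office\15.0 user.reg` and the equivalent for the Policies branch on a workstation, concatenate the two files, and pass the text to audit_macro_settings. The "source" field shows whether a compliant value comes from GPO or merely from a user's own Trust Center choice, which a user can revert.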
If Pastebin.com is not used by your organization, you can consider blocking access to this site from your networks.
Maybe we should consider getting back to the 90’s for real and get rid of emails to use a fax instead (and I would go back to playing Pokemon on my huge black-and-white Gameboy©).
At the time I am writing this article, according to VirusTotal, 18 of the 57 tested antivirus engines detect this particular file as dangerous. It is mostly detected under the generic class W97M.Downloader.
Alright! This attack method is nothing new. It is like a 90’s pop star coming back. Sadly it seems that it can still be very effective.
To actually be evil, these files need:
Training people is, once again, the key element of the defense strategy against this attack.
There are a few things we do not know:
Also, our analysis was limited because we did not have access to the proxy logs of our client. Some useful information regarding a possible infection might be found there.