Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Another Maldoc? I'm Afraid So... - Internet Security | DShield SANS ISC InfoSec Forums


Another Maldoc? I'm Afraid So...

Guess what? Yep, there's yet another type of malicious document going around. Like last time, it's a MIME file with an MSO file containing an OLE file.

The sample (schro_193B11.xls 7F8C5E8B7157B04FA8E9CEEF13C28AB9) is an Excel spreadsheet saved as a MIME file:

But this time, the compressed data is at another position inside the MSO file:

So I updated my oledump tool (V0.0.16) to search for compressed data inside MSO files (instead of looking at a fixed position 50).
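As an added illustration of the "search instead of fixed offset" idea (this is example code written for this page, not oledump or plugin_dridex), the script below builds a constructed MIME file carrying a constructed MSO blob whose zlib stream sits at a non-standard offset, pulls the MSO part out of the MIME wrapper, and then locates the compressed OLE file by scanning for zlib stream headers and checking that the decompressed data starts with the OLE magic. The ActiveMime header layout and the `application/x-mso` part type in the sample are assumptions for the constructed data; the zlib header check and the OLE magic are standard.

```python
import base64
import email
import zlib

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # first 8 bytes of a compound (OLE) file
ACTIVEMIME_MAGIC = b"ActiveMime"                  # MSO files start with this string
FIXED_OFFSET = 50                                 # where the zlib stream usually starts


def is_zlib_header(b0, b1):
    """RFC 1950 check: deflate method, window size <= 32K, FCHECK makes CMF*256+FLG % 31 == 0."""
    return (b0 & 0x0F) == 8 and (b0 >> 4) <= 7 and ((b0 << 8) | b1) % 31 == 0


def inflate(buf):
    """Decompress a zlib stream that may be followed by trailing bytes; None if not a valid stream."""
    try:
        return zlib.decompressobj().decompress(buf)
    except zlib.error:
        return None


def extract_at_fixed_offset(mso, offset=FIXED_OFFSET):
    """The old approach: assume the zlib stream starts at a fixed offset."""
    data = inflate(mso[offset:])
    return data if data and data.startswith(OLE_MAGIC) else None


def find_compressed_ole(mso):
    """Scan for zlib headers; return (offset, decompressed OLE bytes) for the first stream
    that yields an OLE file, else None. The OLE magic check filters out chance header matches."""
    for off in range(len(mso) - 1):
        if not is_zlib_header(mso[off], mso[off + 1]):
            continue
        data = inflate(mso[off:])
        if data and data.startswith(OLE_MAGIC):
            return off, data
    return None


def extract_mso_from_mime(raw):
    """Return the decoded body of the first application/x-mso part of a MIME file, else None."""
    msg = email.message_from_bytes(raw)
    for part in msg.walk():
        if part.get_content_type() == "application/x-mso":
            return part.get_payload(decode=True)
    return None


# --- constructed sample data (not a real malicious document) ---------------------------

def build_sample_mso(stream_offset):
    """Constructed MSO-like blob: magic, zero padding, then a zlib-compressed fake OLE file
    placed at stream_offset. The header fields are placeholders, not the real ActiveMime layout."""
    fake_ole = OLE_MAGIC + b"\x00" * 504 + b"constructed stream data" * 8
    compressed = zlib.compress(fake_ole)
    header = ACTIVEMIME_MAGIC + b"\x00" * (stream_offset - len(ACTIVEMIME_MAGIC))
    return header + compressed


def build_sample_mime(mso):
    """Constructed MIME/MHTML wrapper with an HTML part and a base64-encoded MSO part."""
    b64 = base64.encodebytes(mso).decode()
    return (
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/related; boundary="----=_SampleBoundary"\n\n'
        "------=_SampleBoundary\n"
        "Content-Type: text/html\n\n<html></html>\n"
        "------=_SampleBoundary\n"
        "Content-Type: application/x-mso\n"
        "Content-Transfer-Encoding: base64\n\n"
        + b64 +
        "------=_SampleBoundary--\n"
    ).encode()


if __name__ == "__main__":
    mime = build_sample_mime(build_sample_mso(64))   # stream at 64, not at the usual 50
    mso = extract_mso_from_mime(mime)
    print("fixed offset 50 found OLE:", extract_at_fixed_offset(mso) is not None)
    found = find_compressed_ole(mso)
    print("scan found OLE at offset:", found[0] if found else None)
```

The fixed-offset extraction fails on the sample because offset 50 lands in padding, while the scan recovers the OLE file at offset 64; on a sample built with the stream at 50 both methods agree.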

The string encoding used in the VBA code is interesting. It is reminiscent of RC4:

I also updated my plugin plugin_dridex with this encoding:

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

383 Posts
ISC Handler
So this is just one more attempt to fetch malware per download by a .VBS extracted from an MS office document.

Guess what: SAFER alias software restriction policies blocks both the execution of the .VBS and the downloaded malware!
Anonymous
Guess what: SRP and AppLocker are trivial to bypass, because Microsoft designed it like this.

"SANDBOX_INERT: If this value is used, the system does not check AppLocker rules or apply Software Restriction Policies."

I reported this 4 years ago:
blog.didierstevens.com/2011/01/25/circumventing-srp-and-applocker-to-create-a-new-process-by-design/

As a result of my blog posts, Microsoft designed a hotfix to disable this bypass.
support.microsoft.com/en-us/kb/…

This hotfix is not installed by default.
DidierStevens

383 Posts
ISC Handler
Guess what: I expect every non-idiot using SRP or AppLocker to be aware of this optional update and install it.
Anonymous
