In the previous post (Dissecting VBA Macros – 1 of 2) we talked about how we can use publicly available tools to perform static analysis on VBA macros, which was concluded by discovering the native binaries that were written to disk and executed. This blog post will look at using dynamic analysis techniques to study the behavior of the dropped binaries. In this instance, we have used a customized instance of Cuckoo Sandbox (https://cuckoosandbox.org/).
Upon execution of the dropped binary (k.exe), it launches itself using the CREATE_SUSPENDED option in order to use process hollowing to inject code into itself in memory:
It then allocates memory inside that process with PAGE_EXECUTE_READWRITE permission:
A full executable is then written directly into the memory space of the suspended process using NtWriteVirtualMemory():
The main thread is then resumed to allow execution of the overwritten code and thus the process hollowing step is complete.
Once the injected code executes, the binary creates a directory in %LOCALAPPDATA%. The original binary is then copied to this location using a different name and a shortcut file is created in the Startup folder to achieve persistence. The newly copied version of the malware is then executed.
The newly renamed version then repeats the same process hollowing technique to inject code into a copy of itself as before:
This time the behavior differs and we see it begin to gather information about the target system, including the computer name and a list of active processes on the system:
It then encrypts the collected information and exports the encryption key that was used to do so:
It then attempts to connect to a publicly routable IP address using HTTP in order to send the encrypted data back encoded in the HTTP headers as a cookie:
If the initial beacon failed, it will repeat the process enumeration functionality again, using CreateToolhelp32Snapshot, and then encrypt the list of active processes it retrieves. It then attempts to connect to a different IP address:
The malware will keep attempting to connect to a different C2 server when the previous beacon fails. It does this by repeating the CreateToolhelp32Snapshot function and trying a different C2 remote address until all servers have been exhausted. In this particular instance, the following C2 server addresses could be retrieved from the dynamic analysis by forcing the HTTP communications to fail:
Phishing attacks are on the rise and are generally the easiest and preferred method to deliver malicious files to victims. It is also proven that attackers can easily bypass AV with this type of techniques to lure the end-user to open and execute malicious documents. Once the stager is executed in this example, it will download second stage payloads which then set up a connection to a command and control server, allowing the attacker a foothold on the network the machine is connected to.
For those investigating phishing attacks against organizations, static analysis is one technique that can be used to understand the operation of payloads that are delivered. Analyzing OLE containers is one such method that is useful when dealing with office documents containing malicious macros and the first part of this blog post showed some of the basics using publicly available analysis tools.
Additionally, in this post, we then showed the use of dynamic analysis to analyze the malicious binary dropped by the macro payload with the Cuckoo Sandbox malware analysis system.