Welcome to the VMRay Malware Analysis Report Recap. Every month our Research Team provides a recap of the malware analysis reports posted to the VMRay Twitter account . This past October, our team analyzed a Word document using a sandbox evasion technique , the execution of shellcode via Dynamic Data Exchange, and NotPetya reborn as BadRabbit. Click the links below to jump to a specific report.
Date Released:
September 25, 2017
SHA256:
2f031c6eb15cf2ca7855375d8bffe4d7a3b9b7ba95dc7d23e80f29b3d424a8ca
We’ve seen a number of social engineering techniques used to trick end-users into enabling macros in Office Documents. This analysis uses the same tactic, tricking an end-user to enable macros in order to view the content (Figure 1).
Figure 1: Social engineering technique used to enable macros in Word Doc.
If macros are enabled a malicious executable is downloaded and executed (Figure 2).
Figure 2: Malicious executable downloaded and executed
In Figure 3, this sample attempts a sandbox evasion technique by detecting four different sandboxes.
Figure 3: Detecting four different sandboxes
Date Released:
October 4, 2017
SHA256:
9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d
Our analysis of a Self-Extracting Executable (SFX) hides commands in between French description of ‘Game of Thrones’ (most likely copied from Wikipedia, see Figure 3). Files are extracted to the temp. folder and starts an AutoIt interpreter called “cih.exe” containing an Autoit script “cvn-nhc”.
Without the Game of Thrones text, the SFX script boils down (Figure 4):
Figure 4: SFX Script
The AutoIt Script is obfuscated (Figure 5), injects processes and uses NirSoft software to extract passwords and browsing history from Internet Explorer (Figure 6).
Figure 5: Obfuscated AutoIt Script
Figure 6: Attempting to extract passwords and browsing history.
Date Released:
October 11, 2017
SHA256:
d5c27308f50a9c6d8ccd01269ca09a7a13e1615945b8047c4e55c610718e317e
First reported by Sensepost , a new attack method was discovered to execute shell code via Dynamic Data Exchange (DDE) without using macros. In this analysis, we see Microsoft Word prompting the user to allow execution of the DDE command (Figure 7).
Figure 7: User prompt allowing execution of DDE Command
Once the user clicks “Yes”, the DDE Command executes cmd and then proceeds to execute Powershell. The sample then uses Powershell to run a malicious DLL (Figure 8).
Figure 8: Using Powershell to run a malicious DLL
For more detail on this DDE technique, read our full analysis blog post.
Date Released:
October 24, 2017
SHA256:
7a641c8fa1b7a428bfb66d235064407ab56d119411fbaca6268c8e69696e6729
First reported by Twitter user @Jameswt_mht . Prior to this Word Document being opened, Microsoft Word prompts the user to update a set of linked files (Figure 9). This occurs because the RTF document was modified in a way that updates a specific object (Figure 10).
Figure 9: Prompt to update links
Figure 10: Original update in a normal text editor
If the user allows the update of the RTF-Document in Word, Word then attempts to download a “picture”. This can be seen in the text-view with the command “INCLUDEPICTURE”. This “picture” raises suspicion because the link points only to a PHP-page. In the Network Behavior of the VMRay Analyzer report , we can the “picture” is really the payload retrieving malicious SOAP WSDL definition from an attacker-controlled server. This also starts the HTA Script File also from the attacker-controlled server.
Figure 11: HTTP Response #1
Figure 12: HTTP Response #2
The HTA Script starts then starts a series of PowerShell scripts. At this point, the attacker is in full control of the target machine.
Date Released:
October 25, 2017
SHA256:
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
NotPetya ransomware resurfaced at the end of October as BadRabbit. Essentially, this campaign is the equivalent of malware authors putting a new label on an old product.
In this analysis the malware appears as an Adobe Flash update, in reality, it is a dropper containing some payloads. In the first step, the Adobe Flash update executes the dropped “infpub.dat” which is the main controller of the ransomware (Figure 13).
Figure 13: Adobe Flash update executing the dropped “infpub.dat”
The process “infpub.dat” schedules a reboot with an execution of “dispci.exe” on startup. “dispci.exe” is responsible for the modification of the master boot record.
Looking further into the analysis, the DiskCryptor is a resource of BadRabbit, which was dropped as “cscc.dat” on the target machine to encrypt the files (Figure 14).
Figure 14: “cscc.dat” dropped on target machines to encrypt files
The Network Behavior section of the report shows the similarities with NotPetya. Both NotPetya and BadRabbit search in the local network for other parties to execute itself with an SMB tool on other machines (Figure 15).
Figure 15: BadRabbit searching in the local network
After encrypting files and spreading over the local network, the scheduled reboot takes effect as verified in the VTI Score (Figure 16).
Figure 16: Scheduled reboot taking effect after files are encrypted
The first reboot does not show the “Bad Rabbit” boot message because the scheduled “dispci.exe” starts to overwrite the master boot record. Then a second reboot is needed to show the “BadRabbit” boot message.
In summary, there wasn’t anything particularly new about BadRabbit. The malware authors pieced together parts from NotPetya, an open-source Diskcryptor, and some additional freeware to create a glued together piece of malware.