When my friend first told me that he was phished with a Word document, two infection methods came to mind: either it was a macro enabled in the document, or it was the recent MS14-064 vulnerability for Office. So let’s take a look! Here is what the offending document looks like when opened:
Macros are the winner! What do they do? In Word go to View > Macros > View Macro.
Looks simple enough. Let’s step through it.
The macro obfuscates the URLDownloadToFileA method from Visual Basic naming it MKw5X. On opening, it creates two variables: bu4Cd (the $ indicates that the variable is a string) and I46hDj, one is the URL for the executable to download and the other is the location to save it. AVG tells us that this URL has potential malware. It then calls the obfuscated URLDownloadToFileA with the URL and file path variables and saves it. We can see that the file is going to be saved as putty.exe, a common, benign program. Finally it uses the CreateObject to create a WshShell object which allows it to run the file it originally downloaded! Not bad. In the next part of this series we will take a look at the executable file and see what information we can get from it. Before that, let’s take a look at a couple of ways to mitigate the issue with what we know so far.
Macros, though very dangerous, can be very useful. Depending on a user’s need, it is possible to disable them completely, disable them until enabled by the user, or allow them to run automatically (which we can see is not a good idea). Macros are disabled by default, but in the case that they are not, here are a couple of steps you can take to mitigate the risk.
In Group Policy, you can disable all macros completely by enabling the Group Policy setting name: “Disable VBA for Office Applications”. This will disable it across all of Office, so if they are needed in just Excel, you would not be able to use this. At the very least, the “VBA Macro Notification Settings” Group Policy setting should be set to “Disable all with notification” as this will alert the user that there is a macro and it will not run unless they enable it. This is where user training will go a long way in protecting an organization.
For individual use in each of the Office products under Option > Trust Center > Macro Settings you can set it to disable all macros with notification.
We could also block this specific domain, although that would only prevent this individual case and can be avoided, but it’s a start!
A note about phishing emails: Phishing emails rarely look like spam anymore and often have a good pretext. In this case, the email came as a response to a job posting. If the user doesn’t know about macro’s and enables them the attacker is in. The combination of user training and secure settings are key to reducing the risk of this type of attack.
In the next segment of this series, we will take the malware that the macro downloaded and do some basic static analysis. Stay tuned!