Detecting Ursnif Infected Word Documents through metadata.

Good Afternoon,

I have recently been working on methods to detect an information stealer/trojan known as Ursnif. The difficulty in detection lies in the use of encrypted Word documents. These documents use an additional encryption pack that ships by default with Office 2007 SP2 or higher, known as the “High Encryption Pack”. It encrypts the documents with something other than RC6, so simple, automated decryption is more difficult. It is also extremely fast, and brute forcing each variant is not practical because the password changes with every email.

The threat actors opted for AES256 encryption and SHA512 hashing to make document modifications harder to accomplish without being detected. These are effectively some of the highest encryption and hashing settings available in Microsoft Word. Finally, they purposely implant fake, random document summary and summary information into the document to make it appear more legitimate even though it is malicious. I will go over how I used all of these clues to detect and block waves of this campaign, along with an example Yara rule you can implement that targets the specific characteristics of these documents. It should be noted that while the Yara rule is as targeted as possible, there is still the potential for false positives in the rare case that an end user’s document matches the same exact settings. As such, the rule should be implemented with caution and with approval from your upper management.

This first screenshot shows how the start of the file looks, with the magic bytes highlighted. That is the first check the Yara rule performs, and it is very useful for reducing the total number of false positives.

This second screenshot shows the next set of highlighted fields that the Yara rule searches for in order to determine whether the document is encrypted. The fields selected here also help target the documents further.

This third screenshot shows additional highlighted fields that the Yara rule searches for. Together with the previous screenshot it shows that the Yara rule’s focus is first on whether the document is encrypted and second on verifying that the settings preferred by the Ursnif campaign are matched.

This final screenshot shows the varying file sizes, which demonstrates why the final check is based on file size. It is set to less than 200KB in order to reduce the total number of potential false positives. It should also lower the number of documents needing further scanning, making this rule slightly more efficient.
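The four checks described above (magic bytes, the encryption fields, the AES256/SHA512 settings and the size cutoff), re-implemented as an added Python triage script. This is not the author’s Yara rule; it assumes the agile-encryption attribute names from the MS-OFFCRYPTO specification are what the highlighted fields contain, and the sample bytes are constructed, not a real document.

```python
import re

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # compound-file header signature
MAX_SIZE = 200 * 1024                              # the post's "< 200KB" cutoff

# Agile-encryption XML attributes (MS-OFFCRYPTO); assumed to be what the rule keys on.
AES256 = (rb'cipherAlgorithm="AES"', rb'keyBits="256"')
SHA512 = rb'hashAlgorithm="SHA512"'


def check_encrypted_doc(data: bytes) -> dict:
    """Return each check's result plus an overall verdict for a file's raw bytes."""
    checks = {
        "ole_magic": data.startswith(OLE_MAGIC),
        # OLE directory entries store stream names as UTF-16LE. The EncryptionInfo
        # stream sits in the file unencrypted even though the document body is not.
        "encryption_info_stream": "EncryptionInfo".encode("utf-16-le") in data,
        # Patterns are searched independently, so attribute order does not matter.
        # A stream fragmented across mini-sectors inside one attribute would be missed.
        "aes256": all(re.search(p, data) for p in AES256),
        "sha512": re.search(SHA512, data) is not None,
        "under_200kb": len(data) < MAX_SIZE,
    }
    checks["match"] = all(checks.values())
    return checks


def build_sample(encrypted: bool, magic: bytes = OLE_MAGIC) -> bytes:
    """Constructed stand-in for a file: not a valid OLE container, only the byte
    patterns the checks look at, so the example runs offline."""
    body = bytearray(magic) + b"\x00" * 504
    if encrypted:
        body += "EncryptionInfo".encode("utf-16-le")
        body += (b'<keyData saltSize="16" blockSize="16" keyBits="256" hashSize="64" '
                 b'cipherAlgorithm="AES" cipherChaining="ChainingModeCBC" '
                 b'hashAlgorithm="SHA512" saltValue="CONSTRUCTED"/>')
    else:
        body += "WordDocument".encode("utf-16-le")
    return bytes(body)


if __name__ == "__main__":
    for label, blob in [("encrypted AES256/SHA512", build_sample(True)),
                        ("plain OLE document", build_sample(False)),
                        ("zip-based docx", build_sample(True, magic=b"PK\x03\x04"))]:
        print(f"{label:24s} -> {check_encrypted_doc(blob)['match']}")
```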

Analysis of my Thought Process:
When the documents were analyzed in their still-encrypted state, there was not much data to key off of to flag them as potentially malicious. As such, when analyzing the files I had to key off of the few things I could, which when combined were enough to build a valid and effective signature. For every variant I have had a chance to run this rule against, it has detected the sample without issues 100% of the time. Unless the threat actors change their techniques, which is unlikely since that is the least likely thing to change in campaigns, this rule should continue to work without fail. Again, the only downside of analyzing the encrypted rather than the decrypted documents is the potential for false positives.

Final Thoughts:
If your environment is able to proactively detect the passwords in the emails and decrypt the files, there is far more metadata that can be keyed off of, and that data would be much more accurate for detection with an even lower possibility of false positives. As such, I would recommend analyzing the decrypted version of the documents whenever possible.

Link to Yara Rule:
https://pastebin.com/W2umDWNF

New PowerPoint Mouseover Based Downloader – Analysis Results

First,

I would like to thank “Marry Trame” at peerlyst.com for posting about this new method that was discovered for a malware downloader. A link to the original post can be found at the bottom of this analysis. I would like to note that I edited the domain in the PowerPoint to my own so it would not actually reach the C&C server for the malicious .jse file.

Analysis Summary:
This PowerPoint document was interesting to analyze. First of all, it did not rely on macros, JavaScript or VBA for its execution method, which means it does not conform to the usual exploitation methods. When the user opens the document they are presented with the text “Loading…Please wait”, displayed as a blue hyperlink. When the user mouses over the text (which is the most common way users check a hyperlink), PowerPoint executes PowerShell. This is accomplished by an element definition for a hover action, which is set up to execute a program in PowerPoint once the user mouses over the text. In the resources definition of slide1, “rID2” is defined as a hyperlink whose target is a PowerShell command. Due to its length, it can be seen in the step-by-step screenshot explanations below.

When that PowerShell is executed it reaches out to the domain “cccn.nl” for a c.php file and downloads it to disk as a file named “ii.jse” in the temp folder. That file is executed by wscript.exe and drops a file named “168.gop”; the JavaScript then executes certutil.exe with the -decode parameter, supplying 168.gop as the file to decode, and saves the result in the temp folder as “484.exe”. Then “484.exe” is executed and spawns mstsc.exe to allow RDP access to the system. After this, 484.exe was observed being renamed and saved to AppData\Roaming\Microsoft\Internet Explorer\sectcms.exe by mstsc.exe and then re-executed from the new location. A .bat file was observed being written to disk and then executed in cmd.exe. The purpose of this bat file appears to have been to change the attributes of the sectcms.exe program to hidden, system file and read only. It also deletes any files with the following extensions in the temp folder: .txt/.exe/.gop/.log/.jse. I sandboxed the payload for 8 hours but no threat actors connected to the system, so I was unable to see what other purpose the backdoor might have had if the threat actors had taken a specific interest in the system.

Screenshots of Analysis:
Screenshot of Slideshow user is presented after opening PowerPoint:

Warning Message Displayed When User Mouses Over the “Loading…Please wait” text:

If the user enables the content, they are presented with the following PowerShell prompt, which quickly hides itself:

Here is a modified callout I did just to test whether the PowerShell was proxy aware – I did this by editing the XML in the PowerPoint slide:

This is the Slide1 element definition for the “rID2” element – it is easy to see that a PowerShell command is set as the target for the hyperlink:

This is the Slide1 XML for the slide itself. The red highlighted section shows how the hover action is defined in Slide1:
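An added detection script, not code from the original post, that looks inside a .ppsx/.pptx package for the structure shown in the two XML screenshots: a hover action on a text run that resolves, via the slide’s relationships part, to a target that is a command line rather than a URL. It generalizes slightly by also covering click actions, which use the same mechanism. Element and namespace names follow the OOXML schema; the embedded package is constructed and the command target is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
P_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"
URL_SCHEMES = ("http://", "https://", "mailto:", "file:")


def scan_presentation(package: bytes) -> list:
    """Return (slide, element, rel_id, target) for every hover/click hyperlink that either
    runs a program (ppaction://program) or whose external target is not a URL."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        names = set(z.namelist())
        for slide in sorted(n for n in names if n.startswith("ppt/slides/slide") and n.endswith(".xml")):
            # Relationship ids (the post's "rID2") resolve to targets in the slide's .rels part.
            rels = slide.replace("ppt/slides/", "ppt/slides/_rels/") + ".rels"
            targets = {}
            if rels in names:
                for rel in ET.fromstring(z.read(rels)).iter(f"{{{PKG_NS}}}Relationship"):
                    targets[rel.get("Id")] = rel.get("Target", "")
            root = ET.fromstring(z.read(slide))
            for tag in ("hlinkMouseOver", "hlinkClick"):  # click-to-run uses the same mechanism
                for hl in root.iter(f"{{{A_NS}}}{tag}"):
                    rid = hl.get(f"{{{R_NS}}}id")
                    target = targets.get(rid, "")
                    runs_program = hl.get("action", "").startswith("ppaction://program")
                    not_a_url = bool(target) and not target.lower().startswith(URL_SCHEMES)
                    if runs_program or not_a_url:
                        findings.append((slide, tag, rid, target))
    return findings


def build_sample_ppsx(target: str = "powershell [COMMAND PLACEHOLDER]",
                      action: str = "ppaction://program") -> bytes:
    """Constructed minimal package mirroring the post's slide1: a hover action on the
    'Loading...Please wait' run, with rID2 pointing at the target. Defaults reproduce the
    malicious shape; pass a URL and action='' for a benign hover hyperlink."""
    action_attr = f' action="{action}"' if action else ""
    slide = (f'<p:sld xmlns:p="{P_NS}" xmlns:a="{A_NS}" xmlns:r="{R_NS}"><p:cSld><p:spTree>'
             f'<p:sp><p:txBody><a:p><a:r><a:rPr><a:hlinkMouseOver r:id="rID2"{action_attr}/></a:rPr>'
             f'<a:t>Loading...Please wait</a:t></a:r></a:p></p:txBody></p:sp></p:spTree></p:cSld></p:sld>')
    rels = (f'<Relationships xmlns="{PKG_NS}"><Relationship Id="rID2" Type="{R_NS}/hyperlink" '
            f'Target="{target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", slide)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()
```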

——————————————————————————————-

Sysmon Screenshots:

Sysmon Logging of PowerPoint initially opening:

Sysmon logged the execution of the PowerShell command as well, in its decoded form:

Sysmon Logged the initial Process Creation of the Malicious Payload:

Followed By the Process Creation of the mstsc.exe process which is used for RDP access to an exploited system:

Then the Original Payload process is logged as being Terminated:

Sysmon then logged the file creation of a copy of the original payload. It was named sectcms.exe and hidden under the App Data folder:

Sysmon then captured the re-execution of the newly moved payload:

Sysmon then Logged a bat file being created in the Temp Folder:

Sysmon then logged the execution of the .bat file through cmd.exe. The parent process of the execution was mstsc.exe:

One of the functions of the .bat file was to add the hidden, system and read-only flags to the payload under AppData:

Sysmon then logged the process creation of a second instance of the sectcms.exe payload:

Finally, Sysmon then logged the termination of one of the two instances of the payload which is named sectcms.exe:

Indicators of Compromise:
File: order.ppsx
MD5: 823c408af2d2b19088935a07c03b4222
SHA1: df99061e8ad75929af5ac1a11b29f4122a84edaf
SHA256: f05af917f6cbd7294bd312a6aad70d071426ce5c24cf21e6898341d9f85013c0
SHA512: 2cc9e87e0d46fdd705ed429abb837015757744783bf1e904f9f22d56288b9554a1bc450142e2b1644a4912c12a522391b354d97956e4cb94890744266249b7f9

File: C:\Users\Current User\AppData\Local\Temp\168.gop
MD5: 9B5AC6C4FD5355700407962F7F51666C
SHA: 9FDB4CD70BBFB058D450AC9A6985BF3C71840906
SHA-256: E97B266D0B5AF843E49579C65838CEC113562A053B5F87A69E8135A0A82564E5
SHA-512: AB85132D845437A7900E03C2F3FA773433815A4893E16F7716A5F800558B5F01827F25463EAFF619F804C484A1D23CDD5F2BCCC0F91B4B4D0C117E87D830B1B3

File: C:\Users\Current User\AppData\Local\Temp\484.exe
File: C:\Users\Current User\AppData\Roaming\Microsoft\Internet Explorer\sectcms.exe
MD5: 13CDBD8C31155610B628423DC2720419
SHA: 7633A023852D5A0B625423BFFC3BBB14B81C6A0C
SHA-256: 55C69D2B82ADDD7A0CD3BEBE910CD42B7343BD3FAA7593356BCDCA13DD73A0EF
SHA-512: 19139DAE43751368E19C4963C4E087C6295CC757B215A32CB95E12BDD82BB168DB91EA3385E1D08B9A5D829549DFBB34C17CA29BFCC669C7EAE51456FCD7CA49

File: C:\Users\Current User\AppData\Local\Temp\ii.jse
MD5: F5B3D1128731CAC04B2DC955C1A41114
SHA: 104919078A6D688E5848FF01B667B4D672B9B447
SHA-256: 55821B2BE825629D6674884D93006440D131F77BED216D36EA20E4930A280302
SHA-512: 65D8A4CB792E4865A216D25068274CA853165A17E2154F773D367876DCC36E7A7330B7488F05F4EE899E40BCAA5F3D827E1E1DF4915C9693A8EF9CAEBD6D4BFB

C2 Communications:
hxxp://cccn.nl/c.php
hxxp://cccn.nl/2.2

IP Address of C2/Payload Domain:
46.21.169.110

References:
https://www.peerlyst.com/posts/microsoft-office-malware-now-being-delivered-without-macros-but-using-pps-url-mouse-hover-marry-tramp?trk=search_page_search_result
https://www.joesecurity.org/reports/report-823c408af2d2b19088935a07c03b4222.html
https://www.hybrid-analysis.com/sample/796a386b43f12b99568f55166e339fcf43a4792d292bdd05dafa97ee32518921?environmentId=100
https://www.virustotal.com/en/file/796a386b43f12b99568f55166e339fcf43a4792d292bdd05dafa97ee32518921/analysis/

Emotet/Geodo Updated Analysis

Good Morning Everyone,

I have created a PassiveTotal project for tracking the downloader and payload domains. Information can be found in the link below on the 214 different domains we have observed thus far over the last 3 days. We are estimating 128 unique domains per day but are still encountering various variants. Basic regex detection of the file names would be [0-9]{4}[.]exe, and a generic partial detection, which could be improved upon, is [a-zA-Z0-9]+[\_\ ]+[a-zA-Z0-9]+[\_\ ]+[a-zA-Z0-9]+[\_\ ]+(2017|[0-9]{10,11})[.](js|exe|zip).
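The two file-name patterns above, run as an added Python example (not the author’s code) against names taken from the list below plus benign look-alikes, alongside an anchored, case-insensitive variant that is my suggested tightening: the unanchored four-digit rule also fires inside names like setup1234.exe.

```python
import re

# The post's patterns, exactly as written, applied with search() as a scanner would.
PAGE_EXE = re.compile(r"[0-9]{4}[.]exe")
PAGE_GENERIC = re.compile(
    r"[a-zA-Z0-9]+[\_\ ]+[a-zA-Z0-9]+[\_\ ]+[a-zA-Z0-9]+[\_\ ]+(2017|[0-9]{10,11})[.](js|exe|zip)")

# Suggested tightening: anchored to the whole name (so "setup1234.exe" no longer matches
# the four-digit rule), three-or-more tokens instead of exactly three, case-insensitive.
STRICT_EXE = re.compile(r"^[0-9]{4}[.]exe$", re.IGNORECASE)
STRICT_GENERIC = re.compile(
    r"^(?:[a-zA-Z0-9]+[\_\ ]+){3,}(?:2017|[0-9]{10,11})[.](?:js|exe|zip)$", re.IGNORECASE)


def classify(name: str) -> dict:
    """Which of the post's patterns and the anchored variants match a file name."""
    return {
        "page_exe": PAGE_EXE.search(name) is not None,
        "page_generic": PAGE_GENERIC.search(name) is not None,
        "strict_exe": STRICT_EXE.fullmatch(name) is not None,
        "strict_generic": STRICT_GENERIC.fullmatch(name) is not None,
    }


def is_suspicious(name: str, strict: bool = True) -> bool:
    """Verdict using either the anchored variants (default) or the post's patterns."""
    c = classify(name)
    if strict:
        return c["strict_exe"] or c["strict_generic"]
    return c["page_exe"] or c["page_generic"]


# Constructed sample set: four names from the post's list plus benign look-alikes.
SAMPLES = [
    "1432.exe",
    "DHL_Express_UK_invoice__0003121831_Apr_2017.js",
    "Telekom_2017_04rechnung_33412966373.js",
    "o2__co__uk__09__04__2017__O2_bill_5630735220.js",
    "setup1234.exe",        # benign: only the unanchored four-digit rule fires
    "Q1_report_2017.pdf",   # benign: wrong extension
    "invoice_2017.js",      # benign: too few tokens
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:50s} page={is_suspicious(name, strict=False)!s:5s} strict={is_suspicious(name)}")
```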

Sandbox Results – Payloads:
https://www.hybrid-analysis.com/sample/91c4df8e591d8c6abc439afac8c623981111b309514988fb27f6bef646ceb8fe?environmentId=100
https://www.hybrid-analysis.com/sample/dbafbb3c21a5c217da347bbf04a3a5ae0c5a8cb42972ae7f0eb200411b58a97e?environmentId=100
https://www.hybrid-analysis.com/sample/6055957d42e6b3e82061dd8cdaa81596e615fc046617f0cd89546690c3db70aa?environmentId=100
https://www.hybrid-analysis.com/sample/592eb3250d9e2cbdcd82cd1c4f6eeabd9fce25c2cbb6803347e3060436975861?environmentId=100

Sandbox Results – Downloader:
https://www.hybrid-analysis.com/sample/a15609ed0d096c7c044c431dc728e15b840caad6dba0b3aec9ec9c02d26f0c1f?environmentId=100
https://www.hybrid-analysis.com/sample/c70b3368f15affb758256cbe1a172f891ee74b9cd4104934b154024e395bdbcd?environmentId=100

Email Subjects:
DHL On Demand Delivery
DHL On Demand Delivery for your attention
DHL On Demand Delivery so far
DHL Urgent Delivery
Get Your Bill
Get Your Bill is Ready
Get Your Vodafone Bill is Ready
Have Your Bill is Ready
My O2 Business – Your O2 Bill is ready
Obecny stan przesylki DHL
On Demand DHL Delivery
Pls, have Your Bill is Ready
Sprawdź stan przesylki DHL
Vodafone Bill is Ready
Your Bill
Your Bill for Vodafone
Your Bill has been already Ready
Your Bill is Ready
Your Bill is already Ready
Your O2 bill hasa been ready
Your O2 bill is already ready
Your O2 bill is ready
Your O2 billing
Your O2 bill is ready
get DHL On Demand Delivery for your attention
get Your O2 bill is ready
get Your O2 bill ready
receive Your O2 bill is ready
DHL Intraship – Shipment notification

File Names:
1432.exe
1599.exe
6643.exe
7500.exe
DHL_Express_UK_invoice__0003121831_Apr_2017.js
DHL_Express_UK_invoice__1400508222_Apr_2017.js
DHL_Express_UK_invoice__1669588487_Apr_2017.js
DHL_Express_UK_invoice__1870896677_Apr_2017.js
DHL_Express_UK_invoice__2018751644_Apr_2017.js
DHL_Express_UK_invoice__2167843675_Apr_2017.js
DHL_Express_UK_invoice__2607877220_Apr_2017.js
DHL_Express_UK_invoice__2858654753_Apr_2017.js
DHL_Express_UK_invoice__3262548225_Apr_2017.js
DHL_Express_UK_invoice__3457166120_Apr_2017.js
DHL_Express_UK_invoice__3474397866_Apr_2017.js
DHL_Express_UK_invoice__4579786200_Apr_2017.js
DHL_Express_UK_invoice__4723982668_Apr_2017.js
DHL_Express_UK_invoice__5259509174_Apr_2017.js
DHL_Express_UK_invoice__5383265676_Apr_2017.js
DHL_Express_UK_invoice__6273908290_Apr_2017.js
DHL_Express_UK_invoice__6985065737_Apr_2017.js
DHL_Express_UK_invoice__6993396227_Apr_2017.js
DHL_Express_UK_invoice__7527953807_Apr_2017.js
DHL_Express_UK_invoice__8000285527_Apr_2017.js
DHL_Express_UK_invoice__8478795397_Apr_2017.js
DHL_Express_UK_invoice__9324426295_Apr_2017.js
DHL_Express_UK_invoice__9749267862_Apr_2017.js
DHL__Report__Apr___12___2017___number __5940856348.js
DHL__numer__zlecenia___0682475940_____kwi___12___2017.js
DHL__numer__zlecenia___1111396974_____kwi___13___2017.js
DHL__numer__zlecenia___5194539019_____kwi___13___2017.js
DHL__numer__zlecenia___6463577907_____kwi___13___2017.js
DHL__numer__zlecenia___7600745719_____kwi___13___2017.js
DHL__numer__zlecenia___7949488628_____kwi___13___2017.js
DHL__numer__zlecenia___8448116658_____kwi___13___2017.js
DHL__numer__zlecenia___8989102211_____kwi___13___2017.js
DHL__numer__zlecenia___9148260176_____kwi___13___2017.js
DHL__numer__zlecenia___9509679180_____kwi___13___2017.js
O2_Billing___1807805485__13__04__2017.js
O2_Billing___3194960136__12__04__2017.js
O2_Billing___5746763153__13__04__2017.js
O2_UK___3525115464__13__04__2017.js
O2___1375658777__13__04__2017.js
O2_bill___5724355051__13__04__2017.js
O2_bill___7084355827__13__04__2017.js
O2_payment___7919738042__13__04__2017.js
O2_team___4569939528__13__04__2017.js
O2_uk_limited___4723045152__13__04__2017.js
Telekom_2017_04rechnung_33412966373.js
Telekom_2017_04rechnung_37661958175.js
Telekom_2017_04rechnung_38715336846.js
Telekom_2017_04rechnung_41074092260.js
Telekom_2017_04rechnung_50349493965.js
Telekom_2017_04rechnung_83328011963.js
Telekom_2017_04rechnung_97347687805.js
Vodafone__bill__online__0482017585__Apr___2017.js
Vodafone__bill__online__0576772058__Apr___2017.js
Vodafone__bill__online__0704164140__Apr___2017.js
Vodafone__bill__online__0970624048__Apr___2017.js
Vodafone__bill__online__1332345313__Apr___2017.js
Vodafone__bill__online__1642490166_____Wed___Apr___12___2017.js
Vodafone__bill__online__2053572355__Apr___2017.js
Vodafone__bill__online__2911726819__Apr___2017.js
Vodafone__bill__online__3034645949__Apr___2017.js
Vodafone__bill__online__3050088648__Apr___2017.js
Vodafone__bill__online__3361207186__Apr___2017.js
Vodafone__bill__online__3380812186__Apr___2017.js
Vodafone__bill__online__3429886379__Apr___2017.js
Vodafone__bill__online__3849108266__Apr___2017.js
Vodafone__bill__online__4115908237__Apr___2017.js
Vodafone__bill__online__4593971037__Apr___2017.js
Vodafone__bill__online__5098250486__Apr___2017.js
Vodafone__bill__online__5445123480__Apr___2017.js
Vodafone__bill__online__5455459583__Apr___2017.js
Vodafone__bill__online__5619734794__Apr___2017.js
Vodafone__bill__online__5723014394__Apr___2017.js
Vodafone__bill__online__5736872769__Apr___2017.js
Vodafone__bill__online__6591503495__Apr___2017.js
Vodafone__bill__online__7067620892__Apr___2017.js
Vodafone__bill__online__7171423237__Apr___2017.js
Vodafone__bill__online__7390262697__Apr___2017.js
Vodafone__bill__online__7615037689__Apr___2017.js
Vodafone__bill__online__7690197077__Apr___2017.js
Vodafone__bill__online__8324450458__Apr___2017.js
Vodafone__bill__online__8423713847__Apr___2017.js
Vodafone__bill__online__8929576055__Apr___2017.js
Vodafone__bill__online__9860040521__Apr___2017.js
Vodafone__bill__online__9875069400__Apr___2017.js
bill_O2___2627549936__13__04__2017.js
bill_O2___3316747324__13__04__2017.js
bill_O2___4059163857__13__04__2017.js
bill_O2___7285705702__13__04__2017.js
dhl__com__status__8608239457_____Tue___Apr___11___2017.js
myO2Business___1242260842__13__04__2017.js
myO2___0214565102__13__04__2017.js
myO2___4168972254__13__04__2017.js
myO2___4362161783__12__04__2017.js
myO2___6354589952__13__04__2017.js
myO2___8034871221__13__04__2017.js
myO2___8170830131__13__04__2017.js
o2__co__uk__09__04__2017__O2_bill_5630735220.js

Passivetotal:
https://www.passivetotal.org/projects/88ff6148-9220-b4c3-efb4-45540597797d

Emotet/Geodo Domains

Good Morning,

While researching a wave of what other analysts alerted on as Emotet/Geodo, I found 128 different domains that are hosting the JavaScript-based downloader and the payloads.

The list of domains can be found at the following Pastebin. I don’t want to link them here, as Google will mark my blog as malicious if I hotlink the malicious pages.

Pastebin Link:

https://pastebin.com/NQtg2TZc