Dissecting VBA Macros - Part 2 of 2

The second in a two-part series, in which we use dynamic analysis to dissect the binaries dropped by malicious Office macros

Posted on 7 June 2017

In the previous post (Dissecting VBA Macros - 1 of 2) we looked at how publicly available tools can be used to perform static analysis on VBA macros, concluding by identifying the native binaries that the macro wrote to disk and executed. This post uses dynamic analysis to study the behavior of those dropped binaries. In this instance we have used a customized instance of Cuckoo Sandbox (https://cuckoosandbox.org/).

 

Technical Analysis

Upon execution, the dropped binary (k.exe) launches a second copy of itself with the CREATE_SUSPENDED creation flag. The suspended child is the container for process hollowing: its image is replaced in memory before the child ever runs its own code:

[Image: part 2 dissecting VBA1]

It then allocates memory inside the suspended process with PAGE_EXECUTE_READWRITE protection. A writable-and-executable region allocated in another process is a strong indicator on its own, as legitimate loaders rarely need one:

[Image: part 2 dissecting VBA2]

A complete executable image is then written directly into the address space of the suspended process using NtWriteVirtualMemory():

[Image: part 2 dissecting VBA3]

The child's main thread is then resumed so that the overwritten code executes, and with that the process hollowing step is complete.

[Image: part 2 dissecting VBA4]
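The four calls above (suspended CreateProcess, RWX allocation in the child, a write of a PE image into it, and a thread resume) are the sequence a sandbox analyst wants to match automatically rather than read off screenshots. The following is an added example written for this post, not code from the original or from Cuckoo itself: it walks a Cuckoo-style API trace and reports each suspended child that goes through the full sequence in order. The trace layout (a flat list of calls with "api" and "arguments" keys) and the argument names are assumptions chosen to resemble Cuckoo's report; real reports nest calls under behavior.processes[].calls, so map the keys before using it on a real report.json. The sample trace, handles and addresses are constructed.

```python
"""Flag the process-hollowing call sequence in a Cuckoo-style API trace.

Added example for this post, not code from the original or from Cuckoo.
The trace format is an assumption: a flat list of hooked calls, each a dict
with "api" and "arguments" keys. Real Cuckoo reports nest calls under
behavior.processes[].calls and their argument names differ slightly.
"""

CREATE_SUSPENDED = 0x00000004        # dwCreationFlags bit passed to CreateProcess
PAGE_EXECUTE_READWRITE = 0x40        # memory protection constant

# Constructed sample trace modelled on the behaviour described in the post:
# k.exe starts a suspended copy of itself, allocates RWX memory in the child,
# writes a PE image into it and resumes the child's main thread. Handles,
# addresses and sizes are made up.
SAMPLE_TRACE = [
    {"api": "CreateProcessInternalW", "arguments": {
        "command_line": "C:\\Users\\victim\\AppData\\Local\\Temp\\k.exe",
        "creation_flags": CREATE_SUSPENDED,
        "process_handle": "0x000000f8", "thread_handle": "0x000000fc"}},
    {"api": "NtAllocateVirtualMemory", "arguments": {
        "process_handle": "0x000000f8", "base_address": "0x00400000",
        "region_size": 0x2b000, "protection": PAGE_EXECUTE_READWRITE}},
    {"api": "NtWriteVirtualMemory", "arguments": {
        "process_handle": "0x000000f8", "base_address": "0x00400000",
        "buffer": "MZ\x90\x00\x03\x00\x00\x00", "length": 0x2b000}},
    {"api": "NtResumeThread", "arguments": {"thread_handle": "0x000000fc"}},
    # A read/write allocation in the malware's own process: not interesting.
    {"api": "NtAllocateVirtualMemory", "arguments": {
        "process_handle": "0xffffffff", "base_address": "0x00200000",
        "region_size": 0x1000, "protection": 0x04}},
]

CREATE_APIS = {"CreateProcessInternalW", "CreateProcessW", "CreateProcessA"}
ALLOC_APIS = {"NtAllocateVirtualMemory", "VirtualAllocEx"}
WRITE_APIS = {"NtWriteVirtualMemory", "WriteProcessMemory"}
RESUME_APIS = {"NtResumeThread", "ResumeThread"}


def find_hollowing(trace):
    """Return one finding per suspended child that, in order, receives an RWX
    allocation, has memory written into it and then has a thread resumed.

    Order matters: a resume before any write is just a normal suspended
    start, so each stage is only recorded once the previous one has been.
    """
    suspects = {}           # process_handle -> stage record
    thread_to_process = {}  # thread_handle -> process_handle
    for index, call in enumerate(trace):
        api, args = call["api"], call["arguments"]
        if api in CREATE_APIS and args.get("creation_flags", 0) & CREATE_SUSPENDED:
            handle = args["process_handle"]
            suspects[handle] = {"created_at": index,
                                "command_line": args.get("command_line"),
                                "rwx": False, "written": False,
                                "pe_header": False, "resumed": False}
            thread_to_process[args.get("thread_handle")] = handle
        elif api in ALLOC_APIS:
            record = suspects.get(args.get("process_handle"))
            if record and args.get("protection") == PAGE_EXECUTE_READWRITE:
                record["rwx"] = True
        elif api in WRITE_APIS:
            record = suspects.get(args.get("process_handle"))
            if record and record["rwx"]:
                record["written"] = True
                # A buffer starting with the DOS magic is a whole image being
                # injected (hollowing) rather than a shellcode stub.
                if str(args.get("buffer", "")).startswith("MZ"):
                    record["pe_header"] = True
        elif api in RESUME_APIS:
            record = suspects.get(thread_to_process.get(args.get("thread_handle")))
            if record and record["written"]:
                record["resumed"] = True
    return [dict(process_handle=handle, **record)
            for handle, record in suspects.items() if record["resumed"]]


if __name__ == "__main__":
    for finding in find_hollowing(SAMPLE_TRACE):
        print("process hollowing:", finding)
```

Two caveats when adapting this to real traces: handle values are reused once closed, so key the records on the child's process identifier rather than the raw handle, and a sample that uses SetThreadContext to redirect the entry point before resuming will show that call between the write and the resume, which this matcher simply ignores.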

Once the injected code executes, it creates a directory under %LOCALAPPDATA%, copies the original binary there under a different name, and drops a shortcut (.lnk) file in the user's Startup folder so that the copy is launched at every logon. The renamed copy of the malware is then executed.

[Image: part 2 dissecting VBA5]

[Image: part 2 dissecting VBA6]

[Image: part 2 dissecting VBA7]

[Image: part 2 dissecting VBA8]
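A Startup-folder shortcut pointing into %LOCALAPPDATA% is the kind of persistence an incident responder can sweep for directly on a host. The following is an added example written for this post, not code from the original: it contains a minimal parser for the MS-SHLLINK (.lnk) format that reads the LinkInfo path and the COMMAND_LINE_ARGUMENTS string, and flags shortcuts whose target lives under %LOCALAPPDATA%. The parser skips the shell item ID list, so a shortcut that stores its target only there comes back with target None and needs a fuller parser. build_lnk() constructs a test shortcut so the module can be exercised offline; every path in it is made up.

```python
"""Triage shortcuts in the Startup folder for targets under %LOCALAPPDATA%.

Added example for this post, not code from the original. Minimal
MS-SHLLINK parser: LinkInfo path plus the COMMAND_LINE_ARGUMENTS string.
"""
import os
import struct

# LinkFlags (offset 20 of the ShellLinkHeader).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01   # LinkInfoFlags
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def _cstr(buf, offset):
    """Null-terminated ANSI string; the system code page is assumed latin-1."""
    return buf[offset:buf.index(b"\x00", offset)].decode("latin-1")


def parse_lnk(data):
    """Return {"target": str or None, "arguments": str} from raw .lnk bytes."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip the IDList entirely
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = None
    if flags & HAS_LINK_INFO:
        info = pos
        (size, _hdr_size, info_flags, _vol_off, base_off,
         _net_off, suffix_off) = struct.unpack_from("<7I", data, info)
        if info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            target = _cstr(data, info + base_off) + _cstr(data, info + suffix_off)
        pos = info + size
    # StringData blocks follow in this fixed order, each a 2-byte character
    # count followed by the characters (UTF-16LE when IsUnicode is set).
    arguments = ""
    for flag in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR,
                 HAS_ARGUMENTS, HAS_ICON_LOCATION):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        text = data[pos:pos + width * count].decode("utf-16-le" if width == 2 else "latin-1")
        pos += width * count
        if flag == HAS_ARGUMENTS:
            arguments = text
    return {"target": target, "arguments": arguments}


def build_lnk(target, arguments=""):
    """Construct a minimal .lnk (header + LinkInfo + optional arguments) for testing."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, flags)
    header += b"\x00" * (HEADER_SIZE - len(header))
    volume_id = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"   # fixed drive, empty label
    base_path = target.encode("latin-1") + b"\x00"
    body = volume_id + base_path + b"\x00"                       # empty CommonPathSuffix
    link_info = struct.pack("<7I", 0x1C + len(body), 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            0x1C, 0x1C + len(volume_id), 0,
                            0x1C + len(volume_id) + len(base_path)) + body
    string_data = b""
    if arguments:
        string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + link_info + string_data


def _norm(path):
    return path.replace("/", "\\").rstrip("\\").lower()


def is_suspicious_target(target, local_appdata):
    """True when the shortcut resolves somewhere inside %LOCALAPPDATA%."""
    return bool(target) and _norm(target).startswith(_norm(local_appdata) + "\\")


def triage_startup(startup_dir, local_appdata):
    """Return (file, target, arguments) for each .lnk pointing into %LOCALAPPDATA%."""
    hits = []
    for name in sorted(os.listdir(startup_dir)):
        if not name.lower().endswith(".lnk"):
            continue
        with open(os.path.join(startup_dir, name), "rb") as fh:
            info = parse_lnk(fh.read())
        if is_suspicious_target(info["target"], local_appdata):
            hits.append((name, info["target"], info["arguments"]))
    return hits


if __name__ == "__main__":
    startup = os.path.join(os.environ.get("APPDATA", ""),
                           r"Microsoft\Windows\Start Menu\Programs\Startup")
    for hit in triage_startup(startup, os.environ.get("LOCALAPPDATA", "")):
        print("startup shortcut into LOCALAPPDATA:", hit)
```

Run it on a live host with the Startup path of each user profile, not just the current one; on an image, point triage_startup at the mounted profile's Startup directory. The arguments string is worth keeping in the output because droppers often launch an innocuous binary with a malicious argument rather than naming the payload directly.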

The renamed copy then repeats the same process hollowing technique, injecting code into a new suspended copy of itself exactly as before:

[Images: part 2 dissecting VBA11, part 2 dissecting VBA10, part 2 dissecting VBA12]

This time the injected code behaves differently: it begins gathering information about the target system, including the computer name and a list of running processes:

[Image: part 2 dissecting VBA13]

[Image: part 2 dissecting VBA14]

It then encrypts the collected information and exports the encryption key it used to do so:

[Images: part 2 dissecting VBA15, part 2 dissecting VBA16]

It then attempts an HTTP connection to a publicly routable IP address, sending the encrypted data back encoded in the request headers as a Cookie value:

[Images: part 2 dissecting VBA17, part 2 dissecting VBA18]

If the initial beacon fails, it re-enumerates the running processes using CreateToolhelp32Snapshot, encrypts the resulting list again, and attempts to connect to a different IP address:

[Image: part 2 dissecting VBA19]

[Image: part 2 dissecting VBA20]

[Images: part 2 dissecting VBA21, part 2 dissecting VBA23]

Each time a beacon fails, the malware moves on to the next C2 server, repeating the CreateToolhelp32Snapshot enumeration and trying a different remote address until its list is exhausted. This makes the full set of C2 addresses recoverable from dynamic analysis simply by forcing the HTTP communications to fail; in this instance the following C2 server addresses were retrieved that way:

[Image: part 2 dissecting VBA24]
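The beacon described above has two properties that are easy to check in captured traffic: the request goes to a bare IP address rather than a hostname, and the Cookie header carries a long, high-entropy value rather than a session token. The following is an added example written for this post, not code from the original: it parses raw HTTP requests and scores them on those two signals. The requests are constructed here; the hosts use RFC 5737 documentation addresses and the cookie payload is a deterministic stand-in for ciphertext, so none of the values are the C2 addresses or data from the sample.

```python
"""Score HTTP requests for the cookie-beacon pattern: a request to a bare IP
address whose Cookie header carries a long, high-entropy value.

Added example for this post, not code from the original. All requests,
hosts and cookie values below are constructed.
"""
import base64
import math
import re
from collections import Counter

IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
ENCODED_VALUE = re.compile(r"^[A-Za-z0-9+/=_-]+$")

# Stand-in for an encrypted blob: deterministic so the example is reproducible.
FAKE_CIPHERTEXT = base64.b64encode(bytes(range(48))).decode()

SAMPLE_REQUESTS = [
    # Constructed beacon: bare IP host, one oversized encoded cookie.
    "GET /index.php HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    "User-Agent: Mozilla/5.0\r\nCookie: id=" + FAKE_CIPHERTEXT + "\r\n\r\n",
    # Constructed ordinary browsing request.
    "GET /news HTTP/1.1\r\nHost: www.example.com\r\n"
    "Cookie: session=abc123; lang=en\r\n\r\n",
    # Constructed connectivity check: bare IP host but no cookie at all.
    "GET / HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n",
]


def shannon_entropy(text):
    """Bits per character; base64 of random data sits around 5 to 6."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path, lower-cased headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def cookie_values(cookie_header):
    """Split 'a=1; b=2' into [('a', '1'), ('b', '2')]."""
    pairs = []
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs.append((name, value))
    return pairs


def score_request(req, min_len=40, min_entropy=4.0):
    """Return the two beacon signals: bare-IP host and encoded cookie values."""
    host = req["headers"].get("host", "")
    encoded = []
    for name, value in cookie_values(req["headers"].get("cookie", "")):
        if (len(value) >= min_len and ENCODED_VALUE.match(value)
                and shannon_entropy(value) >= min_entropy):
            encoded.append((name, len(value), round(shannon_entropy(value), 2)))
    return {"ip_host": bool(IP_HOST.match(host)), "encoded_cookies": encoded}


def is_beacon(raw):
    """Both signals together: an encoded payload in a cookie sent to a bare IP."""
    score = score_request(parse_request(raw))
    return score["ip_host"] and bool(score["encoded_cookies"])


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(is_beacon(raw), score_request(parse_request(raw)))
```

Legitimate sites also set long opaque cookies, so the encoded-cookie signal alone is noisy; it is the bare-IP host (equivalently, a connection with no preceding DNS lookup) that makes the combination specific. Run in a sandbox with outbound traffic blackholed, as the post does, the sample walks through its whole C2 list, and feeding each captured request through is_beacon() gives the address list mechanically.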

 

Summary

Phishing attacks are on the rise and remain the easiest and most commonly used way to deliver malicious files to victims. The techniques seen here also show how readily attackers can bypass AV and lure an end user into opening and executing a malicious document. Once the stager is executed, as in this example, it executes second-stage payloads which then set up a connection to a command and control server, giving the attacker a foothold on the network the machine is connected to.

For those investigating phishing attacks against organizations, static analysis is one technique that can be used to understand the operation of the payloads being delivered. Analyzing OLE containers is particularly useful when dealing with Office documents containing malicious macros, and the first part of this series showed the basics using publicly available analysis tools.

In this post we then showed how dynamic analysis with the Cuckoo Sandbox malware analysis system can be used to study the binary dropped by the macro payload: here, process hollowing, persistence through a Startup folder shortcut, host enumeration, and a beacon that rotates through a list of C2 servers until one responds.