Dissecting Macro Malware - Use CMD Path Traversal Hijacking Technique (PING!)

In the past few days there has been interesting research about cmd path traversal hijacking, in which an attacker can use ping.exe as a means of execution. If you want to read more on this topic, this is the link:

https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/

Below is a technical walkthrough of this interesting macro code.

Close ActiveWorkBook using Timer:

Interestingly, upon enabling and running the macro code of this malicious .xlsm file, it suddenly closes the active workbook, which makes it hard to see the actual macro code in the “Macro” menu of this Excel file. But thanks to the oledump.py tool, I was able to extract the macro code.

The macro code is really small, and at first look you will not see any malicious intent in it, but the further analysis shown later reveals how it tries to execute its malicious code. I also found that it has a function named chess() that is responsible for closing the active workbook using the VBA timer command (4-second delay).

figure 1: delay timer before closing the active workbook

Constructing the Hidden Payload:

The technique it uses to hide its payload is to scatter constant data across the cells of the active workbook and then parse it using “Private Sub info_Layout”. The constants can be seen by changing their font color to something other than white, for example red. This function first initializes a 4950-byte array “N” where the parsed payload bytes will be placed. Second, it iterates over all cells of the ActiveSheet of the active workbook with the “xlCellTypeConstant” type.

figure 2: Hidden Constant after changing its Font Color


The constant within each cell contains two parts used to generate the payload. The first part is the index into the array N, and the second is the payload byte that will be placed at that array index. These two parts are separated by a “.” character.

So, for example, cell C5 holds the constant data 1100.51. The 1100 is the array index and the 51 is the payload byte.

figure 3: the array index and the payload byte in hidden cell constant.
figure 4: function that generates the payload
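
For analysts who want to rebuild the string outside Excel, the following Python sketch reassembles a payload from “index.byte” cell constants. It is an added example, not the malware's macro code and not part of the original analysis. The function name, the sample cells, reading each cell as text, and treating the part after the “.” as a decimal character code are all assumptions.

```python
# Added analyst example (not the malware's code): rebuild a payload from
# "index.byte" cell constants as described in the write-up.
ARRAY_SIZE = 4950  # size of array N, taken from the write-up


def rebuild_payload(cell_values, size=ARRAY_SIZE):
    """Return (payload_text, rejected_cells) from 'index.byte' strings.

    Assumptions: each cell is read as text, and the part after '.' is a
    decimal character code. Unfilled array slots are skipped.
    """
    slots = [None] * size
    rejected = []
    for raw in cell_values:
        text = str(raw).strip()
        index_part, sep, byte_part = text.partition(".")
        # Reject anything that is not exactly <digits>.<digits>
        if not sep or not index_part.isdecimal() or not byte_part.isdecimal():
            rejected.append(raw)
            continue
        index, value = int(index_part), int(byte_part)
        # Reject indexes outside array N and values that are not a byte
        if index >= size or value > 255:
            rejected.append(raw)
            continue
        slots[index] = value
    payload = "".join(chr(v) for v in slots if v is not None)
    return payload, rejected


if __name__ == "__main__":
    # Constructed sample cells in scattered order; they decode to a harmless word.
    sample = ["3.103", "0.112", "2.110", "1.105", "note", "9999.65", "4.300"]
    text, bad = rebuild_payload(sample)
    print("payload:", text)
    print("rejected:", bad)
```

Pass the cell contents as displayed text rather than as floats, because a numeric read drops trailing zeros from the part after the “.”.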

Executing the Payload:

As we saw earlier, the “noise” string variable holds the decoded payload, which is also interesting because it uses the latest cmd path traversal hijack technique using ping.exe. The cmd command will execute the payload with an obfuscated PowerShell script, as in the screenshot below. The payload executes as soon as the Excel application is minimized.


figure 5: PowerShell payload

This will decode and decompress a base64-encoded string, which is the next layer of obfuscation of the payload, and which will try to download, enumerate some information on the machine and clear the Windows PowerShell event logs.

figure 6: 2nd layer of obfuscation

figure 7: noteworthy part of the payload

IOC:

filename: INV_308790_Inc._04649.xlsm
md5: 338134ac1fa2d4b8267bb9161b216982
sha1: 65ed7f38009cc636152162fb15dba84805f0d08a
sha256: 2ef3e8aea682f2cf85c4f8df03eb4066ad33335116f2ae6b75e3fad0ac49818a
 
https://app.any.run/tasks/83b5b407-dfbe-49c9-872d-f5879f4c240d/

Article Link: https://tccontre.blogspot.com/2020/06/dissecting-macro-malware-use-cmd-path.html