Hacking Macro Malware – The Hunter becomes the prey

Categories: Hacking, Malware, Penetration Testing, Research, Tutorial

I have noticed that attackers still often use MS Office macros in spear-phishing attacks. They send out an email such as a request for payment on an invoice and attach a Word document called invoice.doc. When a user opens the document and enables macros, the malware is executed and the system is owned. However, the attackers are smart enough to password-protect the macro so that people like me, who are interested in the methods they use, are unable to see it. I did some research using a malicious .doc file that was used in an actual phishing attack this week and found out how to bypass this. Here is what I did.
First and foremost, never open malware unless it is on a live OS or a virtual machine that is not connected to any network. The last thing you need is for the attacker to succeed in compromising your system. I am using snapshotted OS X and Windows virtual machines.
Method #1
This first method may work for you. In my case it did not, but I am including it as it seems to work for some.
1. Open the document in MS Office and don't enable macros.
2. Go to Tools -> Macro -> Visual Basic Editor.
3. Double-click the sheet, in this case "ThisDocument".
4. Copy the code provided below into the box.

Sub PasswordBreaker()

'Breaks worksheet password protection.
'Excel reduces a sheet password to a short hash, so one of the
'2^11 * 95 twelve-character candidates below will normally collide
'with it; the MsgBox shows that colliding password, not the original.
'Note: ActiveSheet and Unprotect belong to the Excel object model. In
'Word they do nothing, and the VBA project password is never touched.

Dim i As Integer, j As Integer, k As Integer
Dim l As Integer, m As Integer, n As Integer
Dim i1 As Integer, i2 As Integer, i3 As Integer
Dim i4 As Integer, i5 As Integer, i6 As Integer
On Error Resume Next 'a failed Unprotect raises an error; just try the next candidate
For i = 65 To 66: For j = 65 To 66: For k = 65 To 66
For l = 65 To 66: For m = 65 To 66: For i1 = 65 To 66
For i2 = 65 To 66: For i3 = 65 To 66: For i4 = 65 To 66
For i5 = 65 To 66: For i6 = 65 To 66: For n = 32 To 126
'Eleven characters from {"A", "B"} plus one printable ASCII character
ActiveSheet.Unprotect Chr(i) & Chr(j) & Chr(k) & _
Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & Chr(i3) & _
Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
If ActiveSheet.ProtectContents = False Then
MsgBox "One usable password is " & Chr(i) & Chr(j) & _
Chr(k) & Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & _
Chr(i3) & Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
Exit Sub
End If
Next: Next: Next: Next: Next: Next
Next: Next: Next: Next: Next: Next
End Sub

5. Run the macro, in this case by clicking the blue triangle.
A usable password is shown! Except in my case this password did not unlock the macro. So, on to method 2.
Method #2
Reference: http://davidbugden.com/?p=16
1. Using your favorite hex editor, open the .doc file. Search for the string "DPB" and replace it with "DPx".

2. Save the file and open it in Word (I had to use the Windows version of Word; the OS X version did not work). Click Yes and OK to any errors that pop up.

3. Press Alt+F11 to open the Visual Basic Editor. Select the project's properties, uncheck "Lock project for viewing" and enter a new password. Save the project and then save the document.

4. Reopen the document, press Alt+F11 again, and we are in. See the macro source code goodness.
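The same DPB-to-DPx edit in code, as an added example (not the post's own code) that works on the bytes of the VBA PROJECT stream rather than on the whole file in a hex editor. It assumes the PROJECT stream has already been pulled out of the .doc (for instance with olefile); the sample stream and its hex values are constructed placeholders.

```python
# Added example (not the post's code): parse a VBA PROJECT stream and apply the
# DPB -> DPx rename from Method #2 in code rather than by hand in a hex editor.
# PROJECT is CRLF-separated Key="Value" text (MS-OVBA). Office reads the project
# password from the DPB record; an unrecognised key (DPx) means no password check,
# and since both keys are 3 bytes nothing inside the OLE container shifts.
import re

# Constructed sample stream: hex values are placeholders, not real ciphertext.
SAMPLE_PROJECT = (
    b'ID="{00000000-0000-0000-0000-000000000000}"\r\n'
    b'Document=ThisDocument/&H00000000\r\n'
    b'Name="Project"\r\n'
    b'HelpContextID="0"\r\n'
    b'CMG="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"\r\n'
    b'DPB="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"\r\n'
    b'GC="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"\r\n'
    b'\r\n'
    b'[Host Extender Info]\r\n'
)

# One property record per line; quotes around the value are optional.
_RECORD = re.compile(rb'^([A-Za-z0-9]+)="?([^"\r\n]*)"?\r?$', re.M)


def parse_project(stream: bytes) -> dict:
    """Key/value records of the property section (before the first blank line)."""
    props = stream.split(b'\r\n\r\n', 1)[0]
    return {k.decode(): v.decode() for k, v in _RECORD.findall(props)}


def unlock_project(stream: bytes) -> bytes:
    """Return the stream with its single DPB record renamed to DPx.

    A DPB record exists even when no password is set (it then holds an
    encrypted null byte), so the rename is applied unconditionally, exactly
    like the hex edit. A missing or duplicated record means this is not a
    PROJECT stream, so refuse rather than patch the wrong bytes.
    """
    patched, count = re.subn(rb'^DPB=', b'DPx=', stream, flags=re.M)
    if count != 1:
        raise ValueError(f"expected exactly one DPB record, found {count}")
    assert len(patched) == len(stream), "rename must not change the length"
    return patched
```

Writing the patched stream back into the container is left to the OLE library used to extract it; the equal-length check is what keeps that write-back safe.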

5. Unfortunately our attacker did not provide much help here. The code is pretty obfuscated, so in order to figure out what it does we have to dig in more.
6. First, I noticed that changing the Visible property to True made a second document open up when the macro runs.

Now document 422 pops up visible

7. To figure out what the TCA, TCB, and TEX variables are, I added a MsgBox for each one that prints the variable's value to the screen when the macro runs.

8. So now we know that the macro creates three files in the user's temp folder.

9. Opening either the 422 or the 433 file executes the st3.exe file. I am not sure exactly how an executable is launched by opening an RTF file, but each time it is opened another st3.exe file is generated and executed, along with a .tmp.cvr file that contains no data.

10. Viewing st3.exe in a hex editor shows some useful information and a lot of gibberish that may be there to trick AV or to throw off an investigator.

11. Uploading this file to VirusTotal tells us that it is flagged as malware by 25 out of 54 AV vendors. However, st3.exe had already been uploaded to VirusTotal the day before I did this investigation, so when the email was first sent out on the 17th it probably would not have been detected by this many, or even any, AV vendors.
12. Doing some more digging we can find st3.exe and see how it was embedded into the Word document. By opening the original macro-enabled document in a text editor you can see that it has the tag {EMBED Package }.

13. A quick search on this reveals that pressing Alt+F9 will make the embedded package visible in Word.

14. By going to the properties of this package we can see that the embedded file is st3.exe and that it is the same size as the st3.exe that was copied to the user's temp folder when the macro executed.
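The name-and-size comparison from steps 12 to 14 can be done on disk instead of through Word's properties dialog. This added example (not the post's code) reads the record that an OLE Package object keeps in its "\x01Ole10Native" stream and returns the embedded file name, paths and payload; it assumes the commonly documented Ole10Native layout (length-prefixed record, two null-terminated ANSI strings, two DWORDs, a null-terminated temp path, then a DWORD-prefixed blob) and that the stream has already been extracted from the document, and the sample record is constructed.

```python
# Added example (not the post's code): reader for the "\x01Ole10Native" stream
# in which Word stores an OLE Package object's payload, the object behind the
# {EMBED Package} field in steps 12-14. Extracting the stream from the .doc
# (e.g. with olefile) is outside this snippet; it starts from the stream bytes.
import struct
from dataclasses import dataclass

@dataclass
class OleNativePackage:
    filename: str   # label shown in Word's object properties
    src_path: str   # path of the file when it was embedded
    temp_path: str  # path Word extracts to when the object is activated
    data: bytes     # the embedded file itself

def _cstring(buf: bytes, pos: int):
    """Read a null-terminated ANSI string at pos; return (text, position after NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1

def parse_ole10native(stream: bytes) -> OleNativePackage:
    """Return name, paths and payload, so size/name can be checked against the dropped file."""
    total = struct.unpack_from("<I", stream, 0)[0]  # size of everything after this DWORD
    if total + 4 > len(stream):
        raise ValueError("record length exceeds stream; truncated or not Ole10Native")
    pos = 6  # skip the size DWORD and a WORD of flags (normally 0x0002)
    filename, pos = _cstring(stream, pos)
    src_path, pos = _cstring(stream, pos)
    pos += 8  # two DWORDs: a type marker, then the temp-path length incl. NUL
    temp_path, pos = _cstring(stream, pos)
    size = struct.unpack_from("<I", stream, pos)[0]
    data = stream[pos + 4:pos + 4 + size]
    if len(data) != size:
        raise ValueError("payload truncated")
    return OleNativePackage(filename, src_path, temp_path, data)

def build_ole10native(filename: str, src_path: str, temp_path: str, data: bytes) -> bytes:
    """Inverse of parse_ole10native; used here only to construct test input."""
    f, s, t = (x.encode("latin-1") + b"\x00" for x in (filename, src_path, temp_path))
    body = (b"\x02\x00" + f + s + struct.pack("<II", 0x00030000, len(t)) + t
            + struct.pack("<I", len(data)) + data)
    return struct.pack("<I", len(body)) + body

# Constructed sample: a fake st3.exe whose payload is only an MZ stub, not a real binary.
SAMPLE_STREAM = build_ole10native("st3.exe", r"C:\src\st3.exe",
                                  r"C:\Users\x\AppData\Local\Temp\st3.exe", b"MZ" + b"\x90" * 62)
```

Comparing len(pkg.data) and a hash of pkg.data with the file found in the temp folder confirms the dropped binary is the embedded one without ever launching it.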
Takeaways – Macros are still a very effective method for spear-phishing attacks. Understanding how the bad guys do this can help penetration testers step their game up. Additionally, since Office documents can contain executables, it makes sense to treat them like executables in policy: if EXEs are blocked as email attachments, so should Office documents be.
P.S. This document does not contain macros… :)
