The initial document invites the user to enable macro execution to display the real content, silently starting the infection chain in the background while other decoy components are shown to the victim.

Figure 1.

After a few seconds, a pop-up window is shown, reporting an error related to the decryption of the document, and then the Word document is automatically closed.

Figure 2. Fake pop-up error

At this point, the unaware victim may think there is a problem with the document and that nothing malicious happened, but in fact the malware has already carried out its operations in a stealthy way.

Analyzing the document view more carefully, it is possible to notice a suspicious chunk of strings in the smallest box on the left of the document:

The box named “Kplkaaaaaaaz” contains a Base64-encoded payload, subsequently extracted during macro execution and assigned to the “dopzekaoooooooo” variable. It will be used to fill the next-stage .bat file.

This technique, embedding part of the payload in a Word Label object or in cells, allows more code to be hidden directly inside the attack vector, lowering the chances of detection.

The malware also adopts an evasion technique to determine whether it is executing in a sandboxed environment. It checks whether the machine’s domain name is equal to the computer name; if this condition holds, the previous “Kplkaaaaaaaz” variable is set to “This document contains VBA.”, causing the infection chain to stop. This trick is able to bypass all the major sandboxing services, like Any.run and Hybrid Analysis.

Obfuscated macro code

After a deobfuscation phase, the malware behavior emerges. Unlike most malware, this sample uses a different technique to automatically start the macro code when the document is opened: instead of using the Workbook_Open or Auto_Open functions, it exploits the Word InkEdit object and its InkEdit1_GotFocus function, which is launched as soon as InkEdit1 is displayed.

The screen above shows the instruction used to pop up the fake error window (Figure 2), which is a simple Visual Basic MsgBox. The next actions to be performed are contained in the “%temp%\errors.bat” script, which is executed by a copy of “cmd.exe” stored in the %appdata% folder under the name “msutil.exe”.

Figure 6.

The “errors.bat” file contains a Base64-encoded PowerShell script which closes the initial Word document by killing its process and permanently deletes it from the file system.

Figure 7. PowerShell code embedded into “errors.bat” file

The script shows another evasion technique, checking the amount of memory available on the system: if it is less than 1 GB, the malware terminates its execution and removes all evidence of the infection. The check against available memory is done through a CIM (Common Information Model) server instance.
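As an added defensive illustration (not code from the original analysis), the following Python triage script runs heuristic indicators for the behaviours described above (control-event auto-start, payload staged from a Label caption, domain-name versus computer-name sandbox check, kill-switch string, CIM memory probe, staged .bat, self-deletion) over macro or script text, such as the output of extracting a VBA project with a tool like olevba. The sample text at the bottom is constructed for the example and is not the analysed document's code; the exact form of the domain/computer-name comparison, the regular expressions and the weights are assumptions.

```python
"""Heuristic triage of extracted macro / script text for the tradecraft
described above (added illustration; the sample text is constructed and is
not the analysed document's code)."""
import base64
import re
from dataclasses import dataclass

# Indicator table: (name, pattern, weight). Patterns are heuristics assumed for
# this example, not signatures taken from the analysis.
INDICATORS = [
    # Auto-execution via a form-control event instead of Auto_Open/Document_Open.
    ("control_event_autostart",
     re.compile(r"\bSub\s+\w+_(GotFocus|Enter|Activate)\s*\(", re.I), 3),
    # Payload read from a control property (Label caption, text box, ...).
    ("payload_from_control",
     re.compile(r"\b\w+\.(Caption|Text|ControlTipText|Tag)\b", re.I), 1),
    # Sandbox check: domain name compared with the computer name (assumed form).
    ("domain_equals_hostname",
     re.compile(r"USERDOMAIN[^\n]*=[^\n]*COMPUTERNAME|COMPUTERNAME[^\n]*=[^\n]*USERDOMAIN", re.I), 3),
    # Kill-switch string quoted in the analysis.
    ("kill_switch_string", re.compile(r"This document contains VBA\.", re.I), 2),
    # Memory probing through CIM/WMI.
    ("cim_memory_check",
     re.compile(r"(Get-CimInstance|Get-WmiObject|winmgmts)[^\n]*Memory", re.I), 3),
    # cmd.exe copied under another name; staged .bat in %temp%.
    ("renamed_cmd_copy", re.compile(r"\bcopy\b[^\n]*cmd\.exe[^\n]*\.exe", re.I), 2),
    ("temp_bat", re.compile(r"%temp%\\[^\s\"']+\.bat", re.I), 2),
    # Anti-forensics: kill Word / delete the document.
    ("self_delete",
     re.compile(r"(Stop-Process|taskkill)[^\n]*winword|Remove-Item[^\n]*\.doc", re.I), 3),
]

# A bare run of 40+ base64 characters, optionally padded.
BASE64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{40,}={0,2})(?![A-Za-z0-9+/=])")


@dataclass
class Finding:
    name: str
    line_no: int      # 0 means "inside a decoded base64 payload"
    evidence: str
    weight: int


def scan(text: str) -> list[Finding]:
    """Run every indicator over every line of the text."""
    found = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern, weight in INDICATORS:
            m = pattern.search(line)
            if m:
                found.append(Finding(name, line_no, m.group(0)[:60], weight))
    return found


def _decode_preview(raw: bytes) -> str:
    # PowerShell -EncodedCommand payloads are UTF-16LE: ASCII text shows up as
    # every second byte being zero.
    if raw and len(raw) % 2 == 0 and raw[1::2].count(0) == len(raw) // 2:
        return raw.decode("utf-16-le", errors="replace")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw[:40].hex()


def extract_base64(text: str) -> list[tuple[str, str]]:
    """Return (token, decoded_text) for every long base64 token that decodes."""
    out = []
    for m in BASE64_TOKEN.finditer(text):
        token = m.group(1)
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        out.append((token, _decode_preview(raw)))
    return out


def score(findings: list[Finding]) -> int:
    """Each indicator counts once, so a repeated match cannot dominate."""
    return sum({f.name: f.weight for f in findings}.values())


def triage(text: str) -> dict:
    findings = scan(text)
    decoded = extract_base64(text)
    # Second pass over decoded payloads: the memory check lives in the
    # PowerShell stage, not in the visible macro text.
    for _, plain in decoded:
        findings += [Finding(f.name, 0, f.evidence, f.weight) for f in scan(plain)]
    return {"findings": findings, "decoded": decoded, "score": score(findings)}


# ---- constructed sample, modelled on the behaviour described above ---------
PS_PLAINTEXT = "$free=(Get-CimInstance Win32_OperatingSystem).FreePhysicalMemory"
PS_B64 = base64.b64encode(PS_PLAINTEXT.encode("utf-16-le")).decode()

SAMPLE_TEXT = f'''Private Sub InkEdit1_GotFocus()
    Dim dopzekaoooooooo As String
    If Environ("USERDOMAIN") = Environ("COMPUTERNAME") Then
        Kplkaaaaaaaz.Caption = "This document contains VBA."
    End If
    dopzekaoooooooo = Kplkaaaaaaaz.Caption
End Sub
@echo off
powershell.exe -EncodedCommand {PS_B64}
'''

if __name__ == "__main__":
    report = triage(SAMPLE_TEXT)
    for f in report["findings"]:
        where = f"line {f.line_no}" if f.line_no else "decoded payload"
        print(f"{f.name:24} {where:16} {f.evidence}")
    print("score:", report["score"])
```

The second pass over decoded Base64 tokens matters here: the memory probe only becomes visible once the PowerShell stage is decoded, so a scanner that looks at the macro text alone would miss it. Scoring each indicator once keeps a long macro full of `.Caption` reads from outweighing the rarer, higher-weight checks.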