Chuck
Principal Security Engineer

Ixia’s ATI Research Center Protects Customers from (Another) Zero-Day Ransomware

July 19, 2016 by Chuck McAuley

Ixia’s Application and Threat Intelligence (ATI) Research Center continues to lead in researching, understanding, and helping to protect customers from the newest, most dangerous malware. Just this week, Ixia researchers discovered a zero-day malware mutation that relies on very sophisticated, multi-layered obfuscation code to prevent discovery by intrusion prevention system (IPS) and anti-virus (AV) engines. Ixia’s customers, both for our BreakingPoint security test products and ThreatARMOR Threat Intelligence gateway, benefit from this discovery and ThreatARMOR customers were automatically protected.

A lot of recent news has been about the reappearance of macro-based malware in Office documents. This used to be a fun party trick back in the early 2000s and is having a bit of a resurgence. We’ve been analyzing samples from disposable mail systems and found a few fun ones that make a good set of additions to our malware libraries. Below is the analysis of a macro that downloads a variant of Locky. In preparation for the annual migration to Vegas, I’m going to play this one “blind” and not use any interpreters or dynamic analysis. Just good ol’ fashioned gray matter.

Just give me the SHAs/IP’s

We don’t like it when people make us read a whole blog post only to find the necessary SHAs buried in a PDF at the bottom. So here are the two relevant SHAs we will be working with:

table

Locky Dropper

The first SHA, advertised in a mass mailing as “Your Scanned Documents Are Ready,” had the easily forgettable filename 05-07-2016_85837753.docm. I wanted to flex some easy VBS reversing chops, so we cracked it open and started looking through it.

The first step in manually analyzing malware is to identify what you actually have. The file command is indispensable:

image

It’s a Word 2007 document! Or it looks enough like one to fool us. Now we check whether it has any macros embedded inside it using Didier Stevens’ excellent oledump.py. When we run oledump, we find there are several embedded macro streams:

image

The next step is to dump out the code and start de-obfuscating the VBA. You can dump each module separately, but in this instance I found it easier to dump everything into one large file and start attacking it in vim.

image

Your entry point for macros is typically going to be AutoOpen(), seen here at line 680.

image

We can see here that 5 functions are called sequentially with some strange parameters. I find it handy to add a remark to called functions with the parameters sent. Let’s first look at CheckFoReplacementStringPA_AlphaNumDashUnder “c”:

image

Really, the only true point of interest here is on line 517. The rest of this code just does what the function name advertises on the tin: it takes a character and returns true if it belongs to the set [A-Za-z0-9_/-]. And since we know the parameter sent is a static value (“c”), the function is called once with a known answer, so as long as the logic doesn’t change, we can eliminate that code and simply return true:

image

That’s more readable. We are left with a function containing an array of numbers assigned to the variable nsGadget followed by a Boolean assignment. Remember, we are reverse-engineering malware, not trying to make this document maintain its functional purpose.

On to the next function FoReplacementStringPA_Word:

image

Once again, it’s a lot easier to normalize.

pirognoe() is a remapping of the built-in function Replace:

image

So let’s replace that, and clean up some of the code like before.

image

What’s interesting above is the string manipulation based on text from a tooltip, plus some clever Boolean logic in the iteration over the length of the string ddd. Let’s first focus on the text of UserForm1.TextBox1.ControlTipText. If we were doing dynamic analysis, we’d be able to tell from execution what the next steps were. The GUI elements aren’t exported by oledump, but you can use olebrowse to export the raw data. olebrowse is part of the python oletools package from decalage.info. olebrowse doesn’t understand the zipped OOXML container of a .docm, so you first have to unzip the document, locate the embedded OLE file that holds the VBA project (word/vbaProject.bin), and then call olebrowse on it.

image

Our required string sticks out like a sore thumb here. Here’s the string that needs to be de-obfuscated:

D!icrobrioft.XD!LHTTP10)Adodb.britr11aD!10)brih11ll.Application10)Wbricript.brih11ll10)Proc11bribri10)G11T10)T11D!P10)Typ1110)op11n10)writ1110)r11briponbri11Body10)briav11tofil1110)\filarmon.11x11

To extract this string, the easiest way was to use olebrowse to save the binary blob of this section of the Word document. Then we can use a hex editor, strings, or whatever we have available that can pull out the required string. Since it’s null terminated, you don’t need to worry too much about object framing, but there is a pretty good indicator if writing an extractor is in your future: the byte 0xC4 (196 decimal) sitting just ahead of the text matches the length of the string exactly.

First off, let’s swap that out in our code simplification efforts so we don’t need to go looking for it:

image

and now clean up the strings, remove stuff that isn’t going to do anything useful, the usual…

image

And we can see that this tooltip text is really just hiding the all too familiar XMLHTTP object and friends (ADODB.Stream, Shell.Application, WScript.Shell). It then hands each of these ProgIDs to CreateObject() and assigns the results to some rather interestingly named object variables.
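As an added example (not code from the original post), here is a small Python script that does both of the steps above offline: it pulls NUL-terminated printable strings out of a raw form-stream blob, flagging any that carry a matching length byte in front as noted above, and then undoes the tooltip obfuscation. The substitution table (split on “10)”, then “D!” to “M”, “bri” to “s”, “11” to “e”) is inferred from the string quoted above rather than read out of the macro, so the case of the substituted letters is a guess; that is harmless because CreateObject(), late-bound method names and environment variable lookups are all case-insensitive. The bytes around the string in BLOB are constructed for the example; only TIP itself comes from the document.

```python
import re

# The ControlTipText exactly as quoted above, as bytes.
TIP = (
    b"D!icrobrioft.XD!LHTTP10)Adodb.britr11aD!10)brih11ll.Application10)"
    b"Wbricript.brih11ll10)Proc11bribri10)G11T10)T11D!P10)Typ1110)op11n10)"
    b"writ1110)r11briponbri11Body10)briav11tofil1110)\\filarmon.11x11"
)

# Constructed stand-in for the raw UserForm blob saved with olebrowse: a few
# junk bytes, a one-byte length (0xC4 == 196 for this string), the text, a NUL,
# more junk and a second, unrelated string. Only TIP comes from the document.
BLOB = (b"\x00\x02\x00\x80" + bytes([len(TIP)]) + TIP + b"\x00"
        + b"\x00\x10\x00" + b"UserForm1\x00")

DELIM = "10)"
# Substitutions inferred from the string itself (the macro's Replace() calls).
# Letter case is a guess; the consumers of these strings are case-insensitive.
SUBS = (("D!", "M"), ("bri", "s"), ("11", "e"))


def candidate_strings(blob, min_len=8):
    """Return (offset, text, length_prefixed) for every NUL-terminated run of
    printable ASCII of at least min_len bytes in blob.

    length_prefixed is True when the byte immediately before the run equals
    the run's length, the framing hint noted above (0xC4 in front of a
    196-byte string). It is a heuristic, not a parse of the real form record
    layout, so a longer string or another Office version may not show it.
    """
    pattern = rb"[\x20-\x7e]{%d,}\x00" % min_len
    found = []
    for m in re.finditer(pattern, blob):
        text = m.group(0)[:-1]          # drop the terminating NUL
        start = m.start()
        prefixed = start > 0 and blob[start - 1] == len(text)
        found.append((start, text.decode("ascii"), prefixed))
    return found


def decode_tooltip(text):
    """Split on the delimiter and undo the three substitutions, giving the
    list of ProgIDs, method names and strings the macro really uses."""
    parts = []
    for piece in text.split(DELIM):
        for needle, plain in SUBS:
            piece = piece.replace(needle, plain)
        parts.append(piece)
    return parts


def deobfuscate_blob(blob):
    """Decode every length-prefixed candidate string found in blob,
    keyed by its offset."""
    return {off: decode_tooltip(txt)
            for off, txt, prefixed in candidate_strings(blob) if prefixed}


if __name__ == "__main__":
    for off, names in deobfuscate_blob(BLOB).items():
        print("length-prefixed string at offset %d:" % off)
        for name in names:
            print("   ", name)
```

Run it as a script to print the decoded list. On the real artifact you would feed it the blob olebrowse saved; newer oletools releases can also list form strings via olevba, which saves the manual step.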

We continue our cleanup onto the next function call FoReplacementStringPA_Email. Since the pattern is becoming a little familiar, I’m going to clean up more before showing:

image

I’ve added remarks to the variable and object assignments for my sanity. We will revisit those shortly. You then see our old friend nsGadget getting reintroduced to the party. When last we saw him, he was a random-looking array of integers. But here we see an iteration over the entire array to build a concatenated string. Yes, in one place we are dissecting a string into an array, and here we are building a string from an array. Such is the life of a malware author. You’ll notice the use of the ampersand (&). In the land of VBA, this means “concatenate”, not “logical and.” Also note a seemingly innocuous function called RemoveSpecialChar.

image

RemoveSpecialChar is just a wrapper around a division and a type cast. So let’s replace and simplify that:

image

In essence this for loop divides each number in the array by 16 and then casts the result to a character. Once again, flying blind here and not using a VBA interpreter, I turn to my trusty friend bash:

image

Tada! I wonder what is there? Oh what a surprise! It looks like it is yet another version of our friend Locky.
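The same division-and-cast decoder in Python, as an added example that is not part of the original post. Since the nsGadget array itself is not reproduced on this page, NS_GADGET below is a constructed array that encodes a placeholder URL under example.invalid using the same scheme (ASCII code times 16); it is not the Locky download location. guess_divisor() goes a step beyond the post: it brute-forces the divisor for the case where the macro hides it better than this one did.

```python
# Constructed stand-in for the macro's nsGadget array: each element is the
# ASCII code of one character of a placeholder URL multiplied by 16.
NS_GADGET = [1664, 1856, 1856, 1792, 928, 752, 752, 1616, 1920, 1552, 1744,
             1792, 1728, 1616, 736, 1680, 1760, 1888, 1552, 1728, 1680, 1600,
             752, 896, 880, 1664, 1632, 1600, 816, 736, 1616, 1920, 1616]


def remove_special_char(n, divisor=16):
    """Python equivalent of the macro's RemoveSpecialChar: divide, then cast
    to a character. The VBA used floating division followed by a cast, which
    rounds; here an inexact division raises so that a wrong divisor fails
    loudly instead of yielding near-miss characters."""
    q, r = divmod(n, divisor)
    if r:
        raise ValueError("%d is not a multiple of %d" % (n, divisor))
    return chr(q)


def decode_gadget(nums, divisor=16):
    """Rebuild the string the macro concatenates from the array."""
    return "".join(remove_special_char(n, divisor) for n in nums)


def encode_gadget(text, multiplier=16):
    """Inverse of decode_gadget; handy for building test data."""
    return [ord(c) * multiplier for c in text]


def guess_divisor(nums, candidates=range(1, 257)):
    """Try every candidate divisor and keep those that divide every element
    evenly and map it into printable ASCII (0x20..0x7e). A URL mixes enough
    different characters that normally only the true divisor survives."""
    hits = []
    for d in candidates:
        ok = True
        for n in nums:
            q, r = divmod(n, d)
            if r or not 0x20 <= q <= 0x7e:
                ok = False
                break
        if ok:
            hits.append(d)
    return hits


if __name__ == "__main__":
    print("divisor candidates:", guess_divisor(NS_GADGET))
    print("decoded:", decode_gadget(NS_GADGET))
```

On the real sample you would paste the integers from the macro into NS_GADGET; if the divisor is not sitting in plain sight in RemoveSpecialChar, guess_divisor() will usually narrow it to one value.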

Let’s continue to dissect this, but we will move it along a little faster, since the intent of this malware is pretty clear at this point.

image

That’s a lot of obfuscation for code that, at the end of the day, could be written like this:

image

So in summary:

  1. User receives email stating “Your newly scanned documents are available.”
  2. They open the word document
  3. Microsoft warns about the use of macros in documents, which the user ignores
  4. Word document downloads secondary payload
  5. Writes file to %TEMP%
  6. Executes file
  7. File encrypts user’s documents and demands ransom

What’s the benefit for you as a customer of Ixia? We provide these malware samples on a monthly basis for testing network-based dynamic and static analysis engines. You will soon be able to download a sample BreakingPoint test from strikecenter that emulates the delivery of both the stage 1 and stage 2 parts of the ransomware for this example. This allows you to see whether you’re actively protected against such attacks.

But what of that malicious domain listed above? By now its IP address has changed to another location. But that IP address had been listed in dynamic threat feeds for a long time, and with ThreatARMOR we’ve been blocking it since February for many reasons (phishing, malware hosting, etc.). ThreatARMOR blocks sites based on our knowledge of malicious activity by IP address, not by signature. So if you had deployed our ThreatARMOR appliance, even if this dropper managed to come through your email and was executed, the IP communication would have been blocked and you would have been protected from damage, even before any IPS in the world could detect it. The communicating server for this malware, at 79.170.44.88, has been host to numerous malicious activities since we started monitoring it. When we first discovered this version of Locky it was only detected by three antivirus engines, and that quickly ballooned to over 30 engines in the course of one day. That’s some pretty fast detection, but even better is preventing it from reaching your network in the first place. And because we’ve included this malware in our BreakingPoint ATI subscription, the IPS and next-gen firewall vendors who test with it will be able to protect their customers as well.

LEVERAGE SUBSCRIPTION SERVICE TO STAY AHEAD OF ATTACKS

The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.