360 Security Guard · 2016/05/09 11:53

Author: 360 Eye Lab

0x00 Overview


Man is doing, Heaven is watching.

Ransomware hangs over the Internet like an ever-darkening cloud, out of which lightning can strike the average user at any moment. The anonymity of Bitcoin-based payment lets ransomware close its money-making loop with ease, and the Locky family is perhaps the most voracious of these digital kidnappers, casting as wide a net as possible to make as much money as it can.

Locky is naturally closely monitored and continuously tracked by 360 Eye Lab. Based on data from the 360 Threat Intelligence Center, the following heat map shows Locky sample submissions since November 2015. Two large waves of activity are visible in March and April 2016, and early May already shows more submissions than all of April. In fact, the campaign of May 3, 2016 may have been the largest wave of attacks in history.

In the last two days, 360 Eye Lab captured a batch of the latest Locky ransomware delivery samples. Like most Locky samples, this batch uses macro code in a Word document to download and execute the Locky payload:

  • Malicious macro code was inserted into Word documents
  • The victim opens the Word document and allows the macro code to execute
  • The malicious macro uses the Microsoft.XMLHTTP object to download the ransomware from a specified URL and saves it as hendibe.exe
  • Finally, Shell.Application is called to execute the malware

It is worth noting that the macro code in this series of samples consists largely of macro code with legitimate functionality, into which the attacker has scattered the malicious code. Without careful inspection it is hard to notice that the apparently normal macro code carries malicious code. In addition, the object names the malicious code needs are stored obfuscated in the ControlTipText property of the UserForm2.Image1 control, and the download URL is stored encrypted, so the samples evade detection well: on VirusTotal only 6 antivirus engines flag them, which proves the point.

Interestingly, the Chinese version of Office, and most other non-Western-language versions of Office, are naturally “immune” to this series of samples (the malicious macro code never triggers). So this batch is probably not aimed at China, but a customized version may well be on its way, which is why we carried out a brief analysis of this series of samples.

0x01 Sample analysis


The samples captured by 360 Eye Lab came in both .doc and .docm formats, which the attackers used to make sure that users of Office 2003 as well as Office 2007 and later could execute the corresponding macro code; the internal functionality of all samples is the same. We therefore use a .docm malicious document as the analysis case.

Detection evasion

Here is the VirusTotal screenshot; as you can see, most antivirus engines failed to identify the malware in these samples:

Legitimate-looking macro code

Looking at the macro code in the document, we find that it is mostly code for mathematical formulas, complete with comments such as function descriptions, so it looks normal. As shown in the figure:

Data hidden in ControlTipText

However, one piece of code caught our attention: it reads some data from a property of the Image1 control and does something like this:

The sOvet_FATSO function is simply a Replace:

Analysing this code, its general function is as follows:

Read the ControlTipText property of the UserForm2.Image1 control to obtain a string, then use sOvet_FATSO to replace 00 with e, D! with M and bri with s. Finally, split the string on the separator 10) with Split to generate an array.

The following string is extracted from UserForm2.Image1.ControlTipText:

D!icrobrioft.XD!LHTTP10)Adodb.britr00aD!10)brih00ll.Application10)Wbricript.brih00ll10)Proc00bribri10)G00T10)T00D!P10)Typ0010)op00n10)writ0010)r00briponbri00Body10)briav00tofil0010)\hendib00.00x00

After the substitution described above, the string looks like this:

Microsoft.XMLHTTP10)Adodb.streaM10)shell.Application10)Wscript.shell10)Process10)GeT10)TeMP10)Type10)open10)write10)responseBody10)savetofile10)\hendibe.exe

As you can see, the string contains several object and method names commonly used in malicious macros, so this seemingly normal macro code may not be so “normal” after all.

Malicious macro code execution flow

Further analysis of the macro code shows that this is a malicious Word document which inserts malicious macro code into legitimate macro code, obfuscates the key strings, and stores the download URL encrypted in order to evade antivirus detection.

The execution flow of malicious macro code is as follows:

1. Read the UserForm2.Image1.ControlTipText string and replace the specified characters:

Microsoft.XMLHTTP10)Adodb.streaM10)shell.Application10)Wscript.shell10)Process10)GeT10)TeMP10)Type10)open10)write10)responseBody10)savetofile10)\hendibe.exe

2. Split the resulting string on 10) into an array and pass it to sOvet__57:

sOvet__57 = Split(asOvet, "10)")

3. Reference each member of the sOvet__57 array via CreateObject and the like

4. Divide each byte of the encrypted URL by 16 to decrypt it

5. Perform the download:

  • Download the file using Microsoft.XMLHTTP
  • Save it to TMP via the savetofile method of adodb.streaM under the name hendibe.exe
  • Finally, use shell.application to execute the downloaded EXE

Decrypt the URL

The sample uses “?” as a separator and Split to generate an array, which is passed to the decryption function. During debugging, however, we found that the Split call in the sample's macro code was missing its closing parenthesis, so executing the sample produced an error:

After adding the missing “)” to the Split call, the decoded URL is garbled:

At this point we initially assumed that the attacker was still testing the sample's evasion, because such code could normally not execute at all, and even if it did, the resulting URL would be wrong and the malware could not be downloaded.

0x02 Chinese Office is naturally “immune”


Extracting the raw encrypted data from the binary

Just as we were about to close the analysis with the conclusion that this series of samples was the attacker testing evasion, we took a look at the encrypted URL in the sample's raw binary data and unexpectedly found that it did not match the data shown in the Word macro editor: in the binary, the separator of the encrypted URL is not “?” but 0xA8:

The encrypted URL array displayed in the Word macro editor looks like this:

Split("1664? 856? 856? 792? 28? 52? 52? 840? 680? 728? 888? 616? 824? 728? 776? 824? 600? 840? 36? 552? 904? 552? 824? 600? 840? 792? 552? 584? 616? 36? 584? 776? 744? 52? 96? 12? 936? 648? 80? 568? 760? 744? 744? 776? 680 ", "?

The byte corresponding to each “?” is 0xA8, and the byte following 0xA8 has been “devoured” by Word, so the displayed array cannot be decrypted by the algorithm in the macro code!

VBA “BUG”

It turns out that VBA uses ANSI encoding, and the code above is fine under English Office: VBA correctly recognizes 0xA8 as the delimiter. In Chinese Office and other non-Western-language Office environments, however, 0xA8 and the byte after it are processed together as one character.

Once we had found the cause, we successfully decrypted the URL by replacing 0xA8 with the visible character space (0x20) and using 0x20 as the delimiter:
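To make both decoding steps concrete, the following is an added example (not code from the sample or from 360 Eye Lab): it reproduces the ControlTipText substitution from the execution-flow section and models the 0xA8 delimiter problem described in this section. The hidden string is the one quoted from the sample; the download URL is a constructed placeholder, and the double-byte rendering is a simplified model of the behaviour described, not a full GBK decoder.

```python
# Added example (not the sample's own code): both obfuscation layers of the
# macro analysed above. The hidden string is the one quoted from the sample;
# "http://example.invalid/file.exe" is a constructed placeholder URL.

# Layer 1: the string hidden in UserForm2.Image1.ControlTipText
HIDDEN = ("D!icrobrioft.XD!LHTTP10)Adodb.britr00aD!10)brih00ll.Application10)"
          "Wbricript.brih00ll10)Proc00bribri10)G00T10)T00D!P10)Typ0010)op00n10)"
          "writ0010)r00briponbri00Body10)briav00tofil0010)\\hendib00.00x00")


def decode_hidden(s: str) -> list:
    """sOvet_FATSO: 00 -> e, D! -> M, bri -> s, then Split on '10)'."""
    return s.replace("00", "e").replace("D!", "M").replace("bri", "s").split("10)")


# Layer 2: the URL stored as (byte * 16) decimal numbers, delimited by 0xA8
DELIM = 0xA8
PLACEHOLDER_URL = "http://example.invalid/file.exe"   # constructed


def encode_url(url: str) -> bytes:
    """Reverse of the macro's 'divide each byte by 16' step."""
    return bytes([DELIM]).join(str(ord(c) * 16).encode() for c in url)


def render_dbcs_model(raw: bytes) -> str:
    """What Chinese Office shows: 0xA8 acts as a double-byte lead byte, so the
    editor swallows the following digit and displays one '?'. Simplified model
    (every byte >= 0x81 is treated as a lead byte), not a full GBK decoder."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] >= 0x81 and i + 1 < len(raw):
            out.append("?")            # lead byte + devoured trail byte
            i += 2
        else:
            out.append(chr(raw[i]))
            i += 1
    return "".join(out)


def decrypt_url(text: str, delim: str) -> str:
    """The macro's decryption: Split on delim, divide by 16, Chr()."""
    return "".join(chr(int(v) // 16) for v in text.split(delim) if v)


def fix_delimiter(raw: bytes) -> bytes:
    """The article's workaround: swap 0xA8 for a visible space (0x20)."""
    return raw.replace(bytes([DELIM]), b" ")
```

Decoding the single-byte (cp1252) rendering with "\xa8" as delimiter recovers the URL, the double-byte rendering yields the "1664?856?856?792?..." pattern seen in the editor and decrypts to garbage, and replacing 0xA8 with 0x20 before decoding recovers the URL again.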

Using this address, an EXE file could be downloaded successfully. A quick analysis showed the EXE to be a sample of the Locky ransomware family.

Brief analysis of the downloaded Locky

A brief analysis of the sample showed that its execution flow is consistent with most ransomware, so no detailed analysis is given here. The sample's general behaviour is as follows:

1. After execution, the sample communicates with the C&C servers

109.73.234.241:80

185.22.67.108:80

2. Reads the user's machine environment information and generates an identity ID

3. POSTs the user's machine information to the C&C server

4. Obtains the public key and encrypts the targeted files

5. Launches vssadmin.exe to delete all volume shadow copies

vssadmin.exe Delete Shadows /All /Quiet

6. Generates the ransom note file and changes the desktop background

0x03 Conclusion


All download addresses of these samples were still valid when this article was completed. According to monitoring data from the 360 Threat Intelligence Center, such samples were first captured on May 6th, and a round of growth is likely to follow:

Domestic users should not take this attack lightly just because the Chinese version of Office happens to be “immune” to this batch of samples. Ransomware will predictably be used more and more by cybercrime groups, and the defence against this kind of attack is still prevention: install antivirus software, back up important files regularly, and be especially careful when opening attachments from unfamiliar emails.

0x04 IOC


The following IOC data are for the reference of the security industry:

Type      Value
C&C IP    109.73.234.241:80
C&C IP    185.22.67.108:80