On March 16, FortiGuard Labs captured a new Word file that spreads malware by executing malicious VBA (Visual Basic for Applications) code. The sample targeted both Apple Mac OS X and Microsoft Windows systems. We then analyzed the sample, and in this blog we are going to explain how it works, step by step.
When the Word file is opened, it shows notifies victims to enable the Macro security option, which allows the malicious VBA code to be executed.
Malicious Word File is Opened
Figure 1. Asks victim to enable Macro security option
Use the Visual Studio debugger to quickly find and fix bugs across languages. The Visual Studio for Mac debugger lets you step inside your code by setting Breakpoints, Step Over statements, Step Into and Out of functions, and inspect the current state of the code stack through powerful visualizations. The Visual Basic button opens the Visual Basic Editor, where you create and edit VBA code. Another button on the Developer tab in Word and Excel is the Record Macro button, which automatically generates VBA code that can reproduce the actions that you perform in the application.
Once the malicious VBA code is executed, the AutoOpen() function is automatically called. The first thing it does is read the data from the “Comments” property of the Word file.
Figure 2. The property “Comment” of the Word file
The value of the “Comments” is base64 encoded, which can be read out and decoded by the VBA code below:
After it’s base64-decoded, we can capture the code in plaintext, which is python script, as shown below.
Next, it takes a different route depending on the OS type, Apple Mac OS X or Microsoft Windows, that it is running on. You can see this in the the flow chart in Figure 3.
Figure 3. Calling different route according to OS type
We have found that this malicious VBA code uses slightly modified code taken from a metasploit framework which you can find at hxxps://github.com/rapid7/metasploit-framework/blob/master/external/source/exploits/office_word_macro/macro.vba
How it Works for Apple Mac OS X
As you probably know, Mac OS X comes with Python pre-installed by Apple. This allows it to execute python scripts by default. As you can see above, the base64-decoded python script is passed to the ExecuteForOSX function that is going to execute it at the bottom of the function (see Figure 3).
The python script is easy to understand. It extracts the code from a base64-encoded string, and then executes it. It is decoded below, and as you can see, it is a very clear python script.
When the python script is executed, it downloads a file from “hxxps://sushi.vvlxpress.com:443/HA1QE”, and executes it. The downloaded python script is a slightly modified version of the Python meterpreter file, which is also part of the Metasploit framework. The source code of the project can be downloaded from the following URL: hxxps://github.com/rapid7/metasploit-payloads/blob/master/python/meterpreter/meterpreter.py.
The major changes between the downloaded file (HA1QE) and the original file are the following:
Figure 4. Differences between HA1QE and meterpreter.py
The HTTP_CONNECTION_URL constant (hxxps://sushi.vvlxpress.com:443/TtxCTzF1Q2gqND8gcvg-cwGEk5tPhorXkzS0gXv9-zFqsvVHxi-1804lm2zGUE31cs/) is set to the Metasploit end-point that the script will be connecting to.
The PAYLOAD_UUID constant is used as an identifier for the client, which we believe is also being used by the attackers for campaign-tracking purposes.
Once the script is executed, it attempts to connect to the host “sushi.vvlxpress.com” on port 443. But at the time the request was made during our analysis, the listener (server) was not answering client requests.
Figure 5. Wireshark showing TCP retransmission error while connecting to the server
The python process remains active on the system while trying to connect to a reachable server.
Figure 6. Python script attempting connection to listener
How it Works for Microsoft Windows
Although the argument of the ExecuteForWindows function is as same as the ExecuteForOSX function, it does not use it. What it does instead is making a DOS-style command string starting with cmd.exe. When it is executed, powershell.exe is started without window (-w hidden), and it executes the base64-encoded code (-e base64-encoded code.) For more details, see the following screenshot.
Figure 7. Dos-style command
It’s base64 again. This malware’s author likes using base64 to encode the sensitive code. We will see more base64 encoded data in the rest of the analysis.
Decoding the base64-encoded data, we get the following powershell script:
The main job of the above powershell script is to decompress a piece of gzip data, which is in base64-encoded code, to get another powershell script (by calling FromBase64String() and GzipStream()) and execute it (by calling Start($s)).
Next, let’s move on to see the decompressed powershell code. To improve understanding, I modified some of the function and variable names.
Here is the code snippet:
From the above powershell code we can see that it first decodes the base64-encoded data. In fact, it is 64-bit binary code that is going to be executed later. Then, it allocates a buffer in the current process (powershell.exe) and copies the 64-bit code into the buffer by calling the VirtualAlloc and Copy functions. Finally, it calls the CreateThread function, whose thread function points to the new buffer. That means that the 64 bit code is the thread function and is executed. Based on our analysis, this malware only affects 64-bit Windows.
Figure 8. 64-bit ASM code
We analyzed the 64-bit code in IDA Pro, as shown in the above screenshot. Once it starts, it downloads a file from “hxxps://pizza.vvlxpress.com:443/kH-G5” into a newly allocated buffer. The downloaded file is actually a 64-bit DLL file. Before the thread function finishes, its stack return address is set to the newly allocated buffer that holds the downloaded 64-bit DLL. That means that the 64-bit DLL gets executed when the thread function is returned.
Next, we see that the DLL can communicate with its server, such as “hxxps:// pizza.vvlxpress.com:443/5MTb8oL0ZTfWeNd6jrRhOA1uf-yhSGVG-wS4aJuLawN7dWsXayutfdgjFmFG9zbExdluaHaLvLjjeB02jkts1pq2bR/”. We can see it in the debugger, as shown below.
Figure 9. Communication with its server
At this point, we are still working on analyzing the downloaded DLL and trying to gather more information from it. We’ll share more details about this malware later as we uncover more interesting details.
Mitigation
The original Word sample file has been detected as “WM/Agent.7F67!tr” by FortiGuard AntiVirus service.
IoCs
Word Visual Basic For Applications Macro
URL:
hxxps://sushi.vvlxpress.com:443/HA1QE
hxxps://pizza.vvlxpress.com:443/kH-G5
hxxps://pizza.vvlxpress.com:443/5MTb8oL0ZTfWeNd6jrRhOA1uf-yhSGVG-wS4aJuLawN7dWsXayutfdgjFmFG9zbExdluaHaLvLjjeB02jkts1pq2bR/
hxxps://sushi.vvlxpress.com:443/TtxCTzF1Q2gqND8gcvg-cwGEk5tPhorXkzS0gXv9-zFqsvVHxi-1804lm2zGUE31cs/
Sample SHA256:
Sample.doc 06A134A63CCAE0F5654C15601D818EF44FBA578D0FDF325CADFA9B089CF48A74
HA1QE.py 3A0924D55FB3BF3C5F40ADCE0BD281D75E62D0A52D8ADFA05F2084BA37D212C8
kH-G5.dll C36021A2D80077C2118628ED6DB330FEF57D76810FF447EF80D2AB35B95099BC
Sign up for weekly Fortinet FortiGuard Labs Threat Intelligence Briefs and stay on top of the newest emerging threats.
Applies to all versions except Word 2008. Word 2008 does not support VBA.
If someone on a newsgroup gave you a macro or some VBA to fix a problem, this is what you do with that text. Macros in Word are written in a coding language called VBA, or Visual Basic for Applications. This article explains how to install a macro step by step. It assumes no prior knowledge, but does presume that you have the text of the macro ready to copy.
Go to Tools>Macro>Macros…. You will get a dialog box that lists all existing macros, if you have any. In the box for Macro Name, type a name for your macro—the name must not contain spaces. Click Create.
Naming Macros: It is conventional to express VBA names with each word capitalized and the spaces taken out. For example: 'ToggleWebToolbar.' If you do use capitalization as suggested, Word will expand the name into a tooltip (yellow balloon) when you place a button for the macro on the toolbar. For example, the tooltip will read 'Toggle Web Toolbar.'
After clicking Create, Word will dump you into the Visual Basic Editor (VBE, the environment where one can write and edit macros written in VBA). It may look very strange to you. Basically, it’s a three-pane layout, and the code you are about to work on should be in the right-hand (largest) pane.
You will see something like:
Sub MyMacroName()
'
' MyMacroName Macro
' Macro created 03/08/05 by Me
'
[cursor will be here]
End Sub
You can paste the provided macro code right where the cursor is.
Lines that begin with an apostrophe ' are comments. When you run the macro, the comment lines are ignored. All macros created by Word include these two lines of information. It’s a very good idea to update them or add more information so that in a few years time you will know where this macro came from and what it was supposed to do.
In most cases, the code you have been given will paste without any problems or any red text, and you can test it. However, you may need to make some trivial fixes.
Common Problems: All macros must start with a Sub statement and end with an End Sub. If the code someone gave you already had the Sub/End Sub in it, you will need to delete the extra Sub lines. It is conceivable that a sophisticated piece of code may also contain Function() and End Function statements: for the purposes of this article, treat them as equivalent.
Lines that show up in red have errors. This is most likely because there are line breaks in the wrong place, since newsgroups and email can force shorter line breaks. To fix these, place your cursor at the end of the first red line, and start tapping Delete. When you delete all the invisible spaces and carriage returns, the next line will move up and that may fix the problem. Do not delete any visible characters. Be aware that the statement in red may continue over three or four lines. You may need to re-enter a space that you delete.
Laptop users: the delete key usually behaves as a backspace key. You could also backspace from the beginning of the lines in red, to let the VBE wrap the lines naturally.
Also, if you copied the macro from a web browser and pasted directly into the VBA editor, you are likely to run into the 'non-breaking-space bug.' In the web browser, all the spaces were transposed into non-breaking spaces to preserve the layout, because HTML rules crunch multiple spaces into one. The cure is to replace all the spaces in front of the red lines with 'real' spaces, and the problem will go away. If you have to do a lot of them, paste the text first into a blank Word document, then use Find/Replace to replace the non-breaking spaces with ordinary spaces.
To Test the Macro: in the VBE, click on the W button or use Word>Close And Return To Microsoft Word to go back to Word. Go to Tools>Macro>Macros…, select the macro name in the list, and click Run.
If you expect to run the macro regularly, you can assign it to a keyboard shortcut, toolbar, or menu. See Useful Articles for explanations on how to do so. To learn more about the Visual Basic Editor and organizing Macros, click here.
More Complex Errors:
If the test run fails, return to Tools>Macro>Macros…, select the name of your macro, and click Edit. This will take you back to the Visual Basic Editor (VBE) and show you the code of your macro. Go to the Debug menu and choose Compile Normal (by default, the macro will have been saved in the Normal template).
It should appear as though nothing happened. If there is still a problem, Word will pop up an error and highlight the statement that contains it in yellow. You can look up the error messages in the VBA Help. However, for the purposes of this article, we can assume that there are only three causes:
- In your fixing of the code, you have damaged one of the statements.
- The macro you have been sent was created for WinWord and requires some changes to run on a Mac.
- The macro you have been sent is incomplete and never did work, even for the author!
Whatever the cause, unless you know VBA well, it will be much quicker to go back to the newsgroup or source of the code and ask. Suggest that the author send you the code again, and this time formats his/her message in HTML. HTML encoding is frowned upon in newsgroups, but it prevents these problems with broken line endings.
If the author of the code has created it in Windows, post the text of the code into the MacWord newsgroup and ask; the more sophisticated the macro, the more likely it is that it will require changes to run in MacWord. The person using Windows will not be able to help, because it is very difficult for even an experienced coder to tell what will work on the Mac and what won’t: the only reliable way is to compile the macro in MacWord and try it. In general, anything that will run in WinWord 97 will work on the Mac; anything that requires VBA6 will require tricky workarounds on the Mac.
If you suspect number 3, you might delicately ask if the author tested the code before sending it to you. Unfortunately, the Internet being what it is, there are people out there who for some reason sometimes send you code they haven’t tested that doesn’t work.
More Useful Articles About Macros
These articles were written with WinWord in mind, but all will work for MacWord. The exact location of menus might be a little different, but the terms will be the same and changes should be self-evident. Some of the articles give keyboard shortcuts to open dialogs, however, which will not work on the Mac; you will have to use the menus. If you have problems, post the article link and the exact text that confuses you on the Microsoft Answers site.
Attention Safari Users: These links will not work immediately—you will need to hit Reload a few times, or use a different browser.
Basics:
Creating a macro with no programming experience using the recorder
How to assign a macro to a toolbar
How to assign a macro to a keyboard shortcut
Understand that a macro and how you access it are separate items. When you record a macro, Word offers you the chance to assign it to a toolbar or keyboard shortcut. Nevertheless, that toolbar/keyboard assignment is not part of the macro. It is a separate setting in Word, layered on top of the macro. If you send the text of a macro to a friend, for instance, the toolbar/keyboard assignment will not travel with it.
Slightly More Advanced:
How to modify a recorded macro
Running a macro automatically when Word starts or quits
Word Visual Basic For Applications Macroeconomics
Running a macro automatically when a document is created, opened or closed