Welcome to the VMRay Malware Analysis Report Recap. Every month our Research Team provides a recap of the malware analysis reports posted to the VMRay Twitter account. This past October, our team analyzed a Word document using a sandbox evasion technique, the execution of shellcode via Dynamic Data Exchange, and NotPetya reborn as BadRabbit. Click the links below to jump to a specific report.
- Word Doc. Drops Context-Aware Payload
- EXE File, Executing an Obfuscated Script Written in AutoIt Gains Access to Passwords and Data
- Macro-less Word Doc. Uses DDE to Execute Powershell and Download DLL
- RTF Doc. Uses CVE-2017-8759 Exploit to Execute Code
- Privileged kernel Code Executed from Fake Flash Installer Used in the BadRabbit Ransomware Attack
Report Name: Word Doc. Drops Context-Aware Payload
September 25, 2017
We’ve seen a number of social engineering techniques used to trick end-users into enabling macros in Office documents. This sample uses the same tactic, telling the end-user that macros must be enabled in order to view the content (Figure 1).
If macros are enabled, a malicious executable is downloaded and executed (Figure 2).
In Figure 3, the sample attempts sandbox evasion by checking for the presence of four different sandboxes.
Report Name: EXE File, Executing an Obfuscated Script Written in AutoIt Gains Access to Passwords and Data
October 4, 2017
The Self-Extracting Executable (SFX) we analyzed hides its commands inside a French-language description of ‘Game of Thrones’ (most likely copied from Wikipedia, see Figure 3). The files are extracted to the temp folder, and an AutoIt interpreter named “cih.exe” is started with the AutoIt script “cvn-nhc”.
Without the Game of Thrones text, the SFX script boils down to the following (Figure 4):
The AutoIt script is obfuscated (Figure 5); it injects into processes and uses NirSoft software to extract passwords and browsing history from Internet Explorer (Figure 6).
Report Name: Macro-less Word Doc. Uses DDE to Execute Powershell and Download DLL
October 11, 2017
Sensepost first reported a new attack method that executes shellcode via Dynamic Data Exchange (DDE) without using macros. In this analysis, we see Microsoft Word prompting the user to allow execution of the DDE command (Figure 7).
Once the user clicks “Yes”, the DDE command executes cmd, which in turn launches PowerShell. The sample then uses PowerShell to run a malicious DLL (Figure 8).
For more detail on this DDE technique, read our full analysis blog post.
Report Name: RTF Doc. Uses CVE-2017-8759 Exploit to Execute Code
October 24, 2017
This sample was first reported by Twitter user @Jameswt_mht. Before the document is opened, Microsoft Word prompts the user to update a set of linked files (Figure 9). This happens because the RTF document was modified so that a specific object is updated (Figure 10).
If the user allows the update of the RTF document in Word, Word then attempts to download a “picture”. This can be seen in the text view as the field command “INCLUDEPICTURE”. The “picture” raises suspicion because the link points to a PHP page rather than an image file. In the Network Behavior section of the VMRay Analyzer report, we can see that the “picture” is really the payload: it retrieves a malicious SOAP WSDL definition from an attacker-controlled server, which in turn starts an HTA script file, also fetched from the attacker-controlled server.
The HTA script then starts a series of PowerShell scripts. At this point, the attacker is in full control of the target machine.
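Both the DDE report above and this RTF report hinge on a Word field code that the user is asked to update: a DDE/DDEAUTO instruction in the first case, an INCLUDEPICTURE instruction pointing at a remote PHP page in the second. The following scanner is an added example (not VMRay's tooling or the reports' own code) that extracts field instructions from a .docx or .rtf and flags those two patterns; the sample documents it scans are constructed placeholders.

```python
"""Flag the DDE/DDEAUTO and remote-INCLUDEPICTURE field tricks described above
(macro-less execution and the CVE-2017-8759 RTF lure). Added example, not VMRay's tooling."""
import io, re, zipfile

DDE_RE = re.compile(r'\bDDE(AUTO)?\b', re.IGNORECASE)
PICTURE_RE = re.compile(r'\bINCLUDEPICTURE\b.*?(https?://\S+)', re.IGNORECASE | re.DOTALL)

def fields_from_docx_xml(xml_text):
    """Join the w:instrText runs of each field (fldChar begin..end) in document.xml."""
    fields = []
    for block in re.findall(r'w:fldCharType="begin".*?w:fldCharType="end"', xml_text, re.DOTALL):
        fields.append(''.join(re.findall(r'<w:instrText[^>]*>(.*?)</w:instrText>', block, re.DOTALL)))
    return fields

def fields_from_rtf(rtf_text):
    """Collect field instructions from RTF {\\field{\\*\\fldinst ...}} groups."""
    return re.findall(r'\\fldinst\s*\{?\s*([^{}]*)', rtf_text)

def classify(instr):
    """Return a finding label for one field instruction, or None if benign."""
    if DDE_RE.search(instr):
        return 'dde-field'
    m = PICTURE_RE.search(instr)
    return 'remote-picture:' + m.group(1).strip('"') if m else None

def scan_document(data):
    """Scan raw bytes of a .docx (zip container) or .rtf file; return findings."""
    if data.startswith(b'PK'):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            fields = fields_from_docx_xml(z.read('word/document.xml').decode('utf-8', 'replace'))
    elif data.startswith(b'{\\rtf'):
        fields = fields_from_rtf(data.decode('latin-1'))
    else:
        return []
    return [f for f in map(classify, fields) if f]

def sample_docx():
    """Constructed .docx whose DDEAUTO instruction is split across two runs."""
    xml = ('<w:document><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
           '<w:r><w:instrText xml:space="preserve"> DDEAUTO "app-placeholder" </w:instrText></w:r>'
           '<w:r><w:instrText>"args-placeholder"</w:instrText></w:r>'
           '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as z:
        z.writestr('word/document.xml', xml)
    return buf.getvalue()

# Constructed RTF with an INCLUDEPICTURE field that points at a remote PHP page.
SAMPLE_RTF = rb'{\rtf1{\field{\*\fldinst { INCLUDEPICTURE "http://example.invalid/image.php" \\d }}{\fldrslt }}}'
```

Joining the instrText runs matters because Word routinely splits one instruction over several runs, so a check on any single run would miss the DDEAUTO keyword.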
Report Name: Privileged kernel Code Executed from Fake Flash Installer Used in the BadRabbit Ransomware Attack
October 25, 2017
NotPetya ransomware resurfaced at the end of October as BadRabbit. Essentially, this campaign is the equivalent of malware authors putting a new label on an old product.
In this analysis the malware poses as an Adobe Flash update; in reality it is a dropper containing several payloads. In the first step, the fake Flash update executes the dropped “infpub.dat”, which is the main controller of the ransomware (Figure 13).
The process “infpub.dat” schedules a reboot that runs “dispci.exe” on startup. “dispci.exe” is responsible for modifying the master boot record.
Looking further into the analysis, DiskCryptor is embedded as a resource of BadRabbit and is dropped as “cscc.dat” on the target machine to encrypt the files (Figure 14).
The Network Behavior section of the report shows the similarities with NotPetya. Both NotPetya and BadRabbit scan the local network for other hosts and use an SMB tool to execute themselves on those machines (Figure 15).
After encrypting files and spreading over the local network, the scheduled reboot takes effect as verified in the VTI Score (Figure 16).
The first reboot does not show the “Bad Rabbit” boot message because the scheduled “dispci.exe” only begins overwriting the master boot record at that point; a second reboot is needed before the “BadRabbit” boot message appears.
In summary, there wasn’t anything particularly new about BadRabbit. The malware authors pieced together parts from NotPetya, the open-source DiskCryptor, and some additional freeware into a glued-together piece of malware.
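The chain above (infpub.dat dropped and started, cscc.dat dropped, dispci.exe scheduled for the reboot) is a sequence rather than a single indicator, so a detection that correlates the stages per host in that order is more robust than matching one file name. The following is an added example, not VMRay's code; the event line format and the log lines are constructed for the demonstration.

```python
"""Correlate the BadRabbit chain described above from host telemetry: the
dropper writes infpub.dat, infpub.dat drops cscc.dat (DiskCryptor) and
schedules dispci.exe to run at reboot. Added example, not VMRay's code; the
event format and log lines are constructed."""
import re
from collections import defaultdict

# Each stage is a pattern over one event line; list order is the expected chain order.
STAGES = [
    ('controller_dropped', re.compile(r'^FileCreate .*\\infpub\.dat$', re.I)),
    ('controller_started', re.compile(r'^ProcessCreate .*\\infpub\.dat', re.I)),
    ('diskcryptor_dropped', re.compile(r'^FileCreate .*\\cscc\.dat$', re.I)),
    ('mbr_writer_scheduled', re.compile(r'^TaskCreate .*\\dispci\.exe', re.I)),
]

def stages_per_host(lines):
    """Map host -> list of chain stages seen, in order of first appearance."""
    seen = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        _ts, host, event = line.split(' ', 2)   # constructed "<timestamp> <host> <event ...>"
        for name, pat in STAGES:
            if pat.search(event) and name not in seen[host]:
                seen[host].append(name)
    return seen

def badrabbit_hosts(log_text, min_stages=3):
    """Hosts on which at least min_stages of the chain occurred, in chain order."""
    order = [n for n, _ in STAGES]
    hits = []
    for host, stages in stages_per_host(log_text.splitlines()).items():
        in_order = stages == [s for s in order if s in stages]
        if in_order and len(stages) >= min_stages:
            hits.append(host)
    return sorted(hits)

# Constructed telemetry: host1 shows the full chain, host2 only an isolated file drop.
CONSTRUCTED_LOG = """\
2017-10-24T10:00:01 host1 FileCreate C:\\Windows\\infpub.dat
2017-10-24T10:00:02 host1 ProcessCreate C:\\Windows\\infpub.dat
2017-10-24T10:00:03 host1 FileCreate C:\\Windows\\cscc.dat
2017-10-24T10:00:04 host1 TaskCreate name=placeholder cmd=C:\\Windows\\dispci.exe
2017-10-24T10:05:00 host2 FileCreate C:\\Users\\bob\\Downloads\\cscc.dat
"""
```

Requiring the stages in chain order keeps a lone file named cscc.dat from triggering an alert while still catching the full dropper-to-scheduled-reboot sequence.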