Tale of a Polished Carrier

Posted on 2020-07-27 by Josiah Smith
This post covers a rather interesting file that was uploaded to [VT](https://www.virustotal.com/gui/file/46afa83e0b43fdb9062dd3e5fb7805997c432dd96f09ddf81f2162781daaf834/summary) with low detection (3/61) on 7/18/2020. Since [InQuest Labs](https://labs.inquest.net/) drives many of our interesting finds, this particular sample was deemed malicious there and carried the following heuristic behaviors:

* Macro with Startup Hook: Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
* Macro Execution Coercion: Detected a document that appears to social engineer the user into activating embedded logic.

Review the Heuristics, Semantic content, and embedded Logic on [InQuest Labs](https://labs.inquest.net/dfi/sha256/46afa83e0b43fdb9062dd3e5fb7805997c432dd96f09ddf81f2162781daaf834), but don't forget to pivot to other related samples.

The first impression a potential target gets is a coercive image stating that the document includes a "Digital Signature by GlobalSign". This is a common tactic used to social engineer the unsuspecting recipient into enabling the active content. Of interest, InQuest has been busy collating the various graphical assets used in these attacks; check out the collection of [Malware Lures!](https://inquest.net/malware-lures-gallery)

Fig 1. Coercive Lure: https://github.com/InQuest/malware-samples/blob/master/2020-07-GlobalSign/coercive_lure_png

The document's visible content concerns sustainability and greenhouse gas emissions. Coupled with the [embedded text](https://labs.inquest.net/dfi/sha256/46afa83e0b43fdb9062dd3e5fb7805997c432dd96f09ddf81f2162781daaf834#dfi-lite-semantic) found in the semantic layer section, the intent is to instill a sense of legitimacy in the unsuspecting target.

Fig 2. Topical Chart: https://github.com/InQuest/malware-samples/blob/master/2020-07-GlobalSign/image3_jpeg

After some quick research on the embedded content (Googling the first sentence from the semantic layer), it's immediately apparent where the content was lifted from.

Figure 3. Content lifted from bpaww.com

Once the content has been enabled, the embedded macro is the first piece of logic to execute. The screenshot in Figure 4 shows the filtered contents of the embedded logic layer from the [original sample](https://labs.inquest.net/dfi/sha256/46afa83e0b43fdb9062dd3e5fb7805997c432dd96f09ddf81f2162781daaf834#dfi-lite-embedded+Y1J8bkxlbnxDcmVhdGVPYmplY3R8ZG9WZXJifEhlbHBEb2N8ZG9jdW1lbnRz).

Figure 4. InQuest Labs highlight of initial macro logic.

Line 41 of that listing is an interesting technique that is likely an anti-emulation pattern: it needs a working Excel COM automation server to instantiate and a real one-second delay to elapse, neither of which a macro emulator or stripped-down sandbox is guaranteed to reproduce.

```
CreateObject("Excel.Application").Wait (Now + TimeValue("00:00:01"))
```

The embedded macro also contains a `.DoVerb 200` pivot, something you don't see very often. An encrypted document, "HelpDocumented.docm", is embedded within the sample; its password is the value of the `nLen` parameter ("1008744") found at line 70. The maldoc uses the Windows built-in hh.exe (HTML Help) to extract the embedded content. The HTML Help technique was covered as far back as 2017 by [@Oddvarmoe](https://twitter.com/Oddvarmoe) and later [@xme](https://twitter.com/xme); see their write-ups here:

* [Bypassing Device guard UMCI using CHM – CVE-2017-8625](https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/)
* [Malware Delivered via a Compiled HTML Help File - /dev/random](https://blog.rootshell.be/2017/12/19/malware-delivered-via-compiled-html-help-file/)

Additional data is retrieved from mailsigning.pythonanywhere[.]com, a shared provider where users are able to host their Python code in the cloud.
At the time of discovery, no references were found among the feeds and folks we aggregate into [REPDB](https://labs.inquest.net/repdb/search/mailsigning.pythonanywhere.com) or [IOCDB](https://labs.inquest.net/iocdb/search/mailsigning.pythonanywhere.com). The lack of indicators instills confidence that we're looking at a previously uncovered campaign.

Part of the embedded content is the licenseverification.vbs file. As with the coercive lure, GlobalSign is referenced within the banner of licenseverification.vbs, which is well obfuscated in both code and appearance. The script's usage text contains an XOR-encoded payload, depicted in Figures 5 and 6.

Fig 5. licenseverification.vbs: https://github.com/InQuest/malware-samples/blob/master/2020-07-GlobalSign/licenseverification_vbs

Figure 6. XOR'd Payload

The VBS is executed via another LOLBin tactic employed to bypass application whitelisting, [ieadvpack | LOLBAS](https://lolbas-project.github.io/lolbas/Libraries/Ieadvpack/), seen here:

```
rundll32.exe ieadvpack.dll, RegisterOCX "wscript.exe C:\ProgramData\Support\licenseverification.vbs fYBtqEucjehr84MW 6WYqk7CBgZAnxdzH pexe"
```

Next, we have a heavily obfuscated PowerShell script that extracts data from main.png (another embedded file), which is a picture of some peppers.

Fig 7. Stego-pepper: https://github.com/InQuest/malware-samples/blob/master/2020-07-GlobalSign/main_png

Special thanks to [@maciekkotowicz](https://twitter.com/maciekkotowicz) for his [Python script](https://github.com/InQuest/malware-samples/blob/master/2020-07-GlobalSign/extract_ps_from_png.py) to extract the [PowerShell](https://github.com/InQuest/malware-samples/blob/master/2020-07-GlobalSign/x_ps1) that was embedded within the pixels of the peppers.
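The behaviours called out above (a startup hook, the `Excel.Application` wait, the `.DoVerb` pivot, hh.exe, and the `rundll32 ieadvpack.dll,RegisterOCX` launcher) are all cheap to flag with pattern matching once the macro text and command lines have been dumped. The following triage script is an added example written for this post, not InQuest's tooling or the sample's own code; the rule names are our own labels, and `SAMPLE_LINES` is a constructed stand-in for a macro dump that merely mirrors the constructs described on this page (only the rundll32 line is quoted from it verbatim).

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample input: macro-shaped lines that mirror the behaviours the
# post describes, plus the rundll32 command line quoted on the page. This is
# NOT the sample's actual VBA listing.
SAMPLE_LINES = [
    'Sub AutoOpen()',
    '    Dim nLen As Long',
    '    CreateObject("Excel.Application").Wait (Now + TimeValue("00:00:01"))',
    '    oleObj.DoVerb 200',
    '    Shell "hh.exe " & sArgs, vbHide',
    'End Sub',
    'rundll32.exe ieadvpack.dll, RegisterOCX "wscript.exe '
    'C:\\ProgramData\\Support\\licenseverification.vbs '
    'fYBtqEucjehr84MW 6WYqk7CBgZAnxdzH pexe"',
]

# Rule name (our own label) -> regex. Case-insensitive because VBA and Windows
# command lines are; the ieadvpack rule tolerates "rundll32" without ".exe"
# and whitespace around the comma, both of which are common variations.
RULES: Dict[str, "re.Pattern[str]"] = {
    "startup_hook": re.compile(
        r"\b(AutoOpen|Document_Open|Workbook_Open|Auto_Open)\b", re.I),
    "excel_wait_anti_emulation": re.compile(
        r'CreateObject\(\s*"Excel\.Application"\s*\)\.Wait\b', re.I),
    "ole_doverb": re.compile(r"\.DoVerb\s+\d+", re.I),
    "hh_exe": re.compile(r"\bhh\.exe\b", re.I),
    "ieadvpack_registerocx": re.compile(
        r"rundll32(?:\.exe)?\s+ieadvpack\.dll\s*,\s*RegisterOCX\b", re.I),
    "wscript_programdata": re.compile(
        r"wscript\.exe\s+[A-Za-z]:\\ProgramData\\", re.I),
}


def scan(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, stripped_line) for every rule match."""
    hits: List[Tuple[int, str, str]] = []
    for no, line in enumerate(lines, 1):
        for name, rx in RULES.items():
            if rx.search(line):
                hits.append((no, name, line.strip()))
    return hits


def rules_hit(lines: Iterable[str]) -> Set[str]:
    """The distinct rule names triggered by a dump; handy for a verdict."""
    return {name for _, name, _ in scan(lines)}


if __name__ == "__main__":
    for no, name, line in scan(SAMPLE_LINES):
        print(f"line {no}: {name}: {line}")
```

Run against a real dump (for example the output of `olevba` on the maldoc, plus any command lines recovered from the VBS and sandbox logs) rather than the constructed lines; a single hit on `excel_wait_anti_emulation` or `ieadvpack_registerocx` is worth a manual look on its own, and the combination seen here is what made this sample stand out.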
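To make concrete what "embedded within the pixels" means, here is an added example of least-significant-bit (LSB) steganography over raw RGB pixel bytes. It is not the linked extract_ps_from_png.py and does not claim to match the layout this sample uses; it assumes a hypothetical scheme (a 4-byte big-endian payload length, then the payload, one bit per channel byte, most significant bit first) and works on already-decoded pixel bytes, so PNG decoding (for example `Image.open(path).convert("RGB").tobytes()` with Pillow) is left outside the block. The carrier is constructed in-code so the example runs without any image file.

```python
from typing import Tuple

# Hypothetical layout assumed by this example: 4-byte big-endian length header,
# then the payload, one bit per carrier byte, MSB first.
HEADER_LEN = 4


def _bits_to_bytes(pixels: bytes, offset: int, nbytes: int) -> bytes:
    """Reassemble nbytes from the LSB of consecutive carrier bytes, MSB first."""
    end = offset + nbytes * 8
    if end > len(pixels):
        # A bogus length header (e.g. a clean image) lands here instead of
        # silently returning garbage.
        raise ValueError("carrier too small for requested payload")
    out = bytearray()
    for i in range(nbytes):
        value = 0
        for b in range(8):
            value = (value << 1) | (pixels[offset + i * 8 + b] & 1)
        out.append(value)
    return bytes(out)


def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Write len(payload) header + payload into the LSBs of a copy of pixels."""
    data = len(payload).to_bytes(HEADER_LEN, "big") + payload
    if len(data) * 8 > len(pixels):
        raise ValueError("payload does not fit in carrier")
    out = bytearray(pixels)
    for i, byte in enumerate(data):
        for b in range(8):
            bit = (byte >> (7 - b)) & 1
            idx = i * 8 + b
            out[idx] = (out[idx] & 0xFE) | bit  # touch only the low bit
    return bytes(out)


def extract_lsb(pixels: bytes) -> bytes:
    """Inverse of embed_lsb: read the header, then that many payload bytes."""
    length = int.from_bytes(_bits_to_bytes(pixels, 0, HEADER_LEN), "big")
    return _bits_to_bytes(pixels, HEADER_LEN * 8, length)


def make_carrier(width: int, height: int) -> bytes:
    """Constructed stand-in for decoded RGB pixel data (no real image needed)."""
    return bytes((i * 37 + 11) % 256 for i in range(width * height * 3))


def roundtrip(width: int, height: int, payload: bytes) -> Tuple[bytes, bytes]:
    """Embed then extract; returns (stego_pixels, recovered_payload)."""
    stego = embed_lsb(make_carrier(width, height), payload)
    return stego, extract_lsb(stego)


if __name__ == "__main__":
    # Constructed payload standing in for the hidden script; not the sample's.
    stego, recovered = roundtrip(16, 16, b'Write-Host "hypothetical embedded script"')
    print(recovered)
```

Because only the low bit of each channel changes, every carrier byte differs from the original by at most one, which is why a stego'd image is visually indistinguishable from the original peppers; detection therefore relies on the extraction stage (the PowerShell reading the PNG back) or on statistical tests, not on looking at the picture.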
The extracted script is meant to look like [@geeky_ryan's](https://twitter.com/geeky_ryan) Reset-WindowsUpdates.ps1 [script](https://gallery.technet.microsoft.com/scriptcenter/Reset-WindowsUpdateps1-e0c5eb78), but only the header is consistent. The final IOC is allmedicalpro[.]com, which was registered on July 6th of 2020.

### Indicators

Note: there are many interesting pivots that can be made from these indicators. All files can be downloaded from the [InQuest Malware-Samples repo](https://github.com/InQuest/malware-samples/tree/master/2020-07-GlobalSign).

| Date | Type | Indicator |
|-----------|----------|-----------|
| 7/18/2020 | Maldoc | 46afa83e0b43fdb9062dd3e5fb7805997c432dd96f09ddf81f2162781daaf834 |
| 7/18/2020 | Main.Png | 79d4849847aac55022d7b08ca43e00312f75c8e2d479a55c27e5ae01bf027915 |
| 7/18/2020 | Hostname | mailsigning.pythonanywhere[.]com |
| 7/18/2020 | Hostname | allmedicalpro[.]com |

Tags: field-notes, labs, deep-file-inspection
