PCode Pushing AveMaria

Posted on 2021-06-16 by Dmitry Melikov

A few days ago, we found an interesting document in the wild that aims to download spyware applications. The sample in question shows low detection rates across multiple antivirus engines, which rouses our suspicion. The email containing the attachment document was allegedly sent from a logistics campaign.

Image 1: Email containing a malicious document.
Image 2. Contents of the malicious document.

File Type: Microsoft Word Document.
SHA256: 7666f3d19250bc9b6d75e1b081407ea6a71c81f22a2c027d85b6445a65a0f247 
       

During verification, the document showed a very low detection rate. The first boot is very important because it shows how efficiently antivirus engines can identify this object.

Image 2 InQuest Labs Analysis. Shallow detections. 2\ 61 

Analysts use a variety of tools and techniques to analyze malicious macros. My favorite is the pi-code disassembler. This is not very widely known, but when the macro is executed for the second or third time, the VBA interpreter does not execute the macro itself, but the pi-code; which can save a lot of time and effort.

Typically, an analyst needs to look inside a document for a malicious executable file or a piece of  code that is decrypted at runtime and launched or simply launched. Or look for addresses connected to servers from which the doc file could download and run malicious code.

image 3. Disassembled pi-code.

Disassembling the PI code immediately shows what we are looking for. We see the URL and how are the strings collected “urlmon” and “UrlDownloadToFile”. 

Using the found and deobfuscated data, we were able to obtain the payload. The downloaded file is an executable file for Windows. 

File Type : PE 32 Borland Delphi 4.0
SHA 256: 24ae2615ce979dad904bee63f84bd32c65a9332a3d9f9698252c709f966c6717

                Image 4: GetKeyState

The primary threat from this sample are its spyware functions. Capable of collecting keystrokes as well as clipboard data including screenshots.

Then the program creates 3 batch files.

Image 5 uko.bat

One of the batch files contains a fairly old technique for elevating privileges on the system to bypass User Account Control (UAC). The main function of UAC is to ensure that applications are limited to standard/low privileges on the system.  Using the following URL, the program downloads an encrypted file that is decrypted in the process and runs as executable.

hxxps://cdn.discordapp[.]com/attachments/767069235708428323/848186121690546186/Zneiuhgzlunxwnqskjxrwjcxfjvbyhg 

Image 5: Encrypted download file.

It is easy to recognize that the uploaded file is a Portable Executable (PE) as there is an outline of the DOS header. The program decrypts the file in the process and we get the following executable library.

File Type : PE 32 dll
SHA 256: 5311d8137a2ce177cd09f5470997bf2aa0ac89ecfd1c26fb7a85d72d02f65c8b

The main function of the executable library is to load and run subsequent executable files

Image 6: Load functions for further executable files
Carrier Rate confirmation.doc7666f3d19250bc9b6d75e1b081407ea6a71c81f22a2c027d85b6445a65a0f247 
Zneiuh.exe 24ae2615ce979dad904bee63f84bd32c65a9332a3d9f9698252c709f966c6717
DLL payload5311d8137a2ce177cd09f5470997bf2aa0ac89ecfd1c26fb7a85d72d02f65c8b
URLhxxps://bit[.]do/fQUfB 
hxxps://cdn.discordapp[.]com/attachments/767069235708428323/848186121690546186/Zneiuhgzlunxwnqskjxrwjcxfjvbyhg 

Using this as well as similar attack vectors for installing malware on victims' computers, cybercriminals open up many opportunities such as downloading files, encrypting files in the system (Ransomware), and stealing personal data depending on their goals.

Tags
labs threat-hunting malware-analysis