Today I’d like to share an interesting and heavily obfuscated malware sample which made me think about the meaning of “targeted attack”. Nowadays a targeted attack is mostly used to address state assets or business areas. For example a targeted attack might address the naval industry (the MartyMcFly case is definitely a great example) or USA companies (Botnet Against USA, Canada and Italy is another great example), and such attacks are mainly built focusing on specific target sectors. When I looked at the following sample (which is a clear stereotype of an increasing trend of similar threats) I noticed a paradigm shift from “what to target” to “what to untarget”. In other words it looks like the attacker doesn’t have a clear vision of his desired victims but, on the contrary, has very clear intentions about what kind of victims must be avoided. But let’s start from the beginning.

Looking through the public samples submitted to Yomi (Yoroi’s public sandbox system), the following one caught my eye (sha256: c63cfa16544ca6998a1a5591fee9ad4d9b49d127e3df51bd0ceff328aa0e963a).

Public Submitted Sample on Yomi

The file looks like a common XLS file with a low antivirus detection rate, as shown in the following image (6/63).

Antivirus Detection Rate

By taking a closer look at the Office file it’s easy to spot an “Auto Open” procedure in VBA. The initial script is obfuscated through integer conversion and variable concatenation. A simple breakpoint and a message box to externalize the real payload would be enough to expose the second stage, which happens to be written in PowerShell.

Deobfuscated Stage1 to Obfuscate Stage2

The second stage is obfuscated through function array enumeration and integer conversion as well. It took some minutes to understand how to move from the obfuscated version to a plain-text readable format, as shown in the next picture.

Stage2 Obfuscated
Stage2 DeObfuscated

Here comes the interesting side of the entire attack chain (at least from my personal point of view). As you might appreciate from the deobfuscated Stage2 code (previous image), two main objects are downloaded and run from external sources. The ‘*quit?’ object downloads a Windows PE (Stage3_a) and runs it, while the ‘need=js’ object returns an additional obfuscated JavaScript stage, let’s call it Stage3_b. We’ll take care of those stages later on; for now let’s focus on the initial conditional branch which discriminates the real behavior from the fake behavior, in other words it decides whether to run or stop the execution of the real behavior. While the second side of the conditional branch is quite normal behavior, -match "VirtualBox|VMware|KVM", which tries to avoid execution in virtual environments (trying to avoid detection and analysis), the first side is quite interesting. (GET-UICulture).Name -match "RO|CN|UA|BY|RU" tries to locate the victim machine and decides to attack everybody but not Romania, Ukraine, China, Russia and Belarus. So we are facing a one’s complement of a targeted attack. I’d like to call it an “untargeted” attack, which is not an opportunistic attack. Many questions come to my mind, for example: why not attack those countries? Does the attacker fear those countries, or does the attacker belong to that area? Probably we’ll never get answers to such questions, but we might appreciate this intriguing attack behavior. (BTW, I’m aware this is not the first sample with this characteristic, but I do know that it’s an increasing trend.) But let’s move on with the analysis.
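The gating branch described above is worth pulling out automatically once a stage has been deobfuscated, because the same two checks (an excluded-locale list against the UI culture and a hypervisor name list) tell a triager whether a sample is "untargeted" and sandbox-aware before any detonation. The following Python is an added example, not code from the original post: it scans a deobfuscated PowerShell stage for every `-match "a|b|c"` literal and classifies the alternatives. The sample script is constructed for the example; its locale and hypervisor lists are the ones quoted in the analysis, while the property the hypervisor regex is matched against (`Win32_ComputerSystem.Model`) is an assumption, since the post does not show that side of the expression.

```python
import re

# Constructed sample modelled on the conditional branch described in the post.
# The locale and hypervisor alternatives are the ones quoted in the analysis;
# the WMI property on the right-hand side is an assumption (not shown in the post).
SAMPLE_STAGE2 = '''
if (((Get-UICulture).Name -match "RO|CN|UA|BY|RU") -or
    ((Get-WmiObject Win32_ComputerSystem).Model -match "VirtualBox|VMware|KVM")) {
    exit
}
# ... real behaviour would follow here ...
'''

# Two upper-case letters: a UI-culture / country code such as "RO" or "RU".
LOCALE_CODE = re.compile(r"^[A-Z]{2}$")
# Hypervisor names commonly used for sandbox / VM evasion checks.
HYPERVISORS = {"virtualbox", "vbox", "vmware", "kvm", "qemu", "xen", "hyper-v", "virtual"}
# Any PowerShell -match / -imatch / -cmatch / -notmatch against a double-quoted literal.
MATCH_LITERAL = re.compile(r'-(?:i|c)?(?:not)?match\s+"([^"]*)"', re.IGNORECASE)


def classify_gating(script):
    """Return the gating indicators found in a deobfuscated PowerShell stage.

    Each `-match "a|b|c"` literal is split on '|':
      * alternatives that are all two-letter upper-case codes -> excluded locales
      * alternatives naming a hypervisor                        -> VM evasion
      * anything else                                           -> 'other', for manual review
    'ui_culture_check' records whether Get-UICulture is referenced at all.
    """
    result = {"excluded_locales": [], "vm_evasion": [], "other": [],
              "ui_culture_check": bool(re.search(r"Get-UICulture", script, re.IGNORECASE))}
    for literal in MATCH_LITERAL.findall(script):
        alts = [a.strip() for a in literal.split("|") if a.strip()]
        if alts and all(LOCALE_CODE.match(a) for a in alts):
            result["excluded_locales"].extend(alts)
        elif any(a.lower() in HYPERVISORS for a in alts):
            result["vm_evasion"].extend(alts)
        else:
            result["other"].append(literal)
    return result


def verdict(script):
    """Short triage label: 'untargeted' when a locale exclusion list gates execution."""
    info = classify_gating(script)
    if info["excluded_locales"] and info["ui_culture_check"]:
        return "untargeted (excludes %s)" % ",".join(info["excluded_locales"])
    return "no locale gating found"


if __name__ == "__main__":
    print(classify_gating(SAMPLE_STAGE2))
    print(verdict(SAMPLE_STAGE2))
```

Run it against the plain-text output of your own deobfuscation step (Stage2 or Stage4_b here); the function deliberately ignores what the locale regex is compared with, so it still fires when the attacker swaps `(Get-UICulture).Name` for another culture property, while `ui_culture_check` tells you whether the classic UI-culture form is in use.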

Stage3_a

Stage3_a is clearly the last infection stage. It looks like a romantic Emotet according to many antivirus engines, so I won’t invest time in this well-known malware.

Stage3_b

This stage looks like a quite big and obfuscated JavaScript code. The obfuscation implements three main techniques:

  • Encoded strings. The strings have been encoded in different ways, from “to Integer” to “Hexadecimal”.
  • String concatenation and dynamic evaluation. Using eval to dynamically extract values which are then used to decode more strings.
  • String substitutions. Through find-and-replace functions, and using loops to extract sub-strings, the attacker hides the clear text inside charset noise.

After some “hand work” the deobfuscated Stage3_b finally came out. The following image shows the obfuscated section next to its deobfuscated version. We are still facing one more obfuscated stage, let’s call it Stage4_b, which happens to be, again, an obfuscated PowerShell script… how about that!?
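Two of the constructs met in this chain can be undone mechanically rather than by hand: the PowerShell integer-conversion seen in Stage2 and Stage4_b (a list of numbers piped through `[Char]([int](arithmetic + $_))`) and the JavaScript noise-removal of Stage3_b (`"literal".replace(/(noise1|noise2)/gi,"")`). The Python below is an added example written for this post, not the author’s tooling. Its inputs are constructed from the fragments quoted in the YARA strings at the end of the post (rule tru_cheersportacademy_com_deobfuscate, `$s1`, `$s2` and `$s4`); the PowerShell snippet is reassembled from two truncated fragments and is therefore only a partial, illustrative copy of the real stage. The decoded prefix `if(((G` is consistent with the `(Get-UICulture)` check discussed earlier, and the folded `Run()` second argument evaluates to 0, the hidden-window style of a WScript.Shell `Run` call (the object name in the fragment is noised, so that it is WScript.Shell is an inference).

```python
import re

# Fragments taken from the YARA strings later in this post (constructed sample
# input for this example; the PowerShell line is stitched from two truncated
# fragments and is not the complete stage).
JS_NOISE_FRAGMENT = 'a="wfvbivpowwjfuzerbvufzzhshevitvxdll ".replace(/(bvufzzh|vitvxd|wjfuz|wfvbiv)/gi,"") ;'
PS_CHAR_FRAGMENT = "$dgxac='';96,93,31,31,31,62|%{$dgxac += [Char]([int](8283 - 92 - 6580 - 1602 + $_));};iex $dgxac;"
JS_RUN_FRAGMENT = 'c.Run(a+"...",22256 - 7191 - 7788 - 7277);'


def eval_int_expr(expr):
    """Fold the +/- integer arithmetic used to hide a constant, without eval()."""
    if not re.fullmatch(r"[\d\s+\-]+", expr):
        raise ValueError("unsupported arithmetic: %r" % expr)
    # "8283 - 92 - 6580 - 1602" -> ["8283", "- 92", "- 6580", "- 1602"] -> 9
    return sum(int(tok.replace(" ", "")) for tok in re.findall(r"[+-]?\s*\d+", expr))


def strip_js_noise(fragment):
    """Reproduce literal.replace(/(a|b|c)/gi,"") from the JS stage.

    JS performs one left-to-right pass removing every noise token; re.sub
    does exactly the same, so the result matches what the script computes.
    """
    m = re.search(r'"([^"]*)"\.replace\(/\(([^)]*)\)/gi,""\)', fragment)
    if not m:
        raise ValueError("no replace() noise pattern found")
    literal, alternatives = m.group(1), m.group(2)
    return re.sub("(?:%s)" % alternatives, "", literal, flags=re.IGNORECASE)


def decode_ps_chars(fragment):
    """Decode the `n,n,n|%{$v += [Char]([int](expr + $_))}` construct.

    Every number plus the hidden offset is one character of the next stage.
    """
    m = re.search(
        r"((?:\d+,)*\d+)\|%\{\$\w+\s*\+=\s*\[Char\]\(\[int\]\(([\d\s+\-]+?)\s*\+\s*\$_\)\)",
        fragment,
    )
    if not m:
        raise ValueError("no [Char]([int](...)) construct found")
    offset = eval_int_expr(m.group(2))
    return "".join(chr(int(n) + offset) for n in m.group(1).split(","))


def run_window_style(fragment):
    """Resolve the arithmetic hiding the second (window style) argument of c.Run()."""
    m = re.search(r"\.Run\([^,]*,\s*([\d\s+\-]+)\)", fragment)
    return eval_int_expr(m.group(1)) if m else None


if __name__ == "__main__":
    print(repr(strip_js_noise(JS_NOISE_FRAGMENT)))   # 'powershell '
    print(repr(decode_ps_chars(PS_CHAR_FRAGMENT)))    # 'if(((G'
    print(run_window_style(JS_RUN_FRAGMENT))          # 0
```

On a full stage the same three helpers are applied in a loop, each decoded string fed back in until no `[Char]([int](...))` or `.replace(/(...)/gi,"")` construct remains; the arithmetic folder refuses anything but digits and +/- precisely so that a crafted expression cannot turn the deobfuscator into an evaluator.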

Stage3_b Obfuscated
Stage3_b Deobfuscated (obfuscated Stage4_b)


Stage4_b uses the same obfuscation techniques seen in Stage2, so let’s use the same deobfuscation technique and do it! Hummm, but… wait a minute… we already know that: it’s the deobfuscated Stage2! So we have two command and control servers serving the final launching script and getting persistence on the victim.

Deobfuscated Stage4_b

Conclusion

Even if the sample is quite interesting per se – since it gets a low AV detection rate – that is not my actual point today. What is interesting is the introduction of another “targeting” state. We were accustomed to seeing targeted attacks, meaning attacks targeting specific industries, sectors or states, and opportunistic attacks, meaning attacks spread all over the world without specific targets. Today we might introduce one more “attack type”, the untargeted attack, meaning attacking everybody except specific assets, industries or states (like in this analyzed case).

IoC:

Dropping:
http://it[.goodvibeskicking[.com/quit?esayz
http://tru[.cheersportacademy[.com/?need=jsi&vid=ex1&xeit
http://help[.goosecharger[.com/index%5B.php?need=js&
http://help[.goosecharger[.com/index%5B.php?need=body&

C2 (emotet)
https://erre[.effe-erre[.es/rpersist4/1421468593
https://filuetrama[.top/rpersist4/1421468593
https://tics[.cibariefoodconsulting[.com/rpersist4/1421468593
http://minor[.minorleaguepub[.com
http://koohy[.top

c63cfa16544ca6998a1a5591fee9ad4d9b49d127e3df51bd0ceff328aa0e963a (Original Excel)
0afdaddd9d7631142c7ab41d3fe498890f43f3a6845ba5caf3fab5a3dd79b8ce (quit.exe)

YARA:

/* Rule Set ----------------------------------------------------------------- */

import "pe"

rule drop_quit {
   meta:
      description = "drop - file quit.exe"
      date = "2019-06-13"
      hash1 = "0afdaddd9d7631142c7ab41d3fe498890f43f3a6845ba5caf3fab5a3dd79b8ce"
   strings:
      $s1 = "CERNEL32.dll" fullword ascii
      $s2 = "gwsjkislopkjunhytghbnfgtygh" fullword ascii
      $s3 = "stvparjuytnbelj" fullword ascii
      $s4 = "- (JF04B" fullword ascii
      $s5 = "mccc___ee_s__" fullword ascii
      $s6 = "rOsTA6E^h=" fullword ascii
      $s7 = "g5/paRRaw|" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 600KB and
      ( pe.imphash() == "8032d2bae90a9ea8d7d3e4651d48dd58" or all of them )
}

rule tru_cheersportacademy_com_deobfuscate {
   meta:
      description = "drop - file tru.cheersportacademy.com_deobfuscate.txt"
      date = "2019-06-13"
      hash1 = "a2e23bda2881aa04426516dc4034c7e0c32306eca741ce7585f2f1ca92eff35e"
   strings:
      $s1 = "a=\"wfvbivpowwjfuzerbvufzzhshevitvxdll \".replace(/(bvufzzh|vitvxd|wjfuz|wfvbiv)/gi,\"\") ;c=new ActiveXObject(\"vitvxdwvitvxdsw" ascii
      $s2 = "$dgxac;\",22256 - 7191 - 7788 - 7277);" fullword ascii
      $s3 = "6,95,107,88,107,50,1,23,23,116,90,88,107,90,95,114,116,50,1,116,1|%{$dgxac += [Char]([int](8283 - 92 - 6580 - 1602 + $_));};iex " ascii
      $s4 = "ivcrwfvbivipwfvbivt.shvitvxdelvitvxdl\".replace(/(bvufzzh|vitvxd|wjfuz|wfvbiv)/gi,\"\")) ;c.Run(a+\"$dgxac='';96,93,31,31,31,62," ascii
      $s5 = "a=\"wfvbivpowwjfuzerbvufzzhshevitvxdll \".replace(/(bvufzzh|vitvxd|wjfuz|wfvbiv)/gi,\"\") ;c=new ActiveXObject(\"vitvxdwvitvxdsw" ascii
   condition:
      uint16(0) == 0x2020 and filesize < 10KB and
      all of them
}

rule tru_cheersportacademy {
   meta:
      description = "drop - file tru.cheersportacademy.com"
      date = "2019-06-13"
      hash1 = "7a3c4ab9aa6c6849e4fc908a7618e6dada5477a6e52ba89e0f5557baf58a1e96"
   strings:
      $s1 = "ing.fromCharCode(91); A = function(A){ var a = \"\"; a = A.split(a); return a; } function bvufzzh(x,V){ if( x != d ){ a = x + 1 " ascii
      $s2 = "zczujd.push(\",E985a,\"); tzczujd.push(\"223E,B3A04,A5T85,66T98,w1Q1E5D,x7w3Q,D7a0V,A1x1E5z,z7a36,E726z,v1A135a,R7u6\"); tzczujd" ascii
      $s3 = "= 0; x < A.length; x++){ bvufzzh(a,x); } eval( b );" fullword ascii
      $s4 = "czhhyde = \" \"; tzczujd = new Array(); tzczujd.push(\" 3 4a3=R\\\"uwzfAv7bAiav\"); tzczujd.push(\"pTozwawWjEf5u\"); tzczujd.pus" ascii
      $s5 = "tzczujd.push(\";v}R;5i2evxu 8$\"); tzczujd.push(\"dwg4xRaVcz;R\\\"5,W2E2W2w5y6R 2-E S7x1B9B1R v-V 7777\"); tzczujd.push(\"858z v" ascii
      $s6 = "tzczujd.push(\"54,x9R22,t9Q1D,R9T2R,518031A,x1t0\"); tzczujd.push(\"7S,D996Q,v8E84,29t9R,25t8B,B8E8Q,w9905,49C5V,z9E2S,28C4u,x48" ascii
      $s7 = "zujd.push(\"8D83,T9u0z,\"); tzczujd.push(\"9W5u,S3T6x,T7a0v,7879A,w9574,z9T2V,y950w,u130v7y,E141z4V,z2v3A,92D75,S942t,6996V,59E5" ascii
      $s8 = "tzczujd.push(\",A283E,C2D7v,R8B9D,E9V4S,Q836v,86B2T,W19052y,81E0t2A,W9A1T,Q7u1x,t5T6V,B1D0R78,49B56,82Q3Q,\"); tzczujd.push(\"3R" ascii
      $s9 = "tzczujd.push(\"9R2\"); tzczujd.push(\",t1R161Q,z3E7T,B190B3D,v9E54,61v0E3S,w5Q4a,6150\"); tzczujd.push(\"1v,E9z2A,79T29,W9T1v,B5" ascii
      $s10 = "czujd.push(\"1B052E,7140z2T,t9E1a,R7\"); tzczujd.push(\"1a,w5u6B,21R0z7u,v9V5u,x2635,A3348,E2D3a,v255W,78v3\"); tzczujd.push(\"," ascii
      $s11 = "zujd.push(\"9D2R,29x38,62V3\"); tzczujd.push(\",\"); tzczujd.push(\"253u,92Q3A,92a3Q,R592V,y2y33,S2V74,68v98,S9a4w,R8963,Q6z2a," ascii
      $s12 = "czujd.push(\"2z54,95x09,\"); tzczujd.push(\"17,92B34,\"); tzczujd.push(\"2738,R2B7y,Q1y069E,t1S0V6\"); tzczujd.push(\",79609,79x" ascii
      $s13 = "tzczujd.push(\"2E3\"); " ascii
   condition:
      uint16(0) == 0x7a63 and filesize < 40KB and
      4 of them
}
