Stop Scanning My Macro

FireEye Labs detected an interesting evasion strategy in two recent, large Dridex campaigns. These campaigns changed the attachment file-type and location of malicious logic in an attempt to avoid scanners.

Overview

Both campaigns used an invoice theme and came from a wide variety of sending addresses, with messages being sent to more than 40 countries across all industries, as seen in Figure 1 and Figure 2. The following subject lines were used:

Invoice <xxxx> from Tip Top Delivery
Urgent: IMAGINiT invoice <xxxx> is Past due

Figure 1. Affected Countries

Figure 2. Affected Industries

What made these two campaigns interesting was the major shift in the downloader techniques used to evade signature-based detection. The following are some of the key techniques that were used:

  1. Disguising WordprocessingML as RTF file to evade type specific signatures.
  2. Keeping the main malicious macro clean to avoid macro-based detection. The malicious VBA code was instead stored in TextBox objects located within the Forms, as seen in Figure 4.
  3. Dropping a VBE based downloader that could not be seen without execution of the malicious RTF file. This downloader would then download and execute the malicious payload.
1.    Masquerading WordprocessingML as RTF file

While Dridex has traditionally been delivered using Excel, Word, or JavaScript files, these two large campaigns involved WordprocessingML (an XML format that is supported by Microsoft Word to describe a Word document) masquerading as RTF files. This seems to be a trend, as we saw a similar technique in previous campaigns where a DOCM file was disguised as RTF. Figure 3 shows a screenshot of the Tip Top campaign, set as high priority.

Figure 3. Designed Campaign

2.    Keeping the main macro clean

In the extracted macro, it is interesting to note that there is almost no malicious content that could trigger static detection. In fact, a majority of the key ingredients are stored in text boxes within created forms, shown in Figure 4.

Using this, it defeats signature-based scanning, which tries to detect known malicious macro based on past knowledge. At the time of discovery, most of the samples that were observed were detected by only one out of 56 vendors on VirusTotal, which indicates that modifications made to these malicious documents was likely an effort to avoid detection.

Figure 4. Secret Macro

3.    VBE Downloader

Once the malicious macro is launched, the Word document drops a malicious VB Encoded script in a temporary folder, as shown in Figure 5.

Figure 5. Location of the VBE

Based on our analysis, the VBE simply downloads Dridex from the malware server and installs it on infected machines, as shown in Figure 6.

Figure 6. Decoded VBE

Signatures

The authors left Cyrillic strings in the XML, which could possibly be used as an IOC to hunt for similar documents.

  • <wx:uiName wx:val="Основной шрифт абзаца"/> (translates to "The main text of the paragraph")
  • <wx:uiName wx:val="Обычная таблица"/> (translates to "table Normal")
  • <wx:uiName wx:val="Нет списка"/> (translates to "No List")
  • <o:LastAuthor>павуваыва</o:LastAuthor>
Conclusion

Cybercriminals continue to innovate, this time demonstrating a creative way of making threats harder to detect using static signatures. To remain secure, it is important to stay vigilant and proactive in three key areas: user awareness, policy and technology.

Indicators of Compromise

1.     IMAGINiT campaign

MD5
8840c20ac74281c0580e8637caf1edea
800f90f29d13716eb1f7059fb84089ed
7e74d5a3a20038fe0a66445eb76fa066
7a4b7762f8db2438b4ad3d991864431d
74f9da1ce1ff900113ae7cb28b3eb56f
6ccc678c3ec284fad015ed0eaa875733
3ea5c225132f0d7423417b3c7ce98c7d
33b2a2d98aca34b66de9a11b7ec2d951

Network Indicator
GET /michigan/map.php HTTP/1.1
house.nochildforgotten.org
IGINV51905.rtf

2.     Tip Top Delivery campaign

MD5
858451ad73050bda48e5470abd2643ac
aff54d68cbf6ac8611fe89cd9f0dc2de
876d081e8b474a3c1ac57cf435e330cb
d8eebe2a08fff86abd06ec94e8bdd165
8c07b9337deda3c589d50e4ff3aadcd6
73c7bf49caa0d1bd37053b99a986ebe8
770fede93cc4220a371569daed2a4bc1
5b7813105cf9ebccb46cf7e63a5a836d
8f787ddedbaa8af3f6a73d0c6cd4e33e

Network Indicator
GET /michigan/map.php HTTP/1.1
parts.woodwardcounselinginc.com
Invoice_GIINV02514_from_tip_top_delivery.rtf