Ghosts in the Endpoint

We would like to introduce the first of our “Ghosts in the Endpoint” series, a report prepared by FireEye Labs that documents malicious software not being detected in the wild by traditional signature-based detections.

In this study, all the families identified are samples from VirusTotal (VT) with zero detections, but detected as malicious by our Multi-Vector Virtual Execution (MVX) Engine. We also added a few samples with very low detection rates (VT <=3) but with interesting bypass techniques.

Our goal is to share indicators that help the AV community and others improve their detection coverage.

  • So far, only samples found in VT with the following file types were included in this study:
  • Win32 binaries
  • Office documents (including Open XML format)
  • RTF documents
  • Hangul Word Processor (HWP)[1] documents

The study includes samples submitted to VT in 2015 that were still found undetected or with minimal detection rates as of January 2016 (see VT detection Tables in the Appendix).  


The following samples were identified in our research:

Suspected APT malware:

  1. GOODTIMES backdoor: Suspected APT; MS Office with Embedded Hacking Team Flash Exploit
  2. UPS backdoor: Suspected APT3
  3. VBA Macro + Metasploit Shellcode Loader: Suspected Middle Eastern-based APT
  4. Hancom Office HWP Exploit: Possible APT targeting of South Korea.

Malware without attribution:

  1. OccultAgent: (New) Code hidden in Excel spreadsheet
  2. Spy-Net RAT: Targeting Brazilian victims
  3. VBA Macros + PowerShell scripts: Netcat Backdoor
  4. VBA Macros + Python scripts: Metasploit Shellcode Loader
  5. Office Downloader
Detailed Sample Analysis

Malware that remains undetected by more than 56 different AV vendors over a long period of time is worth investigating. This section briefly describes the malware and techniques identified in the undetected samples. A full list of indicators can be found in the IOC section at the end.

1. 4b3858c8b35e964a5eb0e291ff69ced6 - 201507.xlsx

Type: XLSX
Description: CVE-2015-5119 (Flash exploit exposed in the Hacking Team leak)
Attribution: Suspected APT threat group targeting Taiwan
Current detection: 0/53
First Submission: July 13, 2015
Last Submission: January 27, 2016
Time undetected in VT: At least 6 months       

This Excel document is PKZIP compressed (following the Open XML Format) with the structure shown in Figure 1:

Figure 1: Structure of XLSX document

When the spreadsheet is opened, a dialog prompts the victim to allow unknown embedded content to be played, as shown in Figure 2. In this case, social engineering is needed to convince the victim to execute the malicious Flash object.

Figure 2: Excel document content and prompt

When the victim allows the embedded content to be played, the activeX1.xml file is read to locate the OLE Control to be used (which corresponds to Macromedia Flash Player, as shown in Figure 3) through the ClassID attribute to finally load the Flash Exploit embedded in the activeX1.bin object.

Figure 3: Content of activeX1.xml file

The embedded Flash exploit corresponds to CVE-2015-5119, one of several zero-day exploits identified following the Hacking Team leak in July 2015.[2]

A look at the Flash Action Script (AS) reveals code similar to that from the Hacking Team Exploit, such as the class name exp1_fla/MainTimeLine, the function name TryExpl() with the same use-after-free technique, and even the same error message “can’t cause UaF” as shown in Figure 4.

Figure 4: Flash exploit code

The combination of the class name exp1_fla() and classes ShellMac64, ShellWin32 and ShellWin64 built into the exploit (see Figure 5) were not observed in the original Hacking Team version of the exploit, suggesting that the group responsible for this malicious Excel file modified the original exploit code.

Figure 5: Flash Action Script classes from malicious Excel file

The exploit drops a variant of the backdoor we call GOODTIMES (also known as Linopid). The backdoor communicates to Taiwan-based IP addresses and on ports 8080 and 443 via HTTP.

While this particular GOODTIMES sample has not been attributed to a specific threat group, GOODTIMES has previously been used by suspected APT actors. Based on previously identified targets and the use of Traditional Chinese language and Taiwan-centric themes in spear phishing messages and decoy documents, the group appears to focus on Taiwanese targets.

Potential AV bypassing reason

1.     New delivery mechanism: The leaked CVE-2015-5119 Flash exploit has been used by a wide range of threat groups, including other APT groups such as APT3 and APT18[3]. Previous delivery methods entailed luring the victim to click on a malicious link (delivered via a spear phishing message) where the malicious Flash exploit was hosted on a web page. In this case, the suspected APT group responsible for the GOODTIMES backdoor changed the delivery mechanism by embedding the exploit as ActiveX object inside the Excel Open XML Format (PKZIP compressed).

2.     In addition, while an ActiveX object would normally be embedded inside a Compound File Binary Format[4], in this case the uncompressed Flash content is embedded directly in the Excel file, right after the ClassID, as shown at Figure 6.

Figure 6: Embedded Flash object

·      The above steps might be enough to avoid proper parsing of the malicious Flash object. This is the first time we have seen a CVE-2015-5119 sample embedded in an Excel document this way.

2. 22da029dd4e018b7c7135a03d0ba9b99

Type: Win32 binary
Description: A variant of the UPS backdoor
Attribution: suspected APT3
Current detection: 0/57
First Submission: August 6, 2015
Last Submission: February 2, 2016
Time undetected in VT: At least 6 months

UPS is a backdoor capable of uploading and downloading files, creating a reverse shell, reconfiguring itself to use different command and control (CnC) servers, and acting as a proxy server. It uses a custom binary protocol to communicate with its CnC server and it encrypts this custom protocol using a TLS TCP connection.

While this particular UPS sample has not been attributed, UPS is commonly used by the China-based APT3.

Potential AV bypassing reason

1.     Junk code insertion: Examining this UPS sample, we see a significant amount of “junk code” potentially designed to mask the malicious nature of the binary, as well as to complicate analysis or reverse engineering efforts.

In Figure 7 we see the backdoor executing a jump to address 0x4043AB by forcing the “jump if greater than” comparison to be true by moving a large value (0x4A2E88E4) to the ebx register and then comparing it with a hardcoded lower value (0x6A1E839), after which a large number of junk instructions are skipped (red square). This strategy can be seen through several different execution paths.

Figure 7: Decompiled UPS sample showing junk code

3. aedd5d8446cc12ddfdc426cca3ed8bf0 - S-old.xlsb

Type: XLSB
Description: VBA Macro + Metasploit Shellcode Loader Backdoor
Attribution: Suspected Middle Eastern-based APT
Current detection: 1/52    
First Submission: September 28, 2015
Last Submission: January 28, 2016
Time undetected in VT: At least 4 months

This particular sample, an Excel Binary Workbook file,[5] has only one generic detection on VT, so we believe it is still worth mentioning in this report.

When the spreadsheet is opened, the victim is shown a table of Israeli holidays and prompted to enable macros to view the full list, as shown in Figure 8:

Figure 8: Malicious Excel file showing calendar data

When the macro is executed it creates a Windows binary in memory as shown in Figure 9. Note the Chr(77) + Chr(90) builds the MS-DOS header magic number “MZ”.

Figure 9: Macro concatenating bytes to form a Windows binary

The binary is written to the file system with the file name NTUSER.dat{GUID}.exe as shown in Figure 10.

Figure 10: Creating the Windows binary

In this case, the GUID selected corresponds to Scriptlet.TypeLib ActiveX object, creating the file name NTUSER.dat{FB9D87AE-8FEA-4583-98AB-2FB396EAB5FC}.exe (md5  6aab47b18afacbfa7423f09bd1fa6d25) that is later executed via the ShellExecute() API with the SW_HIDE parameter to run silently.

Finally, the executable comes with an embedded Metasploit Shellcode loader that connects to on port TCP 13661.

While this sample has not been attributed, similar techniques (use of XLSB files with embedded, obfuscated macros; creation of the file name NTUSER.dat{GUID}.exe; use of the binary to download additional malware) and the same CnC IP address have been referenced in reporting on a suspected Middle Eastern-based APT group known as “Rocket Kitten”, primarily targeting Middle Eastern and European organizations.

Potential AV bypassing reason

1.     The byte concatenation inside the VBA Macro, used to build a Win32 binary at runtime, helps to bypass signature-based detection.

4. 4e51143b01e99afc3bd908794d81d3cb
Type: HWP
Description: Hancom Office HWP Exploit
Attribution: None
Current detection: 3/53    
First Submission: July 31, 2015
Last Submission: February 2, 2016
Time undetected in VT: At least 6 months with 3 generic detections

This sample, a Hangul Word Processor (HWP) document, has only three generic detections on VT, so we found it to be worth analyzing for this report.

When opened, the HWP document displays Korean text and some photographs, as shown in Figure 11. Behind the scenes the document will exploit vulnerable versions of Hancom Office, dropping and executing a malicious file.

Figure 11: Content of malicious HWP document

Internally, the document structure includes three sections, where section 0 will trigger a Type Confusion vulnerability while parsing the content of the paragraph located at the data record structure HWPTAG_PARA_TEXT starting at offset 0x1C (see uncompressed section 0 at Figure 12). The logic bug will cause the string starting at offset 0x50 to be treated as a control structure. This control structure contains a fake object at offset 0x56 pointing to an address (0x0e0a0e0a) filled by a heap spray that eventually will redirect the execution flow to the shellcode.

Figure 12: Section0 malformed paragraph

A similar type confusion vulnerability has been previously documented by Ahnlab,[6] however, the vulnerability trigger is different.

Section 2 has an uncompressed size equal to 112MB, used to perform the heap spray and expecting to place the shellcode at a memory address close to 0x0e040e04. In Figure 13, the beginning of the shellcode can be seen (uncompressed).

Figure 13: Start of shellcode

The shellcode drops a file on disk and executes it via HncBLXX.HncShellExecute-> SHELL32.ShellExecute. This generates a connection to a compromised Korean automotive website and attempts to retrieve a file with a .JPG extension, which we suspect may be a second-stage binary. However, the file was no longer available on the website at the time of our analysis.

This particular sample has not been attributed to any threat group. However, the use of malicious HWP documents is notable, as that format is specific to a regional word processing program used heavily in South Korea and in particular by the South Korean government. While the use of malicious HWP files could simply indicate regional targeting by unspecified threat actors, similar exploits have been used in the past by suspected APT groups.

Potential AV bypassing reason

1.     Heap Spray technique change: Similar exploits used to be created with multiple large-size sections in order to spray the heap. This exploit fulfills the same purpose but with only one large-size section.

2.     Vulnerability triggered in a different format: A similar type confusion vulnerability described in this section was seen implemented in the Open XML Format (HWPX extension)[7], but this time ported to the Compound File Binary Format  (HWP extension).

5. 497eddab53c07f4be1dc4a8c169261a5 - Barclays_Q22015_IMS_excel_tables.xlsm

Type: XLSM
Description: VBA Macro + VBScript generated from spreadsheet
Attribution: None
Current detection: 1/54    
First Submission: Julio 08, 2015
Last Submission: January 27, 2016
Time undetected in VT: At least 7 months

This sample, an Excel macro-enabled file, has only one generic detection. The embedded macro creates an encoded Visual Basic (VBE) file that connects to a CnC site and allows remote control of the victim’s computer. As we had not previously observed this backdoor, we named it OccultAgent.

When the XLSM file is opened, the user is prompted to enable macros, as shown in Figure 14. The instructions are displayed in both English and Greek:

Figure 14: Prompt to enable macros

The macro drops an encoded VBScript file named ocagent.vbe (69df0c3bab5e681c2e5eb5951a64776e), obtained from the data in a spreadsheet cell (see Figure 15), to C:\octemp001\ and executes it. The script connects to hxxp://0x5E469BFD, which is equivalent to hxxp://, via the victim’s web browser.

Figure 15: Obfuscated script embedded in spreadsheet cell

The first stage Macro source code can be seen in Figure 16.

Figure 16: Embedded VBA macro

The dropped ocagent.vbe VBScript is essentially a backdoor that connects to the CnC server at to register the victim’s computer and to obtain commands to run on the victim’s machine.

Potential AV bypassing reason

The following steps may be sufficient to bypass AV detection:

1.     Adding encoded VB script into a spreadsheet cell allows attackers to hide the malicious code.

2.     Representing the IP address in hexadecimal format may be sufficient to bypass regular expressions trying to match standard 32-bit IP addresses (dotted decimal notation).

6. dc15336e7e4579c9c04c6e4e1f11d3dd - dedinho no cuzinho.rtf

Type: RTF
Description: RTF file with embedded executable
Attribution: None
Current detection: 0/54    
First Submission: October 22, 2015
Last Submission: January 15, 2016
Time undetected in VT: At least 3 months

In this attack scenario, the victim receives an RTF document that appears to contain an embedded JPG image. The embedded file is actually an executable that attempts to hide its file extension by using a long sequence of underscore characters (e.g., Copy of foto.jpg<underscores>.exe (see Figure 17).

Figure 17: RTF document with embedded file

The embedded binary (d409dc7e1ca0c86cb71e090591f16146) is packed with RLPack[8]. It drops a second Borland Delphi binary packed with a customized version of UPX, which will then drop the Spy-Net RAT on the system.

Spy-Net[9] allows an attacker to interact with the victim via a remote shell to upload/download files, interact with the registry, run processes and services, capture images of the desktop, and record from the webcam and microphone. It also contains functionality to extract saved passwords and turn the victim into a proxy server. 

A beacon to dennyhacker[.] on TCP port 81 prepended with an ASCII representation of the length of the payload  (33) and followed by a pipe and a new line character confirms Spy-Net activity:

00000000  33 33 7c 0a                                      33|.

The RAT commands are translated to Portuguese to adapt the attack to Brazilian victims; some command examples are shown below (additional commands are listed in the Appendix):

Configuracoesdoserver = Server settings
Listarjanelas = List windows
Finalizarconexao = End connection
Listarchaves = List keys

Potential AV bypassing reason

1.     Packers are commonly used to obfuscate code in order to bypass traditional signature-based detection. The use of multiple files packed with two different packers may be sufficient to bypass detection.

7. b1f43ca11dcf9e60f230b9d6d332c479 – Book2 - Copy.xls

Type: XLSX
Description: VBA + Python Shellcode loader
Attribution: None
Current detection: 0/54    
First Submission: September 20, 2015
Last Submission: January 28, 2016
Time undetected in VT: At least 6 months

When opened, this Excel document appears to be blank but contains the VBA macro shown in Figure 18.

Figure 18: VBA Macro with OLE Object

The macro will instantiate an OLE Object and load it via the xlVerbPrimary verb. The embedded OLE object contains two files:

  • python27.dll (md5 7e6dd0d7cb29103df4a592e364680075) - a legitimate file
  • file.exe (md5 73f16dbf535042bc40e9c663fe01c720) - a binary created with py2exe[10]

Once file.exe is executed it launches a copy of the Windows calculator (calc.exe) as a decoy. However, behind the scenes it performs a Metasploit reverse TCP Connect to a CnC server.

The unpacked version of file.exe is obfuscated python that can be seen in Figure 19.

Figure 19: Python Shellcode

The following steps describe the process in greater detail:

  • File.exe spawns a copy of calc.exe.
  • Base64-decode and AES-decrypt embedded shellcode.
  • Via Python ctypes, the environment is set to run the shellcode loader in memory.
  • The shellcode loader, which has been encoded with the Metasploit Shikata encoder, [11] is configured to connect to the host on port 443.
  • The malware sleeps for 60 seconds and starts again.

Potential AV bypassing reason            

Multiple tricks to evade detection can be seen here:

  1. The file extension of the document is .xls. However, the file is actually an Open XML Format file (.xlsx). This simple trick may bypass extension-based parsers.
  2. The Embedded OLE object contains a legitimate binary (python27.dll) and a py2exe executable may appear to be a legitimate file.
  3. The malicious python script is packed using py2exe.
  4. The Embedded OLE object is extracted from a hidden Sheet3, so the VBA Macro may not appear malicious.
  5. The shellcode is Base64 encoded and AES encrypted.

8. 95e89fd65a63e8442dcf06d4e768e8f1 - Doc1.docm

Type: DOCM
Description: VBA + PowerShell + Netcat as Backdoor
Attribution: None
Current detection: 0/53    
First Submission: June 19, 2015
Last Submission: January 26, 2016
Time undetected in VT: At least 7 months

The word document comes with a simple message shown in Figure 20.

Figure 20: Message distractor

When the VBA macro is executed (see Figure 21), PowerShell code is loaded from the document’s comments (see Figure 22):

Figure 21: Loading malicious code

Figure 22: Code embedded in the document comments

The PowerShell script will act as a backdoor to allow remote access to the compromised machine. The script will download and execute netcat to listen on IP and port 3724. Once a connection is received, a PowerShell shell will be sent (via –e powershell.exe option) to the client (PowerShell Reverse shell) as shown in Figure 23.

Figure 23: Malicious code content

It is interesting to note that attackers are moving from traditional command prompt shells (cmd.exe) to PowerShell shells (powershell.exe), which are actually more powerful. For example, PowerShell allows the use of WMI (Windows Management Instrumentation), something not readily accessible via the standard command prompt[12].

The script references a non-routable (RFC1918) IP address, so we suspect that the script was either a proof of concept or meant to be used during the lateral movement phase in a specific internal environment that uses this IP space.

Potential AV bypassing reason

1.     Use of the .docm extension may evade extension-based parsers.

2.     Embedding the PowerShell script in the document’s comments and executing it from a VB macro adds another layer of complexity. While this is clearly a suspicious behavior, it is not properly identified by signature-based detection.

We identified several other examples of malware using VBA Macros with PowerShell to mainly run shellcode loaders that allow attackers to gain remote access to victims’ machines. Another example is shown below; it has two VT detections, but serves as an example of a very common variant seen in the wild.

9. 8de1ebacb72f3b23a8235cc66a6b6f68 – Polnoe_raspisanie_igr.xlsm

Type: XLSM
Description: VBA Macro + PowerShell – Shellcode Loader
Attribution: None
Current detection: 2/54    
First Submission: October 14, 2015
Last Submission: January 28, 2016
Time undetected: 3.5 months with two generic detections

When the Excel document is opened, a message is displayed in Russian. The user is even provided with a link to a legitimate article describing how to enable macros (see Figure 24).

Figure 24: Excel file with legitimate link

When the VBA Macro runs, it executes a PowerShell script that Base64-decodes and decompresses a second-stage PowerShell Script that will be used as the shellcode loader in memory (see Figure 25).

Figure 25: PowerShell script being built on the fly via VB script

PowerShell uses the Invoke-Expression (or IEX) call to execute the decompressed string, similar to the eval() functionality from other programming languages.

The Shellcode in this case comes hardcoded in the second stage PowerShell script, loaded and executed from memory with the following syntax:

        $z=$o::CreateThread(0,0,$x,0,0,0); Start-Sleep -Second 100000

Where $x contains the Shellcode loaded in memory that eventually will connect to the domain spl[.]noip[.]me. Based on DNSDB query, the domain spl[.]noip[.]me previously resolved to Russian IP

Most of the VBA Macro + PowerShell scripts we identified were created with the[13] and[14] scripts, often used for penetration testing.

Potential AV bypassing reason

1.     The .xlsm extension may bypass extension-based parsers

2.     Using the VBA Macro in the first stage to build the first PowerShell script via concatenation provides an easy way to bypass signature-based detection

3.     The PowerShell scripts are Base64 encoded and compressed

10. cda305a6a6c6ace02597881b01a116e3 - CVE-2013-1331-doc.docx

Type: DOCX
Description: Office Downloader
Attribution: None
Current detection: 0/55    
First Submission: January 12, 2015
Last Submission: January 16, 2016
Time undetected in VT: The whole year and counting!

In 2013, a stack-based buffer overflow triggered while parsing PNG images was exploited in the wild against MS Office 2003 and Office for Mac. CVE-2013-1331 was assigned to the vulnerability.

The malicious samples did not include the PNG directly embedded in the document; rather, the PNG file was loaded from the Internet by using the INCLUDEPICTURE option[15].

This new sample uses a different option from the new XML Format called “Relationships” in order to download a resource from the Internet, as seen at Figure 26.

Figure 26: XML content loading the PNG image remotely

The same domain was used back in 2013, but now with a different download technique. Although the vulnerability has been patched by Microsoft, the aforementioned technique can be used to download any resource from the Internet.

Potential AV bypassing reason

1.     Use of the XML ‘Relationship’ instead of the original INCLUDEPICTURE method to download resources from the Internet is a novel technique that may not be recognized.

2.     Based on the code shown above, it is clear that the intention is not to download a .gif image but a .php resource. Signature-based engines should easily detect the unusual resource name with multiple dots.


Threat actors of all types continue to improve their techniques to compromise organizations and remain undetected within an environment. Our study identified a number of techniques that successfully bypassed many AV engines:

1.     Alternate techniques to embed objects within Office documents that may not be recognized by AV engines.

2.     The use of a multi-stage infection approach in order to look unsuspicious at each stage:

    a.     A document downloading an image from the Internet that cannot be flagged as malicious at that stage
    b.     A VBA Macro script loading malicious content from spreadsheet cells

3.     Multiple techniques to load malicious content from Office documents:

    a.     Embedded as ActiveX
    b.     Embedded as OLE Binary
    c.      Embedded in the document’s comments
    d.     Embedded in the spreadsheet cell

4.     Standalone packed binaries containing malicious Python scripts.

5.     Multi-layer Packing: RLPack + Custom UPX.

6.     The combination of multiple scripting languages to allow the attackers to obfuscate malicious code, such as VBA Script building malicious PowerShell scripts.

In several cases we note that the attackers are reusing known exploits (such as CVE-2015-5119 or CVE-2013-1331), but changing the delivery method; or leveraging obfuscation, encoding, encryption, or multiple layers of packing to disguise their malicious scripts or backdoors.

For proper detection, it is essential to monitor an attack through its entire life cycle – not simply when a suspicious document or file first enters a network. This approach is necessary to detect and block multi-stage infection strategies. While initial events (such as the delivery of a macro-enabled spreadsheet) may appear innocuous, eventually a later stage of the attack will trigger detection.

It is much easier to stop an attack – including a multi-stage attack – when it first occurs, to include detecting known and unknown exploits (zero days), or even threats that require user interaction such as macros inside documents.

This detection approach is the core logic behind FireEye Multi-Vector Virtual Execution (MVX) technology.


Indicators of Compromise - IOCs

Network Based:


POST /0000/a242550.asp
TCP Port: 8080 


GET /bbs/file/machinery/machine_body.jpg
PORT: 80


TCP Port: 80


TCP Port: 443


TCP Port: 13661


GET /ocagnt/gethooks.asp
TCP Port: 80
GET /ocagnt/enckeys
TCP Port: 80
GET /ocagnt/getstatus.asp
TCP Port: 80


TCP Port: 81



C:\Windows\System32\install\server.exe (copy of dropped binary) d409dc7e1ca0c86cb71e090591f16146


Mutex created:



Figure 27 shows the MD5s with zero detection detailed on this report.

Figure 27: 2015 samples from VT with zero detections in 2016

Some exceptions to this study were added for samples with low detection rates, but with only generic detection (that is, not detected as part of any specific code family), that used an interesting technique or that were suspected of being used by an APT group (see Figure 28).

Figure 28: Samples with low and / or generic detection

dc15336e7e4579c9c04c6e4e1f11d3dd – Brazilian RAT

Some interesting commands from the RAT in Portuguese language:

 0002A3A8: pingtest

 0002A3BC: tentarnovamente

 0002A3E0: mouseposition

 0002A3F8: keyboardkey

 0002A40C: webcaminactive

 0002A424: webcamgetbuffer

 0002A43C: webcam

 0002A44C: desktop

 0002A45C: stopsearch

 0002A470: listarvalores

 0002A488: maininfo

 0002A49C: configuracoesdoserver

 0002A4BC: disconnect

 0002A4D0: uninstall

 0002A4E4: renameservidor

 0002A4FC: enviarexecnormal

 0002A518: enviarexechidden

 0002A534: executarcomandos

 0002A550: openweb

 0002A560: downexec

 0002A574: resumetransfer

 0002A58C: listardrives

 0002A5A4: listararquivos

 0002A5BC: execnormal

 0002A5D0: execinv

 0002A5E0: deletardir


[1] Hangul Word Processor is a word processing application developed by South Korean software firm Hancom.
[5] An XLSB file is stored in binary format instead of the normal XML format, allowing the file to be read from and written to much faster.  See
[10] Py2Exe is a distutils extension to create standalone windows programs from python scripts.  See