CarbonBlack’s ThreatSight recently discovered a phishing campaign that was leveraging MS Office Word documents with obfuscated VBScripts and the Powershell ConvertTo-SecureString cmdlet, which decrypted the C2 and associated logic. This represents an evolution of current macro attack techniques, which are leveraging cmdlets not typically associated with phishing campaigns. A sample using these techniques was analyzed in this post to describe how the attack works. The table below contains the metadata for the sample that was analyzed.
Oledump was used to extract the 4 streams in the MS Word document that contains compressed VBScript macros. The image below shows the different streams.
The functionality of the script is divided amongst the 4 different streams, which all contained hundreds of lines of junk code and obfuscation. The below image is an example of 1 of the decompressed streams.
The VBScript utilizes a function that will take a string and two integer values. The function will first replace characters in the string before using the integers as a starting point and length to extract a set of characters embedded in junk characters. These extracted strings will then be concatenated together to form commands. This is a fairly common tactic to obfuscate strings that are typically associated with malicious macros. The table below contains python code that can be used to extract the different strings. It should be noted that this python code is specific to this sample, regarding the strings that are replaced and that in the original sample additional characters were added (mostly the ^ character) in an attempt to bypass certain detection techniques.
def parse_data(string, start, size):
start = start - 1
string = re.sub('MtwBUu', '', string)
return string[start:start + size]
In this sample there were approximately 4,000 lines of junk and obfuscated VBS code, that only contained about 250 lines of legitimate code. Approximately 100 lines of strings were extracted, that when concatenated together produced the command visible in the image below.
The above command will use cmd.exe to execute powershell, which is obfuscated in lines 2 - 5. Those same lines are displayed below, which is a set of variable declarations to concatenate characters to form the string powershell.
The PowerShell command itself (pictured below) will Base64 decode and then zlib decompress a secondary payload which will be executed in memory. It should be noted that the text in the image below was cleaned up, to make it easier to read. The original was obfuscated with invoke-obfuscation.
The second stage code is listed below and contain an encrypted (and Base64 encoded) object and a string, which is converted to a secure string via a PowerShell cmdlet. It should be noted that the code below has been truncated.
The encrypted object can be converted to plaintext using PowerShell and the appropriate cmdlets. The table below shows the (truncated) data above being set as the $out variable, and then converted to plaintext.
The result is a third obfuscated layer that is executed in memory, which is displayed in the image below.
The command from above, was cleaned up for analysis and is displayed below. The variable were also renamed. The command will create a random value (between the integers of 10,000 and 282,133. An array of URLs are then created, however in this sample on 1 C2 is listed (highlighted in red). The full path for the download is then created, the second stage malware is then downloaded and executed (highlighted in green and blue respectively).