Attacks by macro malware carrying ransomware are growing, as we have recently reported. Since early March we have seen macro malware using high-obfuscation algorithms to hide itself from static and traditional antimalware detection techniques. Macro malware continues to evolve and use new tricks to evade detection. In addition to these evasion techniques, McAfee Labs researchers have witnessed a new variant of macro malware. This version uses the password given in the email to open the malicious Word document. Password protection makes it harder to extract and scan the attachment for malicious code.
McAfee Labs has previously blogged about macro malware using high-obfuscation algorithms and several other layers of evasion to avoid detection. Previous variants have used fudging techniques such as virtual machine awareness, sandbox awareness, and others. The infection process follows this path:
Looking at the email body we can see that the attached document file is randomly named with a .dot extension and a document password is provided to open it. The email related to this spam looks like the following snippet:
Once the user provides the password to open the document, it prompts the user to “enable editing and enable content to read content.” If a user clicks “enable content,” macros will be enabled and will drop a malicious VBScript with a random name in %appdata%. We checked the hash on VirusTotal. This file has recently been submitted from several countries.
The macro and dropped VBScript both are highly obfuscated. Once deobfuscated, the VBScript downloads the encrypted payload with the file extension .jop. Next the payload is decrypted by a simple XOR operation. At first glance, it is difficult to guess the intentions of this VBScript. We further deobfuscated the code and found more readable strings. The obfuscated VBScript looks like this:
The obfuscation algorithm is not the same every time. For this variant we deobfuscated the content using a small Python script.
After deobfuscating, we found more readable strings—notably the malicious URLs that download the payloads. Different URLs may be present in different VBScripts. Currently these URLs are inactive.
Malware authors uses different techniques to delay the execution of any suspicious functionality for a certain time. Generally sandbox systems monitor execution for a limited time, and in the absence of malicious activity classify a program as legitimate. Attackers uses techniques such as onset delay, stalling code, and extended sleep calls to delay the execution in sandbox environments. This variant delays execution by running cmd.exe with the parameter “ping 8.8.8.8 -n 250 > nul,” which pings the Google DNS server 250 times and ignores the results.
The final payload is Cerber ransomware, which encrypts the victim’s machine. We saw a spike in Cerber during week 41 (early October):
Malware authors continue to advance their sandbox-evasion techniques and make security efforts difficult for antimalware products. McAfee advises all users to keep their antimalware products up to date. McAfee products detect the document file, VBScript, and final Payload as W97M/Downloader, VBS.Downloader, and Ransomware-FUN! [Partial hash].
Hashes
Document files:
- 7799b30cd33b7052701a2d8e91aeb99e (password: nOrCeBV)
- b7220f3455d92615f25b8d9eca94fefc (password: TfsMoS)
- 2552fb9ba6dfc97168bccde23763fb81 (password: 4nHTvIM1)
VBScript:
- 7F86D6E9C030630EACE4952F25DE9364
- 19C684BABFBEF9CA5C845492D5A0DE4F
Cerber:
- 4df4dfbcf17f2b1f5bcab6210c54c251
References
https://blog.knowbe4.com/manic-monday-the-massive-cerber-campaign-flooding-your-employees-inboxes