Office documents have been a favorite method of distribution for malware authors for several years. While most malware authors go to great lengths to hide the intention of their macros through obfuscation, it is seldom that we encounter macros that also exhibit anti-analysis techniques. We recently examined an office document that contained such capabilities. This document was used in a spear phishing campaign to target an executive at a well-known publicly traded company.
What first stood out about this document was that when it was opened in a virtual environment, no malicious activity was observed. The content of the document used social engineering to get the user to enable macros.
The macros were obfuscated as can be seen in the Document_Open() function, which will execute when the document is opened.
Ransomware is a very hot topic right now. In fact, some are saying this will be the year of the ransom (LA Times). That is, ransomware is the single biggest (but not the only) threat to individuals and corporations this year. The FBI has even been meeting with organizations both publicly and privately to help raise awareness (FBI).
Yes. Blackmail has always been in the physical world. But it’s finding new legs on the Internet right now. Malware could do anything. From sabotage to spying. But stealing money is the cybercrime favorite. In the past, stealing bank numbers and credit cards was the path toward evil riches. However, banks have established more anti-fraud measures, making this technique difficult.
Attackers lock an organization or individual’s files, and agree to unlock them only if they pay a ransom. Getting paid with crypto-currency (bit coins) is the new fastest and safest way for bad guys to monetize a victim. The ransom for mass victims tends to be reasonable: ~$300USD is the average ask (CNET). Other times, the bad guys get directly involved to get a big fish on the hook, and ask for much more.
Ransomware doubled in 2015. The number of ransomware families has increased 600 percent from ~2 in 2013 to ~12 in 2015 (Bromium 2015 Threat Report). Here’s another way to visualize that data from a recent threat report (Symantec):
As with any success, copycats will always want to jump on the bandwagon. Expect to see many new variants of crypto-ransomware coming in the next year or two. Jigsaw (ComputerWorld) begins deleting files as you delay, almost like killing hostages one-by-one. Targeting backup files is effective against organization data (ABC News). And of course, the “best” ransomware includes good “customer service” helps victims pay (Reuters).
Hard to stop?
Yes. For most anyway. Typical security products are detectors. They require a constantly updated set of rules to try and block/detect infections. The problem: Angler is the crafty exploit kit of choice, and is currently managing to infect computers anyway. Angler is tending to drop ransomware, which is constantly re-encoded to bypass file analysis techniques. Thus, the only reliable way to stop ransomware is via security through isolation (what Bromium does). To read more about exploit kits, see: https://labs.bromium.com/2016/03/08/angler-ek-a-bromium-discussion/
The FBI recommends not clicking on suspicious links and backing up data (FBI). That’s good advice. But there are problems with both. First, people need to be able to click links and open documents to do their job. Imagine an HR employee who is told not to open PDFs? That’s how resumes come! Second, when backups are done, they’re not always stored offline. The real threat to organizations when a ransomware hits, is that their network shares (which might be where backups are stored) are encrypted.
Are you ready?
No. Many individuals and even companies do not have sufficient backups of critical data. Also, they do not have protections that can fully stop malware infections from getting in. That’s because detection is always a step behind. And while detection can help organizations hunt for unknown infections, there’s not as much need to find ransomware. You’ll know when you get hit. When you hear your system administration screaming; that might be the first clue.
Should I pay?
Of course not. Criminals will use the money to conduct R&D for more crime. There is also no certainty they’ll leave the system once (if) you get your files back. However, typically they do return the files, and most sources admit, there are cases where paying makes sense. For example, the hospital that couldn’t treat patients until their network returned paid the $17,000USD because risking any more time was not an option (LA Times).
This video provides a live walkthrough of a real ransomware sample. That’s what we really wanted to provide in this blog. We want to show how straightforward Ransomware is, and how easy it is for us to block and report.
Ransomware is going to hit your organization at some point. Will you be isolating those events, or dealing with the aftermath? Because ransomware has been so effective, more complicated strands are defiantly coming to a computer near you.
ABC News. Researchers: Newer Type of Ransomware Is Harbinger of Danger. http://abcnews.go.com/Technology/wireStory/researchers-newer-type-ransomware-harbinger-danger-38305258.
CNET. Ransomware is the hot hacking trend of 2016. http://www.cnet.com/news/pay-up-or-else-ransomware-is-the-hot-hacking-trend-of-2016/.
ComputerWorld. Jigsaw ransomware deletes more files the longer you delay paying. http://www.computerworld.com/article/3054739/security/jigsaw-ransomware-deletes-more-files-the-longer-you-delay-paying.html.
FBI. Ransomware awareness. http://wtvr.com/2016/04/04/fbi-warning-of-ransomware-scam-where-criminals-hold-data-hostage-for-money/.
LA Times. 2016 is shaping up as the year of ransomware. http://www.latimes.com/business/hiltzik/la-fi-mh-2016-is-the-year-of-ransomware-20160308-column.html.
LA Times. Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating. http://www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html.
Reuters. Ransomware: Extortionist hackers borrow customer-service tactics. http://www.reuters.com/article/us-usa-cyber-ransomware-idUSKCN0X917X?mod=djemCIO_h.
Symantec. Internet Security Threat Report . VOLUME 21, APRIL 2016 .
Just yesterday McAfee Labs reported macro malware hiding payload in text forms. That same day we found a sample fetching its payload from GitHub.
As usual the attack starts with a spam email with the attachment named:
<organization name>’s_Overdue Invoice_(007-153315).doc
Pretty nice name, some people may actually buy this as it isn’t any generic random name like invoice_confirmation.doc – it actually contains the organization’s name.
The document has the following structure: Read more…
Disruptive attacks against individuals and organizations are rapidly rising, as was noted in recent security reports (Mandiant, A Fireeye Company, 2016). As an example, ransomware has been a big problem. As we look at customer security alerts we note that ransomware could have been a problem for our clients as well. Thus, we decided to compare a typical approach to stopping evolving threats, to the Bromium approach.
Earlier this week we came across an interesting spam email. It was targeted at one of our customers in the retail industry. It contained a Microsoft Word document (MD5 = b74604d0081e68e91d64b361601d79c4) with a rather small macro in it. All that macro did was save a copy of the document as RTF, open it and then launch an executable from user’s temp folder. The interesting bit is that it did not explicitly drop or download the executable, it was just supposed to be there somehow. Turns out the malicious executable was embedded into the document as a package and dropped by MS Office itself. For the full details read on.
Dridex is a botnet with multiple features, it is most known for stealing people’s credentials on finance-related web sites. Despite the arrest of the gang behind the Dridex malware campaigns, the samples keep popping up on our customers’ machines. And other research groups noticed that as well.
Most of the Dridex attacks we see were triggered by malicious Microsoft Word or Excel in the result of spam disseminations. Microsoft Office allows its users to create macros – scripts in Visual Basic for Applications (VBA). This feature is used by many companies as a quick and easy way to automate certain parts of their business workflow. Naturally, malware writers take advantage of it. They can create a macro that downloads and executes malware on the victim’s machine, trick a user into opening the document, and trick them into allowing the macro to run. This part of the attack is more in the field of social engineering as attackers must convince a user to open a malicious email attachment and convince them to allow macros (macros won’t run by default).
Microsoft tried to raise awareness earlier this year, but little seems to have been done since then as the spam campaigns featuring macro malware have increased and evolved to become more effective.
On Windows systems, before Windows 8.1 update 3, C code calling a function pointer used to be compiled to just a simple “call register” instruction; for example, in a 32bit process:
Starting with Windows 8.1 update 3, in all system libraries, it is more complicated:
mov ecx, esi
Security researchers the world over have been digging through the massive HackingTeam dump for the past five days, and what we’ve found has been surprising. I’ve heard this situation called many things, and there’s one description that I can definitely agree with: it’s like Christmas for hackers.
“On the fifth day of Christmas Bromium sent to me a malware analysis B-L-O-G” – You
This is a very interesting situation we’ve found ourselves in. We have our hands on the code repositories of HackingTeam, and inside of them we’ve found the source code for a cross-platform, highly-featured, government-grade RAT (Remote Access Trojan). It’s rare that we get to do analysis of complex malware at the source-code level, so I couldn’t wait to write a blog about it!
For those paying attention to infosec news, it’s no secret that HackingTeam – a provider of exploits and malware to governments around the world – has been hacked. The hackers who hacked the hackers released a torrent with over 400GB of internal HackingTeam software, tools, write-ups, and, of course, 0-day exploits. One of the exploits we’ve come across was first exposed by the Twitter user @w3bd3vil, and is reminiscent of the “ActionScript-Spray” attack used in CVE-2014-0322 and first documented by Bromium researcher Vadim Kotov. In summary, CVE-2014-0322 used a UAF (user after free) vulnerability in Microsoft’s Internet Explorer to increase the size of an ActionScript Vector object, giving the attacker access to the heap of the process. HackingTeam’s exploit uses this idea to achieve execution, but uses a UAF bug internal to the ActionScript 3 engine.
Note: before diving in, let’s remember that this is not a weaponized 0day, but a PoC that HackingTeam provided to customers, so we don’t have any malicious payload to accompany it; only a simple calc.exe pop.