Experts analyzed an Office document containing a payload able to bypass Microsoft AppLocker and the Anti-Malware Scan Interface (AMSI).


A few days ago, during an intelligence-source monitoring operation, the Cybaze-Yoroi ZLAB team encountered an interesting Office document with some peculiarities that required a deeper analysis: its payload includes techniques suitable to bypass modern Microsoft defenses such as AppLocker, the application whitelisting feature in place on well-configured systems, and the newer Anti-Malware Scan Interface (AMSI), a vendor-agnostic security interface enabling anti-virus controls on running scripts, macro code and even memory blocks, designed to tackle obfuscation and file-less threats.

For this reason, the sample has been further dissected and analyzed by Cybaze-Yoroi ZLAB.

Technical analysis

SHA256:            127e9f68f0f97d6dafe55ad651f5b3c0f6a7b504b9b4b4d9aecc1f2141347447
Threat:            Gen.Dropper
Brief description: Doc Document dropper
Ssdeep:            1536:T1J7YxuapCK+9U87lMhldXxPtXjUkcAS8UNm:hJsxuaoL9U86xhVXQkcAS8

Table 1. Sample information

The initial document invites the user to enable macro execution to display the real content, silently starting the infection chain in the background while decoy components are shown to the victim.

Figure 1. Initial document view
Figure 2. Pop-up error

After a few seconds, a pop-up window is shown, reporting an error related to the decryption of the document, and then the Word document is automatically closed. 

At this point, the unaware victim may think there is a problem with the document and that nothing malicious happened, but the malware has already proceeded with its operation in a stealthy way. Looking at the document view more closely, it is possible to notice a suspicious chunk of strings in the smallest box on the left of the document:

Figure 3. Zoom on suspicious Word label

The box named “Kplkaaaaaaaz” contains a base64 encoded payload, subsequently extracted by the macro and assigned to the “dopzekaoooooooo” variable. It will be used to fill the next-stage BAT file. This technique, embedding part of the payload in a Word Label object or in cells, allows more code to be hidden directly inside the vector, lowering the chances of detection.

Also, the malware adopts an evasion technique to determine whether it is executed in a sandboxed environment. It checks if the machine’s domain name is equal to the computer name (on a workstation that is not joined to a domain, the two are the same, which is how most analysis machines are configured); if this condition holds, the previous “Kplkaaaaaaaz” variable is set to “This document contains VBA.”, causing the infection chain to stop. This trick is able to bypass all the major sandboxing services, like and Hybrid Analysis.

Figure 4. Obfuscated macro code

After a deobfuscation phase, the malware behaviour emerges. The next actions to be performed are contained in the “%temp%errors.bat” script, which is executed by a copy of “cmd.exe” stored in the %appdata% folder under the name “msutil.exe”.

Figure 5. Deobfuscated macro function

The screenshot above shows the instruction used to pop up the fake error window (Figure 2), a simple Visual Basic MsgBox. Unlike most malware, this sample uses a different technique to automatically start the macro code when the document is opened. Instead of using the Workbook_Open or Auto_Open functions, it exploits the Word InkEdit object and its InkEdit1_GotFocus event handler, which is launched as soon as the InkEdit1 control is displayed.

Figure 6. Function to start macro at open
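Many macro triage checklists look only for the classic Auto_Open/Document_Open entry points, which is exactly what this sample sidesteps. As an added example (not code from the original analysis), the Python below scans VBA source text for both the classic auto-exec procedures and the focus event handlers of embedded ActiveX controls such as InkEdit1_GotFocus. The VBA excerpt is constructed for the example: only the InkEdit1_GotFocus handler and the two names “Kplkaaaaaaaz” and “dopzekaoooooooo” come from the analysis; the RunStage procedure and the message text are invented.

```python
import re

# Constructed VBA excerpt modelled on the behaviour described in the analysis:
# the entry point is the GotFocus handler of an ActiveX InkEdit control, not
# Auto_Open. Only InkEdit1_GotFocus, Kplkaaaaaaaz and dopzekaoooooooo come from
# the analysis; RunStage and the message text are placeholders.
SAMPLE_VBA = """
Private Sub InkEdit1_GotFocus()
    dopzekaoooooooo = Kplkaaaaaaaz.Caption
    Call RunStage(dopzekaoooooooo)
End Sub

Private Sub RunStage(payload As String)
    MsgBox "Error decrypting document", vbCritical
End Sub
"""

# Document- and workbook-level auto-execution procedures that most macro triage
# tools already flag.
CLASSIC_AUTOEXEC = {
    "autoopen", "auto_open", "document_open", "workbook_open",
    "autoexec", "autoclose", "auto_close", "document_close",
    "workbook_beforeclose",
}

# Events raised by an embedded MSForms/ActiveX control when it is shown or
# receives keyboard focus. A handler named <Control>_<Event> runs without any
# classic auto-exec procedure. Extend the set for other focus-style events.
CONTROL_FOCUS_EVENTS = {"gotfocus", "enter"}

# Matches "Private Sub InkEdit1_GotFocus(" and similar declarations.
PROC_DECL = re.compile(
    r"^\s*(?:(?:Private|Public|Friend)\s+)?(?:Static\s+)?(Sub|Function)\s+(\w+)\s*\(",
    re.IGNORECASE | re.MULTILINE,
)


def find_autoexec_procs(vba_source: str) -> list:
    """Return the procedures that run automatically when the document opens."""
    findings = []
    for _kind, name in PROC_DECL.findall(vba_source):
        lowered = name.lower()
        if lowered in CLASSIC_AUTOEXEC:
            findings.append({"procedure": name, "trigger": "document/workbook event"})
            continue
        control, sep, event = lowered.rpartition("_")
        if sep and control and event in CONTROL_FOCUS_EVENTS:
            findings.append({"procedure": name,
                             "trigger": f"ActiveX control event {event} on {control}"})
    return findings


if __name__ == "__main__":
    for hit in find_autoexec_procs(SAMPLE_VBA):
        print(f"{hit['procedure']}: {hit['trigger']}")
```

The point of the second branch is that the control name is irrelevant: any procedure whose suffix is a focus event of an embedded control is an entry point, so a triage rule keyed on a fixed list of procedure names misses it.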

The “errors.bat” file contains a Base64 encoded PowerShell script which closes the initial Word document by killing its process and permanently deletes it from the file system. The script shows another evasion technique by checking the amount of memory available on the system: if it is less than 1 GB the malware terminates its execution and removes all evidence of the infection.

Figure 7. PowerShell code embedded into “errors.bat” file

The check against available memory is done through a CIM (Common Information Model) instance. Strangely, the return value of this cmdlet is assigned to a variable named “diskSizeGB” even though the function returns the amount of available RAM and not the disk size (a probable error by the author).

After evaluating the previous conditions, the BAT file proceeds to set a new registry key, named after the victim’s username, storing a random value in it.

Figure 8. RegKey set by malware

The random value is necessary to create a new TXT file which will be filled with a base64 payload. The file content is then decoded using the “certutil” Windows utility and finally executed using the instruction:

start /b regsvr32 /u /n /s /i:%appdata%9711.txt scrobj.dll 

This trick is known as “Squiblydoo”. It allows Windows AppLocker, the application whitelisting technology introduced with Microsoft’s Windows 7 operating system, to be bypassed. AppLocker restricts which programs users can execute via Group Policy, e.g. the enterprise administrator can disable script execution on every machine belonging to the enterprise domain. Using this AppLocker bypass trick it is possible to launch any script, eluding the block, because the script is loaded by regsvr32, a signed Microsoft binary in the system folder that default AppLocker rules allow.

A fundamental part of the bypass is “scrobj.dll”, one of the Windows utility DLLs. It is able to create Component Object Model (COM) components using scripting languages such as Visual Basic Scripting Edition (VBScript) and JScript. So, as expected, “9711.txt” is a scripting file producing a new COM object, which is registered using the “regsvr32” utility.

Figure 9. Scripting file used in Squiblydoo trick
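From the defender's side, the whole chain up to this point leaves process-creation traces that are easy to check for. As an added example (not part of the original analysis), the Python below runs three checks over constructed process-creation events written in a Sysmon-like key=value layout: a regsvr32 invocation whose /i: argument points to a scriptlet while scrobj.dll is passed as the DLL (the Squiblydoo pattern above), certutil used to decode a file to disk, and a process whose on-disk name differs from the OriginalFileName recorded in its version resource (the msutil.exe copy of cmd.exe). The user name, paths and the intermediate base64 file name are constructed sample values.

```python
import re

# Constructed process-creation events in a Sysmon-like key=value layout. The
# user name, paths and the .b64 intermediate file are sample values; the
# regsvr32 arguments, certutil decoding and the msutil.exe copy of cmd.exe
# follow the chain described in the analysis.
SAMPLE_EVENTS = [
    "Image=C:\\Users\\victim\\AppData\\Roaming\\msutil.exe OriginalFileName=Cmd.Exe "
    "CommandLine=msutil.exe /c C:\\Users\\victim\\AppData\\Local\\Temp\\errors.bat",
    "Image=C:\\Windows\\System32\\certutil.exe OriginalFileName=CertUtil.exe "
    "CommandLine=certutil -decode C:\\Users\\victim\\AppData\\Roaming\\9711.b64 "
    "C:\\Users\\victim\\AppData\\Roaming\\9711.txt",
    "Image=C:\\Windows\\System32\\regsvr32.exe OriginalFileName=REGSVR32.EXE "
    "CommandLine=regsvr32 /u /n /s /i:C:\\Users\\victim\\AppData\\Roaming\\9711.txt scrobj.dll",
    "Image=C:\\Windows\\System32\\regsvr32.exe OriginalFileName=REGSVR32.EXE "
    "CommandLine=regsvr32 /s C:\\Program Files\\Vendor\\vendor.dll",
    "Image=C:\\Windows\\System32\\cmd.exe OriginalFileName=Cmd.Exe CommandLine=cmd.exe /c dir",
]

# Split on whitespace only where the next token looks like "Key=".
FIELD_SPLIT = re.compile(r"\s+(?=\w+=)")


def parse_event(line: str) -> dict:
    """Split 'Key=value Key2=value with spaces' into a dict."""
    fields = {}
    for part in FIELD_SPLIT.split(line.strip()):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def check_regsvr32(cmd: str):
    """Squiblydoo: regsvr32 told to run a scriptlet through scrobj.dll."""
    tokens = cmd.split()
    if not tokens or "regsvr32" not in tokens[0].lower():
        return None
    uses_scrobj = any(t.lower().endswith("scrobj.dll") for t in tokens)
    scriptlets = [t[3:] for t in tokens if t.lower().startswith("/i:")]
    if uses_scrobj and scriptlets:
        return f"Squiblydoo: regsvr32 /i:{scriptlets[0]} with scrobj.dll"
    # /i: normally carries a string for DllInstall; a URL or a non-DLL file
    # there is worth a look even without scrobj.dll on the command line.
    for s in scriptlets:
        if s.lower().startswith(("http://", "https://")) or not s.lower().endswith(".dll"):
            return f"regsvr32 /i: points at a non-DLL resource: {s}"
    return None


def check_certutil(cmd: str):
    """certutil used as a decoder/downloader rather than for certificates."""
    tokens = [t.lower() for t in cmd.split()]
    if not tokens or "certutil" not in tokens[0]:
        return None
    for switch in ("-decode", "-urlcache"):
        if switch in tokens:
            return f"certutil {switch} used outside certificate management"
    return None


def triage(lines) -> list:
    """Return (image name, finding) pairs for every suspicious event."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("Image", "").rsplit("\\", 1)[-1]
        original = ev.get("OriginalFileName", "")
        cmd = ev.get("CommandLine", "")
        # A renamed copy of a system binary shows up as a mismatch between the
        # file name on disk and the OriginalFileName in its version resource.
        if original and image.lower() != original.lower():
            findings.append((image, f"renamed copy of {original}"))
        for check in (check_regsvr32, check_certutil):
            hit = check(cmd)
            if hit:
                findings.append((image, hit))
    return findings


if __name__ == "__main__":
    for image, finding in triage(SAMPLE_EVENTS):
        print(f"{image}: {finding}")
```

The legitimate `regsvr32 /s vendor.dll` event in the sample produces no finding, which is the property a rule like this needs: regsvr32 itself is common, the combination of `/i:` with a non-DLL argument and scrobj.dll is not.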

Obviously, this code is also heavily obfuscated, but using a JScript interpreter it is possible to extract some interesting evidence.

Figure 10. ActiveXObject executed through Squiblydoo

The newly created ActiveXObject uses the previously stored random value to set up malware persistence in HKCU\Environment\UserInitMprLogonScript, so that its malicious actions start at logon time.

Figure 11. Malware persistence
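An added example (not from the original analysis) of checking for this persistence mechanism offline: the Python below parses a registry export in the .reg format written by `reg export`, including REG_EXPAND_SZ values stored as hex(2) with line continuations, and reports any UserInitMprLogonScript value found under an Environment key. The registry excerpt is constructed; the value shown for UserInitMprLogonScript is a placeholder modelled on the regsvr32 command above, not the value the sample actually wrote.

```python
# Constructed excerpt in the format written by "reg export HKCU\Environment".
# The UserInitMprLogonScript value is a placeholder modelled on the regsvr32
# command from the analysis; the real sample's value is not public.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Environment]
"TEMP"="%USERPROFILE%\\AppData\\Local\\Temp"
"TMP"=hex(2):25,00,54,00,45,00,4d,00,\
  50,00,25,00,00,00
"UserInitMprLogonScript"="regsvr32 /u /n /s /i:%APPDATA%\\9711.txt scrobj.dll"

[HKEY_CURRENT_USER\Software\Example]
"Setting"=dword:00000001
"""


def decode_reg_value(raw: str):
    """Decode the value syntax used by .reg files."""
    if raw.startswith('"') and raw.endswith('"'):
        # REG_SZ: quotes and backslashes are escaped with a backslash.
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex(2):"):
        # REG_EXPAND_SZ is exported as comma-separated UTF-16LE bytes.
        data = bytes(int(b, 16) for b in raw[len("hex(2):"):].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw  # other hex(...) types are left undecoded in this example


def parse_reg_export(text: str) -> dict:
    """Return {key path: {value name: decoded value}}."""
    keys, current, pending = {}, None, ""
    for raw_line in text.splitlines():
        line = pending + raw_line.strip()
        pending = ""
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.endswith("\\") and "=hex" in line:
            pending = line[:-1]  # hex data continues on the next line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        keys[current][name.strip('"')] = decode_reg_value(value)
    return keys


def find_logon_script_persistence(keys: dict) -> list:
    """UserInitMprLogonScript is absent on a clean profile; report any occurrence."""
    hits = []
    for path, values in keys.items():
        if path.rsplit("\\", 1)[-1].lower() != "environment":
            continue
        for name, value in values.items():
            if name.lower() == "userinitmprlogonscript":
                hits.append((path, name, value))
    return hits


if __name__ == "__main__":
    for path, name, value in find_logon_script_persistence(parse_reg_export(SAMPLE_REG)):
        print(f"{path}\\{name} = {value}")
```

The same parser works on an export of HKEY_USERS, where each loaded profile exposes its own <SID>\Environment key, so a single export can be checked for every user on the machine.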

After that, it starts a new obfuscated PowerShell script which looks like this:

Figure 12. Final payload including an Empire stager

In this stage, too, the malware shows an evasion technique against sandbox analysis, waiting for a long period of time, over 5 minutes. It then checks the OS version and retrieves code from “hxxp://riscomponents[.]pw/test[.]txt”: these PowerShell instructions are used to bypass the Antimalware Scan Interface (AMSI).

AMSI is a versatile interface standard that allows applications and services to integrate with any anti-malware product present on a machine. It is mainly designed to help two kinds of stakeholders: application developers who want to make requests to anti-malware products from within their applications, and anti-virus vendors who want their products to offer their features directly to applications. Moreover, AMSI is integrated by default into several Windows 10 components, such as User Account Control (UAC), PowerShell, Windows Script Host, JavaScript, VBScript and Office VBA, and it allows code to be evaluated just prior to its execution, after all the obfuscation has been stripped away.

However, several AMSI bypass methods are available on the Internet, and many of them require only a few lines of code, like the one found during the analysis:

Figure 13. AMSI bypass code used by the malware

This code retrieves the memory address of the AmsiScanBuffer function exported by the “amsi.dll” system library, then overwrites its first bytes with the buffer {0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3}, permanently disabling the AMSI scan capability for that process. The attacker probably re-used one of the scripts publicly available on the Internet, like this one, written in C#. As shown in the figure, the snippet seems to be almost the same as the one used by the malware:

Figure 14. AMSI bypass snippet available on GitHub
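Two added examples in one block (not code from the analysis or from the GitHub snippet). First, decoding the six patch bytes shows why the patch works: B8 imm32 is `mov eax, imm32` and C3 is `ret`, and the little-endian immediate 0x80070057 is the E_INVALIDARG HRESULT, so every call into the patched AmsiScanBuffer returns an error status at once and nothing is scanned. Second, an indicator count over PowerShell script block text of the kind recorded by script block logging flags the combination of amsi.dll/AmsiScanBuffer references, the usual memory-write primitives, and that byte sequence appearing as literals. The script block samples are constructed: the benign one is modelled on the memory check described above, the suspect one is a fragmentary excerpt carrying the indicators, not a script.

```python
import re
import struct

# The six bytes the analysis reports being written over the start of
# AmsiScanBuffer.
AMSI_PATCH = bytes([0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3])
E_INVALIDARG = 0x80070057


def decode_patch(patch: bytes) -> dict:
    """Decode a 'mov eax, imm32 ; ret' stub (opcode B8 imm32, then C3)."""
    if len(patch) != 6 or patch[0] != 0xB8 or patch[5] != 0xC3:
        raise ValueError("not a mov eax, imm32 / ret stub")
    (imm32,) = struct.unpack("<I", patch[1:5])  # x86 immediates are little-endian
    return {
        "asm": f"mov eax, 0x{imm32:08X} ; ret",
        "hresult": imm32,
        # HRESULTs with the top bit set are failures. AmsiScanBuffer reports
        # the verdict through an out parameter, so a failing HRESULT means no
        # verdict was produced and the host proceeds as if nothing was detected.
        "is_failure_hresult": bool(imm32 & 0x80000000),
    }


# Constructed script block text (the kind logged as PowerShell event 4104).
# The benign sample mirrors the memory check described in the analysis; the
# suspect sample is an excerpt carrying the patch's indicators, not a script.
BENIGN_BLOCK = "Get-CimInstance Win32_OperatingSystem | Select-Object FreePhysicalMemory"
SUSPECT_BLOCK = (
    "... LoadLibrary('amsi.dll') ... GetProcAddress($h, 'AmsiScanBuffer') ... "
    "VirtualProtect($p, ...) ... [Byte[]](0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3) ... "
    "[Runtime.InteropServices.Marshal]::Copy($b, 0, $p, 6)"
)

# Each indicator alone is common in legitimate code; the combination is not.
INDICATORS = {
    "amsi_library": re.compile(r"amsi\.dll", re.I),
    "amsi_scan_buffer": re.compile(r"AmsiScanBuffer", re.I),
    "resolve_export": re.compile(r"GetProcAddress", re.I),
    "change_protection": re.compile(r"VirtualProtect", re.I),
    "write_memory": re.compile(r"Marshal\]?::Copy|WriteProcessMemory", re.I),
}
HEX_BYTE = re.compile(r"0x([0-9a-fA-F]{1,2})\b")


def contains_patch_stub(text: str) -> bool:
    """True if the hex byte literals in the text, in order, contain the stub."""
    literal_bytes = bytes(int(h, 16) for h in HEX_BYTE.findall(text))
    return AMSI_PATCH in literal_bytes


def amsi_tamper_indicators(text: str) -> list:
    """Names of the indicators present in one script block."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if contains_patch_stub(text):
        hits.append("e_invalidarg_ret_stub")
    return hits


def is_amsi_tamper(text: str, threshold: int = 3) -> bool:
    """Require several indicators together: GetProcAddress alone proves little."""
    return len(amsi_tamper_indicators(text)) >= threshold


if __name__ == "__main__":
    print(decode_patch(AMSI_PATCH))
    for label, block in (("benign", BENIGN_BLOCK), ("suspect", SUSPECT_BLOCK)):
        print(label, is_amsi_tamper(block), amsi_tamper_indicators(block))
```

Because AMSI evaluates content after de-obfuscation, the script block log usually contains these identifiers in the clear even when the on-disk stager was obfuscated, which is what makes a text-level indicator check on event 4104 worthwhile.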

The goal of the rest of the code is to retrieve new commands to execute from its Command & Control server located at hxxps://185.198.57[.]142/admin/login.php. Analyzing the piece of script involved in downloading new instructions, it seems to be an Empire PowerShell stager, as shown in some of the examples reported by SANS in their paper. Unfortunately, the server was down at analysis time, so it was impossible to carry on the investigation.

Due to the malware's complexity, a brief scheme of its behaviour is shown in the following figure.

Figure 15. Malware infection scheme

Using a combination of multiple evasion techniques, some of them even trivial, such as exploiting the lazy naming scheme adopted by popular sandboxes, the analyzed threat was able to evade advanced security mechanisms in place in modern Windows systems like AppLocker and AMSI: controls designed to support the implementation of high-level security requirements, such as application whitelisting policies and the mitigation of file-less threats. This shows how a sufficiently motivated attacker could set up a hardly detectable payload able to overcome even these strict security mechanisms, providing further evidence of the gap between technology and human attackers.

Technical details, including Indicators of Compromise, are reported in the analysis published by the experts on the Yoroi blog:

Pierluigi Paganini

(SecurityAffairs – AppLocker, evasion)
