Friday, 10 March 2017

New Way to run VBScript Payload


Some day ago I received an email in an unmarked Gmail mail box. It was a clear Phishing email, but what catched my eyes has been a Password reported into the email's body and the attachment. It was a Microsoft Word file with ".docx" extension.

The first question that I asked to myself was: "Why this file wasn't dropped from Google security check?".

I decided to analyze the attachment and investigate about the sender.

First of all, I opened the attachment and putted into the password reported into the email's body. Opened, it had only three icons that looks like word's icons.



My first words were "What a fuck of Word file is this?!?!".
It doesn't makes sense! No text, no request to enable macro on startup.

The total words catch my eye. As you can see into the red circle, they were 369 words, but the document didn't had text, only 3 image's icons.

Double click on the image and I discovered the secret. The macro, VBScript, is embedded within it!

"What?! A macro into an image?!...You are a fucking genius!!" I Thought.

 But in which way is possible to embedded a VBScript into an image?!

The answer of my question was behind the right-click. Who created this document used Packager Shell Object to embed the VBScript content.

Taking a close look to Packager Shell Object properties was easy to understand that it was a VBScript file and where it was it was stored.

It was stored in "\Local\Temp" folder every time the Word file is executed. When the file is going to shut down it is going to be deleted from this folder.



The VBScript was obfuscated, but not in a hard way.

In the snippet code reported below, is reported two different files that are going to be created based on seconds:

  • the first one had extension ".viv"
  • the second one had extension ".qde"
Please note, seconds were used as file's name.



"JAy0D" function reads from file ".qde" and write into the file ".viv".

The snippet code reported below shows the resource that the dropper has to download, file with extension ".pkg".



Using whois protocol, I retrieved domain's information. Is useful to note that this domain is protect by privacy policy agreement.



File format ".pkg" is an installation file used by Apple in its Operating System.

Was impossible to download "tmp.pkg" file. The server gave error 404 Not Found.


Another resource that has to be downloaded is a file ."jpt".
JPT format file (JPEG-PNG-Type) takes advantage of the compression ratio from JPEG and PNG at the same time.
The main image is stored in JPEG while the alpha channel is stored in a PNG file as a gray scale.
While the PNG file can be 32 bit, 24 bit, 8 bit or even palette based, it is recommended to use
only 8 bit or palette based images in order to save space and actually take advantage of the JPT
format.
The next step was to analyze this file.


There I discovered the home page where this library come from.

It was hosted in a github page that it is not longer available.


From the page, I was able to recovery the developer's name "Jake J. Davis" and thanks to Google Cache, part of his GitHub account.

Jakey J. Davis closed a lot of his accounts in the last months, like github, libraries.io, etc.

Another analysis I did was the email's header. Here we can read sender's PC name connected to the server.




 Hey! Bruce, remember: "The first Internet's rule is: Stay Stealth"! 👀


CONCLUSION and HESITATIONs:

Something doesn't seems clear.
  1. File PKG is not reachable.
  2. JTP file doesn't seems to be JTP's format.
  3. This VBScript works only on Windows OS and it acts as a dropper to download other resources. It also use windows like commands ("cmd.exe") to perform some checks ("ping 8.8.8.8");
  4. If everything seems wrote for Windows OS, why it has to download file that works on Mac OS?







In conclusion: Given all these inconsistencies, many questions are still outstanding and this leave us two options, everything is part of a bigger project or the one who created these files is a newbie?


Thanks to my colleague for the support provided! ☺

2 comments:

  1. Can you share a sha256 of the sample(s) you've analysed here?

    ReplyDelete
  2. y85kp46kx1jl32j9d.docx

    MD5: a43cbb141df9aef6b77ecb6ab5d27dda
    SHA256: 9740cc8e0de64f8bc1fd0f7afb8c3b9782cfe8c87bf8a580a47b0f7afc92f357

    img.jpt

    MD5: c95a7f3fdde60fce15bfa74ed87b62ce
    SHA256: 037491839724011c6f02e5cfd3790e05329f9c18888c7e9ad2c9e8558d7f968b

    ReplyDelete