Authors Jyoti Naveen and Kiran Raj
McAfee Labs is observing a spike in a phishing campaign that abuses the macro capabilities of Microsoft Office. The malicious documents reach victims through mass spam e-mail campaigns and typically play on urgency or fear, prompting unsuspecting users to open them quickly. The goal of these spam runs is to deliver the malicious payload to as many people as possible.
A recent spam campaign uses malicious Word documents to download and run the Ursnif Trojan. Ursnif is a high-risk Trojan designed to collect sensitive information from the infected host; it typically stores the stolen data and sends it back to a command-and-control server.
This blog describes how the attackers use document properties and a few other tricks to download and execute the Ursnif Trojan.
Threat summary
- The initial attack vector is a phishing email with a Microsoft Word document attachment.
- When the document is opened and macros are enabled, the VBA macro executes malicious shellcode.
- The shellcode downloads the remote payload, Ursnif, and invokes rundll32.exe to run it.
Infection chain
The malware arrives via a phishing email carrying a Microsoft Word document as an attachment. When the document is opened and the macro is enabled, Word downloads a DLL (the Ursnif payload), which is then executed using rundll32.exe.
data:image/s3,"s3://crabby-images/45cc0/45cc059131ed51535aec03de98a7c683f273ef8b" alt="Figure 1- Flowchart of the infection chain"
Word document analysis
Macros are disabled by default; malware authors know this and therefore display an image that lures the victim into enabling them.
data:image/s3,"s3://crabby-images/e7a3d/e7a3dba280f4c05ca1254e15000d1c2a7f55b325" alt="Figure 2- Images of what the user sees while opening the document"
VBA macro analysis of the Word document
Static analysis of the sample with oleid and olevba flags suspicious indicators (VBA macros with auto-execution and Windows API access).
data:image/s3,"s3://crabby-images/a4c53/a4c5336430548b57f72a46ab3319e59df3e18d53" alt="Figure 3- Oleid output"
data:image/s3,"s3://crabby-images/40b14/40b14de3e7b50afbec55aa0f3c4b821b26143105" alt="Figure 4- Olevba output"
The VBA macro is written to run on both 32-bit and 64-bit architectures and is heavily obfuscated, as shown in Figure 5.
data:image/s3,"s3://crabby-images/557ed/557ede719405026a18186d4b539a1c51390ff3cb" alt="Figure 5- Obfuscated VBA macro"
To understand the functionality better, we deobfuscated the macro; the result is shown in the two figures below.
data:image/s3,"s3://crabby-images/737d6/737d66500f1ec43cd3ee4748565151d7d2b77df1" alt="Figure 6- Deobfuscated VBA macro (Phase 1)"
data:image/s3,"s3://crabby-images/d52e1/d52e19e1cd435243374b41baa3203e4ecc6ae934" alt="Figure 7- Deobfuscated VBA macro (Phase 2)"
An interesting feature of this sample is that some strings, such as the CLSID, the URL for downloading Ursnif and the name of the environment variable, are stored in custom document properties rather than in the VBA code itself, so a quick look at the macro source alone does not reveal them. As shown in Figure 7, the VBA retrieves these values with “ActiveDocument.CustomDocumentProperties()” and uses “StrReverse” to reverse the content.
The document properties are shown in Figure 8.
data:image/s3,"s3://crabby-images/b8302/b8302038b8e81886ecee8c5dfc88301bf2f7d205" alt="Figure 8- Custom document properties"
Payload download and execution
The macro retrieves the hidden shellcode from a custom property called “Company”, converts it from a string into numeric (byte) values with the “CDec” function and executes it. The raw property content is shown below.
data:image/s3,"s3://crabby-images/18eff/18eff1b584aa0ea35f68d6566953779270e1e90b" alt="Figure 9- Raw company property"
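The two hiding steps above (StrReverse on the custom properties and CDec on the “Company” property) can be replayed offline to recover the indicators without ever enabling the macro. The following Python is an added example written for this article, not code from the McAfee post or from the sample. The property names other than “Company”, all property values and the assumption that the shellcode is stored as decimal byte values separated by non-digit characters are constructed for illustration, since the exact layout of the Company property is only visible in the screenshot. It goes slightly beyond the text by scanning every property in both orientations for URLs, so it works even when you do not yet know which property the macro reads for what.

```python
"""Replay the maldoc's string hiding offline: StrReverse on custom document
properties and CDec on the "Company" property that carries the shellcode.

Added example for this article, not code from the McAfee post or the sample.
"""
import re
from typing import Dict, List

# Constructed stand-in for ActiveDocument.CustomDocumentProperties().
# "Company" is the property named in the analysis; the other property names
# and all values are invented for illustration (the URL is the one from the
# IOC table, defanged, stored reversed as the macro expects).
SAMPLE_PROPS: Dict[str, str] = {
    "Company": "232,0,0,0,0,90,72,131,194,16,255,226",   # constructed byte values
    "Keyword1": "/vdk/pot.bssapretsamcod//:pxxh",        # reversed download URL
    "Keyword2": "RAV_LVE_TSET",                            # reversed env var name (hypothetical)
    "Keyword3": "tnemucoD.droW",                           # reversed ProgID-style string (hypothetical)
}

URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s\"']+", re.IGNORECASE)


def str_reverse(value: str) -> str:
    """Equivalent of VBA StrReverse."""
    return value[::-1]


def cdec_bytes(encoded: str) -> bytes:
    """Mimic the macro's CDec loop.

    Assumption: each run of digits is one CDec() call and yields one byte.
    A value above 255 means the layout assumption is wrong for this sample,
    so fail loudly instead of silently producing garbage.
    """
    values = [int(tok) for tok in re.findall(r"\d+", encoded)]
    too_big = [v for v in values if v > 255]
    if too_big:
        raise ValueError(f"non-byte values {too_big[:5]}: layout assumption does not hold")
    return bytes(values)


def find_urls(props: Dict[str, str]) -> List[str]:
    """Look for URLs in every property, both as stored and reversed, so the
    analyst does not need to know which property the macro reads for the URL."""
    hits: List[str] = []
    for value in props.values():
        for candidate in (value, str_reverse(value)):
            hits.extend(URL_RE.findall(candidate))
    return sorted(set(hits))


def looks_like_get_pc(blob: bytes) -> bool:
    """Cheap heuristic: position-independent x86/x64 shellcode commonly opens
    with 'call $+5' (E8 00 00 00 00) to learn its own address."""
    return blob.startswith(b"\xe8\x00\x00\x00\x00")


def triage(props: Dict[str, str]) -> dict:
    """Summarise what the macro would see, without executing anything."""
    shellcode = cdec_bytes(props["Company"])
    return {
        "urls": find_urls(props),
        "reversed_strings": {k: str_reverse(v) for k, v in props.items() if k != "Company"},
        "shellcode_len": len(shellcode),
        "shellcode_head": shellcode[:8].hex(),
        "get_pc_stub": looks_like_get_pc(shellcode),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_PROPS).items():
        print(f"{key}: {val}")
```

In practice the property values come from the document itself (for OLE .doc files they live in the DocumentSummaryInformation stream; olevba also lists them), and the decoded shellcode is what you would hand to an emulator or disassembler next. The hard failure in cdec_bytes is deliberate: if a later variant switches to hex or to a different separator, a silent best-effort decode would only produce a confident-looking wrong answer.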
The shellcode is written to memory and the page protection is changed to PAGE_EXECUTE_READWRITE with VirtualProtect. An RWX page appearing inside WINWORD.EXE is itself a strong signal, since Word has no legitimate reason to make a data buffer executable.
data:image/s3,"s3://crabby-images/d6396/d63962b885288825ec27c809f6c6ac0afe36542e" alt="Figure 10 - VirtualProtect call"
data:image/s3,"s3://crabby-images/f79a5/f79a545bc04b017fb3b59060102d316dddaa34a5" alt="Figure 11- Shellcode memory and its protection after calling VirtualProtect()"
After the shellcode is placed in memory, an environment variable containing the malicious URL of the Ursnif payload is created. This environment variable is read later by the shellcode.
data:image/s3,"s3://crabby-images/aff2d/aff2d8c3bb6561fc79ec306abe9da118ac7170ad" alt="Figure 12- Environment variable set in the WINWORD.EXE process"
The shellcode is executed using the SetTimer API. SetTimer creates a timer with the specified time-out value and calls a callback function (the lpTimerFunc parameter) when the time elapses. The 4th parameter of the SetTimer call is the pointer to the shellcode in memory, which is therefore invoked once the specified time has elapsed. Because the callback is dispatched from Word's own message loop when the WM_TIMER message is processed, the shellcode runs on the existing UI thread of WINWORD.EXE without creating a new thread or process; the first process-level artefact of the chain is the rundll32.exe child described below.
data:image/s3,"s3://crabby-images/65895/65895643add251d0b0dc65bc96d2fe47d8c5f53b" alt="Figure 13- SetTimer function (executing the shellcode)"
The shellcode downloads the file from the URL stored in the environment variable, saves it as “y9C4A.tmp.dll” in the user's Temp directory and executes it with rundll32.exe by calling its DllRegisterServer export.

| Item | Value |
| --- | --- |
| URL | hxxp://docmasterpassb.top/kdv/x7t1QUUADWPEIQyxM6DT3vtrornV4uJcP4GvD9vM/ |
| CMD | rundll32 "C:\Users\user\AppData\Local\Temp\y9C4A.tmp.dll",DllRegisterServer |

data:image/s3,"s3://crabby-images/26bf3/26bf3afe71c89c90702e398fcdd858903bad8ed2" alt="Figure 14- Export of the downloaded DLL"
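The final step is also the most detectable one. The following Python is an added example, not from the McAfee post, that runs a few process-creation rules over constructed Sysmon-style events: an Office application spawning rundll32.exe, rundll32.exe loading a DLL from a user-writable path such as %LOCALAPPDATA%\Temp, a double “.tmp.dll” extension, and a DllRegisterServer export called on a DLL outside C:\Windows. The sample events, including the benign ones, are constructed; only the first mirrors the command line observed in this campaign.

```python
"""Process-creation rules for the last step of the chain: rundll32.exe
launched by an Office application to run a DLL dropped in %LOCALAPPDATA%\\Temp.

Added example for this article, not from the McAfee post. Events are
constructed Sysmon-style records; only the first mirrors the observed command.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry (Sysmon Event ID 1 fields, simplified).
EVENTS: List[ProcEvent] = [
    # The campaign's observed command line, launched from Word.
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\rundll32.exe",
              r'rundll32 "C:\Users\user\AppData\Local\Temp\y9C4A.tmp.dll",DllRegisterServer'),
    # Benign: Explorer opening a Control Panel applet.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    # Benign: scheduled maintenance task.
    ProcEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask'),
    # Weak signal only: an installer registering a COM DLL from Program Files.
    ProcEvent(r"C:\Users\user\Downloads\setup.exe",
              r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Program Files\Vendor\helper.dll",DllRegisterServer'),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# rundll32[.exe] ["]<dll>["],<export>  (quotes optional, export may be an ordinal like #1)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>[#\w]+)', re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData\\(?:Local\\Temp|Roaming)|Users\\Public|Downloads|ProgramData)\\", re.I)


def classify(ev: ProcEvent) -> List[str]:
    """Return the names of the rules an event matches (empty list = benign)."""
    reasons: List[str] = []
    if ntpath.basename(ev.image).lower() != "rundll32.exe":
        return reasons
    if ntpath.basename(ev.parent_image).lower() in OFFICE_APPS:
        reasons.append("office_parent")            # maldoc -> rundll32 hand-off (T1218.011)
    m = RUNDLL_RE.search(ev.command_line)
    if not m:
        return reasons
    dll, export = m.group("dll"), m.group("export")
    if USER_WRITABLE.search(dll):
        reasons.append("dll_in_user_writable_path")
    if dll.lower().endswith(".tmp.dll"):
        reasons.append("tmp_dll_double_extension")
    if export.lower() == "dllregisterserver" and not dll.lower().startswith("c:\\windows\\"):
        reasons.append("dllregisterserver_outside_windows")
    return reasons


def severity(reasons: List[str]) -> str:
    """An Office parent alone is enough to alert; otherwise require two weak signals."""
    if "office_parent" in reasons or len(reasons) >= 2:
        return "high"
    return "low" if reasons else "none"


if __name__ == "__main__":
    for ev in EVENTS:
        matched = classify(ev)
        print(f"{severity(matched):5} {ntpath.basename(ev.parent_image)} -> {ev.command_line}  {matched}")
```

The parent-process rule is the one worth keeping even if the others prove noisy in a given environment: installers and Control Panel applets will call rundll32 with DllRegisterServer or from user-writable paths, but an Office application spawning rundll32.exe is almost never legitimate. The same rule shape (Office parent, living-off-the-land child) transfers directly to regsvr32.exe, mshta.exe and the PowerShell execution listed in the ATT&CK table below.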
After the shellcode is successfully executed, the environment variable is removed.
data:image/s3,"s3://crabby-images/9594b/9594bf68c5c112473cb552a4ace60585e42990fa" alt="Figure 15- Removal of the environment variable"
IOCs

| Type | Value | Product | Detection name |
| --- | --- | --- | --- |
| Malicious Word document | 6cf97570d317b42ef8bfd4ee4df21d217d5f27b73ff236049d70c37c5337909f | McAfee LiveSafe and Total Protection | X97M/Downloader.CJG |
| Downloaded DLL | 41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547 | McAfee LiveSafe and Total Protection | Ursnif-FULJ |
| DLL download URL | hxxp://docmasterpassb.top/kdv/x7t1QUUADWPEIQyxM6DT3vtrornV4uJcP4GvD9vM/ | McAfee WebAdvisor | Blocked |
MITRE ATT&CK Framework

| Technique ID | Tactic | Technique name | Description |
| --- | --- | --- | --- |
| T1566.001 | Initial Access | Spearphishing Attachment | Manual execution by the user |
| T1059.005 | Execution | Command and Scripting Interpreter: Visual Basic | Malicious VBA macros |
| T1218.011 | Defense Evasion | Signed Binary Proxy Execution: Rundll32 | rundll32.exe is used to run the payload |
| T1027 | Defense Evasion | Obfuscated Files or Information | Obfuscated VBA; Base64-encoded PowerShell execution |
| T1086 | Execution | PowerShell | PowerShell command abuse (T1086 has since been merged into T1059.001) |
Conclusion
Macros are disabled by default in Microsoft Office applications; we recommend keeping them that way unless the document comes from a trusted source. The infection chain discussed in this blog is not limited to Word or Excel; other threats can use other living-off-the-land binaries to download and run their payloads.
McAfee customers are protected against the malicious files and sites detailed in this blog by McAfee LiveSafe / Total Protection and McAfee WebAdvisor.
The post Phishing Campaign featuring Ursnif Trojan on the Rise appeared first on McAfee Blog.