Monday, March 9, 2015

0 Detection PDF with external link to malware EXE


This morning Malware Domain List tweeted a malicious PDF with a 0/57 detection rate, meaning none of the AV products on VirusTotal.com flag it as malware:

The PDF has the following attributes:

Original filename: 2015-03-05Label.pdf
Size: 96697 bytes
md5: 0323382619193827959ee85631f6043d
sha1: f64e86177b5b5f8db8a78c346e2a165423b4a427
sha256: bc415d1f0c8d8af1b02008f03788de7e073650893eec01296c537346b42f7244
ssdeep: 1536:s3Orf9OoEPqFlpcTVrGxokqE/3wrqx8TnWOgQSawAgl4a+E7zQGBEkc4ryH:serf9nEUpOJGmTE/BaLJ4qE7EGbmH
content/type: PDF document, version 1.5


Loading the PDF into PDFExaminer does flag an exploit. Strictly speaking this is a "feature" of PDF, the ability to link to external content, but a link to a remote EXE is always bad and should be detected in the PDF:

Drilling down to the malicious object in PDFExaminer reveals an external hyperlink to a remote executable:

Opening the PDF shows how a user would be compromised: they still have to click the malicious link, which downloads and runs the malware. So while AV may not protect you from the PDF itself, about half of the AV products tested detect the downloaded executable. User education to avoid clicking suspicious links is a key defence here.

The PDF contents:


AV detection for the remote executable linked to from this PDF is 25/57:



And finally, you can use PDFExaminer for free, online, to detect this and other potential threats in PDF documents.
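A scanner for the condition the post argues PDF tools should flag, added here as an example and not PDFExaminer's code: it pulls every /URI action out of a PDF and reports those whose target path ends in an executable extension. The PDF, the host name and the extension list are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a minimal PDF with two link annotations, one whose /URI action
# points at a remote .exe (placeholder host, not the URL from the real sample).
SAMPLE_PDF = b"""%PDF-1.5
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link
   /A << /S /URI /URI (http://example.invalid/2015-03-05Label.exe) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link
   /A << /S /URI /URI (https://example.invalid/info.html) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Extensions a document hyperlink should never point at (constructed list).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".msi", ".jar", ".vbs", ".js", ".hta")

# A /URI value is a PDF literal string (...) with backslash escapes, or a <hex> string.
URI_RE = re.compile(rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)")

def _decode_literal(raw: bytes) -> str:
    """Undo the escapes allowed inside a (...) string, including octal \\ddd."""
    def unescape(m):
        esc = m.group(1)
        if esc.isdigit():
            return bytes([int(esc, 8) & 0xFF])
        return {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(esc, esc)
    return re.sub(rb"\\([0-7]{1,3}|.)", unescape, raw).decode("latin-1")

def extract_uris(pdf: bytes) -> list:
    """Every /URI target found in the uncompressed objects of the file."""
    uris = []
    for m in URI_RE.finditer(pdf):
        if m.group("lit") is not None:
            uris.append(_decode_literal(m.group("lit")))
        else:
            uris.append(bytes.fromhex(m.group("hex").decode()).decode("latin-1"))
    return uris

def find_executable_links(pdf: bytes) -> list:
    """URIs whose path ends in an executable extension: the case to flag."""
    return [u for u in extract_uris(pdf)
            if urlparse(u).path.lower().endswith(EXECUTABLE_EXTENSIONS)]
```

Objects packed into compressed object streams (common in PDF 1.5 files like this one) have to be inflated before this regex sees them; PDFExaminer does that, this snippet does not.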

Thursday, March 5, 2015

Return of the Mime MSO, now with Macros

Didier Stevens at SANS ISC reported a new Mime MSO XML variant used in Dridex attacks: a compressed OLE document (ActiveMime) containing VBA auto-open macros, embedded within a Mime MSO XML document. Previously we had only seen CVE-2012-0158 delivered in Mime MSO (which we blogged about earlier).

Cryptam, our document malware analysis tool, has been updated to process the base64 stream and uncompress the ActiveMime data. We anticipate this attack vector being adapted to APT-style attacks as well. In addition to VBA macros, the MSO XML specs also allow an OLE document to be embedded (Cryptam now handles this type of embedding too). The specs also allow some flexibility in how the XML is coded, as attributes or as elements. Sample report.



The following Yara signatures detect Mime MSO XML files and some of the newly found obfuscation techniques:

rule mime_mso
{
meta:
    comment = "mime mso detection"
    author = "malwaretracker.com @mwtracker"

strings:
    $a = "application/x-mso"
    $b = "MIME-Version"
    $c = "?mso-application"

condition:
    ($a and $b) or $c
}


rule mime_mso_embedded_SuppData
{
meta:
    comment = "mime mso office obfuscation"
    hash = "77739ab6c20e9dfbeffa3e2e6960e156"
    author = "malwaretracker.com @mwtracker"
    date = "Mar 5 2015"

strings:
    $a = "docSuppData"
    $b = "binData"
    $c = "schemas.microsoft.com"

condition:
    all of them
}


rule mime_mso_embedded_ole
{
meta:
    comment = "mime mso office obfuscation"
    hash = "77739ab6c20e9dfbeffa3e2e6960e156"
    author = "malwaretracker.com @mwtracker"
    date = "Mar 5 2015"

strings:
    $a = "docOleData"
    $b = "binData"
    $c = "schemas.microsoft.com"

condition:
    all of them
}

rule mime_mso_vba_macros
{
meta:
    comment = "mime mso office obfuscation"
    hash = "77739ab6c20e9dfbeffa3e2e6960e156"
    author = "malwaretracker.com @mwtracker"
    date = "Mar 5 2015"

strings:
    $a = "macrosPresent=\"yes\""
    $b = "schemas.microsoft.com"

condition:
    all of them
}
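An added example, not Cryptam's code, of the processing described above and of what the rules key on: pull the base64 binData out of a Mime MSO XML document, locate the zlib stream inside the ActiveMime container and inflate it to the embedded OLE document. The XML, the ActiveMime container (magic plus 40 opaque header bytes) and the OLE stub are constructed; the header field in a real container that points at the zlib stream is deliberately not relied on.

```python
import base64, re, zlib

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ACTIVEMIME_MAGIC = b"ActiveMime"

# Constructed stand-in for the compressed OLE payload (a real one carries the VBA project).
FAKE_OLE = OLE_MAGIC + b"\x00" * 24 + b"placeholder for the VBA project storage"
# Constructed ActiveMime container: magic, opaque header bytes, then the zlib stream.
FAKE_ACTIVEMIME = ACTIVEMIME_MAGIC + b"\x00" * 40 + zlib.compress(FAKE_OLE)

# Constructed Mime MSO XML document: the container sits base64-encoded inside
# docSuppData/binData and the root element declares macrosPresent="yes".
SAMPLE_XML = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    b'<?mso-application progid="Word.Document"?>\n'
    b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml"'
    b' w:macrosPresent="yes">\n<w:docSuppData><w:binData w:name="editdata.mso">'
    + base64.b64encode(FAKE_ACTIVEMIME)
    + b'</w:binData></w:docSuppData>\n<w:body/></w:wordDocument>\n'
)

BINDATA_RE = re.compile(rb"<w:binData\b[^>]*>(.*?)</w:binData>", re.DOTALL)

def inflate_activemime(blob: bytes) -> bytes:
    """Inflate an ActiveMime container. The zlib stream is found by scanning for its
    header after the magic instead of trusting the container's own offset field,
    so a tampered header still yields the payload."""
    if not blob.startswith(ACTIVEMIME_MAGIC):
        raise ValueError("not an ActiveMime container")
    for m in re.finditer(rb"\x78[\x01\x5e\x9c\xda]", blob):
        try:
            return zlib.decompress(blob[m.start():])
        except zlib.error:
            continue
    raise ValueError("no zlib stream found after the ActiveMime header")

def extract_embedded_ole(xml: bytes) -> list:
    """Base64-decode every binData element and return the OLE documents inside,
    inflating ActiveMime containers on the way."""
    found = []
    for m in BINDATA_RE.finditer(xml):
        raw = base64.b64decode(re.sub(rb"\s+", b"", m.group(1)))
        if raw.startswith(ACTIVEMIME_MAGIC):
            raw = inflate_activemime(raw)
        if raw.startswith(OLE_MAGIC):
            found.append(raw)
    return found

def macros_declared(xml: bytes) -> bool:
    return b'macrosPresent="yes"' in xml  # the attribute mime_mso_vba_macros keys on
```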



Tuesday, December 23, 2014

Merry Christmas From Malware Tracker or "Christmas Card For You.doc"

Merry Christmas and happy holidays from all of us.

And your obligatory MS12-060 malware Christmas Card:

Christmas Card For You.doc
MD5 0dbe90b1dca29e2daf28ff789b3d43d3
SHA-1 71999500915dff038dc2d39facecbfbb5a907f96
SHA-256 093e394933c4545ba7019f511961b9a5ab91156cf791f45de074acad03d1a44a
Dropper imphash: 18ddf28a71089acdbab5038f58044c0a
C2 IP: 210.209.127.8:443
Possibly related domains: boshman09.com (resolves to same IP 210.209.127.8)

rule malware_kis
{
meta:
    date = "December 22, 2014"
    desc = "Christmas Card for you malware"
    ref = "https://www.malwaretracker.com/docsearch.php?hash=0dbe90b1dca29e2daf28ff789b3d43d3"
    MD5 = "0dbe90b1dca29e2daf28ff789b3d43d3"
    author = "@mwtracker www.malwaretracker.com"

strings:
    $s1 = "\\kis(by XC)\\MYDLL\\Release\\MYDLL.pdb"

condition:
    all of them
}

You can view our automated Cryptam report on this sample as well as the extracted dropper's strings in Cryptam.

Thursday, December 11, 2014

CVE-2014-4114/CVE-2014-6352 Evade AV by removing read access in zip structure

We recently came across a CVE-2014-4114/CVE-2014-6352 sample (MD5 c69978405ecbb4c5691325ccda6bc1c0) which uses the Zip directory structure of an OpenXML ppsx file to assign no access permissions to the exploit object. This may allow the malware to slip past some automated analysis systems while still letting the exploit work in MS Office PowerPoint, which ignores the Zip format access permissions. This PowerPoint exploit is usually delivered by email and has been used by both espionage and criminal groups.

An early version of the exploit with normal file access permissions:



The new c69978405ecbb4c5691325ccda6bc1c0 with no user read permissions:


This modification to the file permissions does appear to lower detection rates compared with another recent version of a similar exploit.

VT Detection rate of 23/56 for the version with read access:




And VT results of only 13/56 for the version with no read access on the exploit. Most of the major AV engines do not detect it:



Our Cryptam document malware analysis engine has also been updated to make all files embedded in docx/ppsx/pptx/xlsx archives readable during processing.
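To show the permission trick concretely, an added example (not Cryptam's code): it builds a ppsx-like archive whose embedded object carries Unix mode 000 in the zip central directory, lists such entries, and rewrites the archive with normal permissions the way an analysis pipeline should before extracting to disk. File names and contents are constructed.

```python
import io
import stat
import zipfile

def build_sample_ppsx(unreadable: bool) -> bytes:
    """Constructed stand-in for a ppsx. With unreadable=True the embedded object
    entry is stored with Unix mode 000, the trick the post describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        info = zipfile.ZipInfo("ppt/embeddings/oleObject1.bin")
        info.create_system = 3  # Unix: the high 16 bits of external_attr hold the mode
        info.external_attr = (stat.S_IFREG | (0o000 if unreadable else 0o644)) << 16
        zf.writestr(info, b"constructed placeholder for the exploit object")
    return buf.getvalue()

def unreadable_entries(data: bytes) -> list:
    """Names of entries whose stored Unix mode grants nobody read access. Tools that
    honour the mode on extraction then write files their own scanner cannot open."""
    out = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = (info.external_attr >> 16) & 0o777
            if info.create_system == 3 and not mode & 0o444:
                out.append(info.filename)
    return out

def normalise_permissions(data: bytes) -> bytes:
    """Rewrite the archive with 0644 files and 0755 directories so the content can
    be extracted and scanned normally."""
    src = zipfile.ZipFile(io.BytesIO(data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            new = zipfile.ZipInfo(info.filename, info.date_time)
            new.create_system = 3
            kind, mode = (stat.S_IFDIR, 0o755) if info.is_dir() else (stat.S_IFREG, 0o644)
            new.external_attr = (kind | mode) << 16
            dst.writestr(new, src.read(info))
    return buf.getvalue()

def read_entry(data: bytes, name: str) -> bytes:
    """The zip library reads the bytes regardless of the stored mode, as PowerPoint does."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)
```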

Sunday, August 10, 2014

Countering darknet tracking docs with Cryptam (and yara)

We've been keeping an eye on the big conferences going on this week, Blackhat/Defcon/BSidesLV, and noticed an interesting presentation at this year's Defcon: "Dropping Docs on Darknets: How People Got Caught".

We noticed that Adrian Crenshaw's (@irongeek_adc) demo track.docx included external images, which were used to track Tor users out-of-band via MS Office.



Scanning inside the content of an OpenXML docx file is a good use for Cryptam's Yara integration, so we created a quick Yara rule to detect the use of external images in the way shown in this presentation. It will also work on some variants of this technique, such as a docx embedded within an OLE document or within an RTF file.

rule openxml_remote_content
{
meta:
    ref = "https://www.defcon.org/html/defcon-22/dc-22-speakers.html#Crenshaw"
    author = "Malware Tracker @mwtracker"
    date = "Aug 10 2014"
    hash = "63ea878a48a7b0459f2e69c46f88f9ef"

strings:
    $a = "schemas.openxmlformats.org" ascii nocase
    $b = "TargetMode=\"External\"" ascii nocase

condition:
    all of them
}

Cryptam results on the PoC here, with the openxml_remote_content rule detected.
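An added example, not Cryptam's or the presentation's code, of what the rule above detects: it opens a docx as a zip, parses each .rels part and reports relationships whose TargetMode is External, separating linked images (fetched on render) from ordinary hyperlinks. The docx and the tracker host are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
IMAGE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"

def build_sample_docx() -> bytes:
    """Constructed minimal docx: one picture is linked (TargetMode="External",
    placeholder host) and one is embedded in word/media."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId2" Type="{IMAGE_REL}" '
        'Target="http://tracker.example.invalid/pixel.png" TargetMode="External"/>'
        f'<Relationship Id="rId3" Type="{IMAGE_REL}" Target="media/image1.png"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/media/image1.png", b"\x89PNG placeholder")
    return buf.getvalue()

def external_relationships(docx: bytes) -> list:
    """(rels part, Id, relationship kind, Target) for every relationship marked
    External: content Office fetches from elsewhere when the document renders."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rel.get("Id"), kind, rel.get("Target")))
    return hits

def remote_image_targets(docx: bytes) -> list:
    """Only the externally linked images: hyperlinks are External too, but they need
    a click, whereas a linked image is requested as soon as the document is rendered."""
    return [t for _, _, kind, t in external_relationships(docx) if kind == "image"]
```

The yara rule above fires on any External relationship, hyperlinks included; splitting by relationship Type is what keeps an analyst's queue free of ordinary web links.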



Sunday, May 4, 2014

Cryptam Document Analysis + OpenXML embedded in RTF

Recently there have been a number of reports of RTF exploits using a new trick: embedding OpenXML exploits to create a multi-exploit "master key" that covers a number of recently patched vulnerabilities in one RTF with low AV detection. In particular, the file tweeted on March 29 by @botherder got our attention and was covered by McAfee and Blue Coat.

MD5: af17892aa82b48282d956adeb5e70e65
Original filename: aircanada_eticket_820910108.doc
Cryptam report.
VirusTotal: 29/51



Superficially, the RTF component uses CVE-2010-3333, but there is also an embedded Open XML (docx) file exploiting CVE-2012-1856 and an embedded TIFF exploiting CVE-2013-3906. AV detection of the most obvious, and oldest, exploit, CVE-2010-3333, can be misleading if it leads you to assume you're patched against this threat.


RTF content with embedded OpenXML (zip header):


OpenXML embedded content and CVE-2012-1856 ActiveX files:

CVE-2012-1856 classID referenced in activeXNN.xml files:

Start of the CVE-2013-3906 TIFF in the RTF, referenced as a JPEG:


We quietly added support for OpenXML (docx etc.) embedded in RTF to Cryptam a couple of weeks ago, but are only now getting the word out. Our testing has shown that most of the embedded OpenXML files were likely created by hand, as their magic numbers tend to match a regular Zip rather than a properly generated OpenXML file. Both the Cryptam web suite and command line versions now process embedded OpenXML files, automatically extracting and scanning them. Because the built-in zip support could not handle corrupt zip information, we now use an external zip command.
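The carving step described above, as an added example rather than Cryptam's code: decode the hex \objdata blobs in an RTF, carve every zip archive from them and list its entries, including the activeX parts where a CVE-2012-1856 class ID would sit. The RTF, its OLE1 header stand-in and the class ID are constructed placeholders.

```python
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")

def build_sample_rtf() -> bytes:
    """Constructed RTF with one \\objdata blob: a few placeholder bytes standing in
    for the OLE1 header, then a hex-encoded zip laid out like a docx with an activeX part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/activeX/activeX1.xml",
                    '<ax:ocx ax:classid="{00000000-0000-0000-0000-000000000000}"/>')
    hexdata = "01050000020000000d000000" + buf.getvalue().hex()
    wrapped = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return ("{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata\n" + wrapped + "\n}}}").encode()

def carve_embedded_zips(rtf: bytes) -> list:
    """Decode each \\objdata hex blob and carve the zip archives in it. Returns
    (offset in blob, entry names) per archive. A zip signature that is not the true
    start of an archive is rejected: the central directory then places the first
    entry at a non-zero header offset."""
    carved = []
    for m in OBJDATA_RE.finditer(rtf):
        blob = bytes.fromhex(re.sub(rb"\s+", b"", m.group(1)).decode())
        for hit in re.finditer(re.escape(ZIP_MAGIC), blob):
            try:
                with zipfile.ZipFile(io.BytesIO(blob[hit.start():])) as zf:
                    infos = zf.infolist()
                    if infos and infos[0].header_offset == 0:
                        carved.append((hit.start(), [i.filename for i in infos]))
            except zipfile.BadZipFile:
                continue
    return carved

def activex_parts(rtf: bytes) -> list:
    """Names of activeX parts in carved archives, where class IDs are referenced."""
    return [n for _, names in carve_embedded_zips(rtf)
            for n in names if n.startswith("word/activeX/")]
```

Python's zipfile rejects archives with damaged directory records; for those, fall back to an external unzip as the post describes.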

Use Cryptam free on our website.

Monday, April 14, 2014

CVE-2012-0158 in Mime HTML MSO format still baffles AV + MH370 Theme

When we started the research for this blog post we were exploring Malaysia Airlines Flight 370 (MH370) malware lures, using Yara to flag samples in Cryptam with the following rule:

rule theme_MH370 {
    meta:
        author = "MalwareTracker.com"
        version = "1.0"
        date = "2014-04-09"
    strings:
        $callsign1 = "MH370" ascii wide nocase fullword
        $callsign2 = "MAS370" ascii wide nocase fullword
        $desc1 = "Flight 370" ascii wide nocase fullword
    condition:
        any of them
}




In addition to APT1's use of the lure in Word document 5e8d64185737f835318489fda46f31a6, dropping an updated version of Trojan Elise, we were surprised to see that one of the recent MH370 lures was a Mime MSO document exploiting the MS Office Word vulnerability CVE-2012-0158, with a 0 detection rate on VirusTotal, dropping a variant of Vidgrab/Evilgrab. FireEye covered a number of the MH370 campaigns in their March blog post. However, we could not find any reference in other reporting to the Mime MSO document MD5 0f765671a844190d74e985410fe31e8e "Where is MH370.doc", which had 0/51 detection on VirusTotal.com. We were one of the first to report that Mime MSO files were being used to exploit CVE-2012-0158 in Word (August 30, 2013 Malware Tracker Blog: CVE-2012-0158 exploit evades AV in Mime HTML format). At the end of this post we provide 4 other March 2014 0 detection file indicators from Cryptam samples, to hopefully assist AV vendors in improving detection rates for this threat.

Sample current as of this post on VirusTotal:


Cryptam result showing CVE-2012-0158 plus a 256-byte XORed EXE:

The CVE-2012-0158 trigger is not obfuscated; it uses the class ID BDD1F04B-858B-11D1-B16A-00C0F0283628 to activate the vulnerable MSCOMCTL ActiveX control:

The class ID is disclosed in MS12-027 as vulnerable to CVE-2012-0158:
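An added example (not Cryptam's code) of checking for this trigger: decode every part of a Mime MSO (MHTML) document, so the base64 and quoted-printable transfer encodings are undone, then look for the MS12-027 class ID in the decoded content. The sample document and its part layout are constructed; the class ID is the one from the post.

```python
import email
from email import policy

# Class ID of the MSCOMCTL control listed in MS12-027 as vulnerable to CVE-2012-0158.
MSCOMCTL_CLSID = "BDD1F04B-858B-11D1-B16A-00C0F0283628"

# Constructed Mime MSO (MHTML) document: a multipart/related file whose HTML part
# instantiates the control by class ID; the editdata.mso part is a stub. The real
# sample's part layout is not reproduced here.
SAMPLE_MSO = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_01"

------=_NextPart_01
Content-Location: file:///C:/Where%20is%20MH370.htm
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"

<html xmlns:o=3D"urn:schemas-microsoft-com:office:office">
<body><object classid=3D"clsid:bdd1f04b-858b-11d1-b16a-00c0f0283628"
 id=3D"Control1"></object></body></html>

------=_NextPart_01
Content-Location: file:///C:/editdata.mso
Content-Transfer-Encoding: base64
Content-Type: application/x-mso

QWN0aXZlTWltZQAA
------=_NextPart_01--
"""

def decoded_parts(raw: bytes) -> list:
    """(content type, Content-Location, decoded bytes) for every leaf part, so the
    transfer encodings cannot hide strings from matching."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(part.get_content_type(), str(part.get("Content-Location", "")),
             part.get_payload(decode=True) or b"")
            for part in msg.walk() if not part.is_multipart()]

def find_clsid_references(raw: bytes, clsid: str = MSCOMCTL_CLSID) -> list:
    """Content-Locations of parts referencing the class ID, compared case-insensitively."""
    needle = clsid.lower().encode()
    return [loc for _, loc, body in decoded_parts(raw) if needle in body.lower()]

def looks_like_mime_mso(raw: bytes) -> bool:
    """Same logic as the mime_mso yara rule from the March 2015 post."""
    return (b"application/x-mso" in raw and b"MIME-Version" in raw) or b"?mso-application" in raw
```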



Other 0 detection samples:
517782778e296fade32ce3fd2330afc8 "0319 Montsame.doc" (mwtracker comment: Mongolia) 2014-03-20T02:14:45.000Z 0/50

f721f3a22ad26105a8894ce967c02e32 "內政部公文.doc" (mwtracker comment: Taiwan) 2014-03-10T00:22:23.000Z 0/50

f851e312899d11abe39390cb6a21f982 "保釣信頭2012.doc" (mwtracker comment: Taiwan) 2014-03-07 07:05:26 0/50

82542d9913301396f6f1a676c9b93f58 "Iltgeh huudas_revised.doc" (mwtracker comment: Estonia) 2014-03-05 07:54:10 0/50



Some of the samples appear to drop a Vidgrab/Evilgrab variant and another not-yet-identified implant.