Tuesday, December 23, 2014

Merry Christmas From Malware Tracker or "Christmas Card For You.doc"

Merry Christmas and happy holidays from all of us.

And your obligatory MS12-060 malware Christmas Card:

Christmas Card For You.doc
MD5 0dbe90b1dca29e2daf28ff789b3d43d3
SHA-1 71999500915dff038dc2d39facecbfbb5a907f96
SHA-256 093e394933c4545ba7019f511961b9a5ab91156cf791f45de074acad03d1a44a
Dropper imphash: 18ddf28a71089acdbab5038f58044c0a
C2 IP: 210.209.127.8:443
Possibly related domains: boshman09.com (resolves to same IP 210.209.127.8)

rule malware_kis
{
    meta:
date = "December 22, 2014"
desc = "Christmas Card for you malware"
ref = "https://www.malwaretracker.com/docsearch.php?hash=0dbe90b1dca29e2daf28ff789b3d43d3"
MD5 = "0dbe90b1dca29e2daf28ff789b3d43d3"
author = "@mwtracker www.malwaretracker.com"
    strings:
$s1 = "\\kis(by XC)\\MYDLL\\Release\\MYDLL.pdb"

    condition:
all of them
}






You can view our automated Cryptam report on this sample as well as the extracted dropper's strings in Cryptam.

Thursday, December 11, 2014

CVE-2014-4114/CVE-2014-6352 Evade AV by removing read access in zip structure

We recently came across a CVE-2014-4114/CVE-2014-6352 sample (MD5 c69978405ecbb4c5691325ccda6bc1c0) which used the Zip directory structure of OpenXML ppsx files to assign no access permissions to the exploit. This may allow the malware to slip by some automated analysis systems while still allowing the exploit to function properly in MS Office Powerpoint which ignores the Zip format access permissions. This Powerpoint exploit is usually delivered by email and has been used by both espionage and criminal groups.

An early version of the exploit with normal file access permissions:



The new c69978405ecbb4c5691325ccda6bc1c0 with no user read permissions:


This modification to file permissions does appear to offer lower detection rates when comparing to another recent version of a similar exploit.

VT Detection rate of 23/56 for the version with read access:




And VT results of only 13/56 for the version with no read access to the exploit. Most of the major AV engines do not detect the exploit:



Our Cryptam document malware analysis engine has been updated to make any docx/ppsx/pptx/xlsx embedded files readable during processing as well.

Sunday, August 10, 2014

Countering darknet tracking docs with Cryptam (and yara)

We've been keeping an eye on the big conferences going on this week - Blackhat/Defcon/BSidesLV and noticed an interesting presentation at this years Defcon "Dropping Docs on Darknets: How People Got Caught".

We noticed Adrian Crenshaw's @irongeek_adc demo track.docx included some external images which were used for tracking TOR users out-of-band in MS Office.



Scanning within the content of a OpenXML docx file is a good use for Cryptam's Yara integration, so we created a quick Yara rule to detect the use of External images in the way used in this presentation. It will also work on some variants of this technique, such as embedded a docx within an OLE document  or within an RTF file.

rule openxml_remote_content
{
meta:
ref = "https://www.defcon.org/html/defcon-22/dc-22-speakers.html#Crenshaw"
author = "Malware Tracker @mwtracker"
date = "Aug 10 2014"
hash = "63ea878a48a7b0459f2e69c46f88f9ef"

strings: 
$a = "schemas.openxmlformats.org" ascii nocase
$b = "TargetMode=\"External\"" ascii nocase

condition:
all of them
}

Cryptam results on the Poc here with the openxml_remote_content rule detected.



Sunday, May 4, 2014

Cryptam Document Analysis + OpenXML embedded in RTF

Recently there have been a number of reports of RTF exploits using a new trick of embedding OpenXML exploits to create a multi-exploit master key to cover a number of recent patched exploits in one RTF with low AV detection. In particular the file tweeted on March 29 by @botherder got our attention and was covered by Mcafee and Bluecoat.





MD5: af17892aa82b48282d956adeb5e70e65
Original filename: aircanada_eticket_820910108.doc
Cryptam report.
VirusTotal: 29/51



While superficially within the RTF component, there is the use of CVE-2010-3333, there is also an Open XML (docx) file exploiting CVE-2012-1856, and an embedded Tiff exploiting CVE-2013-3906. AV detection of the most obvious, and old, CVE-2010-3333 can be misleading when assuming you're patched against this threat.


RTF content with embedded OpenXML (zip header):


OpenXML embedded content and CVE-2012-1856 ActiveX files:

CVE-2012-1856 classID referenced in activeXNN.xml files:

RTF Start of CVE-2013-3906 Tiff referenced as a jpeg:


We quietly added support for OpenXML (docx etc) in RTF a couple weeks ago to Cryptam, but are just now getting the word out. Our testing has shown most of the embedded OpenXML files are likely manually created as their magic numbers tend to match a regular Zip as opposed to a properly generated OpenXML file. Both the Cryptam web suite and command line versions now process Embedded OpenXML files to automatically extract and scan. To accommodate handling of corrupt zip information by the built-in zip support, we now use an external zip command.

Use Cryptam free on our website.

Monday, April 14, 2014

CVE-2012-0158 in Mime HTML MSO format still baffles AV + MH370 Theme

When we started working on the research for this blog post we were exploring Malaysia Airlines Flight 370 (MH370) malware lures using Yara to flag samples in Cryptam with the following rule:

rule theme_MH370 {
    meta:
        author = "MalwareTracker.com"
        version = "1.0"
        date = "2014-04-09"
    strings:
        $callsign1 = "MH370" ascii wide nocase fullword
        $callsign2 = "MAS370" ascii wide nocase fullword
        $desc1 = "Flight 370" ascii wide nocase fullword
    condition:
        any of them
}




In addition to APT1 use of the lure in Word document 5e8d64185737f835318489fda46f31a6 dropping an updated version of Trojan Elise, we were surprised to see that one of the recent MH370 lures was a Mime MSO document exploiting MS Office Word vulnerability CVE-2012-0158 with 0 detection rate on VirusTotal dropping a variant of Vidgrab/Evilgrab. FireEye nicely covered a number of the MH370 campaigns in their March blog post.  However we could not find any references to the Mime MSO document MD5 0f765671a844190d74e985410fe31e8e "Where is MH370.doc" with 0/51 detection on VirusTotal.com in any other reporting. We were one of the first to previously report that Mime MSO files were being used to exploit CVE-2012-0158 in Word (August 30, 2013 Malware Tracker Blog CVE-2012-0158 exploit evades AV in Mime HTML format). At the end of this post we provide 4 other March 2014 0 detection file indicators from Cryptam samples to hopefully assist AV in improving detection rates for this threat.

 Sample current as of this post on VirusTotal


 Cryptam result showing CVE-2012-0158 plus a 256byte xored exe:




The CVE-2012-0158 trigger is not obfuscated but uses a class ID BDD1F04B-858B-11D1-B16A-00C0F0283628 to activate the vulnerable MSCOMCTL ActiveX control:

The class ID is disclosed in MS12-027 as vulnerable to CVE-2012-0158:



Other 0 detection samples:
517782778e296fade32ce3fd2330afc8 "0319 Montsame.doc" (mwtracker comment: Mongolia) 2014-03-20T02:14:45.000Z 0/50

f721f3a22ad26105a8894ce967c02e32 "內政部公文.doc" (mwtracker comment: Taiwan) 2014-03-10T00:22:23.000Z  0/50

f851e312899d11abe39390cb6a21f982 "保釣信頭2012.doc" (mwtracker comment: Taiwan) 2014-03-07 07:05:26 0/50

82542d9913301396f6f1a676c9b93f58 "Iltgeh huudas_revised.doc"  (mwtracker comment: Estonia) 2014-03-05 07:54:10 0/50



Some of the samples appear to drop a vidgrab/evilgrab variant and another not-yet-identified implant.


Sunday, April 13, 2014

Cryptam Malware Document Analizer + imphash

The web and suite versions of the Cryptam document malware analysis system now calculate the imphash of embedded/dropped executables when possible and store this value within the dropped file info for searching. The imphash is a executable similarity hash based on the Import Address Table order and is included in pefile.py. Cryptam is designed to statically extract the xor/rol/ror/not obfuscated executables from malware documents such as RTF, MS Office, or PDF files and can automatically process the dropped files with Yara or an external sandbox.



This new feature allows you to link dropper executables to current or past attack campaigns and to cross reference older samples which may have already been identified with Yara signatures but now have been modified to evade the unique static string matching common to many Yara signatures.

Imphash searching is available to registered users under Advanced Search - drop_files like <your imphash>.

















Searching the example imphash c948ebda9bd9367f9fc50e01020766c8 dropped by RTF b2b8127bae5b61e258b17dc057338075 (24 / 51 on Virustotal April 11 2014) shows a number of dropped samples some of which have been identified as the malware called "Safe" related to Lurid. This sample beacons to www[.]getapencil[.]com visible in the executables strings extracted by Cryptam.

Scan a document for embedded executables with Cryptam at https://www.malwaretracker.com/doc.php

Sunday, January 12, 2014

CVE-2013-5331 evaded AV by using obscure Flash compression ZWS

Update: 2013-01-14 added Yara signature.

We recently came across what is likely the CVE-2013-5331 zero day (Adobe Flash in MS Office .doc) file on virustotal.com (Biglietto Visita.doc, MD5: 2192f9b0209b7e7aa6d32a075e53126d, 0 detections on 2013-11-11, 2/49 on 2013-12-23). The filename is Italian for "visit card" and could be related to MFA targeting in Italy. This exploit was patched 2013-12-10, and was in the wild for at least a full month.



While it appears to be the only CVE-2013-5331 sample on Virustotal we could find, it's also interesting that the Flash exploit payload is a very unusual ZWS compression header (the compression algorithm uses LZMA as in Lempel–Ziv–Markov chain algorithm and which is also used in 7zip). Flash CWS headers for Gzip compression is the most commonly used, and we are not aware of Flash content creation tools outputting ZWS Flash. This compression method ZWS combined with embedding within MSOffice documents is very likely to evade most AV products.

From our Cryptam Database Related files with similar metadata:
5da6a1d46641044b782d5c169ccb8fbf 2013-06-28 CVE-2012-5054 7/46 2013-07-07
8d70043395a2d0e87096c67e0d68f931 2013-06-28 CVE-2013-0633 6/46 2013 07-18

Yara Rule for ZWS Flash embedded in MSOffice:
rule doc_zws_flash {
    meta:
    ref ="2192f9b0209b7e7aa6d32a075e53126d"
    author = "MalwareTracker.com"
    date = "2013-01-11"

    strings:
        $header = {66 55 66 55 ?? ?? ?? 00 5A 57 53}
        $control = "CONTROL ShockwaveFlash.ShockwaveFlash"
      
    condition:
        all of them
}