Thursday, March 5, 2015

Return of the Mime MSO, now with Macros

Didier Stevens at SANS ISC reported a new Mime MSO XML variant used in Dridex attacks which embeds a compressed OLE document (ActiveMime), containing VBA auto-open macros, within a Mime MSO XML document. Previously we had only seen CVE-2012-0158 delivered in Mime MSO (which we blogged about earlier).

Cryptam, our document malware analysis tool, has been updated to process the base64 stream and uncompress the ActiveMime data. We anticipate this attack vector being adapted to APT-type attacks as well. In addition to VBA macros, the MSO XML specs also allow an OLE document to be embedded (we now handle this type of embedding with Cryptam as well). The specs also allow some flexibility in how the XML is coded, as attributes or as elements. Sample report.
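To make the extraction step concrete, here is an added Python example (not Cryptam's code) that locates the binData element in a Word 2003 XML document, base64-decodes it, inflates the ActiveMime blob and checks the result for an OLE2 header and the macrosPresent flag. The zlib stream offset (0x32), the fallback scan and the constructed sample document are assumptions of this example, not details taken from the Dridex sample.

```python
import base64
import re
import zlib

# Markers from the post and Didier Stevens' write-up; the zlib offset 0x32 is an assumption here.
ACTIVEMIME_MAGIC = b"ActiveMime"
ACTIVEMIME_ZLIB_OFFSET = 0x32
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
BINDATA_RE = re.compile(rb"<w:binData[^>]*>(.*?)</w:binData>", re.DOTALL)
MACROS_RE = re.compile(rb'macrosPresent="yes"')


def inflate_activemime(blob: bytes) -> bytes:
    """Return the data inside an ActiveMime blob (normally an OLE2 container)."""
    if not blob.startswith(ACTIVEMIME_MAGIC):
        raise ValueError("not an ActiveMime blob")
    # Try the assumed offset first, then fall back to scanning for a zlib header byte (0x78).
    candidates = [ACTIVEMIME_ZLIB_OFFSET] + [i for i, b in enumerate(blob) if b == 0x78]
    for off in candidates:
        try:
            return zlib.decompress(blob[off:])
        except zlib.error:
            continue
    raise ValueError("no zlib stream found in ActiveMime blob")


def analyse_mso_xml(doc: bytes) -> dict:
    """Triage a Word 2003 XML document: decode binData, inflate ActiveMime, check OLE and macro flag."""
    result = {"bindata_parts": 0, "activemime": 0, "ole_payloads": 0,
              "macros_present": bool(MACROS_RE.search(doc))}
    for m in BINDATA_RE.finditer(doc):
        result["bindata_parts"] += 1
        raw = base64.b64decode(b"".join(m.group(1).split()))  # base64 is line-wrapped in real files
        if raw.startswith(ACTIVEMIME_MAGIC):
            result["activemime"] += 1
            try:
                ole = inflate_activemime(raw)
            except ValueError:
                continue
            if ole.startswith(OLE_MAGIC):
                result["ole_payloads"] += 1
    return result


def build_sample() -> bytes:
    """Constructed sample (not a real Dridex file): ActiveMime blob wrapping a fake OLE2 header."""
    fake_ole = OLE_MAGIC + b"\x00" * 504 + b"VBA project placeholder"
    blob = ACTIVEMIME_MAGIC + b"\x00" * (ACTIVEMIME_ZLIB_OFFSET - len(ACTIVEMIME_MAGIC)) + zlib.compress(fake_ole)
    return (b'<?xml version="1.0"?><?mso-application progid="Word.Document"?>'
            b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml" w:macrosPresent="yes">'
            b'<w:docSuppData><w:binData w:name="editdata.mso">' + base64.encodebytes(blob) +
            b'</w:binData></w:docSuppData></w:wordDocument>')
```

Running `analyse_mso_xml(build_sample())` reports one binData part, one ActiveMime blob, one inflated OLE2 payload and the macro flag set; a real triage would hand the inflated OLE2 container to an OLE/VBA parser next.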



The following Yara signatures will detect Mime MSO XML files and some of the newly found obfuscation techniques:

rule mime_mso
{
meta:
    comment = "mime mso detection"
    author = "malwaretracker.com @mwtracker"

strings:
    $a = "application/x-mso"
    $b = "MIME-Version"
    $c = "?mso-application"

condition:
    ($a and $b) or $c
}


rule mime_mso_embedded_SuppData
{
meta:
    comment = "mime mso office obfuscation"
    hash = "77739ab6c20e9dfbeffa3e2e6960e156"
    author = "malwaretracker.com @mwtracker"
    date = "Mar 5 2015"

strings:
    $a = "docSuppData"
    $b = "binData"
    $c = "schemas.microsoft.com"

condition:
    all of them
}


rule mime_mso_embedded_ole
{
meta:
    comment = "mime mso office obfuscation"
    hash = "77739ab6c20e9dfbeffa3e2e6960e156"
    author = "malwaretracker.com @mwtracker"
    date = "Mar 5 2015"

strings:
    $a = "docOleData"
    $b = "binData"
    $c = "schemas.microsoft.com"

condition:
    all of them
}




rule mime_mso_vba_macros
{
meta:
    comment = "mime mso office obfuscation"
    hash = "77739ab6c20e9dfbeffa3e2e6960e156"
    author = "malwaretracker.com @mwtracker"
    date = "Mar 5 2015"

strings:
    $a = "macrosPresent=\"yes\""
    $b = "schemas.microsoft.com"

condition:
    all of them
}


