Saturday, September 3, 2016

The case of Malicious .pub file Attachments

The case of .pub file Attachments

In the past months, we noticed many adversaries are using malicious Office documents as attachments, but different than Word documents, Excel or Powerpoints. in such technique they may let their attachments not to be scanned by any Sandbox technology, as those Sandboxes are using only Office word, excel or powerpoint applications installed on their VMs.

So here in this example, I will explain one of the samples that was captured from live mail environment and using a publisher file.
Static Analysis
The static analysis of the file (.pub)
  • Pub is a publisher file which is part of the office suite
  • File is OLE – binary SS file
  • File has been created in 16 May 2016
  • the Pub file has four VBA modules, the main ones are the same as the ThisDocument module which is the one we will analyze later.
  • Extracting the VBA macro
  • With 2205 lines obfuscated script code, will be consuming if we do code analysis
  • So we will do dynamic analysis by coping the script into .doc file macro enabled and run it.
  • saved it as doc 1 and send it as an attachment

Dynamic Analysis

By sending the crafted .doc file to email server, the analysis on the mail server captured it as malicious and the Indication of compromise as follows:
  • the Macro is a downloader, trying to download an .exe file from a domain related to educational institute in Peru “cta[.]edu[.]pe” (CTA stands for Technological Sciences Institute of Arequipa)
  • then execute the file
  • By doing a simple Threat research for this domain using Maltego
    • we found that the file real.exe published in April 2016
    • and there is another file published in the same domain in May 2016, names “putty.exe”

  • the file has been saved in Temp “keSoHApxepwoREh.exe”
  • the downloaded exe file is (.Net compiled exe) and created/compiled in 19 May 2016, while the main macro downloader is created in 16 may.
    that difference shows that the creator is changed the main .exe file to a new one and uploaded it in 19, or he started writing the code in 16 and finished/uploaded it on 19 may

    /Users/mohamed.morad/Desktop/Screen Shot 2016-05-20 at 5.47.11 PM.png
  • file is written in C#
  • for Dynamic analysis on the same file, here is the findings:
  • The main two highlighted Malicious alerts, which is the IOC from Dynamic analysis, are indicating a malicious behavior
    • Network Activity to the Certificate service and dynamic dns domain
    • The code injection is not clear enough, it is injecting in CSC.exe which is CSharpCompiler. the main file is C#, but why it is injecting. We will know that in the host analysis from the triage collected by Endpoint Analysis (mentioned below)
      REMEMBER: That csc.exe will be interesting, in later stage

  • only 12 out of 57 engines detecting the malicious .exe as “Malicious”

Forensics analysis
Analysis on Fireeye Endpoint HX:
  • HX detected the Word document (that contains the .pub file macro) as Exploitation from the beginning
  • Detected the downloaded file

Triage analysis

From the Triage collected by Fireeye HX, Mandiant redline analysis is as following:
  • there are two processes is in suspicious state
    • CSC.exe (which is CSharpCompiler) it is showing the code injected with binarys not mapped
    • SVCHost.exe: this process will try to connect to the bad domain that is used by the downloader macro to download the exe file
  • In time line analysis
    • word document is opened
    • it tried to download the .exe file using svchost service
    • downloaded file is .Net C# assembly
    • tried to inject code in C#
    • the main .exe file exited
    • now the CSC C# compiled is infected and to be persistent it write a registry key in (run) to keep itself always running
    • then CSC.exe is tried to communicate back to the CnC server “mommyreal[.]ddns[.]net”
    • check the following redline analysis

  • The CnC server ( that C# compiler is talking to is located in Moscow