Overview
Proofpoint researchers recently discovered a small email-based campaign attacking a major financial services provider. This attack was notable for a few reasons:
- The attack was very narrow in scope - a small number of malicious emails appear to have been sent to users in a single organization
- The emails included a Microsoft Word attachment that used an embedded object rather than macros to avoid detection; the embedded object was also highly obfuscated
- The payload was an unidentified keylogger hardcoded to send logs from infected computers to two Gmail addresses.
While the use of embedded objects instead of macros is not new, malicious macros remain the vector of choice for most threat actors at this time. However, we expect that this technique will become more popular in 2017.
Analysis
The emails sent in this attack include a Microsoft Word attachment named "info.doc". The document contains an image requesting that users click to install Microsoft Silverlight to view the content (Figure 1).
Figure 1: Lure document
Closer examination reveals that there are no macros in this document, but rather a "Packager Shell Object Object" (Figure 2).
Figure 2: Right-clicking on the image reveals that it is an embedded object instead of just a linked figure
Selecting "Properties" reveals that this is a Visual Basic Script file (Figure 3).
Figure 3: Properties of the embedded object
Once we extract this Visual Basic script, we find a file that is obfuscated by adding "We are safe" after every character in strings (Figure 4).
Figure 4: Obfuscated code snippet from the Visual Basic script with function to deobfuscate the code
However, the first three lines of the code includes the deobfuscation function that replaces the "We are safe" strings with empty strings. The deobfuscated code is shown in Figure 5.
Figure 5: Deobfuscated code
Note that the code performs an HTTP GET request to https://a[.]pomf[.]cat/sfkpiff.exe on line 6, followed by a string of question marks. We expect these would simply be discarded by the requested site. At the time of analysis, the file has already been removed from pomf[.]cat, a free file hosting site allowing anonymous uploads and frequently used to host malicious executables.
However, we were able to retrieve a sample from a public malware repository to further analyze the malware. A memory dump of the malware process reveals the following points of interest (also shown in Figure 6):
- A network request to http[:]//icanhazip[.]com, which allows the malware to identify the public IP address of the infected machine
- The occurrence of "GetAsyncKeyState" API. This Windows API is used frequently by keyloggers to identify keyboard keys pressed by the user. Calling GetAsyncKeyState 10 times per second creates a basic keylogger.
Figure 6: Memory dump from the unidentified malware
Further examination of the memory dump confirms that this is a keylogger (Figure 7).
Figure 7: Memory dump confirms keylogger function
Although not shown here, the malware also uses Gmail's SMTP server to send these logs to two hardcoded Gmail addresses.
To date, we have not identified this particular keylogger. It is written in AutoIt and uses additional tools such as the Lazagne password recovery tool that it downloads from hxxp://0v3rfl0w[.]com. The infection vectors are of greater interest at this point and the functions of the malware itself are fairly straightforward.
Conclusion
As threat actors move beyond the use of malicious macros, organizations will need to rethink how they prevent malicious content from reaching end users. While many businesses are either blocking Microsoft Office macros at a policy level or educating users about the dangers of enabling macro content, attackers have other means of creating weaponized documents for distributing malware - in this case, an embedded Visual Basic script in a Microsoft Word document with a keylogger payload.
Indicators of Compromise (IOCs)
IOC |
IOC Type |
Description |
8b7845f5487847085753f940dbbd65c7e75e6be48918fcf9f0d98df169607003 |
SHA256 |
Attachment |
https://a[.]pomf[.]cat/sfkpiff.exe |
URL |
Hosted keylogger (since removed) |
9a0b0832ac47b48475901269a0eb67f6287a2da64ec9a5cc8faf351ecd91d0e3 |
SHA256 |
Keylogger |
ET and ETPRO Suricata/Snort Coverage
2819671 || ETPRO TROJAN AutoIt Downloading Lazagne PW Recovery Tool
2019935 || ET TROJAN AutoIt Downloading EXE - Likely Malicious
2807400 || ETPRO MALWARE AutoIt EXE or DLL Windows file download
2008350 || ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile