Malicious VBA macro uses CLSID to create Shell object

By

The SonicWall Capture Labs Threat Research Team has observed that Snake KeyLogger malware is being distributed using malicious word documents. The sample in distribution is using CLSID for WScript.Shell object creation rather than the name which is usually seen.

Infection Cycle

Upon opening the document, the user is displayed instructions to enable content as shown below:


Fig-1: Word Document

Shell Object creation:
This sample creates an instance of WScript.Shell object using CLSID. A CLSID is a globally unique identifier that identifies a COM class object.

CLSID’s that corresponds to Shell Object:

  • {72C24DD5-D70A-438B-8A42-98424B88AFB8}
  • {F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}

The Shell Object instance  is used to execute the PS command to download Snake Keylogger


Fig-2: VBA Macro present in document

 The Powershell command is transferred in obfuscated form as the content of word document:


Fig-3: Obfuscated PowerShell

De-Obfuscated PowerShell command shows it has AMSI bypass technique for Windows 10 systems. This is done to conceal AMSI bypassing technique and the next stage malware download URLs used in the script as seen after de-obfuscation


Fig-4: De-Obfuscated Powershell

Powershell code has embedded URLs from where the payload is downloaded. This sample uses the bit.ly URL shorten service and the target URL is “hxxp://qadir[.]tickfa[.]ir/ID3/0RIG0000000.jpg”. The payload, a windows executable file is stored as “0RIG0000000.jpg” on the remote host and belongs to SnakeKeylogger.

Payload Analysis:

The payload is a compiled .Net file and its basic information is shown below:


Fig-5: Details of PE file

The downloaded file contains an encrypted PE file in resource, which is decrypted using AES – ECB mode and loaded into memory. Decyrption Key is SHA256 of hardcoded bytes present in the sample.


Fig-6: Decryption routine

Persistence:

Sample copies itself to startup folder as driver.exe.

  • %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\drivers.exe

Sonicwall Capture ATP provides protection from this threat as shown below:


Fig-7: Capture ATP report

Indicators Of Compromise:

SHA256

  • 706f441b1e5b188f4373c6b680ea2c2b50ab81c2163bdaf690b3ec224581b8fb — Malicious Document File
  • 81b94fd7902d516f81fa99c090180e431b1e389e2ccd418fa2d0b3105d98fad9 — Downloaded Executable File

Network Connections:

  • bit[.]ly/2ZJ9xRc
  • qadir[.]tickfa[.]ir/ID3/0RIG0000000.jpg

Files:

  • %temp%\czxdpfb.exe
  • %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\drivers.exe

 

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.