June 26, 2020
Introduction
The Advanced Persistent Threat group APT-C-35, believed to be based in India, has been observed targeting government and military personnel in Pakistan with spear-phishing emails. The group has been active for several years, conducting intelligence operations against political and military entities in South Asia, and this is a new round of attacks by the actor against the Pakistani government. Continued cyber attacks against the Pakistani government come as no surprise, given the historically tense relations with India and the recent rise in geopolitical tensions in the region. The group has also demonstrated the capability to target mobile phone users in past operations, and has impersonated the National Bank of Pakistan while targeting Pakistani businessmen.
This is not the only recent attack on Pakistani organizations: the SideWinder group was recently found targeting Windows machines and mobile devices in Pakistan and China, and Rewterz Threat Intelligence released a detailed analysis of SideWinder targeting Pakistani government officials in April.
MITRE ATT&CK Table
Analysis Report of APT-C-35 Group
File Identity
| Property | Value |
| --- | --- |
| File Name | Project Management.xls |
| File Type | XLS |
| File Info | MS Excel Spreadsheet |
| File Size | 155.00 KB (158,720 bytes) |
| MD5 | 4428912F168F3F1F0554126DE7B4ECED |
| SHA-1 | b958b4fc7a8bbc0b598df67cb47b04b9efe8f63f |
| SHA-256 | c3ccf4fc47d67afeb30728c67800ad9ff5727bb191ec9838b16cd63d450258a9 |
| VirusTotal Detections | 30/61 |
| Hybrid Analysis Score | More than 50% risk factor |
Summary of Analysis
Rewterz observed a spear-phishing campaign by the APT-C-35 group targeting Pakistani officials. Our Threat Intelligence team acquired the spear-phishing email and found that it carries a Microsoft Excel attachment posing as a legitimate project management document.
Detailed analysis of the Excel file showed that it contains 20 worksheets and embedded malicious macro code. When the victim opens the document and enables macros, the Workbook_Open macro runs and shows a hardcoded message box claiming that 'Microsoft Excel has stopped working'. In parallel it writes and executes a batch file, s.bat, whose step-by-step instructions create folders and files under the user's Temp and AppData directories (the paths are hardcoded in the code), set the hidden attribute on them, and save the computer name into a file named 'agnia' that the attacker creates in the AppData folder. Once the files and folders have been created and hidden, the script extracts the actual payload, a DLL named sqmap.dll, into the created directory.
Analysis of sqmap.dll found a function named calldll that contains the CnC server address. The attacker runs sqmap.dll through rundll32.exe (a native Windows binary used to load a DLL and call one of its exports), passing calldll as the export argument. The DLL then issues HTTP GET requests over port 80 to its CnC server, hosted in Bulgaria, to carry out further activity (action on objectives). The requests sent by the infected system carry multiple arguments in the URL parameters, and at the time of analysis the CnC server answered only with HTTP 404 (page not found). All of this activity is driven by the line-by-line batch script embedded in the macro, which the macro writes out as s.bat in the APPDATA directory.
Characteristics
The following characteristics were observed when the Excel document is opened by the victim.
- When the victim opens the XLS file, it prompts the user to enable macros. If macros are enabled, the user receives a message box stating that 'Microsoft Excel has stopped working'.
- Analysis of the workbook's internal worksheets found the series of worksheets listed below:
- A macro scanner reveals suspicious and anomalous functions embedded in the Excel file that belong to the creation of the s.bat file.
Searching the VBA code, we also found that the 'ThisWorkbook' module contains scripting, described point by point below:
A) We first extracted the script running in the macros of the 'ThisWorkbook' module and found that it creates a message box with the deliberately misleading text 'Microsoft Excel has stopped working'.
B) The script also defines that the files 's.bat' and 's' are to be dropped in specific folders.
C) Its last line launches s.bat, which sets the rest of the chain (including the HTTP request) in motion, using the vbHide window style so that the batch window is never shown to the user.
After exploring the main sheet we broke the XLS file into raw strings and found further scripting, described in the points below:
A) The script creates a scheduled task for a file gapdat.exe in the directory '%USERPROFILE%\Files\Shared\Web\'. This directory does not look legitimate, and gapdat.exe appears to be a dependent file already placed in it.
B) The first line of the raw script moves the file 's' from %AppData% to the directory '%USERPROFILE%\Viewer\Information\Policy' and, after the move, renames 's' to 'Sqmap.dll', as shown below:
C) The script then modifies the attributes of the folders holding gapdat.exe and sqmap.dll with attrib, using the three flags '+a', '+h' and '+s', which set the archive, hidden and system attributes respectively; hidden plus system keeps the folders out of a default Explorer listing.
D) A second scheduled task is created that uses rundll32.exe to call sqmap.dll from the other unusual directory, '%USERPROFILE%\Viewer\Information\Policy'.
- Moving on to sqmap.dll, it is built to issue HTTP requests and handle the responses using the Windows WinHTTP API (functions declared in 'WinHTTP.h'), as shown below:
[Note: the same was found in the raw strings of sqmap.dll.]
- In addition, reviewing the BIFF structure of the XLS document, we found WRITEACCESS (record type 0x5C) and HIDEOBJ (record type 0x8D) records in the binary workbook stream.
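A way to check the WRITEACCESS and HIDEOBJ records mentioned above for yourself, as an added example that is not Rewterz's tooling: the walker below parses a BIFF8 record stream and reports the WRITEACCESS (0x5C) user name and the HIDEOBJ (0x8D) display mode. The stream it runs on is constructed inline; for a real .xls you would first extract the Workbook stream from the OLE2 container (for instance with the third-party olefile module), which this example does not do.

```python
"""Walk the BIFF record stream of an XLS workbook and flag WRITEACCESS / HIDEOBJ.

Added example (not the report's own code). A BIFF stream is a flat sequence
of records: 2-byte record id, 2-byte payload length, then the payload, all
little-endian. The stream below is constructed for the example; with a real
.xls the 'Workbook' stream must first be pulled out of the OLE2 container
(e.g. with the third-party olefile module), which this example does not do.
"""
import struct

RECORD_NAMES = {
    0x0809: "BOF",
    0x005C: "WRITEACCESS",  # name of the user who last saved the workbook
    0x008D: "HIDEOBJ",      # how embedded objects (charts, shapes, controls) are shown
    0x000A: "EOF",
}
# HIDEOBJ payload values (MS-XLS HideObj record)
HIDEOBJ_MODES = {0: "SHOWALL", 1: "SHOWPLACEHOLDER", 2: "HIDEALL"}


def iter_records(stream: bytes):
    """Yield (offset, record_id, payload) for every record; fail on truncation."""
    pos = 0
    while pos + 4 <= len(stream):
        rec_id, length = struct.unpack_from("<HH", stream, pos)
        payload = stream[pos + 4:pos + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated record 0x%04X at offset %d" % (rec_id, pos))
        yield pos, rec_id, payload
        pos += 4 + length


def decode_writeaccess(payload: bytes) -> str:
    """BIFF8 WRITEACCESS: XLUnicodeString (cch, flags, chars) space-padded to 112 bytes."""
    cch, flags = struct.unpack_from("<HB", payload, 0)
    if flags & 0x01:  # fHighByte set: characters are UTF-16LE
        return payload[3:3 + 2 * cch].decode("utf-16-le")
    return payload[3:3 + cch].decode("latin-1")


def scan(stream: bytes) -> dict:
    """Return the records of interest keyed by name, with offset and decoded value."""
    found = {}
    for offset, rec_id, payload in iter_records(stream):
        name = RECORD_NAMES.get(rec_id)
        if name == "WRITEACCESS":
            found[name] = {"offset": offset, "user": decode_writeaccess(payload)}
        elif name == "HIDEOBJ":
            (mode,) = struct.unpack_from("<H", payload, 0)
            found[name] = {"offset": offset,
                           "mode": HIDEOBJ_MODES.get(mode, "unknown(%d)" % mode)}
    return found


# --- constructed sample stream (not taken from the real sample) ---------------
def _record(rec_id: int, payload: bytes) -> bytes:
    return struct.pack("<HH", rec_id, len(payload)) + payload


def _writeaccess_payload(user: str) -> bytes:
    return (struct.pack("<HB", len(user), 0) + user.encode("latin-1")).ljust(112, b" ")


SAMPLE_STREAM = (
    _record(0x0809, struct.pack("<HHHHII", 0x0600, 0x0005, 0, 0, 0, 0))  # BIFF8 BOF, workbook globals
    + _record(0x005C, _writeaccess_payload("analyst"))
    + _record(0x008D, struct.pack("<H", 2))                               # HIDEOBJ = HIDEALL
    + _record(0x000A, b"")
)

if __name__ == "__main__":
    for name, info in scan(SAMPLE_STREAM).items():
        print(name, info)
```

On the constructed stream this reports WRITEACCESS at offset 20 with user 'analyst' and HIDEOBJ at offset 136 set to HIDEALL. A HIDEOBJ value of HIDEALL is worth noting in a maldoc triage because it suppresses the display of embedded objects and controls; the walker raises on a truncated record rather than silently reading past the end of the stream.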
Dependencies
The following dependencies were observed in the malware code; execution requires user interaction.
- The malware auto-executes once the victim opens the document and enables macros: file creation and the CnC connection are then established automatically by the infected machine.
- The malware is designed for, and only runs in, the Windows environment.
Following is the complete process-working graph for this attack.
Behavioral Findings through Analysis
The following behaviours were observed:
- When the victim opens the document and enables macros, the following message box is shown to the victim.
- In the background, the malware then communicates with the public IP address 185.141.61[.]120 on port 80 through sqmap.dll, executed under rundll32.exe, as shown below:
- Further analysis confirmed that it polls the C2 server roughly every 30 seconds. It uses the fixed User-Agent string "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" and performs an HTTP GET against http[:]//dnsresolve[.]live/xx/xx.
- Analysis of the macros showed that the apparent crash and the message box above were planted to make the user believe the file is corrupt and has closed. The highlighted part shows the event. Further analysis of the workbook macro showed that it creates files in this directory:
• C:\Users\XYZ\AppData\Roaming
• The files are named "s" and "s.bat"
- The code also shows that rundll32.exe loads sqmap.dll and calls its calldll function; monitoring the network activity of the rundll32.exe process confirmed the behaviour defined in the code, as shown below:
- Further analysis confirmed the finding: the processes were invoked as described, and Task Manager validated the result and the TCP connections to the IP 185.141.61[.]120.
- Finally, after these steps the dropper uses the shell-execution technique and begins sending requests to, and receiving responses from, the CnC server.
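The process chain described in the Characteristics section (Excel launching s.bat from AppData, attrib +h +s on the drop folders, scheduled tasks, rundll32 loading sqmap.dll,calldll) and the beacon described above (fixed User-Agent, a GET to dnsresolve[.]live roughly every 30 seconds, 404 replies) translate directly into detection logic. The Python below is an added example, not the report's code: it runs four process-creation rules and one beaconing heuristic over constructed Sysmon-style and proxy-style events. The sample user name, task name and schedule, timestamps, query strings and the allow-listed DLL prefix are assumptions; the indicator values are those from the analysis.

```python
"""Detection logic for the s.bat -> attrib/schtasks -> rundll32 chain and the HTTP beacon.

Added example, not part of the Rewterz report. Events are dicts shaped like
Sysmon process-creation fields and web-proxy log fields; the sample events,
user name 'xyz', task name and schedule, timestamps and query strings are
constructed for the example. The indicator values (paths, DLL export,
User-Agent, C2 host and IP, ~30 s beacon period, 404 replies) are those the
analysis describes.
"""
import re
from collections import defaultdict
from datetime import datetime

KNOWN_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
C2_HOSTS = {"dnsresolve.live", "185.141.61.120"}
# user-profile DLL locations accepted as normal; tune for your estate (assumption)
ALLOWED_USER_DLL_PREFIXES = ("\\appdata\\local\\microsoft\\",)


def detect_process(event: dict) -> list:
    """Return the names of the rules one process-creation event triggers."""
    parent = event["ParentImage"].lower()
    image = event["Image"].lower()
    cmd = event["CommandLine"].lower()
    hits = []
    # 1. Office writing and launching a batch file from the user's AppData
    if (parent.endswith("excel.exe") and image.endswith("cmd.exe")
            and ".bat" in cmd and "\\appdata\\" in cmd):
        hits.append("office_spawns_bat_in_appdata")
    # 2. rundll32 loading a DLL from under C:\Users and calling a named export
    if image.endswith("rundll32.exe"):
        m = re.search(r"([a-z]:\\users\\[^,\s]+\.dll)\s*,\s*(\w+)", cmd)
        if m and not any(p in m.group(1) for p in ALLOWED_USER_DLL_PREFIXES):
            hits.append("rundll32_userprofile_dll")
    # 3. Scheduled task whose action (/tr) points into a user profile
    if (image.endswith("schtasks.exe") and "/create" in cmd
            and re.search(r'/tr\s+"?[^"]*[a-z]:\\users\\', cmd)):
        hits.append("schtasks_userprofile_action")
    # 4. attrib setting hidden+system on something inside a user profile
    if image.endswith("attrib.exe") and "+h" in cmd and "+s" in cmd and "\\users\\" in cmd:
        hits.append("attrib_hide_system_userprofile")
    return hits


def detect_beacon(requests: list, period_s=30, tolerance_s=5, min_hits=3) -> list:
    """Flag (client, host) pairs that fetch one path with one UA at a steady interval."""
    by_pair = defaultdict(list)
    for r in requests:
        by_pair[(r["client"], r["host"])].append(r)
    alerts = []
    for (client, host), reqs in by_pair.items():
        if len(reqs) < min_hits:
            continue
        reqs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        paths = {r["uri"].split("?", 1)[0] for r in reqs}  # ignore varying query arguments
        if (all(abs(g - period_s) <= tolerance_s for g in gaps)
                and len({r["ua"] for r in reqs}) == 1 and len(paths) == 1):
            alerts.append({
                "client": client, "host": host, "count": len(reqs),
                "known_c2": host in C2_HOSTS, "known_ua": reqs[0]["ua"] == KNOWN_UA,
                # a server answering 404 is still a live beacon, not a false positive
                "statuses": sorted({r["status"] for r in reqs}),
            })
    return alerts


# --- constructed sample events -------------------------------------------------
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\xyz\AppData\Roaming\s.bat"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r'attrib +a +h +s "C:\Users\xyz\Viewer\Information\Policy"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 1 /tn Updater '
                    r'/tr "rundll32.exe C:\Users\xyz\Viewer\Information\Policy\sqmap.dll,calldll"'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\xyz\Viewer\Information\Policy\sqmap.dll,calldll"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # benign Control Panel launch
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def _req(ts: str, host: str, uri: str, status: int) -> dict:
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "client": "10.0.0.7",
            "host": host, "uri": uri, "ua": KNOWN_UA, "status": status}


SAMPLE_PROXY_LOG = [
    _req("2020-06-20 10:00:00", "dnsresolve.live", "/xx/xx?a=1&b=x", 404),
    _req("2020-06-20 10:00:31", "dnsresolve.live", "/xx/xx?a=2&b=x", 404),
    _req("2020-06-20 10:01:00", "dnsresolve.live", "/xx/xx?a=3&b=x", 404),
    _req("2020-06-20 10:01:29", "dnsresolve.live", "/xx/xx?a=4&b=x", 404),
    # ordinary browsing from the same host: irregular timing, varied paths
    _req("2020-06-20 10:00:05", "example.com", "/", 200),
    _req("2020-06-20 10:00:07", "example.com", "/news", 200),
    _req("2020-06-20 10:03:40", "example.com", "/about", 200),
]

if __name__ == "__main__":
    for ev in SAMPLE_PROCESS_EVENTS:
        print(detect_process(ev), "<-", ev["CommandLine"])
    print(detect_beacon(SAMPLE_PROXY_LOG))
```

The process rules key on where the DLL, batch file or task action lives rather than on the file names, so renamed copies of sqmap.dll or s.bat still trigger them; the benign rundll32 launch of shell32.dll from System32 does not. The beaconing heuristic compares only the URI path, since the report notes that the request carries multiple arguments in the URL parameters, and it records the response statuses so that a 404-only conversation is not mistaken for a dead host.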
Indicators of Compromise
Visit our Threat Advisory for IoCs.
Remediation
To remediate this threat:
- Block the domain dnsresolve[.]live and the IP 185.141.61[.]120.
- Search for gapdat.exe, sqmap.dll and s.bat in the directories named in the analysis section and remove them, together with the scheduled tasks that launch them.
- Restrict execution of .bat files, for example by blocking batch files launched from user-writable locations such as %AppData% through application control policy.
- Closely monitor rundll32.exe for suspicious activity, in particular DLLs loaded from user-profile directories.
- Closely monitor URLs with abnormal URI strings or abnormal length.
- Block the hashes associated with these malware files on EDR and endpoint controls.
- Delete unnecessary AppData and Temp entries.
Beware of the social engineering techniques employed by cyber criminals, including those used in phishing emails, impersonated calls, and fraudulent businesses and domains, so that a suspected compromise can be responded to effectively.
The above analysis was performed in a controlled environment at Rewterz Threat Intelligence Labs. If you have malware samples or binaries that need to be analyzed, contact us.
Conclusion
Analysis shows that the sample Excel file acts as a beacon: it builds the connection to the command and control server through the macro feature of Microsoft Excel. Because macros require the user to enable them, the calls to the command and control server start only once the user, accidentally or intentionally, enables macros while opening this document. However, no meaningful response from the command and control server was observed in the packet captures; the server answered only with HTTP 404.
To read our frequent analyses on malware and APT groups, visit our Threat Intelligence blog.