A criminal malware group behind a sophisticated Excel macro backdoor, which has been targeting Middle Eastern financial institutions since 2015, appears to have moved on to new targets, with Cyren researchers recently discovering the technique being applied to a fake survey document purportedly sent by the French Ministry of Foreign Affairs.

Analyzing the weaponized file

While to all appearances a common macro malware document, static analysis of the file revealed a message stating that the file can only be run on newer versions of MS Office. Base64-encoded content is hidden behind this message and is decoded later on.

Once the macro is enabled, the malicious content runs in the background and a survey appears. The image of the English-language 'survey' suggests the intended target audience for this attack.

The Macro

Taking a closer look at the macro reveals that it uses two functions:

  • doom3_Init is used to deploy the payload.
  • doom3_ShowHideSheets is used to reveal the hidden decoy survey.

Doom3_Init drops the payloads test3.vbs and test3.ps1 in the %PUBLIC%\Libraries folder. (Note that the %PUBLIC% environment variable only exists on Windows Vista and newer versions.)

Test3.vbs is registered as a scheduled task named OfficeUpdate. Once the task is triggered, it executes test3.ps1, which is a PowerShell script.

1st Stage Payload

Peeking at the contents of test3.ps1, it has a couple of variables that serve as settings. It creates several more payloads and directories for its setup, all of them under the %Public%\Libraries\RecordedTV directory. All the payloads are initially base64-encoded and are decoded upon creation.

The Init function is quite straightforward: it creates the directories and files and a scheduled task named 'GoogleUpdateTasksMachineUI'. If it fails to create the task, it forcibly deletes the directory it created.

Before creating the files, it also has a function that modifies the content of the 2nd stage payloads: it tries to randomize the variables before base64-encoding them and saving them to the files.

Finally, it also tries to cover the 1st stage payload's tracks.

2nd stage payloads

The 2nd stage payloads consist of 3 files:

  • backup1.vbs - added as a scheduled task to act as the autostart mechanism. Responsible for executing the 2 PowerShell scripts.
  • DnE1.Ps1 - used to download/upload files and commands from the C2 servers. It uses the User-Agent string of the Bitsadmin tool. (To summarize the main function, we renamed it to describe what it does.)
  • DnS1.Ps1 - uses the DNS protocol to get information from/to the victim's network.

Once executed, it tries to obtain the botid using a DNS query.

It checks that the data or IP address returned by the DNS query starts with 33.33. It then takes the rest of the data, converts it and saves it to a batch file. Below is a snippet of the renamed function DNS_Query_Handler.

It then tries to execute this batch file and redirects the output to a text file. This text file is uploaded the same way the contents of the batch file were delivered: through DNS queries.
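As an added illustration of how a defender could hunt for this DNS channel in resolver logs (this is not code from the Cyren post or from the malware): it flags A answers in 33.33.0.0/16 per client and, under the assumption that the two remaining octets carry the transferred bytes in query order (the post only says the rest of the data is "converted"), reassembles what would have landed in the batch file. The log format and sample lines are constructed.

```python
"""Hunt for the '33.33'-prefixed DNS answer channel in resolver logs (added example)."""
import ipaddress
from collections import defaultdict

# Marker the DnS1.Ps1 script checks for, per the write-up: answers starting "33.33".
MARKER_NET = ipaddress.ip_network("33.33.0.0/16")

# Constructed sample resolver log, one "<epoch> <client> <qname> <rtype> <answer>" per line.
SAMPLE_LOG = """\
1488326400 10.0.0.5 www.example.com A 93.184.216.34
1488326401 10.0.0.5 a1b2c3.update-cdn.example A 33.33.119.104
1488326402 10.0.0.7 mail.example.com A 203.0.113.9
1488326403 10.0.0.5 d4e5f6.update-cdn.example A 33.33.111.97
1488326404 10.0.0.5 g7h8i9.update-cdn.example A 33.33.109.105
1488326405 10.0.0.5 j0k1l2.update-cdn.example A 33.33.13.10
"""


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, client, qname, rtype, answer = line.split()
    return {"ts": int(ts), "client": client, "qname": qname, "rtype": rtype, "answer": answer}


def is_marker_answer(answer):
    """True if the answer is an IPv4 address inside the 33.33.0.0/16 marker range."""
    try:
        return ipaddress.ip_address(answer) in MARKER_NET
    except ValueError:  # not an IP literal (e.g. CNAME target or garbage)
        return False


def find_dns_channel(log_text):
    """Return {client: [records]} for every A answer carrying the 33.33 marker."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["rtype"] == "A" and is_marker_answer(rec["answer"]):
            hits[rec["client"]].append(rec)
    return dict(hits)


def recover_payload(records):
    """ASSUMPTION: octets 3 and 4 are raw data bytes, concatenated in timestamp order."""
    out = bytearray()
    for rec in sorted(records, key=lambda r: r["ts"]):
        octets = rec["answer"].split(".")
        out.extend(int(o) for o in octets[2:])
    return bytes(out)
```

A single 33.33 answer is weak evidence on its own; a run of them to one client, each for a distinct never-before-seen hostname, is the pattern worth alerting on.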

Related attacks

Using the information from the analysis of the file, we came across research from Palo Alto Networks and FireEye reporting on related attack techniques targeting Middle Eastern financial institutions.

Cyren Ltd. published this content on 01 March 2017 and is solely responsible for the information contained herein.

Original document: https://blog.cyren.com/articles/french-ministry-survey-delivers-malware-payloads.html
