{"id":190,"date":"2019-04-04T12:46:40","date_gmt":"2019-04-04T10:46:40","guid":{"rendered":"https:\/\/lab52.es\/blog\/?p=190"},"modified":"2019-05-30T15:53:33","modified_gmt":"2019-05-30T13:53:33","slug":"military-financing-maldoc-analysis","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/military-financing-maldoc-analysis\/","title":{"rendered":"Military Financing Maldoc: analysis"},"content":{"rendered":"\n

Recently at Lab52<\/strong> from S2 Grupo, we have detected an\n infection campaign through a malicious document that has called our \nattention due to its content and title.<\/p>\n\n\n\n

The document in question, named \u201cMilitary Financing.xlsm\u201d and hash \n\u201cefe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12\u201d  \nstands out mainly for the image it contains, which refers to a document \nwith secret information about the US Department of State.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Illustration 1 Content of the document<\/em><\/p>\n\n\n\n

The file contains macros without any kind of obfuscation, which are \nresponsible for extracting lots of hexadecimal code from the cells in \nthe document, with which it composes two files, an executable and a \nscript:<\/p>\n\n\n\n

\"\"<\/a><\/figure><\/div>\n\n\n\n

Illustration 2 Macros code<\/em><\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Illustration 3 Hex strings on the document cells<\/em><\/p>\n\n\n\n

Once both files are extracted, it stores them in the directory %ProgramData% with the following names and hashes:<\/p>\n\n\n\n
Nombre<\/strong><\/td>Hash<\/strong><\/td><\/tr>
AutoHotkeyU32.exe<\/strong><\/td>967dba8d919693febf96fde4877e7f08077630f886d4e77b778855d998c073c2<\/td><\/tr>
AutoHotkeyU32.ahk<\/strong><\/td>acb3181d0408c908b2a434fc004bf24fb766d4cf68bf2978bc5653022f9f20be<\/td><\/tr><\/tbody><\/table>\n\n\n\n

From the document, there are two other elements that have also called our attention.<\/p>\n\n\n\n

The first one is its Russian language and the fact that some macro data is written in Cyrillic:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Illustration 4 Macros internal data<\/em><\/p>\n\n\n\n

The second element that has caught our attention is the fact that it contains an author name of the document:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Illustration 5 Document info<\/em><\/p>\n\n\n\n

From that name, we have found another 4 documents uploaded to the \nVirustotal platform from the Arab Emirates just over a week ago, at \nalmost the same time. They contain tests of different macros and ways to\n exploit the office document to install malware, with the same metadata \nas the main document and same strings in Russian in the macro data, so \nthey seem to be tests done by the author prior to this infection \ncampaign.<\/p>\n\n\n\n

Once the embedded files are extracted, the document launch the executable passing the script as a parameter:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

The executable consists of a legitimate AutoHotkey script loader, and\n the malicious logic comes on the file with extension \u201c.ahk\u201d. This \nscript, is in charge of, in first place, creating a shortcut in the \n\u201cStartup\u201d folder that brings persistence on each restart, and then, \nreporting the serial of the disk \u201cC:\u201d to the command and control server.\n Depending on the received command, it will update itself (Command 000) \nor create a new scripting file and execute it in parallel (Command 001).<\/p>\n\n\n\n

\"\"<\/a><\/figure><\/div>\n\n\n\n

Illustration 6 Script Code<\/em><\/p>\n\n\n\n

This allows it to remain as a backdoor, allowing the attacker to load\n any kind of new functionality or update the script itself, for example,\n an update with a new C2.<\/p>\n\n\n\n

The domain of the command and control with which the threat contacts is the following: \u201chxxp:\/\/185.70.186.]145\/7773\/index.php\u201d<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Illustration 7 C2 IP info<\/em><\/p>\n\n\n\n

The IP is located in the Netherlands and belongs to the company \n\u201chostkey.ru\u201d, which offers a VPS hosting service in Russia or the \nNetherlands:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Illustration 8 C2 Hosting Website<\/em><\/p>\n\n\n\n

At the moment, we have not been able to obtain new stages of \ninfection of this threat, nor other versions of this document with \ndifferent indicators, so we will continue monitoring this type of actors\n using TTPs slightly different from those used by more generic \ncybercrime actors.<\/p>\n\n\n\n
Name<\/strong><\/td>IOC<\/strong><\/td><\/tr>
C2<\/strong><\/td>hxxp:\/\/185.70.186.145\/7773\/index.php<\/td><\/tr>
AutoHotkeyU32.ahk<\/strong><\/td>acb3181d0408c908b2a434fc004bf24fb766d4cf68bf2978bc5653022f9f20be<\/td><\/tr>
AutoHotkeyU32.exe<\/strong><\/td>967dba8d919693febf96fde4877e7f08077630f886d4e77b778855d998c073c2<\/td><\/tr>
Military Financing.xlsm<\/strong><\/td>efe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12<\/td><\/tr><\/tbody><\/table>\n","protected":false},"excerpt":{"rendered":"

Recently at Lab52 from S2 Grupo, we have detected an infection campaign through a malicious document that has called our attention due to its content and title. The document in question, named \u201cMilitary Financing.xlsm\u201d and hash \u201cefe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12\u201d  stands out mainly for the image it contains, which refers to a document with secret information about the […]<\/p>\n","protected":false},"author":5,"featured_media":402,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[1],"tags":[],"class_list":{"0":"post-190","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-uncategorised","8":"entry"},"featured_image_src":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/141113-A-QS211-509_-_Soldiers_of_the_1st_Brigade_Combat_Team_1st_Cavalry_Division_and_2nd_Cavalry_Regiment_participate_in_the_closing_ceremony_for_Iron_Sword_2014-600x400.jpg","featured_image_src_square":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/141113-A-QS211-509_-_Soldiers_of_the_1st_Brigade_Combat_Team_1st_Cavalry_Division_and_2nd_Cavalry_Regiment_participate_in_the_closing_ceremony_for_Iron_Sword_2014-600x600.jpg","author_info":{"display_name":"JagaimoKawaii","author_link":"https:\/\/lab52.io\/blog\/author\/jagaimokawaii\/"},"_links":{"self":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/190"}],"collection":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/comments?post=190"}],"version-history":[{"count":5,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/190\/revisions"}],"predecessor-version":[{"id":335,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/190\/revisions\/335"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media\/402"}],"wp:attachment":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media?parent=190"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/categories?post=190"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/tags?post=190"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}