{"id":291,"date":"2019-04-17T13:22:57","date_gmt":"2019-04-17T11:22:57","guid":{"rendered":"https:\/\/lab52.es\/blog\/?p=291"},"modified":"2019-05-16T12:30:03","modified_gmt":"2019-05-16T10:30:03","slug":"ukraine-election-2019-polls-maldoc-analysis","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/ukraine-election-2019-polls-maldoc-analysis\/","title":{"rendered":"Ukraine election 2019 polls Maldoc: analysis"},"content":{"rendered":"\n

From Lab52 at S2 Grupo, we have recently detected a malicious document titled \u201cUkraine_election_2019_polls.doc<\/em>\u201d. The document was uploaded to Virustotal on March 12nd, 2019 from Germany.<\/p>\n\n\n\n

The title and uploading date is especially relevant in this case, \nbecause of the existing conflict between Ukraine and Russia and the \ngeneral elections at Ukraine.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Document content<\/em><\/p>\n\n\n\n

Regarding that, the first round of the general elections of Ukrania \n(15 days before the document was uploaded) took place on March 31st, and\n the second round will be on April 21st. The result of the elections \nwill have a definitive impact on the conflict between both countries.<\/p>\n\n\n\n

To give the reader some geopolitical background, the conflict between\n Russia and Ukraine began with the Crimea annexation (by the Russian \nFederation), and has lead to a second conflict due to the disruption of \nthe \u201cmaritime order in the Black Sea and the Sea of Azov. While the exact content of Ukraine\u2019s claims is not publicly known, it is understood<\/a> that [Ukraine] include Russia\u2019s ongoing construction of a bridge across Kerch Strait<\/a>\n and restrictions on passage of Ukrainian vessels through Kerch Strait \nand the Sea of Azov [\u2026]. Kerch Strait Bridge is intended to create a \nland connection between Crimea and Krasnodar region which, in light of Ukraine\u2019s blockade of Crimea<\/a>, is crucial for supplies from Russia<\/em>\u201c.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

[The text in italics and the image above comes from this voelkerrechtsblog.org post<\/a> and is authored by Dmytro Koval<\/strong> and Valentin J. Schatz<\/strong>]<\/p>\n\n\n\n

There are three mainly candidates with high probabilities to win the \nelections: Petro Poroshenko, Yulia Tymoshenko and Volodymyr Zelenskiy. \nEach one has a specific way to approach the conflict, but the main \npositions are divided into looking for support from the European Union \nor get closer to the Russian Federation.<\/p>\n\n\n\n

The content of the document is a real news<\/a>\n coming from the conservative and liberal British Daily Express \nnewspaper. European right-wind citizens tend to align against the \nKremlin\u2019s international policies, what makes this document a good bait.<\/p>\n\n\n\n

All the context and sophistication of the content of the document \nmakes it to stand out from the generic campaigns of malware infections, \nfitting more into TTPs related to APT groups.<\/p>\n\n\n\n

Regarding its malicious logic, it depends on macros, which are \nprotected with a password in order to make its analysis more difficult:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Password prompt<\/em><\/p>\n\n\n\n

This is not a serious problem, since there are many tools that allows\n to extract them despite that. Once extracted, we see the function \nresponsible for the execution of the threat:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Malware execution function<\/em><\/p>\n\n\n\n

This function executes the next stages by extracting text in Base64 \nfrom the \u201cCompany\u201d field of the document metadata, decoding it and \nlaunching a \u201ccmd.exe\u201d with WMI.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

By\n executing the next payload through WMI, the process created does not \ndepend on the Microsoft Winword editor but \u201cWmiPrvSE.exe\u201d:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

The decrypted base64 text consists of a obfuscated Bash command that \nafter several calls to CMD.exe, ends up loading a Powershell.exe with \nthe final Payload.<\/p>\n\n\n\n

\"\"<\/a><\/figure><\/div>\n\n\n\n

Base64 encoded payload<\/em><\/p>\n\n\n\n

\"\"<\/a><\/figure><\/div>\n\n\n\n

Decoded payload<\/em><\/p>\n\n\n\n

The final Powershell.exe process runs as follows:<\/p>\n\n\n\n

\"\"<\/a><\/figure><\/div>\n\n\n\n

Powershell process params<\/em><\/p>\n\n\n\n

If we take a look, the powershell call has several mistakes in its parameters, in spite of which it is perfectly functional:<\/p>\n\n\n\n