On December 7, 2020, researchers discovered a malicious document uploaded to VirusTotal. Its content refers to a meeting to be held in January 2020, and the document was compiled on January 27, 2020; its target was mainly the South Korean government. In other words, the attack took place about a year before the document surfaced.
The file contains an embedded macro that uses a VBA self-decoding technique: the malicious macro is decoded inside the Office process's memory space without ever being written to disk, and then injects a RokRat variant into Notepad.exe.
Based on analysis of the injected payload, the researchers believe the sample is related to APT37. APT37 is a threat group also known as ScarCruft, Reaper and Group123; it has been active since 2012 and its primary targets are victims in South Korea.
The VBA self-decoding technique used by the attackers first appeared in 2016: the malicious macro is stored in encoded form and is decoded and executed dynamically at run time.
Figure 1: Malicious document
The outer macro can be thought of as an unpacker stub that runs when the document is opened. The stub decodes the malicious macro and writes it into Office's memory rather than to disk, which lets it evade many security mechanisms that rely on scanning files.
Figure 2: Self-decoding technology
The macro used in this file is shown in Figure 3. It starts by calling the “ljojijbjs” function and takes different execution paths depending on the result.
Figure 3: Encoded macro
By default, Microsoft Office disables programmatic access to the VBA project object model (VBOM). An attacker who wants to generate and execute macros dynamically must therefore modify a registry value to bypass this restriction.
To check whether VBOM has been bypassed, the macro tests whether the VBOM can be accessed: the “ljojijbjs” function attempts read access to VBProject.VBComponent. If an exception is raised, VBOM access is still restricted and must be bypassed; if no exception is raised, VBOM has already been bypassed and VBA can extract the macro dynamically.
Figure 4: Check VBOM access
The “fngjksnhokdnfd” function is called to bypass VBOM. It sets the VBOM registry value to 1.
Figure 5: Modify VBOM registry key
After bypassing VBOM, the macro calls the CreateMutexA API to create a mutex named “mutexname” on the victim’s machine. Normally this lets an attacker ensure a victim is infected only once, but no code that checks for the mutex was found in the file.
Figure 6: Mutex creation
Finally, to perform the self-decoding process, the macro creates a new Application object that opens the document itself, loading the current document in it invisibly.
Figure 7: Self-opening
If VBOM is successfully bypassed, the Init function is called to generate the malicious macro in its obfuscated form.
Figure 8: Obfuscated macro
The obfuscated macro is then passed to “eviwbejfkaksd” for de-obfuscation and executed in memory.
Figure 9: De-obfuscation
To de-obfuscate the macro, two string arrays are defined:
· StringOriginal: the character array containing the plaintext (de-obfuscated) characters;
· StringEncoded: the character array containing their obfuscated counterparts, aligned index by index;
A loop then de-obfuscates the macro. In each iteration it takes one character from the obfuscated macro and looks up its index in StringEncoded; it then takes the character at the same index in StringOriginal and appends it to the new macro. For example, “gm* bf” in the encoded macro is decoded as “Option”.
Figure 10: De-obfuscation loop
The decoded macro is then executed in Office's memory space: a module is created, the decoded macro is written into it, and the main function is called to run it.
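The substitution loop described above, re-implemented in Python as an added example (this is not the sample's own code). The STRING_ORIGINAL / STRING_ENCODED arrays and the obfuscated sample are constructed for the example, not taken from the malicious document; only the “gm* bf” → “Option” mapping mentioned in the text is reproduced. The decoder also validates the table, since a duplicate or missing character makes the index lookup ambiguous, which is the usual reason an analyst's transcription of such a table produces garbage.

```python
"""Two-array substitution decoder of the kind used by the self-decoding macro.

The decoding rule: for each obfuscated character, find its index in
StringEncoded and emit the character at that index in StringOriginal.
"""
from typing import Dict

# Constructed table (assumption: not the arrays from the real sample).
# Position i of STRING_ENCODED is the obfuscated form of position i of
# STRING_ORIGINAL; the first six pairs reproduce "gm* bf" -> "Option".
STRING_ORIGINAL = "Option ExlcSubMa()\r\nd"
STRING_ENCODED = "gm* bf~Q3zk#v9!w<>|;r"


def build_table(original: str, encoded: str) -> Dict[str, str]:
    """Map each obfuscated character to the plaintext character at the same index.

    Both arrays must have the same length and contain no duplicates; otherwise
    the index lookup the macro performs is ambiguous.
    """
    if len(original) != len(encoded):
        raise ValueError("StringOriginal and StringEncoded differ in length")
    if len(set(original)) != len(original) or len(set(encoded)) != len(encoded):
        raise ValueError("duplicate characters make the mapping ambiguous")
    return dict(zip(encoded, original))


def decode_macro(obfuscated: str,
                 original: str = STRING_ORIGINAL,
                 encoded: str = STRING_ENCODED) -> str:
    """The macro's loop: look each character up in StringEncoded, take the
    character at the same index in StringOriginal, append it to the output."""
    table = build_table(original, encoded)
    out = []
    for ch in obfuscated:
        if ch not in table:
            # A character outside the table means the transcribed table is
            # wrong or incomplete; fail loudly rather than emit a silent gap.
            raise ValueError(f"character {ch!r} is not in StringEncoded")
        out.append(table[ch])
    return "".join(out)


def encode_macro(plain: str,
                 original: str = STRING_ORIGINAL,
                 encoded: str = STRING_ENCODED) -> str:
    """Inverse of decode_macro; used only to produce fixtures for testing."""
    inverse = {p: e for e, p in build_table(original, encoded).items()}
    return "".join(inverse[ch] for ch in plain)


# Constructed obfuscated macro body, produced with the table above.
OBFUSCATED_SAMPLE = "gm* bf~Q3mz k *|;#v9~!w f<>|;Qfr~#v9|;"

if __name__ == "__main__":
    print(decode_macro(OBFUSCATED_SAMPLE))
```

Running the block prints the decoded three-line VBA stub (`Option Explicit`, `Sub Main()`, `End Sub`). Against a real sample, an analyst would lift the two arrays from the macro source (Figure 9) and feed the obfuscated blob from the Init function to `decode_macro`.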
The main function defines the shellcode in hexadecimal format and targets notepad.exe. Based on the operating system version, it creates a Notepad.exe process and uses VirtualAlloc to allocate memory in its address space; it then writes the shellcode into that memory with WriteProcessMemory and finally calls CreateRemoteThread to execute the shellcode inside Notepad.exe.
Figure 11: De-obfuscated macro
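The two host-side observables in this chain are the registry change that enables VBOM access and the remote thread created by the Office process in Notepad.exe. The following detection logic, added here as an example and not part of the original analysis, runs over constructed Sysmon-style records: RegistryEvent (Event ID 13) for the registry write and CreateRemoteThread (Event ID 8) for the injection. The registry value name `AccessVBOM` under `...\Office\<version>\<app>\Security` is the real Office setting behind “Trust access to the VBA project object model”; the SID, paths and addresses in the sample records are invented.

```python
"""Detection over constructed Sysmon-style records ('Key=Value' pairs joined by '|').

Rule 1: an Office registry value AccessVBOM being set to 1 (Event ID 13).
Rule 2: an Office process creating a thread in another process (Event ID 8).
"""
import re
from typing import Dict, Iterable, List, Tuple

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Matches the trailing part of the registry path for any Office version/app,
# e.g. ...\Software\Microsoft\Office\16.0\Word\Security\AccessVBOM
ACCESS_VBOM_RE = re.compile(r"\\Office\\\d+\.\d+\\\w+\\Security\\AccessVBOM$",
                            re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=Value|Key=Value' into a dict; values may contain spaces or '='."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (rule_name, detail) for every record that matches a rule."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "13" and ACCESS_VBOM_RE.search(ev.get("TargetObject", "")):
            # Only the transition to 1 matters; 0 is the safe default.
            if "0x00000001" in ev.get("Details", ""):
                hits.append(("office_vbom_enabled",
                             f"{image_name(ev.get('Image', ''))} set "
                             f"{ev['TargetObject']}"))
        elif eid == "8":
            src = image_name(ev.get("SourceImage", ""))
            dst = image_name(ev.get("TargetImage", ""))
            # An Office application has no business starting threads elsewhere.
            if src in OFFICE_IMAGES and dst != src:
                hits.append(("office_remote_thread", f"{src} -> {dst}"))
    return hits


# Constructed records (assumption: field names follow Sysmon's schema; all
# values are invented for this example).
SAMPLE_EVENTS = [
    r"EventID=13|EventType=SetValue|Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|TargetObject=HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Office\16.0\Word\Security\AccessVBOM"
    r"|Details=DWORD (0x00000001)",
    r"EventID=1|Image=C:\Windows\System32\notepad.exe"
    r"|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"EventID=8|SourceImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|TargetImage=C:\Windows\System32\notepad.exe|StartAddress=0x0000000000E70000",
    # Not from an Office process, so outside rule 2.
    r"EventID=8|SourceImage=C:\Windows\System32\csrss.exe"
    r"|TargetImage=C:\Windows\System32\notepad.exe|StartAddress=0x00007FF6C3A21000",
    # Value being reset to 0: not the enabling transition.
    r"EventID=13|EventType=SetValue|Image=C:\Windows\regedit.exe"
    r"|TargetObject=HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Office\16.0\Word\Security\AccessVBOM"
    r"|Details=DWORD (0x00000000)",
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The Event ID 1 record (Notepad spawned by WINWORD.EXE) is deliberately left unmatched: on its own, Office starting Notepad is noisy, while the remote thread and the AccessVBOM write are specific to this technique and can be correlated with that process-creation event afterwards.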
Shellcode analysis (RokRat)
The shellcode injected into Notepad.exe downloads an encrypted payload from http://bit[.]ly/2Np1enh, which redirects to a Google Drive link.
Figure 12: Download URL
The shellcode injected into Notepad.exe is a variant of RokRat, the cloud-based RAT that APT37 has used since 2017. The sample's compilation timestamp is October 29, 2019. The RAT can steal data from the victim’s machine and send it to cloud services such as pCloud, Dropbox, Box and Yandex.
Figure 13: Hard-coded cloud services
Like the previous variant, this one uses several anti-analysis techniques to make sure it is not running in an analysis environment. The checks include:
· Checking for DLLs related to iDefense SysAnalyzer, Microsoft debugging DLLs and sandbox DLLs;
· Calling IsDebuggerPresent and GetTickCount to detect a debugger;
· Checking for VMware-related files.
Figure 14: Anti-analysis techniques
The RAT has the following capabilities:
Figure 15: Screenshot
· Collecting system information such as user name, computer name and BIOS data;
Figure 16: Collect BIOS data
· Stealing data and sending it to cloud services;
Figure 17: Data theft
· Credential theft;
· File and directory management.
Conclusion
APT37’s main infection vector is spear phishing. In the case examined in this article, the researchers found Office documents weaponized with self-decoding macros. The self-decoding macro technique bypasses many static detection mechanisms and hides the document’s malicious indicators. The final payload was a variant of the RokRat RAT, which in this case was injected into Notepad.exe.
Indicators of compromise
SHA-256:
3c59ad7c4426e8396369f084c35a2bd3f0caa3ba1d1a91794153507210a77c90
676AE680967410E0F245DF0B6163005D8799C84E2F8F87BAD6B5E30295554E08
A42844FC9CB7F80CA49726B3589700FA47BDACF787202D0461C753E7C73CFD2A
2A253C2AA1DB3F809C86F410E4BD21F680B7235D951567F24D614D8E4D041576
C7CCD2AEE0BDDAF0E6C8F68EDBA14064E4A9948981231491A87A277E0047C0CB
SHA-1:
ee47206c87482de1915b1e441a23a5b3473697e3
820b7fa90839dd6c4ed2fa3d9df10b4f7f24c47c
705a787bcd02de0433dd5a111cbcd4fade8f66d3
a446f191f61eb102f590d73c6c1ddf04744ce721
4ca27691616eb17bf4de0963b406fda738f4c940
MD5:
7b5f1c01980faf7801f16a761cb8d377
ca6d92c582a883378f7f3a95cb408415
82e4b4590ac2f4244d7bbd9afb999bbe
bc12ddc8baaa2f76b9574e4598948fa7
b680a929edbf58a803887182033f446b