Shulou(Shulou.com)06/02 Report--

This article mainly analyzes the relevant knowledge points of how to use Excel 4.0macro to evade the attack technology of killing soft detection, the content is detailed and easy to understand, the operation details are reasonable, and has a certain reference value. If you are interested, you might as well follow the editor to have a look, and follow the editor to learn in depth the knowledge of "using Excel 4.0 macros to evade the attack technology analysis of killing soft detection".

Preface

On October 18, 2018, the threat Intelligence Center captured for the first time a sample of an out-of-office attack using Excel 4.0 macros to spread Imminent Monitor remote-controlled Trojans. It has only been more than 10 days since the security researchers of Outflank, a foreign security manufacturer, first publicly used Excel 4.0 macros to execute ShellCode code on October 6, 2018. Although Excel 4.0macro technology has been released for more than 20 years and was often used to make macro viruses in the early days of this technology, in fact, because Microsoft used VBA macros (Visual Basic for Applications) to replace Excel 4.0macro technology very early, this caused Excel 4.0macros to be not well known by the public. And because Excel 4.0macros are stored in the Workbook OLE stream of Excel 97-2003 format (.xls, compound binary file format), it is very difficult for antivirus software to parse and detect Excel 4.0macros.

The threat Intelligence Center analyzes in detail the storage mode of Excel 4.0macros in Excel documents, and finds that after using some techniques to hide Excel 4.0macros and cooperate with the execution of some specially processed ShellCode, it can perfectly evade almost all static and dynamic detection of antivirus software and execute arbitrary malicious code. As the new utilization technology based on Excel 4.0macros has been made public, and there have been wild uses of this technology to spread remote control Trojans, the 360threat Intelligence Center released the analysis report and warned against such attacks.

Extremely strong ability to avoid killing

By deeply analyzing the storage mode of Excel 4.0macros in the compound binary file format, the threat Intelligence Center has constructed Exploit samples that can execute remote arbitrary malicious code. After testing, many famous antivirus software at home and abroad are unable to check and kill this kind of samples:

Kaspersky is statically immune from killing.

Kaspersky dynamic immunity from killing

ESET-NOD32 static immunity from killing

ESET-NOD32 dynamic immunity from killing

POC analysis

The results of the POC samples made public by Outflank security researchers on VirusTotal are as follows. So far, there is no soft kill that can be checked and killed. If combined with some special techniques, you can also avoid the dynamic killing of soft killing:

Execution process analysis

The following is a sample of testing Excel 4.0 macros given by security researchers at Outflank:

Because the cell name of the first column in the first row is set to "Auto_Open", when you open the table and click the enable Macro content button, Excel will automatically execute the contents of the table as Excel 4.0 macros. If you need to analyze its execution process, you can select the first row and the first column of data, right-click and select the execute menu:

Then select the Excel file at "location" in the pop-up dialog box, and then click the "step" button:

Finally, you can see the contents of the formula in the pop-up dialog box, as well as buttons such as "step", "step Skip", "Evaluation" and so on:

From the perspective of debugging, Excel first executes the macro code in the first row and first column, that is, = EXEC ("calc.exe"). After the instruction is executed, the calculator will pop up. In the same way, you can debug the remaining two formulas. Here are the specific meanings of the three formulas:

Formula content function = EXEC ("calc.exe") internal call WinExec function to open calculator = ALERT ("Hello, World") internal call MessageBox function open dialog box = HALT () marks the end of the Excel 4.0macro, similar to the C language return instruction

The result of the sample execution is to open the calculator and pop up a dialog box with the content "Hello, World":

Use Excel 4.0Macros to execute ShellCode

Because the Excel 4.0macro language includes function calls and hundreds of built-in functions, attackers can write subroutines or call built-in functions to achieve malicious code that provides the same functionality as VBA. The following is an example provided by Outflank security researchers:

The following table shows the specific meaning of each macro formula:

Formula content function = REGISTER ("Kernel32", "VirtualAlloc", "JJJJJ", "VAlloc", 1, 9) set kernel32percent VirtualAlloc alias to VAlloc=VAlloc (0,000000pm 4096pcm64) call VAlloc function to assign size to 1000000 Memory attribute is PAGE_EXECUTE_READWRITE memory = REGISTER ("Kernel32", "WriteProcessMemory", "JJJCJJ", "WProcessMemory", 1, 9) set kernel32 alternate WirteProcessMemory alias to WProcessMemory=SELECT (R1C2Kernel32 R999WirteProcessMemory R1C2) Select the first row, second column all data = SET.VALUE (R1C3, 0) set the first row and third column data to 0=WHILE (ACTIVE.CELL () "END") to cycle through the data just selected until the "END" flag = WProcessMemory (- 1, R2C1 + R1C3 * 255255) ACTIVE.CELL (), LEN (ACTIVE.CELL ()), 0) write what you just read to the memory address assigned by VAlloc = SET.VALUE (R1C3, R1C3 + 1) add the value of table R1C3 to one = SELECT (, "R [1] C") = NEXT () next loop = REGISTER ("Kernel32", "CreateThread", "JJJJJJJ", "CThread", 1, 9) set kernel32 created Thread alias to CThread=CThread (0,0, R2C1, 0,0) 0) call the CThread function to create a thread and set the thread entry to the memory allocated by VAlloc = HALT () to identify the end of the subprocess Return similar to C language

Overall, the functional logic implemented by the Excel 4. 0 macro code is:

Step 1: call kernel32programmable VirtualAlloc to allocate a piece of readable, writable, executable memory with a size of 1000000.

Step 2: loop through the data in the second column and call the kernel32 write WriteProcessMemory function to write the memory allocated in step 1 until the END flag

Step 3: call the kernel32 thread CreateThread function to create a thread and set the thread entry to the memory allocated in step 1

After these three steps, the goal of using Excel4.0 macros to execute ShellCode has been achieved.

Parsing Excel 4.0Macros Execl File (.xls) parsing in XLS

The XLS file used by the Execl 4.0 macro sample is actually a MS-CFB (Microsoft Compound File Binary File) file, while the MS-CFB file uses a structure similar to the FAT file system to save data. Many existing tools can parse this structure, such as OffVis, oletools, Structured Storage eXplorer, and so on. To learn the MS-CFB file structure, it is recommended to use OffVis. Here are the results opened with this tool:

It is recommended to use StructuredStorage eXplorer to read the contents of the file. The following is the effect image opened with this tool:

For manual parsing, please refer to:

Https://msdn.microsoft.com/en-us/library/dd953721(v=office.12).aspx .

Book/Workbook parsing

As shown in the figure above, the formula contents in the XLS file are saved to Workbook, and the structure needs to be parsed in order to read the formula from it. According to the MS-XLS documents provided by Microsoft, the Workbook structure is composed of record arranged in sequence:

Record consists of three fields, namely, record type, record size, and record data. The following is recorded by the MS-XLS document:

The record type and record size are 2 bytes each, and the record data is determined by the record size, as shown in the following figure. The record type is 0x0809, the record size is 0x0010 (16bytes), and the record data is 00 06 05 00 54 38 CD 07 C1 C 0 01 00 06 07 00 00.

The record type must be the RecordEnumeration type provided by Microsoft. For the type table, please refer to https://msdn.microsoft.com/en-us/library/dd945945(v=office.12).aspx.

The recode with a Recode type of 133 (BoundSheet8) contains the type information of the table (sheet), including the table name, hidden state, table type, etc.

The following is the structure of BoundSheet8:

LbPlyPos occupies 4bytes and specifies the book/workbook stream offset at the beginning of the table BOF record.

Dt occupies 1byte and specifies the table type.

ValueMeaning0x00Worksheet or dialog sheet0x01Macro sheet (Execl 4.0Macros) 0x02Chart sheet0x06VBA module (VBA macros)

StName identifies the name of the table, including the 2bytes length and string.

Take the samples of this analysis as an example:

Sha256:ac6f6a9463dabeb485973a0bc440e740627e3d2a0593f1e6c26dbd116d6b2e3e

The following figure identifies two tables, the first table is visible with an Execl 4.0macro and the name is Macro1, and the second table attribute is visible, type Worksheet or dialog sheet, and the name is Sheet1.

As you can see from the figure above, the BOF recode flow of Execl 4.0macro form is offset to 0x001AF6, and locate the recode with stream offset of 0x00001AF6 as shown in the following figure. Its type is 2057, which corresponds to the BOF record:

Then iterate from BOF recode to find the recode with record type 6 (Execl 4.0macro formula) to EOF recode:

Excel 4.0Macro object parsing

Recode with record type 6 contains macro formula objects in the format shown in the following figure:

Cell occupies 6 bytes and specifies the cell in which the formula resides.

FormulaValue occupies 8 bytes and specifies the value of the formula.

The CellParsedFormula structure is used to specify formulas.

As shown in the following figure, there are two Formula, the first of which is made up of data 0F 0017 08 00 63 61 6C 63 2E 65 78 65 42 01 6e

00 specifies the formula, and the second one is specified by data 04 00 4200 36 00.

The structure of CellParsedFormula is as follows:

Ccb occupies 2 bytes and specifies the rgce size.

Rgce specifies at least one formula data, including function numbers, parameters, and so on.

The rgce structure is roughly shown in the following figure:

RgceType accounts for 2bytes and specifies the formula data type. For the type, please refer to https://msdn.microsoft.com/en-us/library/dd948654(v=office.12).aspx.

The following gray background hexadecimal data is sample formula data:

The results of the first formula data analysis are as follows:

0x000F represents the formula data length, that is, ccb. 0x17 represents the formula data type, that is, rgceType, and here 0x17 represents PtgStr, followed by a string. 0x0008 represents the formula data length, that is, sLen. Calc.exe represents data, that is, data. 0x42 represents the formula data type, that is, rgceType, and here 0x42 stands for PtgFuncVar. 0x01 represents the number of function parameters, that is, NumberOfArg, and here 0x01 represents only one parameter. 0x006E ^ 0x0001=0 indicates that FuncID will query from the Ftab table, not from the Cetab table

The PtgFuncVar definition refers to https://msdn.microsoft.com/en-us/library/dd907478(v=office.12).aspx.

0x006E represents the ID of the calling function, that is, FuncID. In this case, it is 0x6E. You can call the EXEC function to query the Ftab table, and query the reference https://msdn.microsoft.com/en-us/library/dd904817(v=office.12).aspx.

In general, the first formula data determines the call to the EXEC function with an argument of "calc.exe". Similarly, the second formula calls the 0x36 function in the Ftab table, and the query shows that the HALT function is called here.

In turn, you can parse all the formula functions and related data in Excel one by one.

Analysis of attack samples of Imminent Monitor remote-controlled Trojans

The threat Intelligence Center first captured samples of attacks using Excel 4.0 macros to spread Imminent Monitor remote-controlled Trojans on October 18, 2018. On VirusTotal, only one antivirus software can detect and kill:

The malicious macro code of Excel 4.0is hidden in the table. If you choose to unhide it, you can see the Excel 4.0macro code:

The macro code starts from:

Hxxps://jplymell.com/dmc/InvoiceAug5e1063535cb7f5c06328ac2cd66114327.pdf downloads the file with the suffix PDF and executes it. The file is actually a malicious msi file. After executing through msiexec, it will decrypt and release a .NET type executable file under the% temp% directory, name it 033ventdata.exe and execute:

033ventdata.exe analysis

The program is a confused .NET program, and the main structure of the code is as follows:

VBM= in Form1 calls the gRQ= function:

The gRQ= function first gets some configuration information, including the CC address to be connected: linkadrum.nl, and determines whether the current process path is "% temp%\ ProtectedModuleHost.exe". If not, move the current file to this directory and delete the current process file:

If the process path matches, the corresponding LNK self-startup file is generated under the startup directory to achieve self-startup:

After that, start the puppet process InstallUtil.exe and inject the master PE file of the Trojan program:

Analysis of the main Control part of Trojan Horse

The injected Trojan master PE file is also a .NET program. After running, the library DLL of 7z LZMA will be loaded in memory, and then the lzma library will be called to decompress the Trojan master EXE that it carries and load it into memory. The EXE has strong confusion. After memory loading and execution, it will go online through linkadrum.nl and accept instructions to achieve complete remote control function:

After decompilation, you can also see the obvious string feature: "Imminent-Monitor-Client-Watermark"

ImminentMonitor RAT is a commercial remote control software, and the official website is imminentmethods.net, which basically includes all the remote control functions:

Early Macro virus samples using Excel 4.0Macros

Through big data association, the threat Intelligence Center also found a large number of samples of macro viruses that were spread by Excel 4.0macros in the early days:

MD5:66bceee6748d720dc6910f8cac7991da

The sample of this kind of macro virus has survived on the Internet for at least several years. The sample is an Excel file infected by Excel 4.0 macro virus. Take one of the samples as an example, as shown in the following figure:

Right-click the label bar and you will find that the sample hides a table (M1) _ (m2) _ (m3):

After unhiding, you will find that the columns are also hidden in the (M1) _ (m2) _ (m3) table. After unhiding the columns, you will find the following Excel 4.0macro code:

The first column is the code for the Excel4.0 macro, whose function is to create an excel.txt file on disk C, and then write the contents of the C1:C108 area of the table to the file. Finally, the excel.txt file is loaded into the current running environment using VBA.INSERT.FILE. Finally, the run function is used to call the createcabfile function in VBA. The function of createcabfile is to write the data of column B to disk C, then decompress and hide it, and finally modify the template file of its Excel to realize the function of worm propagation.

Protection and summary

From the analysis of advanced attack events in recent years, we can see that because of the high cost of exploiting vulnerabilities such as Office 0day, most attackers tend to use Office VBA macros to execute malicious code. On the other hand, the use of Excel 4.0macro technology will bring new challenges to the soft killing. Enterprise users should be as careful as possible to open documents from unknown sources. If necessary, disable all macro code execution by opening: file-options-Trust Center-Trust Center Settings-Macro Settings in Office Excel:

At present, a full range of products based on threat intelligence data from the threat Intelligence Center, including the threat Intelligence platform (TIP), SkyEye Advanced threat Detection system, NGSOC, etc., have supported the accurate detection of such attacks and such kill-free exploit samples. The self-developed kill engine of the threat Intelligence Center can also exclusively statically extract macros from attack samples as well as ShellCode utilization codes:

On the "use of Excel 4.0macros to avoid soft detection attack technology analysis is how to introduce here, more related content can search the previous articles, hope to help you answer questions, please support the website!"

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.