Wednesday, November 16, 2016

Generic VBA Instrumentation for Microsoft Office Documents

For the last couple of months we have witnessed a resurgence of Microsoft Office macro malware: cyber attackers are once again leveraging macros for evil. Macros are small pieces of VBA (Visual Basic for Applications) code used by organizations to automate frequently performed tasks in Microsoft Office. Despite their time-saving potential, macros can also be used perfidiously, allowing attackers to run malicious software on someone's computer.

What we have also seen is how state-sponsored APT groups were using MS Office documents as an initial attack vector to infect and damage state critical infrastructure. This was possible not only because of VBA's ease of use, but also because of its exploitation potential. Most notable examples from this year:

Opening untrusted documents in a sandboxed environment is slowly becoming a standard in security-aware companies. At Joe Security, we are constantly improving and quickly adapting to stay at the leading edge of innovation, so we can offer our customers the broadest possible protection. The method proposed by Kacper Szurek in his latest research on VBA macro analysis (https://github.com/eset/vba-dynamic-hook) was a great source of inspiration, so we decided that a similar approach would be an interesting addition to Joe Sandbox.

The initial idea was to insert instrumentation code into the APIs called from the VBA script and log their arguments, which at that point are no longer encrypted. The outcome of this instrumentation would be bypassing string encryption and facilitating further analysis. It would also allow us to build better detection, based on accessed host names or on strings used as a process blacklist. This initial plan quickly evolved into something bigger, so today we can proudly present VBA instrumentation with the following set of features:

  • Argument and return value logging for a predefined set of VBA APIs - the list of supported functions can be easily extended in our On-Premise products. Below you can see an interesting output of the instrumentation (part of the Joe Sandbox report):

  • Local function execution marks - every user-defined function is logged once when it is first executed, so we can later divide functions into executed / non-executed groups; this data is also shown as a colored execution graph:

  • Heuristic detection of the string encryption function - if our algorithm properly recognizes the string encryption function, the final output is enriched with additional information matching each encrypted string to its decrypted value. The string encryption function also gets a separate color in the execution graph (red node above):

  • Custom user-defined Pre / Post VBA API hooks (available only in the On-Premise products for now) - this is a really powerful feature that can be used to bypass various evasion techniques. Basically, the customer can define VBA code that will be executed before and after certain VBA APIs. A defined hook can access and modify the API arguments and the return value.

Bypassing MaxMind IP check with user defined hooks

Checking properties of the IP address with the help of online GeoIP services is a quite popular evasion trick. Usually a malicious script checks:

  • the IP location/country code - used to target specific countries
  • the ISP/Organization name - mostly used for blacklisting purposes (VPN providers, security companies, TOR nodes). Such lists are sometimes quite long:

 

This can also be easily circumvented with custom VBA hooks. In the screenshot below, we can see the behavior of the original IP check function:


The Meta Information column contains all the information we need, so we don't even have to read the original VBA code. The WinHttpRequest.Status() call returned status 403 (Forbidden). Probably the MaxMind GeoIP service introduced stricter checks and refuses to return proper data. The above macro verifies that the returned status code is 200 and, if not, returns the default String value (an empty string). This is the first API call that we need to bypass. We can define a simple Post hook for the Status() function:


The analysis can be re-run with the new hook, and the actual results will look like this:


WinHttpRequest.Status() now returns 200 and the JBWQC() function returns the content of WinHttpRequest.ResponseText. The returned HTML is fully visible in the Meta Information column of the report. The sample still doesn't execute the final payload, so we need to check where the returned HTML content is used. This can be done just by looking at the VBA Call Graph:


The IP-checking function is named JBWQC() and it is reached only from mtUBxZ(). We can easily navigate to this function just by clicking on the corresponding graph node.


Here we can see that the returned HTML content is passed to the WjUJV() function, which is just a wrapper for the VBA InStr API. The second argument seems to be an encrypted string; luckily we have heuristic detection of string encryption functions, and in this case it properly logged the decrypted value. It is visible above the VBA function: "xINsEBWARZWSLGTDqR" - "SWITZERLAND". So the ResponseText has to contain the string "SWITZERLAND"; this is our second VBA Post hook:


After re-running the analysis we can further inspect the instrumented VBA code, or just look at the rest of the report, since the macro now successfully executed the final payload:
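To make the mechanism behind the feature list and the MaxMind walkthrough concrete, here is an added illustration in plain VBA. It is written for this page; it is not Joe Sandbox's own code and does not use its hook syntax. It assumes a hypothetical rewriting step that replaces `req.Status` with `Hooked_Status(req.Status)`, `req.ResponseText` with `Hooked_ResponseText(req.ResponseText)` and `InStr(...)` with `Hooked_InStr(...)`; the wrapper names, the `Post_*` hook names and the `LogCall` logger are all assumptions, and the HTTP response used in `Demo` is a constructed value, so the module runs offline in the VBA editor without touching any GeoIP service.

```vba
Option Explicit

' Added illustration, not Joe Sandbox code: a minimal VBA instrumentation layer.
' Assumed (hypothetical) rewriting step applied to the sample's source:
'   req.Status        -> Hooked_Status(req.Status)
'   req.ResponseText  -> Hooked_ResponseText(req.ResponseText)
'   InStr(a, b, c)    -> Hooked_InStr(a, b, c)
' Each wrapper logs the original arguments / return value, then gives an
' analyst-defined Post hook the chance to replace the return value.

' Constructed logger; a sandbox would feed its report store instead of Debug.Print.
Private Sub LogCall(ByVal api As String, ByVal args As String, _
                    ByVal original As String, ByVal final As String)
    Debug.Print api & "(" & args & ") -> " & original & _
                IIf(original = final, "", "  [hook -> " & final & "]")
End Sub

' ---- Analyst-defined Post hooks (the evasion bypass) -----------------------

' Post hook 1: the GeoIP service answered 403, so report 200 to the macro instead.
Private Function Post_Status(ByVal result As Long) As Long
    Post_Status = 200
End Function

' Post hook 2: the macro searches the body for "SWITZERLAND" (the decrypted
' constant surfaced by the instrumentation), so make sure the body contains it.
Private Function Post_ResponseText(ByVal result As String) As String
    If InStr(1, result, "SWITZERLAND", vbTextCompare) = 0 Then
        Post_ResponseText = result & vbCrLf & "SWITZERLAND"
    Else
        Post_ResponseText = result
    End If
End Function

' ---- Wrappers inserted by the instrumentation step --------------------------

Public Function Hooked_Status(ByVal original As Long) As Long
    Hooked_Status = Post_Status(original)
    LogCall "WinHttpRequest.Status", "", CStr(original), CStr(Hooked_Status)
End Function

Public Function Hooked_ResponseText(ByVal original As String) As String
    Hooked_ResponseText = Post_ResponseText(original)
    LogCall "WinHttpRequest.ResponseText", "", Left$(original, 40) & "...", _
            Left$(Hooked_ResponseText, 40) & "..."
End Function

' InStr has no hook attached here, so the wrapper only logs. Note that the
' second argument is logged in clear, which is exactly how an encrypted
' constant becomes readable in the Meta Information column.
Public Function Hooked_InStr(ByVal start As Long, ByVal s1 As String, _
                             ByVal s2 As String) As Long
    Hooked_InStr = InStr(start, s1, s2)
    LogCall "InStr", CStr(start) & ", <" & Len(s1) & " chars>, """ & s2 & """", _
            CStr(Hooked_InStr), CStr(Hooked_InStr)
End Function

' ---- Constructed re-enactment of the sample's IP check, run offline ----------

Public Sub Demo()
    Dim status As Long, body As String

    ' Constructed values standing in for the real WinHttpRequest object.
    status = Hooked_Status(403)                      ' the server really said 403
    If status = 200 Then
        body = Hooked_ResponseText("<html><body>country: UNITED STATES</body></html>")
    Else
        body = ""                                    ' the sample's default: empty string
    End If

    ' Without the two hooks: body = "", InStr returns 0 and the sample exits quietly.
    If Hooked_InStr(1, body, "SWITZERLAND") > 0 Then
        Debug.Print "Target check passed: payload branch would run (logged, not executed)"
    Else
        Debug.Print "Target check failed: sample would exit quietly"
    End If
End Sub
```

Running `Demo` from the Immediate window prints the three logged calls followed by the "payload branch would run" line; commenting out the bodies of the two `Post_*` hooks (returning `result` unchanged) reproduces the original 403 / empty-string behaviour and the quiet exit. The point to take away is that the wrappers see every argument after the sample's own string decryption has run, which is why both logging and hooking sit at the API boundary rather than in the obfuscated caller.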


Final words

Being able to act quickly has become a major strategy in the fight against evasion. With Joe Sandbox, security teams (CERTs, CIRTs, SOCs, etc.) get an extensive analysis tool that allows them to defeat evasions within minutes. Our newly introduced VBA instrumentation engine is a perfect example. When dealing with a new macro-based Office evasion, an analyst can easily identify it via the dynamic data visible in the "Meta information" column of the VBA report. Next they can detect the evasion by writing a behavior signature, and finally bypass it by adding a new Pre or Post hook.

VBA Instrumentation is available in Joe Sandbox 17.

Sample analysis with VBA instrumentation turned on:
http://joesecurity.org/reports/report-58258b89e076c4d378436f3b03682402_2.html#vba-code
http://joesecurity.org/reports/report-43b8cc7dc3ff1987354e974d77216b1b_2.html#vba-code
http://joesecurity.org/reports/report-2e374756930bee59c371d98ff88572a8.html#vba-code