Tuesday, March 5, 2019

Malicious Documents: The Evolution of country-aware VBA Macros

Today's malware is often delivered via e-mail attachments. Such documents usually contain a VBA macro or utilize the Office Equation Editor exploit (CVE-2017-11882 or CVE-2018-0802). If it is a VBA macro, it most likely executes an encrypted PowerShell command.

Lately, we have seen an increase in evasive VBA macros in Excel sheets. We have monitored new samples from the same group over a period of four months and analyzed how the macros changed over time.

This blog post will outline some of our findings.

Initial Sample

Let us have a look at an early version from December 2018, MD5: 2c2545df2bbcd506bd09641ec97ca5ae. The sheet obviously targets Japanese users:

The macro code is triggered once the workbook is opened:

The evasion check is directly performed in the Workbook_Open function:

Application.International(xlCountrySetting) returns the Country/Region version of Microsoft Excel. Here is an incomplete list of version numbers:

' Application.International(xlCountryCode) =
'Arabic                966       (Saudi Arabia)
'Czech                 42        (Czech Republic)
'Danish                45        (Denmark)
'Dutch                 31        (The Netherlands)
'English               1         (The United States of America)
'Farsi                 98        (Iran)
'Finnish               358       (Finland)
'French                33        (France)
'German                49        (Germany)
'Greek                 30        (Greece)
'Hebrew                972       (Israel)
'Hungarian             36        (Hungary)
'Indian                91        (India)
'Italian               39        (Italy)
'Japanese              81        (Japan)
'Korean                82        (Korea)
'Norwegian             47        (Norway)
'Polish                48        (Poland)
'Portuguese (Brazil)   55        (Brazil)
'Portuguese            351       (Portugal)
'Russian               7         (Russian Federation)
'Simplified Chinese    86        (People's Republic of China)
'Spanish               34        (Spain)
'Swedish               46        (Sweden)
'Thai                  66        (Thailand)
'Traditional Chinese   886       (Taiwan)
'Turkish               90        (Turkey)
'Urdu                  92        (Pakistan)
'Vietnamese            84        (Vietnam)

81 stands for Japan. This small check ensures that only Japanese computers are affected. In addition, it prevents sandboxes and dynamic malware analysis systems from analyzing the payload, since such systems usually run on computers with US or Western European locale settings.

Version 2.0

A month later we detected a new variant MD5: d71eaf0ad33a749b8fe3fb8dff56a474. This time the check was split into functions:

The country code is used by the functions kille and congamerat. Simply changing digitt would no longer be enough:

Version 3.0

A couple of days later we found a new variant MD5: 894f2f2b7489052f9fe258f0ea70be6d. This time the Boolean check had been made more complicated:

The check now includes an arithmetic calculation and uses built-in Excel constants such as xlTickLabelPositionHigh. The expression that queries the country code is split into two statements:

While most of the sheets we found target Japanese users, we also found some that target Italian users (MD5 d0c862c57819f417b852cb1cd308ffa2 and d0c862c57819f417b852cb1cd308ffa2):

Version 4.0

Some days ago we found another variant, MD5: aacb83294ca96f6713da83363ffd9804. There are multiple changes. First of all, Workbook_Open is no longer used; instead, the macro runs from Frame1_Layout:

Frame1_Layout is triggered whenever Excel redraws the workbook. The country code check itself has not changed; it still uses arithmetic and built-in constants:

What is more interesting is the second country check: the function tuff creates a currency format string. E.g. for US dollars it produces $0.00; for Japan, it would produce 0¥.

The length of the currency format string is then used to decrypt and deobfuscate the command line string passed to Shell:

Fighting country-aware Malware

As this blog post demonstrates, attackers constantly improve their code base to make detection more difficult.

Joe Sandbox has an array of different technologies to fight country-aware samples. Generic VBA Instrumentation and Cookbooks are just two of them. Below is the full analysis of the latest version:

Application.International(xlCountrySetting) and Format(0, "currency") are not the only ways to build country-aware malware. Just recently we found a sample, MD5 6a9eda3eb0bfc222ab46725829faaec7, which uses GetLocaleInfo:
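To spot these locale checks during triage, here is an added Python example (not part of the original post and not Joe Sandbox code) that scans extracted macro source (e.g. olevba output) for the three locale queries discussed above, resolves literal country codes with a subset of the table above, and flags arithmetic on built-in xl* constants that hides the literal. The VBA sample is constructed to mimic the described stages, and the regexes are my own heuristics.

```python
import re

# Subset of the Excel country/region codes from the table above.
# Code 1 (US) also matches many unrelated literals, so treat it as weak evidence.
COUNTRY_CODES = {1: "United States", 7: "Russia", 33: "France", 34: "Spain", 39: "Italy",
                 49: "Germany", 81: "Japan", 82: "Korea", 86: "China", 886: "Taiwan"}
# The three locale-query techniques described in the post, plus the entry points it names.
INDICATORS = {
    "excel_country_code": re.compile(r"\.International\s*\(|\bxlCountry(?:Code|Setting)\b", re.I),
    "currency_format": re.compile(r'\bFormat\s*\([^)]*"currency"', re.I),
    "win32_locale_api": re.compile(r"\bGetLocaleInfo[AW]?\b", re.I),
    "auto_trigger": re.compile(r"\b(?:Workbook_Open|Auto_Open|\w+_Layout)\b", re.I),
}
COMPARE = re.compile(r"(?:<>|<=|>=|=|<|>)\s*(\d+)\b|\b(\d+)\s*(?:<>|<=|>=|=|<|>)")
XL_CONST = re.compile(r"\bxl(?!Country)[A-Z]\w*")  # built-in constants other than the country ones

def scan_vba(source: str) -> dict:
    """Heuristically report locale checks in VBA source text, with line numbers."""
    hits = {name: [] for name in INDICATORS}
    countries, obfuscated = set(), []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.split("'", 1)[0]  # strip comments (naive: ignores quotes inside strings)
        for name, pat in INDICATORS.items():
            if pat.search(code):
                hits[name].append(lineno)
        # Numeric literals in comparisons or assignments that match a known country code
        for m in COMPARE.finditer(code):
            n = int(m.group(1) or m.group(2))
            if n in COUNTRY_CODES:
                countries.add(COUNTRY_CODES[n])
        # Arithmetic on built-in xl* constants hides the literal (version 3/4 style)
        if XL_CONST.search(code) and re.search(r"[-+*/^]", code):
            obfuscated.append(lineno)
    found = {k: v for k, v in hits.items() if v}
    return {"indicators": found, "countries": sorted(countries), "obfuscated_lines": obfuscated,
            "country_aware": any(k != "auto_trigger" for k in found)}

# Constructed macro mimicking the stages described above (not the analysed samples).
SAMPLE = '''\
Private Sub Frame1_Layout()
    digitt = Application.International(xlCountryCode)
    If digitt * 2 + xlTickLabelPositionHigh = 162 + xlTickLabelPositionHigh Then Call congamerat
End Sub
Function kille() As Boolean
    kille = (Application.International(xlCountryCode) = 81)   ' Japan
End Function
Function tuff() As Integer
    tuff = Len(Format(0, "currency"))
End Function
Private Declare PtrSafe Function GetLocaleInfo Lib "kernel32" Alias "GetLocaleInfoA" (ByVal Locale As Long, ByVal LCType As Long, ByVal lpLCData As String, ByVal cchData As Long) As Long
'''
```

Running scan_vba(SAMPLE) reports Japan as the targeted country, the three locale queries with their line numbers, the Frame1_Layout trigger and the obfuscated comparison on line 3.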