Wednesday, December 18, 2019

Fighting Country Aware Microsoft Office Macro Droppers with VBA Instrumentation

Country aware malware, which is also known as location or geo-aware malware, is again on the rise. Recently, we have spotted a new campaign targeting Italian organizations. The attack vector is a spam email containing an attachment with a malicious Microsoft Office Macro inside. We covered a similar case that targeted French organizations at the beginning of this year.

In this blog post, we will look at another recent variant and showcase how Joe Sandbox is automatically bypassing the evasions.

The sample we are going to investigate (MD5: c5e1106f9654a23320132cbc61b3f29d) was submitted to Joe Sandbox Cloud Basic on December 9th 2019 (full analysis link, IOCs). The file format is a Microsoft Office Excel sheet. Interestingly, we see more Excel spreadsheets than Word or PowerPoint files using evasions. There is a high chance that using Excel documents makes it easier for attackers to bypass static detectors. The sample we are going to present targets Italian users:

File Name and Country check

The Macro it contains is triggered via Notifica_Layout:

The Object_Layout routine is less known compared to Workbook_Open or Auto_Open and therefore lowers the detection probability. Notifica_Layout performs the first evasion as a file name check. The execution will proceed only if there is the letter "I" in the file name:

Renaming potentially suspicious files is a very common practice. We often see users renaming files to their MD5 or SHA1 hash, or adding the extension .virus, .bin, .sample etc. Obviously, this is very bad practice if you want to analyze the sample in a sandbox, since it's trivial for the macro to check for such changes. Please also note that a sandbox has no way of reconstructing the original file name.

Happily, the user of this Excel sheet decided to submit the sample with the original file name. As a result, the function Formato is called:

Formato performs another evasion check by calling Finesta. Finesta returns the user interface language (msoLanguageIDUI).

Formato then compares the user interface language to 1040 which is Italian:
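The two evasion checks described so far (a test on the workbook's own file name and a comparison of msoLanguageIDUI against an LCID such as 1040) can be flagged statically once the VBA source has been extracted, for example with oletools' olevba. The following triage script is an added example, not Joe Sandbox's code; the regular expressions are assumptions about how such checks typically appear in VBA, and the VBA fixture is constructed to mirror the behaviour described above rather than being the sample's real code.

```python
"""Static triage of extracted VBA source for the two country-aware evasion
checks described above: a file-name test and a UI-language (LCID) test."""
import re

# Windows LCIDs a macro may compare against. 1040 (Italian) is the value on the
# page; the others are standard Windows locale IDs added for completeness.
KNOWN_LCIDS = {1031: "German", 1033: "English (US)", 1036: "French", 1040: "Italian"}

# Assumed patterns for how such checks commonly appear in VBA source text.
PATTERNS = {
    "ui_language": re.compile(r"LanguageSettings\.LanguageID\s*\(\s*msoLanguageIDUI\s*\)", re.I),
    "lcid_compare": re.compile(r"(=|<>)\s*(\d{4})\b"),
    "own_name": re.compile(r"(ThisWorkbook|ActiveWorkbook)\.(Name|FullName)", re.I),
    "instr": re.compile(r"\bInStr\s*\(", re.I),
    "layout_entry": re.compile(r"^\s*(Private\s+|Public\s+)?Sub\s+\w+_Layout\s*\(", re.I | re.M),
}

def triage_vba(source):
    """Return a list of human-readable findings for one VBA module."""
    findings = []
    if PATTERNS["ui_language"].search(source):
        findings.append("queries Office UI language (msoLanguageIDUI)")
        # Only report numeric comparisons when the language query is present,
        # so that unrelated four-digit constants do not produce noise.
        for m in PATTERNS["lcid_compare"].finditer(source):
            lcid = int(m.group(2))
            if lcid in KNOWN_LCIDS:
                findings.append(f"compares against LCID {lcid} ({KNOWN_LCIDS[lcid]})")
    if PATTERNS["own_name"].search(source) and PATTERNS["instr"].search(source):
        findings.append("inspects its own file name with InStr")
    if PATTERNS["layout_entry"].search(source):
        findings.append("uses a control _Layout event as the macro entry point")
    return findings

# Constructed fixture modelled on the behaviour described in the post; it is not
# the sample's real code, and the dropper stage is omitted.
SAMPLE_VBA = """
Private Sub Notifica_Layout()
    If InStr(1, ThisWorkbook.Name, "I") > 0 Then Formato
End Sub
Function Finesta() As Long
    Finesta = Application.LanguageSettings.LanguageID(msoLanguageIDUI)
End Function
Sub Formato()
    If Finesta = 1040 Then
        ' dropper stage omitted
    End If
End Sub
"""

if __name__ == "__main__":
    for finding in triage_vba(SAMPLE_VBA):
        print("-", finding)
```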

The Power of VBA Instrumentation

Now if you look at the screenshot you will see that Excel has English as the UI language:

So how was Joe Sandbox able to fake that user interface language setting? The key technology for doing this is VBA instrumentation. We introduced VBA instrumentation in 2016. If you want to learn more about this unique technology please have a look at this blog post.
VBA instrumentation enables Joe Sandbox to completely control the VBA code. It generates the nice VBA call graph as well as annotated VBA functions. For the given LanguageID function we are able to define a custom "hook" which returns a fake ID:

However, to do so, Joe Sandbox also needs to find out which country is targeted by the document. To achieve this, we developed a new technology which analyzes all strings inside a Microsoft Office document and provides a best guess on the target:

Please note that all this happens fully automated. Other sandboxes require that the user chooses the targeting country manually if such an option exists at all.

Next, an obfuscated PowerShell command is launched via WMIC:

PowerShell then extracts and launches the Ursnif Trojan:

A Sigma rule also detects Ursnif brilliantly:

Multi-Technology Platform

VBA instrumentation paired with static target discovery ("Which country or victim is targeted by a sample?") is a very powerful combination. It enables Joe Sandbox to automatically adapt the analysis system as well as the malware sample behavior to bypass any evasion.

Joe Sandbox incorporates many other analysis technologies, including simulation, emulation, hybrid analysis, hypervisor-based analysis, execution graph analysis etc. All these technologies make Joe Sandbox one of the most advanced and powerful malware analysis systems for Windows, macOS, Linux, Android and iOS.

Interested to try Joe Sandbox? Then contact us today to get a trial for Joe Sandbox Cloud Pro.