From Targeted Attack to Untargeted Attack

Pierluigi Paganini June 17, 2019

Today I’d like to share an interesting and heavily obfuscated Malware which made me thinking about the meaning of ‘Targeted Attack’.

Nowadays a Targeted Attack is mostly used to address state assets or business areas. For example a targeted attack might address Naval industry (MartyMcFly example is definitely a great example) or USA companies (Botnet Against USA, Canada and Italy is another great example) and are mainly built focusing specific target sectors. When I looked into at the following sample (which is a clear stereotype of an increasing trend of similar threats) I noticed a paradigm shift from: “What to target” to “what to untarget”. In other words it looks like the attacker does’t have a clear vision about his desired victims but contrary he has real clear intentions to what kind of victims must be avoided. But let’s start from the beginning.

Looking for a public sample submitted to Yomi (Yoroi’s public SandBox system) it caught my eyes the following one (sha256: c63cfa16544ca6998a1a5591fee9ad4d9b49d127e3df51bd0ceff328aa0e963a)

Public Submitted Sample on Yomi

The file looks like a common XLS file within low Antivirus detection rate as shown in the following image (6/63).

Antivirus Detection Rate

By taking a closer look to the Office file it’s easy to spot “Auto Open” procedures in VBA. The initial script is obfuscated through integer conversion and variable concatenation. A simple break-point and a message box to externalize the real payload would be enough to expose the second stage, which happens to be written in powershell.

Deobfuscated Stage1 to Obfuscate Stage2

The second stage is obfuscated through function array enumeration and integer conversion as well. It took some minutes to understand how to move from the obfuscated version to a plain text readable format as shown in the next picture.

Stage2 Obfuscated
Stage2 DeObfuscated

Here comes the interesting side of the entire attack chain (at least in my persona point of view). As you might appreciate from the deo-bfuscated Stage2 code (previous image) two main objects are downloaded and run from external sources. The ‘*quit?’ object downloads a Windows PE (Stage3_a) and runs it, while the ‘need=js’ object returns an additional obfuscated javascript stage, let’s call it Stage3_b. We’ll take care about those stages later on, for now let’s focus on the initial conditional branch which discriminates the real behavior versus the fake behavior; in other words it decides if run or stop the execution of the real behavior. While the second side of the conditional branch is quite a normal behavior match "VirtualBox|VMware|KVM",which tries to avoid the execution on virtual environments (trying to avoid detection and analysis), the first side is quite interesting. (GET-UICulture).Name -match "RO|CN|UA|BY|RU" tries to locate the victim machine and decides to attack everybody but not Romania, Ukraine, China, Russia and Belarus. So we are facing an one’s complement to targeted attack. I’d like to call it “untargeted” attack, which is not an opportunistic attack. Many questions come in my mind, for example why do not attack those countries ? Maybe does the attacker fear those countries or does the attacker belong to that area ? Probably we’ll never get answers to such a questions but we might appreciate this intriguing attack behavior. (BTW, I’m aware this is not the first sample with this characteristic but I do know that it’s a increasing trend). But let’s move on the analysis.

Stage3_a

Stge3_b is clearly the last infection stage. It looks like a romantic Emotet according to many Antivirus so I wont invest timing into this well-known Malware.

Stage3_b

This stage looks like a quite big and obfuscated Javascript code. The obfuscation implements three main techniques:

  • Encoded strings. The strings have been encoded in different ways, from “to Integer” to “Hexadecimal”.
  • String concatenation and and dynamic evaluation. Using eval to dynamically extract values which would be used to decode more strings
  • String Substitutions. Through find and replace functions and using loop to extract sub-strings the attacker hides the clear text inside charset noise

After some “hand work” finally Stage3_b deobfuscated came out. The following image shows the deobfuscation versus obfuscation section. We are still facing one more obfuscated stage, lets call it Stage4_b which happens to be, again, an obfuscated powershell script… how about that !?

Stage3_b Obfuscated
Stage3_b Deobfuscated (obfuscated Stage4_b)


Stage4_b uses the same obfuscation techniques seen in Stage2, so let’s use the same deobfusction technique, so let’s do it ! Hummm, but .. wait a minute… we already know that, it’s the deobfuscated Stage2! So we have two command and control servers serving the final launching script and getting persistence on the victim.

Deobfuscated Stage4_b

Conclusion

Even if the Sample is quite interesting per-se – since getting a low AV detection rate – it is not my actual point today. What is interesting is the introduction of another “targeting” state. We were accustomed to see targeted attacks, by meaning of attacks targeting specific industries or specific sectors or specific states, and opportunistic attacks, by meaning of attacks spread all over the world without specific targets. Today we might introduce one more “attack type” the untargeted attack, by meaning of attacking everybody but not specific assets, industries or states (like in this analyzed case)

Further technical details, including IoCs and Yara rules are reported in the original post published on the Marco Ramilli’s blog:

https://marcoramilli.com/2019/06/17/from-targeted-attack-to-untargeted-attack/

About the author Marco Ramilli

I am a computer security scientist with an intensive hacking background. I do have a MD in computer engineering and a PhD on computer security from University of Bologna. During my PhD program I worked for US Government (@ National Institute of Standards and Technology, Security Division) where I did intensive researches in Malware evasion techniques and penetration testing of electronic voting systems.

I do have experience on security testing since I have been performing penetration testing on several US electronic voting systems. I’ve also been encharged of testing uVote voting system from the Italian Minister of homeland security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cybersecurity experiences by diving into SCADA security issues with some of the biggest industrial aglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence center I’ve ever experienced! Now I technically lead Yoroi defending our customers strongly believing in: Defence Belongs To Humans

[adrotate banner=”9″][adrotate banner=”12″]

Edited by Pierluigi Paganini

(Security Affairs – targeted attack, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]





you might also like

leave a comment