Tuesday, October 6, 2020

Analysis of MaliciousMacroMSBuild & Cobalt Strike Stager

On October 4, 2020 I came across an interesting malware sample.  The payload is a Cobalt Strike Beacon stager, and the initial loader was built using MaliciousMacroMSBuild Generator, or M3G.

Here's a look at the first stage code, which is a VBA macro intended for insertion into an Office document:

The first two functions are fairly straightforward.  

1. sBinToStr takes a binary typed object and converts it to a string object

2. decodeBase64 takes a base64 encoded string, decodes it to binary, and uses sBinToStr to convert it to text

The last seven functions (in order of appearance in the file) are also mostly straightforward, with only some simple replacement obfuscation used to hide potentially problematic static strings:

1. The first three functions are VBA triggers to attempt to launch the macro when the containing Office document is opened or when macros are enabled.

2. StrRev takes a string as an argument and reverses the order of the characters in the string.

3. FileExists takes a string argument, checks to see if a file & path matching the content of that string exists, and returns a Boolean true or false.

4. WhereIs takes no argument, and uses FileExists to look for path locations for preferred versions of the .NET Framework, and returns the first matched path.

5. Delay takes a string as an argument and runs a loop until the current time matches the argument passed.


This function is where the fun begins:

The function hdJQbniHq takes no arguments. It builds a base64 encoded string using multiple rounds of concatenation & string reversing.  It opens a new file object at %USERPROFILE%\Downloads\WikiUpdate.csproj, then decodes the large string containing the payload with the decodeBase64 function, and writes the output to that file. It then calls the Delay function to wait a random number of seconds.  Next it creates a new COM server application with the CLSID "{9BA05972-F6A8-11CF-A442-00A0C90A8F39}", which is then used to call Document.Application.ShellExecute and run msbuild.exe to execute the contents of WikiUpdate.csproj with the .NET Framework location found by WhereIs as an argument.


OK, now that we understand how the macro loader works, let's see what's in the WikiUpdate.csproj payload:

What we can see here is the default M3G shellcode template Visual Studio project file.  When run with msbuild.exe, it will launch C:\Windows\System32\searchprotocolhost.exe and inject the shellcode into the newly created process.
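Detection logic for the two process-creation events this chain produces (msbuild.exe building a project dropped under a user directory, then msbuild.exe starting searchprotocolhost.exe), as an added example that is not the author's tooling. It assumes Sysmon-style Event ID 1 records in a constructed key=value|key=value line format; the user-directory list is an assumption about where a legitimate .csproj rarely lives, and the sample log is constructed.

```python
import ntpath

# Added example, not the author's tooling. It reads Sysmon-style process-creation events in a
# constructed key=value|key=value line format (field names follow Sysmon Event ID 1); the
# user-writable directory list is an assumption about where a legitimate .csproj rarely lives.
USER_DIRS = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\public\\", "\\desktop\\")
PROJECT_EXTS = (".csproj", ".proj", ".xml")

def parse_event(line):
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)

def check_event(ev):
    """Return the names of the rules that fire for one process-creation event."""
    image = ntpath.basename(ev.get("Image", "")).lower()
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    cmd = ev.get("CommandLine", "").lower()
    hits = []
    if image == "msbuild.exe":
        # The macro starts msbuild through the ShellWindows COM object (the CLSID in the post), so
        # the parent is typically explorer.exe, not WINWORD.EXE: key on the project path instead.
        if any(e in cmd for e in PROJECT_EXTS) and any(d in cmd for d in USER_DIRS):
            hits.append("msbuild_project_in_user_dir")
    if parent == "msbuild.exe" and image == "searchprotocolhost.exe":
        # A build has no reason to start the Windows Search host; the M3G template does it to inject.
        hits.append("msbuild_spawned_searchprotocolhost")
    return hits

def scan(lines):
    """Run the rules over log lines and return (rule, image) pairs in log order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "1":
            alerts.extend((rule, ev["Image"]) for rule in check_event(ev))
    return alerts

# Constructed sample log: the loader's chain (events 1-2) next to a normal build and the indexer.
MSBUILD = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"
SPH = "C:\\Windows\\System32\\SearchProtocolHost.exe"
SAMPLE_LOG = [
    f"EventID=1|Image={MSBUILD}|ParentImage=C:\\Windows\\explorer.exe"
    f"|CommandLine={MSBUILD} C:\\Users\\alice\\Downloads\\WikiUpdate.csproj",
    f"EventID=1|Image={SPH}|ParentImage={MSBUILD}|CommandLine={SPH}",
    f"EventID=1|Image={MSBUILD}|ParentImage=C:\\Program Files\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe"
    f"|CommandLine={MSBUILD} C:\\Users\\bob\\source\\repos\\App\\App.csproj /t:Build",
    f"EventID=1|Image={SPH}|ParentImage=C:\\Windows\\System32\\SearchIndexer.exe|CommandLine={SPH}",
]
```

Only the first two sample events fire; the developer build and the indexer-started search host are left alone.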

The base64 string can be decoded and visually inspected:



An IP address, User-Agent string, and URI path can all be plainly seen. Those familiar with shellcode stagers will immediately recognize this as an x64 Cobalt Strike stager.
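The two analysis steps above (rebuilding the reversed-and-concatenated base64 string the macro assembles, then decoding it and looking for the stager's IP, User-Agent and URI) can be done statically in a few lines, as an added example that is not the post's or M3G's code. It assumes the macro builds the string only from literals, StrReverse(...) and &; the sample payload bytes and the expression built from them are constructed, carrying the values quoted in the post.

```python
import base64
import re

# Added example, not code from M3G or from the blog post. It assumes the macro assembles the
# payload string only from string literals, StrReverse(...) calls and the & operator (the
# pattern the analysis describes); anything else is left unreduced and reported as an error.
_LIT = r'"((?:[^"]|"")*)"'                      # VBA literal; "" is an escaped quote
_RULES = [
    # StrReverse("lit") -> reversed literal ("" pairs survive reversal unchanged)
    (re.compile(r"StrReverse\s*\(\s*" + _LIT + r"\s*\)", re.I), lambda m: f'"{m.group(1)[::-1]}"'),
    # "a" & "b" -> "ab"
    (re.compile(_LIT + r"\s*&\s*" + _LIT), lambda m: f'"{m.group(1)}{m.group(2)}"'),
]

def evaluate(expr):
    """Reduce a StrReverse/& expression to the string VBA would compute, without running it."""
    expr = re.sub(r"\s_\r?\n", " ", expr).strip()  # join VBA line continuations
    changed = True
    while changed:
        changed = False
        for pattern, repl in _RULES:
            expr, n = pattern.subn(repl, expr)
            changed = changed or n > 0
    m = re.fullmatch(_LIT, expr)
    if m is None:
        raise ValueError(f"unsupported VBA left after reduction: {expr[:60]!r}")
    return m.group(1).replace('""', '"')

def recover_payload(expr):
    """Rebuild the base64 text the macro writes to WikiUpdate.csproj and decode it in memory."""
    return base64.b64decode(evaluate(expr), validate=True)

def printable_strings(blob, min_len=5):
    """Runs of printable ASCII: the quick look that shows the stager's IP, User-Agent and URI."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

# Constructed sample input: stand-in bytes carrying the values quoted in the post, base64'd,
# cut into chunks and alternately reversed the way the analysis says the macro builds them.
SAMPLE_PAYLOAD = (b"\x00\x01\x02\x03/x4Bo\x00\x04\x05User-Agent: Mozilla/5.0 (compatible; MSIE 9.0)"
                  b"\x06\x0710.10.10.20\x00\x08")

def _constructed_expr(blob, chunk=12):
    b64 = base64.b64encode(blob).decode()
    pieces = [b64[i:i + chunk] for i in range(0, len(b64), chunk)]
    return " & ".join(f'"{p}"' if n % 2 else f'StrReverse("{p[::-1]}")'
                      for n, p in enumerate(pieces))

SAMPLE_EXPR = _constructed_expr(SAMPLE_PAYLOAD)
```

printable_strings(recover_payload(SAMPLE_EXPR)) returns the URI path, User-Agent and IP in that order; the same helper works on the inner base64 blob inside the .csproj.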

Loading the shellcode into a debugger, we can see the Windows function calls in order:

Confirmed: a Cobalt Strike HTTP stager that pulls down and executes the payload at http://10.10.10.20:8004/x4Bo


Friday, October 18, 2019

BSides Augusta 2019

My PowerShell hunting presentation from BSides Augusta 2019.

BSides Augusta 2018

This is the presentation I gave at BSides Augusta 2018 on the @ScumBots project. The GitHub repo for this project is located at https://github.com/pmelson/narc/.

Friday, July 27, 2018

BSides Augusta 2017

This is my talk from BSides Augusta 2017. I can't say enough good things about the caliber of speakers and the concentration of defender / Blue Team talks at their event. It has become one of my favorite cons.


Wednesday, February 8, 2017

BSides Augusta 2016

Last fall, as promised, I made a return trip to BSides Augusta to talk about malware analysis, the Viper Framework, and threat intelligence.

Here's the talk:

Also like last year, I released more code for using Viper and VirusTotal as shown in the presentation.

Saturday, September 19, 2015

BSides Augusta Talk

Earlier this month I had the privilege of speaking at BSides Augusta.  I gave a lightning talk on working with the Viper Framework for static analysis.

Here's the talk:

I also released the module and API scripts I wrote for the talk.

I cannot say enough about the talent and quality technical content in the BSides Augusta talks.  This is easily a "Top 5" defensive security event.  I seriously have no idea how I managed to sneak into this speaker lineup.  Definitely going back next year.


Tuesday, August 20, 2013

BSides Detroit Presentation

In June I gave a presentation at BSides Detroit entitled, "Broke, Not Broken: An Effective Information Security Program With a $0 Budget."  Here's the video:


I have teased the BSides Detroit organizers that they ought to rename their conference to ASides Detroit because, unlike other BSides events, it doesn't coincide with another security conference, and also because it has the best content and activities of any security conference in Detroit.  If you're in Michigan or the Great Lakes region at all, I recommend making plans to attend next year.  I'll be there.

Also, here are some other upcoming security-related events taking place in Michigan: