Analysis of MaliciousMacroMSBuild & Cobalt Strike Stager

On October 4, 2020 I came across an interesting malware sample.  The payload is a Cobalt Strike Beacon stager, and the initial loader was built using MaliciousMacroMSBuild Generator, or M3G.

Here's a look at the first stage code, which is a VBA macro intended for insertion into an Office document:

The first two functions are fairly straightforward.  

1. sBinToStr takes a binary typed object and converts it to a string object

2. decodeBase64 takes a base64 encoded string, decoded it to binary, and uses sBinToStr to convert it to text

 

 

The last seven functions (in order of appearance in the file) are also mostly straightforward, with only some simple replacement obfuscation used to hide potentially problematic static strings:

1. The first three functions are VBA triggers to attempt to launch the macro when the containing Office document is opened or when macros are enabled.

2. StrRev takes a string as an argument and reverses the order of the characters in the string.

3. FileExists takes a string argument, checks to see if a file & path matching the content of that string exists, and returns a Boolean true or false.

4. WhereIs takes no argument, and uses FileExists to look for path locations for preferred versions of the .NET Framework, and returns the first matched path.

5. Delay takes a string as an argument and running loop until the current time matches the argument passed. 

This function is where the fun begins:

The function hdJQbniHq takes no arguments. It builds a base64 encoded string using multiple rounds of concatenation & string reversing.  It opens a new file object at %USERPROFILE%\Downloads\WikiUpdate.csproj, then decodes the large string containing the payload with the decodeBase64 function, and writes the output to a file. It then calls the Delay function for a random number of seconds.  Next it creates a new COM server application with the CLSID "{9BA05972-F6A8-11CF-A442-00A0C90A8F39}" which is then used to call Document.Application.ShellExecute and run msbuild.exe to execute the contents of WikiUpdate.csproj with the .NET Framework location found by WhereIs as an argument.

 

OK, now that we understand how the macro loader works, let's see what's in the WikiUpdate.csproj payload:

What we can see here is the default M3G shellcode template Visual Studio project file.  When run with msbuild.exe, it will launch C:\Windows\System32\searchprotocolhost.exe and inject the shellcode into the new running processes. 

 The base64 string can be decoded and visually inspected:

 

An IP address, User-Agent string, and URI path can all be plainly seen. Those familiar with shellcode stagers will immediately recognize this as an x64 Cobalt Strike stager.

Loading the shellcode into a debugger, we can see the Windows function calls in order:

Confirmed, Cobalt Strike HTTP stager which pulls down and executes the payload at http://10.10.10.20:8004/x4Bo.