Sunday, 17 September 2017

Possible Targeted Attack on Belarus Ministry of Defense

Attackers often use latest news relevant to an organization in order to craft the decoy content used in Targeted Attacks. One such instance was observed recently during my research. I observed an email message delivered to with a malicious Macro based Document attached to the email. This email address corresponds to Ministry of Defense (International Military of Defense Cooperation Directorate) of Belarus.

The content of the email is as displayed in Figure 1.

Figure 1: Email Contents

This Macro based Document would display a decoy to the user with the details of the Russian Military operations which are scheduled to be carried out in Belarus in September 2017. The decoy document content is as shown in Figure 2.

Figure 2: Document Contents
Technical Analysis of the Macro based Document

After extraction of macro, we can see that it will drop the following files on the file system post execution:

1. %Appdata%\Microsoft\Office\aa.doc -> The original document is copied to this location.
2. %Appdata%\Microsoft\Office\Wincred.acl -> The malicious DLL which will be dropped to this path. This DLL is encrypted and embedded inside the Original Document.
3. %Appdata%\Microsoft\Office\T.vbs - This is the VBScript which will be decoded and dropped to the file system. The VBScript is executed using cscript by the Macro.

Few seconds after the execution of the VB Script, the macro deletes both the copy of the Document (aa.doc) and the VB script from the file system.

We can see in Figure 3, the encoded VBScript embedded inside the macro as well as the different paths to which the malicious files will be dropped post execution of Macro.

Figure 3: Macro Contents

The VBScript is shown in Figure 4.

Figure 4: VBScript Contents
This VBScript performs the following main operations:

1. It will open and read the contents of the document copied to the location, %Appdata%\Microsoft\Office\aa.doc
2. It will decrypt 53248 bytes of the Document using a custom XOR Decryption routine.
3. The decrypted contents are written to the file: %Appdata%\Microsoft\Office\Wincred.acl. This corresponds to the malicious DLL.
4. It then sets the Windows Registry Key for persistence as shown in Figure 5. This allows the DLL to be loaded when the system restarts. It will use rundll32 to load the DLL and invoke the exported function, WinCred from it.

Figure 5: Windows Registry Contents
Once the DLL is loaded, we can see in the WinCred function as shown in Figure 6, that by calling PeekMessage() function, the malware inspects the Window Message value before starting the malicious activities.

Figure 6: Window Message Check
The malicious activities are performed only when the Window Messages, WM_QUERYENDSESSION or WM_ENDSESSION are received. If neither of these Window Messages are received, then the malware sleeps for 1000 milliseconds and continues inspecting the Window Messages.

Based on quick analysis of the payload, Network Traffic is as shown in Figures 7 and 8.

Figure 7: HTTP GET Request

 Figure 8: HTTP POST Request

The callback domain, was registered on 12th July 2017 as per whois info.

I will add some more details on the analysis of the DLL in a follow up blog.

1 comment:

  1. A non-technical comment: This coincides with the Zapad drill. It could be part of it in at least two ways. Either a rehearsal, or more ominously part of an effort to destabilize Lukashenka who has become too independent in the view of Russia and is seeking a rapprochement with the West. For Russia, Belarus is part of their defensive perimeter and they won't let it go easily.