Monday, 3 September 2018

MHTML Macro Based Documents Targeting Colombian Users

I have recently observed a lot of macro based Documents using the MHTML format targeting users located in Colombia. There are certain interesting aspects of this campaign which make it stand out from the common spam campaigns.

Documents sent inside Password Protected RAR Archives

The malware delivery method involves sending a malicious macro based Document inside a password protected RAR archive as an email attachment. The content of the email is written in Spanish language and the password is mentioned inside the email body.

As an example:

MD5 hash of the Archive file: 592c9b2947ca31916167386edd0a4936
Password for the RAR archive: censonacionaldepoblacion2018307421e68dd993c4a8bb9e3d5e6c066946ro
MD5 hash of the Macro based Document inside the Archive file: 4bbfc852774dd0a13ebe6541413160bb
Filename of the Document: listado de funcionarios autorizados para censo nacional 2018.doc

Figure 1 shows a screenshot of the email which was sent to the user:

 Figure 1

You will notice something interesting about the length of the password in the above email. It's a very long password with a length of 64 characters.

Based on other emails related to this campaign, this seems to be a pattern.

Figure 2 shows the Document:

Figure 2

Figure 3 shows that the Document uses an MHTML format

Figure 3

Why would the attackers use a very long password?

One of the reasons for using a very long password is because some open source password cracking tools like John the Ripper do not support password length greater than 32 characters for RAR5 archive file formats. This would prevent the use of password cracking tools to access the content inside the RAR files used in the campaign.

Analysis of the Macro based Document

The Document uses MHTML format and all the Document files used in this campaign used the same format. olevba supports extraction of macro from documents which use this format. However, some other Macro extraction softwares such as OfficeMalScanner do not support extraction of macros from Documents which use this format.

The macro itself performs the following 2 main functions:

1. Downloads a Malicious binary from the URL: hxxp://, drops it in the path: %appdata%\p.exe

2. It then uses Schedule.Service object to create a new Scheduled Task on the system with the following details:

Name of the Scheduled Task: GoogleUpdate
Description of the Scheduled Task: Esta tarea detiene el Agente de telemetría de Google, que examina y carga la información sobre el uso y los errores de las soluciones de Google cuando un usuario inicia sesión en el sistema.
Program to Run: This scheduled task is configured using the action, TASK_ACTION_EXEC to execute the binary dropped in step 1 in the path: %appdata%\p.exe

Figure 4 shows the relevant macro code which creates the Scheduled Task:

Figure 4

The binary downloaded is a .NET binary.

MD5 hash of the binary: 584b0648ac3d22f8c8d1fa6d8ab26dce

I will share more details about the Binary in another post.