geumland
Published in insomniacs
4 min read · Jun 24, 2019


On 27 March 2019, we noticed a Twitter post by ClearSky Cyber Security about a sample named “Timelines-ECRL.docx” (MD5: 01b5276fdfda2043980cbce19117aaa0), whose name likely refers to the Malaysian “East Coast Rail Link” project.

The post reported that the document uses template injection to load a macro from 167.99.72[.]82; the macro then drops an unknown DLL backdoor (MD5: 4c47ca6ecf0cfe312eb276022a0c381) that is executed by MsMpEng.exe via DLL side-loading. The malware would then beacon to its C2 located at 195.12.50[.]168.

This interested me, as I had never come across this method of executing macros; the only one I knew was the usual embedding of macros within the document itself. When I managed to obtain the malicious document posted by ClearSky Cyber Security, I decided to take a look to understand how it works.

When the document is opened, it shows the following:

To analyse the document further, I decompressed it, which let me see its directory structure.

Looking through the directory structure of the document, I found that the file “settings.xml.rels” sets the document to use an attached template that is to be retrieved from http://167.99.72[.]82/main[.]dotm.

Templates, in Microsoft Word, are pre-designed documents that an author can create and use as a pattern for other documents. These templates can contain macros that help establish that pattern. Microsoft also allows a document to fetch its template from an online location.

These features are convenient for ordinary users who want to share and grab templates online, but they can pose a security risk, as seen in this case. Instead of embedding the macro within the document, the malicious macro resides in the template file that is hosted online. This not only lets the document bypass security scanning, it also escapes the notice of a suspicious user, because the macro cannot be found in the document itself.

Having said that, there are telltale signs that users can look out for. For example, when opening this type of document, they will notice that Microsoft Word is slow to open, because it is connecting to the internet to download something. They may also see, in the launch window, that Microsoft Word is contacting some server.

With this, we understand how this template injection works.

Looking further within the directory structure, I observed two embedded objects, oleObject1.bin and oleObject2.bin. Examining the hex values of these files showed that they are PE objects.

The PE extracted from oleObject1.bin corresponds to the unknown backdoor DLL that is reportedly dropped when the macro is loaded, while the other is “MsMpEng.exe”, which side-loads the DLL and calls its export function “ServiceCrtMain”, where the malicious code resides.
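As an added example (not the post's own code), the following Python script performs the two checks described above on a DOCX: it reads settings.xml.rels for an external attachedTemplate relationship, and it scans the embedded oleObjectN.bin members for a PE image. It builds a constructed sample document in memory with a placeholder URL so that it runs offline; the relationship type string and the TargetMode="External" attribute are the OOXML conventions assumed here.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Added example, not the post's code. Assumes a DOCX is a ZIP and the template link sits in word/_rels/settings.xml.rels.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def find_remote_templates(docx_bytes):
    """Return external attachedTemplate targets from any settings.xml.rels."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.endswith("settings.xml.rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if (rel.get("Type") == REL_TYPE + "attachedTemplate"
                            and rel.get("TargetMode") == "External"):
                        hits.append(rel.get("Target"))
    return hits

def find_embedded_pe(docx_bytes):
    """Return embedded oleObjectN.bin members that carry a PE image."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if re.search(r"oleObject\d+\.bin$", name):
                data = z.read(name)
                # The PE is wrapped in an OLE container, so the DOS stub and PE signature are not at offset 0.
                if b"MZ" in data and b"PE\x00\x00" in data:
                    hits.append(name)
    return hits

def build_sample_docx():
    """Constructed sample: one external template link, one OLE-wrapped PE (placeholder URL)."""
    rels = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{REL_TYPE}attachedTemplate" '
            'Target="http://example.invalid/main.dotm" TargetMode="External"/>'
            '</Relationships>')
    ole_hdr = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24  # OLE compound-file magic plus padding
    fake_pe = ole_hdr + b"MZ" + b"\x00" * 62 + b"PE\x00\x00"  # minimal DOS stub and PE signature
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/settings.xml.rels", rels)
        z.writestr("word/embeddings/oleObject1.bin", fake_pe)
        z.writestr("word/embeddings/oleObject2.bin", ole_hdr)  # OLE object with no PE inside
    return buf.getvalue()
```

Running both functions over a real sample prints the remote template URL and the names of OLE members worth carving, which is exactly what the manual inspection above surfaced.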

Even though the URL used to download the template was no longer available by the time I looked at it, I found its macro posted on Cs0sf pastebin (https://paste.bin/b3FeMbx6). Below is a snippet containing the main bulk of the macro.

Notice that the IP found in the macro corresponds to the IP from which the macro is downloaded. However, the first octet of the IP found here is “1167”, which is invalid, instead of “167”. It is unclear whether the author of the macro did this deliberately or whether the user who posted this macro on pastebin changed it to deactivate the URL so that others would not infect their machines accidentally. One thing is sure: this is unlikely to be a typo, because the strings at the end of the URLs are different, and even if they were copy-pasted, some amendment would have been involved and the error should have been picked up.

From the snippet above, it is further understood that two files would be dropped and later executed: an EXE and a DLL. These are the two PEs found embedded in the document, as mentioned earlier.

This is the end of my first post. Since I prefer to keep my first post short and easy to digest, I will not continue with the details of the two PEs.
