Published in Picus Security

Hackers’ Favourite Scripting Languages Part 2: Offensive and Defensive Analysis of a VBA Script used by a Real Malware (Emotet)

Süleyman Özarslan, PhD

In 2019, Picus Labs analyzed 48813 malware samples to determine the tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. Picus Labs categorized each observed TTP using the MITRE ATT&CK® framework. As a result of this research, 445018 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers. The research found that Scripting was the sixth most prevalent ATT&CK technique used by adversaries in their malware.

Red and Blue Team Exercises

Red Teaming — How to simulate?

In this exercise, we explain a real VBA code that was used by Emotet malware. We analyzed this payload in our following blog posts:

This payload was included in the following Word document:

Researchers identified Emotet for the first time in 2014 as a banking malware stealing sensitive and private information. Now, adversaries are using Emotet as Infrastructure as a Service (IaaS) for delivering malware, including other banking Trojans. Emotet incorporated various obfuscation and evasion techniques to avoid detection in its payload.

If you’d like to learn more about MITRE ATT&CK, check out our LinkedIn group with all the latest! https://www.linkedin.com/groups/8955879/

Briefly, the VBA code embedded in the Word document executes an encoded PowerShell command using WMI, then the PowerShell code downloads a second payload of Emotet. Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems [23].

Let’s split and analyze the command:

  • Do While GetObject("winmgmtS:win32_Process").Create(): In the Do While loop, the Create method of WMI's Win32_Process class is used to create a new process. The first parameter of this method is the CommandLine to execute, which in this code is a PowerShell command.
  • Powershell -w hidden: There is no parameter named -w in the official PowerShell documentation [24]. In fact, PowerShell completes -w to the -WindowStyle parameter, because PowerShell accepts any unambiguous substring of a parameter name. Adversaries commonly use the -WindowStyle parameter with the Hidden value in malicious PowerShell commands to avoid detection.
  • -en: As with -w, there is no parameter named -en in the official PowerShell documentation [24]; PowerShell completes -en to the -EncodedCommand parameter. -EncodedCommand accepts a base64-encoded string version of a command, so we must base64-decode it to reveal the PowerShell command.

We’ll get the following code after base64 decoding, removing garbage variables, backtick (`) and plus (+) characters, substituting the values of variables, and beautifying the code. You can read the details of this de-obfuscation process in our blog post [25].

Briefly, this code tries to download a file from the URLs in the $list array, in the given order, via the Net.WebClient.DownloadFile method, and saves the downloaded file to the $env:userprofile directory as 937.exe.
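As an added example (not code from the original post or from Picus), the following Python triage helper does what the steps above describe from the analyst's side: it expands abbreviated powershell.exe switches the way PowerShell's substring completion does, base64-decodes the -EncodedCommand payload as UTF-16LE, and strips the backtick and '+' obfuscation before keyword matching. The parameter table, the watch list of keywords and the sample command line are assumptions; the sample is constructed and inert, not the Emotet payload.

```python
import base64
import re

# powershell.exe parameters (about_PowerShell_exe). Any unambiguous prefix is accepted, so
# "-w" means -WindowStyle and "-en" -EncodedCommand (the real parser also special-cases "-e").
POWERSHELL_PARAMS = ["Command", "ConfigurationName", "EncodedCommand", "ExecutionPolicy",
                     "File", "Help", "InputFormat", "Mta", "NoExit", "NoLogo", "NonInteractive",
                     "NoProfile", "OutputFormat", "PSConsoleFile", "Sta", "Version", "WindowStyle"]
SUSPICIOUS_TOKENS = ["Net.WebClient", "DownloadFile", "env:userprofile", "Invoke-Expression"]  # assumed watch list

def resolve_param(token):
    """Expand an abbreviated switch to its full name; None when ambiguous or unknown."""
    prefix = token.lstrip("-/").lower()
    matches = [p for p in POWERSHELL_PARAMS if p.lower().startswith(prefix)]
    return matches[0] if len(matches) == 1 else None

def deobfuscate(script):
    """Undo backtick-split keywords and 'a'+'b' string joins so keyword matching works."""
    script = script.replace("`", "")
    joiner = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    while joiner.search(script):  # repeat until no 'a'+'b' pair is left (each pass shortens the text)
        script = joiner.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
    return script

def triage_command_line(cmdline):
    """Extract window style, decoded -EncodedCommand text and indicators from a command line."""
    tokens = cmdline.split()  # assumption: no quoted arguments containing spaces
    result = {"window_style": None, "encoded": False, "decoded": None, "indicators": []}
    i = 1  # tokens[0] is the executable name
    while i < len(tokens):
        param = resolve_param(tokens[i]) if tokens[i].startswith("-") else None
        value = tokens[i + 1] if i + 1 < len(tokens) else None
        step = 1
        if param == "WindowStyle" and value is not None:
            result["window_style"], step = value.lower(), 2
        elif param == "EncodedCommand" and value is not None:
            result["encoded"], step = True, 2
            try:  # -EncodedCommand carries base64 of the script text encoded as UTF-16LE
                result["decoded"] = deobfuscate(base64.b64decode(value).decode("utf-16le"))
            except (ValueError, UnicodeDecodeError):
                result["decoded"] = None  # malformed payload: keep the flag, drop the text
        i += step
    if result["decoded"]:
        result["indicators"] = [t for t in SUSPICIOUS_TOKENS if t.lower() in result["decoded"].lower()]
    return result

# Constructed, inert sample in the shape of the analyzed command line (not Emotet's payload).
SAMPLE_SCRIPT = "$c = 'Ne'+'t.WebC'+'lient'; Write-Out`put ('Down'+'loadFile' + ' is only named here')"
SAMPLE_CMDLINE = "Powershell -w hidden -en " + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")
```

Matching keywords on the raw decoded text would miss both Net.WebClient and DownloadFile in the sample; only the de-obfuscated text exposes them.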

In conclusion, the VBA code given in this exercise incorporates the following MITRE ATT&CK techniques:

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1047 Windows Management Instrumentation
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1564.003 Hide Artifacts: Hidden Window
  • T1027 Obfuscated Files or Information

Blue Teaming — How to detect?

The following Sigma rule can be used to detect WMI DLLs loaded via VBA Macros in Word, Excel, PowerPoint and Outlook files:

References

[23] stevewhims, “Windows Management Instrumentation.” [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page. [Accessed: 11-Aug-2020]

[24] SteveL-MSFT, “about_PowerShell_exe — PowerShell.” [Online]. Available: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_exe. [Accessed: 11-Aug-2020]

[25] S. Özarslan, “Emotet Technical Analysis — Part 2 PowerShell Unveiled.” [Online]. Available: https://www.picussecurity.com/blog/emotet-technical-analysis-part-2-powershell-unveiled. [Accessed: 12-Aug-2020]

Originally published at https://www.picussecurity.com.
