Ghosts in the Endpoint

We would like to introduce the first of our “Ghosts in the Endpoint”
series, a report prepared by FireEye Labs that documents malicious
software not being detected in the wild by traditional signature-based detections.

In this study, all the families identified are samples from
VirusTotal (VT) with zero detections, but detected as malicious by our
Multi-Vector Virtual Execution (MVX) Engine. We also added a few
samples with very low detection rates (VT <=3) but with interesting
bypass techniques.

Our goal is to share indicators that help the AV community and
others improve their detection coverage.

  • So far, only samples found in VT with the following file types
    were included in this study:
  • Win32 binaries
  • Office
    documents (including Open XML format)
  • RTF documents
  • Hangul Word Processor (HWP)[1] documents

The study includes samples submitted to VT in 2015 that were still
found undetected or with minimal detection rates as of January 2016
(see VT detection Tables in the Appendix).  


The following samples were identified in our research:

Suspected APT malware:

  1. GOODTIMES backdoor: Suspected APT; MS Office with Embedded
    Hacking Team Flash Exploit
  2. UPS backdoor: Suspected APT3
  3. VBA Macro + Metasploit Shellcode Loader: Suspected Middle
    Eastern-based APT
  4. Hancom Office HWP Exploit: Possible APT targeting of South

Malware without attribution:

  1. OccultAgent: (New) Code hidden in Excel spreadsheet
  2. Spy-Net RAT: Targeting Brazilian victims
  3. VBA Macros + PowerShell scripts: Netcat Backdoor
  4. VBA Macros + Python scripts: Metasploit Shellcode Loader
  5. Office Downloader
Detailed Sample Analysis

Malware that remains undetected by more than 56 different AV vendors
over a long period of time is worth investigating. This section
briefly describes the malware and techniques identified in the
undetected samples. A full list of indicators can be found in the IOC
section at the end.

1. 4b3858c8b35e964a5eb0e291ff69ced6 – 201507.xlsx

Type: XLSX
Description: CVE-2015-5119 (Flash exploit exposed
in the Hacking Team leak)
Attribution: Suspected APT threat
group targeting Taiwan
Current detection: 0/53
Submission: July 13, 2015
Last Submission: January 27,
Time undetected in VT: At least 6 months       

This Excel document is PKZIP compressed (following the Open XML
Format) with the structure shown in Figure 1:

Figure 1: Structure of XLSX document

When the spreadsheet is opened, a dialog prompts the victim to allow
unknown embedded content to be played, as shown in Figure 2. In this
case, social engineering is needed to convince the victim to execute
the malicious Flash object.

Figure 2: Excel document content and prompt

When the victim allows the embedded content to be played, the activeX1.xml file is read to locate the OLE
Control to be used (which corresponds to Macromedia Flash Player, as
shown in Figure 3) through the ClassID attribute to finally load the
Flash Exploit embedded in the activeX1.bin object.

Figure 3: Content of activeX1.xml file

The embedded Flash exploit corresponds to CVE-2015-5119, one of
several zero-day exploits identified following the Hacking Team leak
in July 2015.[2]

A look at the Flash Action Script (AS) reveals code similar to that
from the Hacking Team Exploit, such as the class name exp1_fla/MainTimeLine, the function name TryExpl() with the same use-after-free technique,
and even the same error message “can’t cause UaF” as shown in Figure 4.

Figure 4: Flash exploit code

The combination of the class name exp1_fla() and classes ShellMac64, ShellWin32 and ShellWin64 built into the exploit (see Figure 5)
were not observed in the original Hacking Team version of the exploit,
suggesting that the group responsible for this malicious Excel file
modified the original exploit code.

Figure 5: Flash Action Script classes from
malicious Excel file

The exploit drops a variant of the backdoor we call GOODTIMES (also
known as Linopid). The backdoor communicates to Taiwan-based IP
addresses and on ports 8080 and 443 via HTTP.

While this particular GOODTIMES sample has not been attributed to a
specific threat group, GOODTIMES has previously been used by suspected
APT actors. Based on previously identified targets and the use of
Traditional Chinese language and Taiwan-centric themes in spear
phishing messages and decoy documents, the group appears to focus on
Taiwanese targets.

Potential AV bypassing reason

1.     New delivery mechanism: The leaked CVE-2015-5119 Flash
exploit has been used by a wide range of threat groups, including
other APT groups such as APT3 and APT18[3].
Previous delivery methods entailed luring the victim to click on a
malicious link (delivered via a spear phishing message) where the
malicious Flash exploit was hosted on a web page. In this case, the
suspected APT group responsible for the GOODTIMES backdoor changed the
delivery mechanism by embedding the exploit as ActiveX object
inside the Excel Open XML Format (PKZIP compressed).

2.     In addition, while an ActiveX object would normally be
embedded inside a Compound File Binary Format[4], in this case the uncompressed Flash content
is embedded directly in the Excel file, right after the ClassID, as
shown at Figure 6.

Figure 6: Embedded Flash object

·      The above steps might be enough to avoid proper parsing of
the malicious Flash object. This is the first time we have seen a
CVE-2015-5119 sample embedded in an Excel document this way.

2. 22da029dd4e018b7c7135a03d0ba9b99

Type: Win32 binary
Description: A variant of the UPS
Attribution: suspected APT3
Current detection:
First Submission: August 6, 2015
Last Submission:
February 2, 2016
Time undetected in VT: At least 6 months

UPS is a backdoor capable of uploading and downloading files,
creating a reverse shell, reconfiguring itself to use different
command and control (CnC) servers, and acting as a proxy server. It
uses a custom binary protocol to communicate with its CnC server and
it encrypts this custom protocol using a TLS TCP connection.

While this particular UPS sample has not been attributed, UPS is
commonly used by the China-based APT3.

Potential AV bypassing reason

1.     Junk code insertion: Examining this UPS sample, we see a
significant amount of “junk code” potentially designed to mask the
malicious nature of the binary, as well as to complicate analysis or
reverse engineering efforts.

In Figure 7 we see the backdoor executing a jump to address 0x4043AB
by forcing the “jump if greater than” comparison to be true by moving
a large value (0x4A2E88E4) to the ebx register and then comparing it
with a hardcoded lower value (0x6A1E839), after which a large number
of junk instructions are skipped (red square). This strategy can be
seen through several different execution paths.

Figure 7: Decompiled UPS sample showing junk code

3. aedd5d8446cc12ddfdc426cca3ed8bf0 – S-old.xlsb

Type: XLSB
Description: VBA Macro + Metasploit Shellcode
Loader Backdoor
Attribution: Suspected Middle Eastern-based
Current detection: 1/52    
First Submission:
September 28, 2015
Last Submission: January 28, 2016
undetected in VT: At least 4 months

This particular sample, an Excel Binary Workbook file,[5] has only one generic detection on VT, so we
believe it is still worth mentioning in this report.

When the spreadsheet is opened, the victim is shown a table of
Israeli holidays and prompted to enable macros to view the full list,
as shown in Figure 8:

Figure 8: Malicious Excel file showing calendar data

When the macro is executed it creates a Windows binary in memory as
shown in Figure 9. Note the Chr(77) +
builds the MS-DOS header magic number “MZ”.

Figure 9: Macro concatenating bytes to form a
Windows binary

The binary is written to the file system with the file name NTUSER.dat{GUID}.exe as shown in Figure 10.

Figure 10: Creating the Windows binary

In this case, the GUID selected corresponds to Scriptlet.TypeLib
ActiveX object, creating the file name NTUSER.dat{FB9D87AE-8FEA-4583-98AB-2FB396EAB5FC}.exe
(md5  6aab47b18afacbfa7423f09bd1fa6d25)
that is later
executed via the ShellExecute() API with the
SW_HIDE parameter to run silently.

Finally, the executable comes with an embedded Metasploit Shellcode
loader that connects to on port TCP 13661.

While this sample has not been attributed, similar techniques (use
of XLSB files with embedded, obfuscated macros; creation of the file
name NTUSER.dat{GUID}.exe; use of the binary
to download additional malware) and the same CnC IP address have been
referenced in reporting on a suspected Middle Eastern-based APT group
known as “Rocket Kitten”, primarily targeting Middle Eastern and
European organizations.

Potential AV bypassing reason

1.     The byte concatenation inside the VBA Macro, used to build a
Win32 binary at runtime, helps to bypass signature-based detection.

4. 4e51143b01e99afc3bd908794d81d3cb

Type: HWP
Description: Hancom Office HWP Exploit
Attribution: None
Current detection: 3/53    
Submission: July 31, 2015
Last Submission: February 2,
Time undetected in VT: At least 6 months with 3 generic detections

This sample, a Hangul Word Processor (HWP) document, has only three
generic detections on VT, so we found it to be worth analyzing for
this report.

When opened, the HWP document displays Korean text and some
photographs, as shown in Figure 11. Behind the scenes the document
will exploit vulnerable versions of Hancom Office, dropping and
executing a malicious file.

Figure 11: Content of malicious HWP document

Internally, the document structure includes three sections, where
section 0 will trigger a Type Confusion vulnerability while parsing
the content of the paragraph located at the data record structure
HWPTAG_PARA_TEXT starting at offset 0x1C
(see uncompressed section 0 at Figure 12). The logic bug will cause
the string starting at offset 0x50 to be treated as a control
structure. This control structure contains a fake object at offset
0x56 pointing to an address (0x0e0a0e0a) filled by a heap spray that
eventually will redirect the execution flow to the shellcode.

Figure 12: Section0 malformed paragraph

A similar type confusion vulnerability has been previously
documented by Ahnlab,[6] however, the
vulnerability trigger is different.

Section 2 has an uncompressed size equal to 112MB, used to perform
the heap spray and expecting to place the shellcode at a memory
address close to 0x0e040e04. In Figure 13, the beginning of the
shellcode can be seen (uncompressed).

Figure 13: Start of shellcode

The shellcode drops a file on disk and executes it via HncBLXX.HncShellExecute->
This generates a connection to a
compromised Korean automotive website and attempts to retrieve a file
with a .JPG extension, which we suspect may be a second-stage binary.
However, the file was no longer available on the website at the time
of our analysis.

This particular sample has not been attributed to any threat group.
However, the use of malicious HWP documents is notable, as that format
is specific to a regional word processing program used heavily in
South Korea and in particular by the South Korean government. While
the use of malicious HWP files could simply indicate regional
targeting by unspecified threat actors, similar exploits have been
used in the past by suspected APT groups.

Potential AV bypassing reason

1.     Heap Spray technique change: Similar exploits used to be
created with multiple large-size sections in order to spray the heap.
This exploit fulfills the same purpose but with only one large-size section.

2.     Vulnerability triggered in a different format: A similar type
confusion vulnerability described in this section was seen implemented
in the Open XML Format (HWPX extension)[7], but
this time ported to the Compound File Binary Format  (HWP extension).

5. 497eddab53c07f4be1dc4a8c169261a5 – Barclays_Q22015_IMS_excel_tables.xlsm

Type: XLSM
Description: VBA Macro + VBScript generated from spreadsheet

Attribution: None
Current detection: 1/54    
Submission: Julio 08, 2015
Last Submission: January 27,
Time undetected in VT: At least 7 months

This sample, an Excel macro-enabled file, has only one generic
detection. The embedded macro creates an encoded Visual Basic (VBE)
file that connects to a CnC site and allows remote control of the
victim’s computer. As we had not previously observed this backdoor, we
named it OccultAgent.

When the XLSM file is opened, the user is prompted to enable macros,
as shown in Figure 14. The instructions are displayed in both English
and Greek:

Figure 14: Prompt to enable macros

The macro drops an encoded VBScript file named ocagent.vbe (69df0c3bab5e681c2e5eb5951a64776e),
obtained from the data in a spreadsheet cell (see Figure 15), to
C:\octemp001\ and executes it. The script connects to
hxxp://0x5E469BFD, which is equivalent to hxxp://, via
the victim’s web browser.

Figure 15: Obfuscated script embedded in
spreadsheet cell

The first stage Macro source code can be seen in Figure 16.

Figure 16: Embedded VBA macro

The dropped ocagent.vbe VBScript is
essentially a backdoor that connects to the CnC server at to register the victim’s computer and to obtain commands
to run on the victim’s machine.

Potential AV bypassing reason

The following steps may be sufficient to bypass AV detection:

1.     Adding encoded VB script into a spreadsheet cell allows
attackers to hide the malicious code.

2.     Representing the IP address in hexadecimal format may be
sufficient to bypass regular expressions trying to match standard
32-bit IP addresses (dotted decimal notation).

6. dc15336e7e4579c9c04c6e4e1f11d3dd – dedinho no cuzinho.rtf

Type: RTF
Description: RTF file with embedded executable
Attribution: None
Current detection: 0/54    
Submission: October 22, 2015
Last Submission: January 15,
Time undetected in VT: At least 3 months

In this attack scenario, the victim receives an RTF document that
appears to contain an embedded JPG image. The embedded file is
actually an executable that attempts to hide its file extension by
using a long sequence of underscore characters (e.g., Copy of foto.jpg<underscores>.exe (see
Figure 17).

Figure 17: RTF document with embedded file

The embedded binary (d409dc7e1ca0c86cb71e090591f16146) is packed
with RLPack[8]. It drops a second Borland
Delphi binary packed with a customized version of UPX, which will then
drop the Spy-Net RAT on the system.

Spy-Net[9] allows an attacker to interact
with the victim via a remote shell to upload/download files, interact
with the registry, run processes and services, capture images of the
desktop, and record from the webcam and microphone. It also contains
functionality to extract saved passwords and turn the victim into a
proxy server. 

A beacon to dennyhacker[.] on TCP port 81 prepended with an
ASCII representation of the length of the payload  (33) and followed
by a pipe and a new line character confirms Spy-Net activity:

00000000  33 33 7c 0a                                      33|.

The RAT commands are translated to Portuguese to adapt the attack to
Brazilian victims; some command examples are shown below (additional
commands are listed in the Appendix):

Configuracoesdoserver = Server settings
Listarjanelas = List
Finalizarconexao = End connection
Listarchaves =
List keys

Potential AV bypassing reason

1.     Packers are commonly used to obfuscate code in order to
bypass traditional signature-based detection. The use of multiple
files packed with two different packers may be sufficient to bypass detection.

7. b1f43ca11dcf9e60f230b9d6d332c479 – Book2 – Copy.xls

Type: XLSX
Description: VBA + Python Shellcode loader
Attribution: None
Current detection: 0/54    
Submission: September 20, 2015
Last Submission: January 28,
Time undetected in VT: At least 6 months

When opened, this Excel document appears to be blank but contains
the VBA macro shown in Figure 18.

Figure 18: VBA Macro with OLE Object

The macro will instantiate an OLE Object and load it via the xlVerbPrimary verb. The embedded OLE object
contains two files:

  • python27.dll (md5 7e6dd0d7cb29103df4a592e364680075) – a
    legitimate file
  • file.exe (md5
    73f16dbf535042bc40e9c663fe01c720) – a binary created with py2exe[10]

Once file.exe is executed it launches a copy of the Windows
calculator (calc.exe) as a decoy. However, behind the scenes it
performs a Metasploit reverse TCP Connect to a CnC server.

The unpacked version of file.exe is obfuscated python that can be
seen in Figure 19.

Figure 19: Python Shellcode

The following steps describe the process in greater detail:

  • File.exe spawns a copy of calc.exe.
  • Base64-decode and
    AES-decrypt embedded shellcode.
  • Via Python ctypes, the
    environment is set to run the shellcode loader in memory.
  • The shellcode loader, which has been encoded with the Metasploit
    Shikata encoder, [11] is configured to
    connect to the host on port 443.
  • The malware
    sleeps for 60 seconds and starts again.

Potential AV bypassing reason            

Multiple tricks to evade detection can be seen here:

  1. The file extension of the document is .xls. However, the file
    is actually an Open XML Format file (.xlsx). This simple trick may
    bypass extension-based parsers.
  2. The Embedded OLE object
    contains a legitimate binary (python27.dll) and a py2exe executable
    may appear to be a legitimate file.
  3. The malicious python
    script is packed using py2exe.
  4. The Embedded OLE object is
    extracted from a hidden Sheet3, so the VBA Macro may not appear
  5. The shellcode is Base64 encoded and AES

8. 95e89fd65a63e8442dcf06d4e768e8f1 – Doc1.docm

Type: DOCM
Description: VBA + PowerShell + Netcat as
Attribution: None
Current detection:
First Submission: June 19, 2015
Last Submission:
January 26, 2016
Time undetected in VT: At least 7 months

The word document comes with a simple message shown in Figure 20.

Figure 20: Message distractor

When the VBA macro is executed (see Figure 21), PowerShell code is
loaded from the document’s comments (see Figure 22):

Figure 21: Loading malicious code

Figure 22: Code embedded in the document comments

The PowerShell script will act as a backdoor to allow remote access
to the compromised machine. The script will download and execute
netcat to listen on IP and port 3724. Once a connection
is received, a PowerShell shell will be sent (via –e powershell.exe option) to the client
(PowerShell Reverse shell) as shown in Figure 23.

Figure 23: Malicious code content

It is interesting to note that attackers are moving from traditional
command prompt shells (cmd.exe) to PowerShell shells (powershell.exe),
which are actually more powerful. For example, PowerShell allows the
use of WMI (Windows Management Instrumentation), something not readily
accessible via the standard command prompt[12].

The script references a non-routable (RFC1918) IP address, so we
suspect that the script was either a proof of concept or meant to be
used during the lateral movement phase in a specific internal
environment that uses this IP space.

Potential AV bypassing reason

1.     Use of the .docm extension may evade extension-based parsers.

2.     Embedding the PowerShell script in the document’s comments
and executing it from a VB macro adds another layer of complexity.
While this is clearly a suspicious behavior, it is not properly
identified by signature-based detection.

We identified several other examples of malware using VBA Macros
with PowerShell to mainly run shellcode loaders that allow attackers
to gain remote access to victims’ machines. Another example is shown
below; it has two VT detections, but serves as an example of a very
common variant seen in the wild.

9. 8de1ebacb72f3b23a8235cc66a6b6f68 – Polnoe_raspisanie_igr.xlsm

Type: XLSM
Description: VBA Macro + PowerShell – Shellcode
Attribution: None
Current detection: 2/54    
First Submission: October 14, 2015
Last Submission: January 28,
Time undetected: 3.5 months with two generic detections

When the Excel document is opened, a message is displayed in
Russian. The user is even provided with a link to a legitimate article
describing how to enable macros (see Figure 24).

Figure 24: Excel file with legitimate link

When the VBA Macro runs, it executes a PowerShell script that
Base64-decodes and decompresses a second-stage PowerShell Script that
will be used as the shellcode loader in memory (see Figure 25).

Figure 25: PowerShell script being built on the
fly via VB script

PowerShell uses the Invoke-Expression (or
IEX) call to execute the decompressed string, similar to the eval() functionality from other programming languages.

The Shellcode in this case comes hardcoded in the second stage
PowerShell script, loaded and executed from memory with the following syntax:

Start-Sleep -Second 100000

Where $x contains the Shellcode loaded in memory that eventually
will connect to the domain spl[.]noip[.]me. Based on DNSDB query, the
domain spl[.]noip[.]me previously resolved to Russian IP

Most of the VBA Macro + PowerShell scripts we identified were
created with the
[13] and
[14] scripts, often used for penetration testing.

Potential AV bypassing reason

1.     The .xlsm extension may bypass extension-based parsers

2.     Using the VBA Macro in the first stage to build the first
PowerShell script via concatenation provides an easy way to bypass
signature-based detection

3.     The PowerShell scripts are Base64 encoded and compressed

10. cda305a6a6c6ace02597881b01a116e3 – CVE-2013-1331-doc.docx

Type: DOCX
Description: Office Downloader
Current detection: 0/55    
First Submission: January
12, 2015
Last Submission: January 16, 2016
Time undetected
in VT: The whole year and counting!

In 2013, a stack-based buffer overflow triggered while parsing PNG
images was exploited in the wild against MS Office 2003 and Office for
Mac. CVE-2013-1331 was assigned to the vulnerability.

The malicious samples did not include the PNG directly embedded in
the document; rather, the PNG file was loaded from the Internet by
using the INCLUDEPICTURE option

This new sample uses a different option from the new XML Format
called “Relationships” in order to download a resource from the
Internet, as seen at Figure 26.

Figure 26: XML content loading the PNG image remotely

The same domain was used back in 2013, but now with a different
download technique. Although the vulnerability has been patched by
Microsoft, the aforementioned technique can be used to download any
resource from the Internet.

Potential AV bypassing reason

1.     Use of the XML ‘Relationship’ instead of the original
INCLUDEPICTURE method to download resources from the Internet is a
novel technique that may not be recognized.

2.     Based on the code shown above, it is clear that the intention
is not to download a .gif image but a .php resource. Signature-based
engines should easily detect the unusual resource name with multiple dots.


Threat actors of all types continue to improve their techniques to
compromise organizations and remain undetected within an environment.
Our study identified a number of techniques that successfully bypassed
many AV engines:

1.     Alternate techniques to embed objects within Office documents
that may not be recognized by AV engines.

2.     The use of a multi-stage infection approach in order to look
unsuspicious at each stage:

    a.     A document downloading an image from the Internet that
cannot be flagged as malicious at that stage
    b.     A VBA
Macro script loading malicious content from spreadsheet cells

3.     Multiple techniques to load malicious content from Office documents:

    a.     Embedded as ActiveX
    b.     Embedded as OLE
    c.      Embedded in the document’s comments
d.     Embedded in the spreadsheet cell

4.     Standalone packed binaries containing malicious Python scripts.

5.     Multi-layer Packing: RLPack + Custom UPX.

6.     The combination of multiple scripting languages to allow the
attackers to obfuscate malicious code, such as VBA Script building
malicious PowerShell scripts.

In several cases we note that the attackers are reusing known
exploits (such as CVE-2015-5119 or CVE-2013-1331), but changing the
delivery method; or leveraging obfuscation, encoding, encryption, or
multiple layers of packing to disguise their malicious scripts or backdoors.

For proper detection, it is essential to monitor an attack through
its entire life cycle – not simply when a suspicious document or file
first enters a network. This approach is necessary to detect and block
multi-stage infection strategies. While initial events (such as the
delivery of a macro-enabled spreadsheet) may appear innocuous,
eventually a later stage of the attack will trigger detection.

It is much easier to stop an attack – including a multi-stage attack
– when it first occurs, to include detecting known and unknown
exploits (zero days), or even threats that require user interaction
such as macros inside documents.

This detection approach is the core logic behind FireEye
Multi-Vector Virtual Execution (MVX) technology.


Indicators of Compromise – IOCs

Network Based:


POST /0000/a242550.asp
TCP Port: 8080 


GET /bbs/file/machinery/machine_body.jpg
PORT: 80


TCP Port: 80


TCP Port: 443


TCP Port: 13661


GET /ocagnt/gethooks.asp
TCP Port:
GET /ocagnt/enckeys
TCP Port:
GET /ocagnt/getstatus.asp
Port: 80


TCP Port: 81



C:\Windows\System32\install\server.exe (copy of dropped binary) d409dc7e1ca0c86cb71e090591f16146


Mutex created:



Figure 27 shows the MD5s with zero detection detailed on this report.

Figure 27: 2015 samples from VT with zero
detections in 2016

Some exceptions to this study were added for samples with low
detection rates, but with only generic detection (that is, not
detected as part of any specific code family), that used an
interesting technique or that were suspected of being used by an APT
group (see Figure 28).

Figure 28: Samples with low and / or generic detection

dc15336e7e4579c9c04c6e4e1f11d3dd – Brazilian RAT

Some interesting commands from the RAT in Portuguese language:

 0002A3A8: pingtest

 0002A3BC: tentarnovamente

 0002A3E0: mouseposition

 0002A3F8: keyboardkey

 0002A40C: webcaminactive

 0002A424: webcamgetbuffer

 0002A43C: webcam

 0002A44C: desktop

 0002A45C: stopsearch

 0002A470: listarvalores

 0002A488: maininfo

 0002A49C: configuracoesdoserver

 0002A4BC: disconnect

 0002A4D0: uninstall

 0002A4E4: renameservidor

 0002A4FC: enviarexecnormal

 0002A518: enviarexechidden

 0002A534: executarcomandos

 0002A550: openweb

 0002A560: downexec

 0002A574: resumetransfer

 0002A58C: listardrives

 0002A5A4: listararquivos

 0002A5BC: execnormal

 0002A5D0: execinv

 0002A5E0: deletardir

[1] Hangul Word Processor is a word processing application developed
by South Korean software firm Hancom.
[5] An XLSB file is stored in binary format instead of the normal XML
format, allowing the file to be read from and written to much faster. 
[10] Py2Exe is a distutils extension to create standalone windows
programs from python scripts.  See

This is a Security Bloggers Network syndicated blog post authored by Nick Harbour. Read the original post at: Threat Research Blog