.Net RAT Malware Being Spread by MS Word Documents

Breaking Threat Research from FortiGuard Labs

 

Just days ago, Fortinet’s FortiGuard Labs captured a malicious MS Word document from the wild that contains auto-executable malicious VBA code that can spread and install NanoCore RAT software on a victim’s Windows system. NanoCore RAT was developed in the .Net framework, and the latest version is “1.2.2.0”. Its author, “Taylor Huddleston”, was captured by the FBI and sent to prison early last year . The sample we captured uses NanoCore to execute malicious behavior on a victim’s system.

In this blog, I’ll show you how it is spread and installed onto a victim’s system.

The Malicious Word Document

The name of the captured Word document is “eml_-_PO20180921.doc”. When it’s opened in MS Word, we see the content shown in Figure 1. As you can see, there is a warning message in yellow on the top of the window.

Once the yellow button “Enable Content” in Figure 1 is clicked by the victim, the malicious VBA code is executed in the background. The VBA code is executed automatically from the function “Document_Open”. Its code is obfuscated, as shown in Figure 2.

From the API function names and debug output information in Figure 2, we can see that the VBA code does one thing: it downloads an EXE file from the URL “hxxp://www.wwpdubai.com/wp-content/plugins/jav/inv.exe” and saves it into “%temp% CUVJN.exe”. It then executes this EXE file once the download is complete. 

CUVJN.exe is a .Net framework program. Its original name was “icce.exe”. The screenshot in Figure 3 shows detailed information. However, this is not the real NanoCore RAT, which is extracted later when running CUVJN.exe. Let’s continue and see how it does this.

Execute the Downloaded CUVJN.exe

I loaded CUVJN.exe with the .Net debugger dnSpy. Tracing from its main function, we can see that it loads numerous data blocks from its resource section, and then puts them together and decrypts them.

From Figure 4 below, we see that CUVJN.exe repeatedly loads resource blocks via their names from the “9” resource folder. All data is then put together into local array variable “array10”. It then decrypts the data to get a new PE file. You can see it in Figure 5.

The decrypted PE file is another .Net framework program. Its original name is “dll.exe”. At this point, its “main” function has not yet been called. Below is the code snippet of the function “МđыдĐäѦГБуѦ”, which shows it calling the “main” function through “invoke”, where the argument “crap” has the “main” function. It’s like executing function “invoke(crap)”. That means the decrypted “dll.exe” will be run inside the CUVJN.exe process.

public static void МđыдĐäѦГБуѦ(object fileName, object crap)
    {
        checked
        {
            try
            {
                NewLateBinding.LateCall(crap, null, “invoke”, new object[]                 {null, new object[0] }, null, null, null, true);
                int num = 0;
                object instance;
[ … ]    

According to my analysis, the decrypted .Net program is a daemon process. Let’s continue to trace it from its main() function. At first, it creates a Mutex and checks if the process already exists to ensure only one process of this program is running. Next, it checks if Avast is running on the victim’s system by detecting whether the “snxhk.dll” module is loaded or not. If so, it keeps waiting until it has been unloaded. Avast is an AntiVirus software, and “snxhk.dll” is one of its modules.

public static void avast()    {
        try        {
            IntPtr moduleHandle = RunPE.GetModuleHandle(“snxhk.dll”);
            while (moduleHandle != IntPtr.Zero)            {
                moduleHandle = RunPE.GetModuleHandle(“snxhk.dll”);
                Thread.Sleep(500);
            }
        }
        catch (Exception ex)
        {        }
    }

It then performs similar activities to what CUVJN.exe did above to load data from its resource section, which is a gzip archive. It then executes the following function to decompress the gzip archive and get a PE file. This one is the real NanoCore RAT client.

public static byte[] DEC(byte[] ThrowApples, int VAR12 = 70)
 {
        int num = 0;
        GZipStream gzipStream = new GZipStream(new MemoryStream(ThrowApples), CompressionMode.Decompress, true);
        int num2 = ThrowApples.Length;

        byte[] result;
        try   
        {     
            byte[] array;
            for (;;)  
               {     
                array = (byte[])Utils.CopyArray((Array)array, new byte[num + num2 + 1]);
                int num3 = gzipStream.Read(array, num, num2);
                if (num3 == 0)
                    {     break;     }
                num += num3;
              }
            array = (byte[])Utils.CopyArray((Array)array, new byte[num – 1 + 1]);
            result = array;
         }
 [ … ] 

Before running the real NanoCore client, it performs some checks. It checks if the current process’ full path is “%AppData%MicrosoftWindowsScreenToGifnetprotocol.exe”. Of course, the result is “FALSE”. We are still inside the process CUVJN.exe, so its full path is “%temp%CUVJN.exe”.  It then stops and takes a branch to copy the CUVJN.exe file into the folder “%AppData%MicrosoftWindowsScreenToGif” and it then renames it to “netprotocol.exe”. After that it creates a new “Process” object with the new file and calls the “Start()” function  of the “Process” object to run it. Finally, it calls “ProjectData.EndApp()” to terminate the CUVJN.exe process.

Figure 6 shows the code snippet that copies the malware to a new path, runs it, and then exits CUVJN.exe.

As “netprotocol.exe” is running, because it is a copy of “CUVJN.exe”, we can expect that it does exactly the same thing as the CUVJN.exe does that we reviewed about above. They are:  

1.     Load data from the resource section and then decrypt it to get a “dll.exe”

2.     Run the main function of “dll.exe” inside “netprotocol.exe” instead of in “CUVJN.exe”

3.     Unzip NanoCore from “dll.exe”’s resource

4.     Check if the current process’ full path is “%AppData%MicrosoftWindowsScreenToGifnetprotocol.exe”. This time the answer is “TRUE”.

Let’s resume tracing from where it was interrupted, where only the process’s name has been changed to “netprotocol.exe”.

The Daemon Process Can’t Be Killed

Through my analysis, “dll.exe” is a daemon process. It starts another “netprotocol.exe”, injects unzipped NanoCore into its memory, and runs it. One task of “dll.exe” is to keep NanoCore running well in the second “netprotocol.exe” as a daemon process. It has a class “ProtectMe” with a function “ProtectMe.Protect()” to protect itself from being killed. When I was testing this malware in my test environment the very first time, I was surprised that I could not kill the process “netprotocol.exe” at all. It’s neither a system service nor did it have higher privilege than me. After doing some research, I got this class and function as shown below.

[DllImport(“ntdll.dll”)]

private static extern IntPtr ZwSetInformationProcess(IntPtr _1, IntPtr _2, IntPtr _3, IntPtr _4);

public static void Protect()
{
    ProtectMe.ZwSetInformationProcess(ProtectMe.GetCurrentProcess(), (IntPtr)33L, (IntPtr)ProtectMe.VarPtr(-2147421911), (IntPtr)4L);    

It turns out that it uses an undocumented function, ZwSetInformationProcess, from NTDLL.dll. This function can modify the state of the process, which is why I could not kill the process. Figure 7 is a screenshot of when I tried to kill “netprotocol.exe” via the command “taskkill”, the daemon process “netprotocol.exe” (PID 3428) could not be killed.

There is a function named “RunPE.doIt()” that is used to run and protect the NanoCore RAT client. It calls the API CreateProcessA to start a new “netprotocol.exe” and then suspends it. Next, it allocates memory in the new “netprotocol.exe” and puts the entire NanoCore into the newly allocated memory using the API WriteProcessMemory. Finally, it modifies the entry point of the thread context to NanoCore’s entry point and resumes NanoCore running inside the second “netprotocol.exe” by calling the API ResumeThread.

NanoCore RAT Client

NanoCore is a RAT (Remote Access Trojan) that was first identified in 2013. It is able to perform numerous malicious actions, such as registry edit, process control, upgrade, file transfer, keylogging, password stealing, etc. on a victim’s machine.

NanoCore is a .Net framework program. Its code was completely obfuscated, as you can see in Figure 8.

Once it runs in the second “netprotocol.exe”, it creates a new folder as its home folder under “%AppData%” folder. The new folder was named “AA401429-5100-45C4-9496-689224150CC3” in my test environment. It also creates a number of subfolders, such as “DHCP Manager” and “Logs”, and then copies “netprotocol.exe” into “DHCP Manager” and renames it as “dhcpmgr.exe”. It then creates an auto-run item in the Windows registry whose value name is “DHCP Manager” and its data is the full path of “dhcpmgr.exe”. Figure 9 shows the detailed information of this key item.

The “Logs” subfolder contains the data collected from the victim’s system in different subfolders with names that are the current login user name for different login users.

For a demonstration, I will show you how it keylogs my inputs. I opened Chrome browser and went to an online banking website where I entered a test account number and test password on the login page. We can find that everything I typed was obtained by the NanoCore client and saved in files under my login user folder in the “Logs” subfolder. The file names are disguised as Windows update log files. You can get more information about this from Figure 10.

Solution

The malicious Word document has been detected as “VBA/Agent.1B7E!tr.dldr”, and the “CUVJN.exe” has been detected as “MSIL/Injector.REB!tr” by FortiGuard AntiVirus service.

The malware download URL has been rated as “Malicious Websites” by the FortiGuard WebFilter service.

How to remove this malware:

1>    Delete the value “DHCP Manager” from the system registry “HKCUSoftwareMicrosoftWindowsCurrentVersionRun” or “HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun” (it depends on the Windows system version) and save the value’s data for later use, like “%AppData%[Random string]DHCP Managerdhcpmgr.exe“.

2>    Restart your Windows system.

3>    Delete the folder “%AppData%MicrosoftWindowsScreenToGif”.

4>    Delete the folder that was saved in step 1.

 

IoC:

URL:

hxxp://www.wwpdubai.com/wp-content/plugins/jav/inv.exe

 

Sample SHA256:

eml_-_PO20180921.doc

FFEE1A33C084360B24C5B987B80887A2D77248224DBD6A0B6574FF9CEF74BDD6

CUVJN.exe / icce.exe / dhcpmgr.exe / netprotocol.exe

 32BB5F767FE7788BCA4DD07F89F145D70EC3F58E2581CAB9CA6182D3FCE9BC86

 

Learn more about FortiGuard Labs and the FortiGuard Security Services portfolioSign up for our weekly FortiGuard Threat Brief. 

Know your vulnerabilities – get the facts about your network security. A Fortinet Cyber Threat Assessment can help you better understand: Security and Threat Prevention, User Productivity, and Network Utilization and Performance.

Read about the FortiGuard Security Rating Service, which provides security audits and best practices.

*** This is a Security Bloggers Network syndicated blog from Fortinet All Blogs authored by Fortinet All Blogs. Read the original post at: http://feedproxy.google.com/~r/fortinet/blogs/~3/P_S-UEWOhEQ/-net-rat-malware-being-spread-by-ms-word-documents.html