
Monday, April 1, 2019

Ammyy RAT Hides Its Macro in a Hidden Worksheet...

In the past few days I found a very interesting piece of macro malware of the kind known for downloading Ammyy RAT. The clever way this macro hides its code, both from detection and from the typical approach to analyzing macro code, is what makes it worth writing up.

So let's start...

Initial Analysis:

Upon opening this malicious .xlsx file you can see right away that it is suspicious, not only because Excel prompts a security warning that the file contains macro code, but also because of the usual lure image embedded in the sheet asking the user to enable content.

Figure 1 - the malicious macro



Through file triage and strings you will also see right away that this macro downloads something using an indirect execution technique: msiexec.exe /i <url link>. Passing a URL to msiexec.exe makes the signed, trusted Windows Installer binary fetch and run the remote package, so no obviously malicious executable is dropped by the macro itself.

Figure 2 - payload of the macro


Further Analysis:

But upon enabling the macro for further analysis, I noticed that the macro code cannot be seen through the typical approach (View -> Macros in Excel) or by using some of the common Python parsing tools, which only look for VBA projects.

Figure 3 - macro is hidden

Figure 4 - using a parsing tool.

Now it caught my attention, so I looked further into the file to find how it hides the macro code, and finally I got it. This macro uses an old but effective technique to hide code or formulas in a .xls file: hiding a column, a row, or even an entire worksheet. In this case the malware hides the sheet that contains the macro, which is written in the form of cell formulas rather than VBA (the legacy Excel 4.0 macro format). That is why the VBA editor and VBA-oriented tools show nothing: there is no VBA project to find, only a hidden macro sheet whose formulas execute when the document is opened.

figure 5 - hidden worksheet
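Because the macro sheet is hidden from the Excel UI, the practical check is to read the sheet table directly from the binary Workbook stream, where every sheet is listed with its visibility flag and type. The following is an added example written for this write-up, not code from the original post, and it assumes the legacy binary .xls (BIFF8) layout documented in MS-XLS: each BoundSheet8 record carries the sheet's stream offset, a one-byte hsState (0 visible, 1 hidden, 2 "very hidden", which the UI cannot unhide), a one-byte type (0x01 = macro sheet) and the sheet name. The sample stream below is constructed inline so the script runs offline; on a real file the same bytes come out of the OLE container's "Workbook" stream.

```python
import struct

# Record ids from MS-XLS (BIFF8)
BOF = 0x0809
BOUNDSHEET = 0x0085
EOF = 0x000A

HS_STATE = {0: "visible", 1: "hidden", 2: "very hidden"}
SHEET_TYPE = {0x00: "worksheet", 0x01: "macro sheet", 0x02: "chart", 0x06: "VBA module"}


def iter_records(stream):
    """Yield (record_id, payload) for each BIFF record: 2-byte id, 2-byte length, payload."""
    pos = 0
    while pos + 4 <= len(stream):
        rid, length = struct.unpack_from("<HH", stream, pos)
        pos += 4
        yield rid, stream[pos:pos + length]
        pos += length


def parse_boundsheet(payload):
    """Decode a BoundSheet8 record: lbPlyPos, hsState, dt, then a ShortXLUnicodeString name."""
    ply_pos, hs_state, dt, cch, flags = struct.unpack_from("<IBBBB", payload, 0)
    raw = payload[8:]
    if flags & 0x01:                      # fHighByte set: name stored as UTF-16LE
        name = raw[:cch * 2].decode("utf-16-le")
    else:                                 # otherwise one byte per character
        name = raw[:cch].decode("latin-1")
    return {
        "name": name,
        "offset": ply_pos,                # offset of the sheet's own BOF in the stream
        "state": HS_STATE.get(hs_state & 0x03, "unknown"),
        "type": SHEET_TYPE.get(dt, "unknown(0x%02x)" % dt),
    }


def list_sheets(stream):
    """Return every sheet declared in the workbook globals, hidden or not."""
    return [parse_boundsheet(p) for rid, p in iter_records(stream) if rid == BOUNDSHEET]


def suspicious_sheets(sheets):
    """Flag what an analyst wants to see first: any macro sheet, and anything not visible."""
    return [s for s in sheets if s["type"] == "macro sheet" or s["state"] != "visible"]


# --- constructed sample input (not a real malware stream) ---------------------
def _record(rid, payload):
    return struct.pack("<HH", rid, len(payload)) + payload


def _boundsheet(name, ply_pos, hs_state, dt):
    name_bytes = name.encode("latin-1")
    return _record(BOUNDSHEET, struct.pack("<IBBBB", ply_pos, hs_state, dt, len(name_bytes), 0) + name_bytes)


SAMPLE_STREAM = (
    _record(BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0x0DBB, 0x07CC, 0, 0))  # BIFF8 workbook globals BOF
    + _boundsheet("Sheet1", 0x0400, 0, 0x00)   # the visible decoy sheet carrying the lure image
    + _boundsheet("Macro1", 0x0800, 2, 0x01)   # a "very hidden" Excel 4.0 macro sheet
    + _record(EOF, b"")
)

if __name__ == "__main__":
    # For a real .xls, replace SAMPLE_STREAM with the "Workbook" stream read via the
    # olefile package: olefile.OleFileIO(path).openstream("Workbook").read()
    for sheet in list_sheets(SAMPLE_STREAM):
        print("%-12s %-12s %-12s offset=0x%x" % (sheet["name"], sheet["type"], sheet["state"], sheet["offset"]))
    print("suspicious:", [s["name"] for s in suspicious_sheets(list_sheets(SAMPLE_STREAM))])
```

The point of reading BoundSheet8 rather than trusting the UI is that a "very hidden" sheet (hsState 2) is not offered by Excel's Unhide dialog at all, and a macro sheet (dt 0x01) has no VBA project, so both the Excel front end and VBA-only parsers report an innocent-looking workbook. Once the offending sheet's offset is known, the formulas in its substream can be dumped and the string-building cells reconstructed.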

Figure 6 shows how the hidden worksheet is executed. Cell A30 in particular concatenates the pieces of the command string that downloads a file and saves it to the %tmp% folder, so the full msiexec command only exists once the formulas have run.

Figure 6 - the execution of the malicious code

 

Conclusion:

This interesting piece of macro malware shows how attackers tweak their weaponization to stay undetected: by putting the macro in a hidden, formula-based sheet instead of a VBA project, they keep the code hidden in plain sight of the analyst and of tools that only look for VBA.

 

IOC:

SHA1: 4418cf2ee24196b9967188568bbaa33a3311b2a0
MD5: 588e52444284d810cf9c3cd684361ed7
SHA256: d65ce03cc8e888c94c5dcb797630db33fb01fbf166b38db09744c115f20150b7
