
Wednesday, May 22, 2019

URSNIF Malicious Macro Document using InlineShape.AlternativeText to hide payload...

This macro technique has also been used by other malware families such as ICEID. The technique is simple, but it is effective at hiding the malicious code from AV detection: the payload is not stored in the VBA source at all, only in a document property that the macro reads back at run time.

Macro Code:

As we go through its macro code, a bunch of "Debug.Print" statements welcome us. These are garbage or dummy code whose only purpose is to make the macro look complicated and hard to read, as in the screenshot below.


figure 1: the macro dummy/garbage code.

But the code that actually matters is a single call to the built-in VBA property InlineShape.AlternativeText (reached through the document's InlineShapes collection). Based on Microsoft's documentation, it returns or sets a String that represents the alternative text associated with a shape in a web page (read/write). Because that string lives in the document body rather than in the VBA project, it is not visible in the VBA editor and is missed by scanners that only inspect the macro source.

In this case it returns the PowerShell script that downloads the actual URSNIF payload.

figure 2 : main code of this macro malware


figure 3: the actual powershell script that this macro tries to execute


Upon decoding the base64-encoded PowerShell script, you can easily see what it does: it downloads a malicious executable from its C&C server and drops it in %appdata% as "GNsstGv.exe". (If the script is passed to powershell.exe via -EncodedCommand, the base64 wraps UTF-16LE text, so decode it with that encoding rather than UTF-8.)

figure 4: decoded powershell script
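
The two steps above, pulling the alternative text out of the document and decoding it as PowerShell would, can be scripted. The following is an added example and not the author's code or the sample's actual payload: it builds a constructed .docx (the OOXML container, where Word stores InlineShape.AlternativeText in the `descr` attribute of `wp:docPr` inside `word/document.xml`) carrying a harmless stand-in command, then extracts and decodes every alt text and flags ones that look like downloaders. The stand-in script, the file name `GNsstGv.exe` reused from the post, and the keyword list are all assumptions for illustration; the real sample's container format and script are not reproduced.

```python
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional
from xml.sax.saxutils import quoteattr

# DrawingML namespace used for inline/anchored shapes in word/document.xml
WP_NS = "http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing"

# Constructed, harmless stand-in for the downloader described in the post.
# It only echoes text; the real sample's script is NOT reproduced here.
FAKE_PS = ('Write-Output "stand-in: (New-Object Net.WebClient).DownloadFile(...) '
           'to $env:APPDATA\\GNsstGv.exe"')

# Markers a practitioner would key on in a decoded alt text (assumed list).
SUSPICIOUS = ("powershell", "downloadfile", "downloadstring", "iex",
              "invoke-expression", "appdata", "start-process", "-enc")

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def encode_powershell(script: str) -> str:
    """Encode a script the way powershell -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def build_sample_docx(alt_text: str) -> bytes:
    """Build a minimal constructed .docx whose single inline picture carries alt_text in wp:docPr/@descr."""
    document_xml = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"
            xmlns:wp="{WP_NS}">
  <w:body>
    <w:p><w:r><w:t>Invoice attached.</w:t></w:r></w:p>
    <w:p><w:r><w:drawing><wp:inline>
      <wp:extent cx="914400" cy="914400"/>
      <wp:docPr id="1" name="Picture 1" descr={quoteattr(alt_text)}/>
    </wp:inline></w:drawing></w:r></w:p>
  </w:body>
</w:document>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def extract_alt_text(docx_bytes: bytes) -> List[str]:
    """Return the alternative text of every shape (wp:docPr/@descr) in word/document.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    return [el.get("descr") for el in root.iter(f"{{{WP_NS}}}docPr") if el.get("descr")]


def decode_powershell_b64(blob: str) -> Optional[str]:
    """Decode a base64 blob; prefer UTF-16LE (what -EncodedCommand uses), else UTF-8. None if not base64."""
    blob = blob.strip()
    if not B64_RE.fullmatch(blob) or len(blob) % 4:
        return None
    raw = base64.b64decode(blob)
    # UTF-16LE ASCII text has a 0x00 in every odd byte position
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def scan_docx(docx_bytes: bytes) -> List[dict]:
    """Flag alt texts that decode to downloader-like PowerShell or are unusually long."""
    hits = []
    for alt in extract_alt_text(docx_bytes):
        decoded = decode_powershell_b64(alt)
        text = (decoded or alt).lower()
        markers = [m for m in SUSPICIOUS if m in text]
        if markers or len(alt) > 200:  # a paragraph-sized alt text is itself a signal
            hits.append({"alt_len": len(alt), "decoded": decoded, "markers": markers})
    return hits


if __name__ == "__main__":
    sample = build_sample_docx(encode_powershell(FAKE_PS))
    for hit in scan_docx(sample):
        print(f"alt text of {hit['alt_len']} chars, markers={hit['markers']}")
        print("decoded:", hit["decoded"])
```

Run it against a real .docx/.docm by reading the file bytes and passing them to `scan_docx`; a legitimate picture caption such as "Company logo" produces no hit, while a base64 blob of a few hundred characters that decodes to something mentioning DownloadFile or %APPDATA% does.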


IOC:

SHA1: abf7656a677a250bdfd47ffebf6851b35b94b028
SHA256: 0cd3c30d9da5be2c53d70bf75ca150b0c2a1fe7ab886cf725fd82c263b440fd3
MD5: 56b6872f4e37ea81dfae9d1f6ef4224d
URL: hxxp[:]//quo75fbm.club/skoex/po2.php