Using the encrypted Office binary format to evade detection
This article was written by Haifei Li of Intel Security and Xiaoning Li of Intel Labs.
Microsoft Office documents play an important role in our work and personal lives. Unfortunately, over the past few years we have seen a number of attacks targeting Office documents, and in particular several significant 0-day attacks. Some notable ones:
CVE-2014-4114/6352, the "Sandworm" 0-day attack, reported in October 2014. McAfee Labs provided an in-depth analysis of the vulnerability and of Microsoft's initial patch, which failed to fully fix it.
CVE-2014-1761, a highly crafted 0-day attack detected by Google in March 2014. Read here to learn why we call it highly crafted.
CVE-2013-3906, a 0-day vulnerability in the graphics component used by Microsoft Office. The 0-day attack was detected and reported by McAfee Labs in October 2013.
CVE-2012-0158/1856, two fairly old vulnerabilities in MSCOMCTL.OCX that attackers have used for years and that are still seen in exploitation.
At McAfee Labs we are conducting leading research on Office security to drive improvements in detection and protection. Recently we have seen an increasing number of attacks against the Sandworm vulnerability. Most importantly, the threat actors have introduced some interesting detection-evasion techniques, which we want to share with the security community.
PPSX and PPS
We have seen quite a few Sandworm (CVE-2014-4114) attacks delivered in the .pps (PowerPoint Show) format instead of the usual .ppsx. The .ppsx format uses Office Open XML, which replaced the older Office binary format; the binary format is still supported for compatibility. Because the Open XML format is transparent, it is easy for third-party applications, including security products, to parse and understand. As a result, most security vendors can detect CVE-2014-4114 exploits in files that use the Open XML format.
The .pps file is a different story: it uses the Office binary format. Even though Microsoft has published the specification, the format is not easy to parse, so it is harder for security products to detect exploit files in this format. The bad guys are aware of this, of course, and have begun delivering the CVE-2014-4114 exploit as .pps instead of .ppsx. One example was reported by ThreatGeek a few days ago (we tracked this attack as well). In that attack, the exploit was converted to the .pps format and successfully evaded most AV detection.
Plain PPS and encrypted PPS
Fortunately, even though the binary format is hard to parse, it is still a "plain" format, meaning that malicious bytes cannot be hidden from a good signature or generic detection model. However, the attackers have not stopped at moving to .pps. At McAfee Labs we now see them encrypting the exploit to make it even stealthier.
Let's compare a plain .pps with an encrypted .pps from our samples. In the plain .pps, the key bytes (the string "package") are still visible, which shows that the content is not encrypted.
Encrypted .pps:
In the encrypted version, no malicious bytes can be found.
Let's open the sample in PowerPoint for editing. To avoid the exploit running unintentionally, we first rename the document from .pps to .ppt.
The attacker cleverly abuses an Office feature that lets document authors protect a document from being viewed or edited. In this case, the author encrypted the file with a password that restricts modification: anyone can view the document, but no one can edit it without the password. (When we open a .pps document as a slideshow, we are only "viewing" it, which is why no password prompt appears in normal operation.) The stated purpose is that the file's internal content cannot be edited; in practice, it prevents security products from analyzing the content and stops others from statically analyzing the malicious sample.
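A defender-side check, added here as an example (not code from the original post): the PowerPoint binary format records whether a document is encrypted in the headerToken field of the CurrentUserAtom at the start of the "Current User" stream (MS-PPT specification, section 2.3.2), so a scanner can flag an encrypted .pps like the one above for sandbox analysis even though it cannot see the content. The stream bytes below are constructed test data; the optional file reader assumes the third-party olefile package.

```python
"""Flag PowerPoint binary documents (.ppt/.pps) that are password-encrypted.

Per MS-PPT 2.3.2 the "Current User" stream starts with a CurrentUserAtom whose
headerToken is 0xE391C05F for a plaintext file and 0xF3D1C4DF for an encrypted
one. An encrypted .pps still opens in show mode with no password prompt, so a
static scanner sees only ciphertext; route such files to sandbox analysis.
"""
import struct

RT_CURRENT_USER_ATOM = 0x0FF6  # recType of the CurrentUserAtom record
TOKEN_PLAIN = 0xE391C05F       # headerToken: file is not encrypted
TOKEN_ENCRYPTED = 0xF3D1C4DF   # headerToken: file is encrypted


def parse_current_user_atom(stream: bytes) -> dict:
    """Parse the CurrentUserAtom that opens the 'Current User' stream."""
    if len(stream) < 8 + 0x14:
        raise ValueError("stream too short for a CurrentUserAtom")
    _ver_inst, rec_type, _rec_len = struct.unpack_from("<HHI", stream, 0)
    if rec_type != RT_CURRENT_USER_ATOM:
        raise ValueError("not a CurrentUserAtom record: 0x%04X" % rec_type)
    # Fixed part: size, headerToken, offsetToCurrentEdit, lenUserName,
    # docFileVersion; majorVersion, minorVersion and 2 unused bytes follow.
    size, token, offset, name_len, doc_ver = struct.unpack_from("<IIIHH", stream, 8)
    if size != 0x14:
        raise ValueError("unexpected CurrentUserAtom size %d" % size)
    if token not in (TOKEN_PLAIN, TOKEN_ENCRYPTED):
        raise ValueError("unknown headerToken 0x%08X" % token)
    ansi_name = stream[28:28 + name_len]  # ansiUserName follows the fixed part
    return {"encrypted": token == TOKEN_ENCRYPTED,
            "offset_to_current_edit": offset, "doc_file_version": doc_ver,
            "user_name": ansi_name.decode("latin-1", "replace")}


def build_current_user_stream(token: int, user_name: str = "Joe") -> bytes:
    """Constructed sample data: a minimal 'Current User' stream for testing."""
    name = user_name.encode("latin-1")
    body = struct.pack("<IIIHHBBH", 0x14, token, 0x2000, len(name), 0x03F4, 3, 0, 0)
    body += name + struct.pack("<I", 8) + user_name.encode("utf-16-le")
    return struct.pack("<HHI", 0, RT_CURRENT_USER_ATOM, len(body)) + body


def scan_ppt_file(path: str) -> dict:
    """Read the stream from a real file via the third-party 'olefile' package
    (assumed installed; the parser above does not depend on it)."""
    import olefile
    ole = olefile.OleFileIO(path)
    try:
        return parse_current_user_atom(ole.openstream("Current User").read())
    finally:
        ole.close()
```

An encrypted verdict from this check does not prove malice; it only means static content inspection cannot be trusted for that file.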
We have tracked threat activity using encrypted Office exploits for some time. Here is an older example from a spear-phishing campaign. MD5: 2E63ED1CDCEBAC556F78F16E8E872786; file name: "Attachment Information (English version).pps"; first submitted to VirusTotal on May 12. As of July 2, the encrypted exploit was still undetected on VirusTotal.
Analyzing the malicious code in the encrypted exploit
Exploiting CVE-2014-4114, this malicious .pps sample drops a malware payload into the temp directory as update.dat (MD5 9421D13AA5F3ECE0C790A7184B9B10B3) and runs it.
The main function of the file:
The main function performs several tasks:
Decrypts the embedded encrypted .exe to $AppData\Roaming\SearchCache.dll (MD5 97FE2A5733D33BDE1F93678B73B062AC).
Starts a new rundll32.exe process to call the export _flushfile@16 of SearchCache.dll (command line: C:\Windows\system32\rundll32.exe "$AppData\Roaming\SearchCache.dll", _flushfile@16 $AppData\Local\Temp\update.dat).
In the exported API _flushfile@16, the first block of code is used to evade detection, delete the original update.dat, and create a new thread to carry out the remaining tasks.
The new thread connects to the control server, collects local system information, and sends the data to the control server. The thread also downloads irmon32.dll and registers it as a service for future malicious activity. Detailed steps:
Threat intelligence
To help our peers with analysis, we are releasing the hashes (MD5) of some samples:
Conclusion and response
These evasion tactics pose a real challenge for defenders. Security is always a tug of war, but we need to stay ahead of the bad guys. This case also underlines that in today's network environment no single security product, whether network-, endpoint-, or sandbox-based, can stop all threats. For threats like these, our sandbox-based Advanced Threat Defense and Host Intrusion Prevention are ideal choices. (If you haven't patched the Sandworm vulnerability yet, you'd better do it now.) McAfee detects both of the attacks discussed here, including the plain and the encrypted exploit files.
One more thing
Speaking of Office security, we will be giving a talk at the Black Hat USA security conference on August 8 this year, held in Las Vegas, USA (March 13, 2015). We will present some of our original ideas and cutting-edge research on the important OLE feature in Office. We want to help the community better understand the risks of Office OLE and better protect users.