# Gamaredon: Docx Template-Injection **[aaqeel01.wordpress.com/2021/01/18/docx-files-template-injection/](https://aaqeel01.wordpress.com/2021/01/18/docx-files-template-injection/)** Ali Aqeel January 18, 2021 [New APT malware samples have been found by Shadow Chaser Group researchers](https://twitter.com/ShadowChasing1) recently, that points to the same attacker group [Gamaredon. Two different samples in](https://attack.mitre.org/groups/G0047/) separate incidents are being analyzed and presented in this post to show the techniques used by the attacker. Also there are interesting findings that have been extracted during dynamic analysis and not been found by sandbox engines. Will focus on the extracted information and techniques and skip the match results. **Sample One: Downloader** ----- -1- Tweet of sample 1 _Host-Based IOCs_ **File Name** **MD5 hash** Figure **File** **Size** Мои данные.docx fbc037e68f5988df9190cdadf7424752 24.56 KB dCiBlGD.dot 7467DBBB6DBEA83256B13FB151A594EF 73 bytes index.dat C6DBAAA421E7CC2A51564EC14EE98372 244 bytes ----- **File Name** **MD5 hash** **File** **Size** sell on office360-expert.online E382A34494F25B9F31F8A3745135970E 62 bytes TCD18CC.tmp\CleanGradient.thmx E9294DCC4C80544EFDDD8BCA7F1FFBE6 57.7 KB Table -1- Sample one Files basic properties This malware is a Docx file with (50 4B 03 04) signature that has an embedded xml when extracted (word\_rels\settings.xml.rels) (Figure -2-), it has a URL, which by the time writing _this post the link is still active (Figure -3-)_ [[2]](https://app.any.run/tasks/17575220-f087-4baa-bc96-3d9bdb0f10ed/) Figure -2- XML file with Suspicious URL Figure -3- Active links _Netword-Based IOC_ **URL** **IP** **Port** hxxp://office360-expert[.]online/sell/dCiBlGD[.]dot 195.161.114.130 80 Table -2- Sample One Connections Unlike other malware techniques used in similar procedures, when first running this Docx file it’s already too late. As an attack vector, it doesn’t require the victim to Enable Macro in order to serve its malicious purpose. ----- Figure -4- Running the document Since it’s a downloader it only makes sense to find out what is next when running this malware live and infect the computer. Four files been extracted as in (Table -1-) in: (C:\.\.\AppData\Roaming\Microsoft\Office\Recent), and (C:\.\.\AppData\Local\Temp\TCD18CC.tmp\), There’re dozens of other xx.TMP directories but been created and deleted during the process. The DOT file dCiBlGD is nothing but a shortcut linked to the URL shortcut (sell on _office360-expert.online) which links to the same URL. The current files are almost useless_ and there doesn’t appear to be a use for template file or any other files in that matter. However, presenting in the following section of this post another sample belongs to the same attacker group which has the use of dot file as a second stage dropper, but more on that in a little bit. There’s persistent mechanism that might lead to download another files like dot file, or [maybe other evasion techniques. What’s missing from VirusTotal behavior [3] is the registry](https://www.virustotal.com/gui/file/499caf4558ca05440875a94d5e06663cc637f9c6acdaa7c1a89f889a025837f3/behavior) below ‘At least by the time writing this post’. The sample been tested with both MS word 2010 and 2016. _HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Internet\Server_ _Cache\http://office360-expert.online/sell/_ ----- Figure -5- RegValue: Office 2010 Figure -6- RegValue: Office 2016 By the time of live analyzing this sample there’s no threat presented yet! However, as a first stage downloader, the attacker successfully made it to place foothold via temp files like dot or (Docs Template) which remains in the temp directory unnoticed, and also set the registry values linking to the suspicious URL. **Sample Two: Dropper** ----- Figure -7- Tweet of sample 2 [In what appears to be an older found sample discovered by the same researchers [1] linked](https://twitter.com/ShadowChasing1) to the same attacker group [[4]. A dot file is been statically analyzed in this section, so there’s](https://attack.mitre.org/groups/G0047/) a chance to take a glance at what a dot file might be used for and what evasion and persistent techniques the attacker’s using. _Host-Based IOCs_ **File Name** **MD5 hash** **File Size** KzGdWvmSq.dot ddc38e9b53458ee58504a40fdc41df61 216.00 KB PrintDriver.exe d1ab72db2bedd2f255d35da3da0d4b16 138.50 KB ----- Table -3- Sample two Files basic properties When the dot file KzGdWvmSq made it to victim machine it establishes connection with a C2 [sever. And by the time analyzing this sample the C2 servers are not found [5].](https://app.any.run/tasks/26e685f3-9a76-45fa-ad70-dd61cb64812c/) **URL** **IP** **Port** hxxp://sufflari[.]online/increase[.]php 188.225.82.216 80 hxxp://188.225.82.216/inspection[.]php 188.225.82.216 80 http://sufflari%5B.%5Donline/increase%5B.%5Dphp 188.225.82.216 80 [http://188.225.82.216/inspection%5B.%5Dphp](http://188.225.82.216/inspection%5B.%5Dphp) 188.225.82.216 80 _Table -4- Sample Two Connections_ This malware sample is a wrapper and dropper to a PE executable (printdrive.exe) that runs as process in victim machine. However, this analysis focus more on the code and interesting indicators. Using either oledump.py or olevba.py tools in a Remnux machine is a good way to identify VBA streams and extract macros. On this sample it’s clear the macro been detected at the 8th stream. Figure -8- Oledump streams detected The extracted macro seems to be decoded and almost every line and function has been obfuscated. With the help of olevba.py summary table, detection of base64 encoding is helpful. ----- Figure -9- Olevba summary The use of Document_Close function in this macro VBA is interesting. According to Microsoft [documentation [6] the event only happen after closing the open document.](https://docs.microsoft.com/en-us/office/vba/api/word.document.close(even)) ----- Figure -10 Document_Close Event Even after decoding the code, there’s still heavy usage of swap functions, but at least the important parts are in clear text as in below IOC snaps. After closing the document, the below lines are executed and (PirntDrive.exe) is up and running in the process. Figure -11- Host-Base IOCs ----- Figure -12- Network-Based IOCs Couple of registry values been altered during runtime. however, the spotted hardcoded ones [are as below and more with the same sample/registry section [7] as persistent mechanism.](https://any.run/report/13b780800c94410b3d68060030b5ff62e9a320a71c02963603ae65abbf150d36/26e685f3-9a76-45fa-ad70-dd61cb64812c#registry) _HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\PrintSoftware_ _HKEY_CURRENT_USER\Software\Microsoft\Office\ & Application.Version &_ __”\Word\Security\_ Compared to the rest of the dot file, the ‘Macros/VBA/ThisDocument‘ file is relatively small. Just in case to avoid missing any other hidden data back to Figure -8- above. Let’s try make use of pcodedmp.py tool and extracting a possible hidden p-code. There aren’t any hidden, just the fact that the 5th stream ‘Data’ that appears to be the image file in the template embedded in this section. What get the attention in the also is this little overhead as referral to image content. ----- Figure -13- Embedded Image file **Credits** [Shadow Chaser Group for discovering both samples](https://twitter.com/ShadowChasing1) **Update (27 Jan 2021)** [Contribution work from Nicko on](https://twitter.com/NinjaOperator) [Github](https://github.com/NinjaOperator/Indicators-with-some-juice/blob/main/Gamaredon) **References** [[1] Shadow Chaser Group, https://twitter.com/ShadowChasing1](https://twitter.com/ShadowChasing1) [2] AnyRun – Sample One, https://app.any.run/tasks/17575220-f087-4baa-bc963d9bdb0f10ed/ [3] VirusTotal – Template Injection Malware Sample, https://www.virustotal.com/gui/file/499caf4558ca05440875a94d5e06663cc637f9c6acdaa7c1 a89f889a025837f3/behavior [[4] Gamaredon Group by Mitre Att&ck definition, https://attack.mitre.org/groups/G0047/](https://attack.mitre.org/groups/G0047/) [5] AnyRun – Sample Two, https://app.any.run/tasks/26e685f3-9a76-45fa-ad70dd61cb64812c/ ----- [6] Microsoft documentation, https://docs.microsoft.com/enus/office/vba/api/word.document.close(even) [7] AnyRun – Sample Two Registry Values, https://any.run/report/13b780800c94410b3d68060030b5ff62e9a320a71c02963603ae65abbf 150d36/26e685f3-9a76-45fa-ad70-dd61cb64812c#registry -----