1 of 8 03/22/2015 07:49 PM

uploaded again to VirusTotal, again from Israel. This time it was detected as malicious only by Kaspersky, as Trojan-Dropper.MSExcel.Agent.ce.

# Infection

Upon opening the file a message is displayed, saying:

“Due to security considerations I consciously hid the Informations. It will be visible for you by enabling content above.”

[1]

This is a social engineering tactic meant to lure the victim into enabling macro content. If the victim enables it, the message disappears and the following content is presented (it is possible that the unreadable characters in the screenshot below are the result of an encoding error in our lab environment, and that the victim would see different, readable content).

# Technical Analysis

Analysis of the macro code reveals the following structure. In order to evade protection measures such as antivirus and intrusion detection systems, ASCII character codes are used instead of the actual characters. Within each function, the ASCII codes are converted to characters and concatenated into a single string variable. Tens of these functions are then concatenated, producing a single PE file.

[2] [3]

Finally, the file is saved as NTUSER.data.{GUIDE}.dll (MD5: 48573a150562c57742230583456b4c02) and ShellExecute is used to run it through cmd.exe /C and rundll32, in order to hide the process. The DLL is obfuscated and includes various mechanisms to hide from debuggers such as OllyDbg and IDA and from sandbox software such as Cuckoo and Anubis. Analyzing the file, we found an interesting entry point called gholee.
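As an added example (not code from the ClearSky report and not the macro itself), the following Python reconstructs a payload built the way described above without running the macro: it locates every `Function`, decodes its `Chr(n)` sequence in source order, finds the statement that joins the functions, and checks the result for an MZ/PE header. Because the real macro is not reproduced here, the block also contains a small obfuscator that generates VBA in that style from a constructed 68-byte stand-in for the PE; the regexes, the function names and the sample are assumptions made for this example.

```python
import re

# Regexes for the macro structure described in the report (assumptions for this example).
FUNC_RE = re.compile(r"Function\s+(\w+)\s*\([^)]*\)[^\n]*\n(.*?)End Function", re.S | re.I)
CHR_RE = re.compile(r"\bChr[BW]?\s*\(\s*(\d+)\s*\)", re.I)
CALL_RE = re.compile(r"\b(\w+)\s*\(\s*\)")   # zero-argument call such as part3()


def minimal_pe_stub():
    """Constructed 68-byte stand-in for a PE image: an MZ header whose e_lfanew
    field (offset 0x3C) points at a 'PE\\0\\0' signature. It is not executable."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\0\0"


def obfuscate_as_vba(blob, chunk_size=16):
    """Emit VBA in the style the report describes: one Function per chunk that
    builds its piece from Chr(n) calls, plus a routine that joins all pieces."""
    lines, names = [], []
    for i in range(0, len(blob), chunk_size):
        name = f"part{i // chunk_size}"
        names.append(name)
        body = " & ".join(f"Chr({b})" for b in blob[i:i + chunk_size])
        lines += [f"Function {name}() As String", f"    {name} = {body}", "End Function", ""]
    lines += ["Sub Build()",
              "    Dim blob As String",
              "    blob = " + " & ".join(f"{n}()" for n in names),
              "    ' the real macro writes blob to disk and launches it via ShellExecute",
              "End Sub"]
    return "\n".join(lines)


def extract_chunks(vba):
    """Map each Function name to the bytes its Chr() calls produce, in source order."""
    return {m.group(1): bytes(int(n) & 0xFF for n in CHR_RE.findall(m.group(2)))
            for m in FUNC_RE.finditer(vba)}


def assembly_order(vba, chunks):
    """Find the statement that concatenates the chunk functions ('x = a() & b() & ...')
    and return the function names in the order they are joined."""
    best = []
    for line in vba.splitlines():
        if "&" not in line:
            continue
        names = [n for n in CALL_RE.findall(line) if n in chunks]
        if len(names) > len(best):
            best = names
    return best or list(chunks)   # fall back to definition order


def rebuild_payload(vba):
    """Statically reassemble the dropped file without executing the macro."""
    chunks = extract_chunks(vba)
    return b"".join(chunks[n] for n in assembly_order(vba, chunks))


def looks_like_pe(blob):
    """Cheap sanity check that the reassembled bytes carry a PE header."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


if __name__ == "__main__":
    sample = obfuscate_as_vba(minimal_pe_stub())
    recovered = rebuild_payload(sample)
    print(len(sample.splitlines()), "lines of VBA ->", len(recovered), "bytes; PE header:", looks_like_pe(recovered))
```

The order recovery matters: the functions need not be defined in the order they are joined, so the joining statement, not the definition order, decides the byte sequence. Run it on a real dump by passing the exported module text to `rebuild_payload` and writing the result to a file for hashing and further analysis.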
[4] [5]

A quick Facebook search for that name together with “Iran” shows that Gholee is a popular Iranian singer:

[6]

## Communication

When run, the DLL communicates with a Kuwait-based IP address, 83.170.33.60, owned by the German company iABG Mbh, which provides satellite communication services.

[7]

The malware opens an SSL connection over port 443 using a digital certificate that expired in 2010. The certificate was issued to the security company Core Security, the creators of the offensive suite Core Impact, for the address *coreimpactagent.net.

[8] [9]

It was issued by the Thawte certificate authority.

[10]

[11]

Certificate fingerprint MD5: 9C 80 C2 47 40 6D 6C ED FC E0 08 AE EF D9 98 90

Using a proxy and SSL stripping, the following communication pattern over HTTP can be seen:

GET /index.php?c=Ud7atknq&r=17117d HTTP/1.1
POST /index.php?c=Ud7atknq&r=1710b2 HTTP/1.1

# Related incidents

Searching for specific strings from the malicious file, we found another file that we believe is related to this campaign. The file name is “svchost 67.exe” (MD5: 916be1b609ed3dc80e5039a1d8102e82) and it was uploaded to VirusTotal [5] on 2 June 2014, more than two months before “Operation Protective Edge.xlsb”. It was uploaded twice from Latvia, potentially to test the malware’s detection rate. “svchost 67.exe” communicated with 83.170.33.37, which is in the same /26 netblock (83.170.33.0/26) as 83.170.33.60, the address contacted by “Operation Protective Edge.xlsb”.

YARA rule (the rule name and the enclosing rule block were lost in extraction and are supplied here; the meta, strings and condition are as published):

```yara
// rule name supplied here; it is not present in the extracted text
rule gholee_rat
{
    meta:
        maltype = "Remote Access Trojan"
        filetype = "dll"
    strings:
        $a = "sandbox_avg10_vc9_SP1_2011"
        $b = "gholee"
    condition:
        all of them
}
```

1. http://www.clearskysec.com/wp-content/uploads/2014/09/2.png
2. http://www.clearskysec.com/wp-content/uploads/2014/09/5.png
3. http://www.clearskysec.com/wp-content/uploads/2014/09/5.png
4. http://www.clearskysec.com/wp-content/uploads/2014/09/6.png
5. http://www.clearskysec.com/wp-content/uploads/2014/09/6.png
6. http://www.clearskysec.com/wp-content/uploads/2014/09/1.png
7. http://www.clearskysec.com/wp-content/uploads/2014/09/7.png
8. http://www.clearskysec.com/wp-content/uploads/2014/09/8.png
9. http://www.clearskysec.com/wp-content/uploads/2014/09/8.png
10. http://www.clearskysec.com/wp-content/uploads/2014/09/9.png
11. http://www.clearskysec.com/wp-content/uploads/2014/09/9.png
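The network indicators in the Communication and Related incidents sections above (the 83.170.33.0/26 netblock shared by both samples, the `/index.php?c=...&r=...` beacon shape seen through the stripping proxy, and the expired Core Impact certificate with the MD5 fingerprint listed) can be turned into a log hunt. The following Python is an added example, not code from the report: it runs those checks over constructed proxy and TLS log lines embedded in the block. The log formats, the non-C2 addresses and the second and third certificate lines are assumptions made for the example; the C2 addresses, URL shape, certificate subject and fingerprint are the report's.

```python
import ipaddress
import re
from datetime import datetime

# Indicators from the report.
C2_NETBLOCK = ipaddress.ip_network("83.170.33.0/26")    # holds both 83.170.33.60 and .37
CERT_MD5 = "9c80c247406d6cedfce008aeefd99890"           # fingerprint of the expired Core Impact cert
CERT_SUBJECT_HINT = "coreimpactagent.net"
# Beacon shape seen via the stripping proxy: /index.php?c=<token>&r=<hex>
BEACON_RE = re.compile(r"^/index\.php\?c=[A-Za-z0-9]+&r=[0-9a-f]+$")

# Constructed proxy log (assumed format): ts client server method path
HTTP_LOG = """\
2014-08-10T11:02:01 10.0.0.5 83.170.33.60 GET /index.php?c=Ud7atknq&r=17117d
2014-08-10T11:02:05 10.0.0.5 83.170.33.60 POST /index.php?c=Ud7atknq&r=1710b2
2014-08-10T11:03:10 10.0.0.7 93.184.216.34 GET /index.php?page=about
2014-08-10T11:04:22 10.0.0.9 83.170.33.37 POST /index.php?c=Zq91kLmn&r=0a3f41
2014-08-10T11:05:00 10.0.0.7 198.51.100.8 GET /index.php?c=abc&r=zz
"""

# Constructed TLS log (assumed format): ts client server port subject_cn not_after md5_fingerprint
TLS_LOG = """\
2014-08-10T11:02:00 10.0.0.5 83.170.33.60 443 *.coreimpactagent.net 2010-05-14 9C:80:C2:47:40:6D:6C:ED:FC:E0:08:AE:EF:D9:98:90
2014-08-10T11:06:00 10.0.0.7 198.51.100.8 443 www.example.com 2016-03-01 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
2014-08-10T11:07:00 10.0.0.8 198.51.100.9 443 legacy.example.net 2013-01-01 FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
"""


def check_http(line):
    """Return the reasons (possibly none) an HTTP log line matches the gholee C2 pattern."""
    ts, client, server, method, path = line.split()
    reasons = []
    if ipaddress.ip_address(server) in C2_NETBLOCK:
        reasons.append("dst in gholee C2 netblock")
    if BEACON_RE.match(path):
        reasons.append("gholee beacon URL shape")
    return reasons


def check_tls(line):
    """Return the reasons a TLS log line matches the certificate indicators."""
    ts, client, server, port, cn, not_after, fp = line.split()
    reasons = []
    if fp.replace(":", "").lower() == CERT_MD5:
        reasons.append("known gholee certificate fingerprint")
    if cn.endswith(CERT_SUBJECT_HINT):
        reasons.append("Core Impact agent certificate subject")
    # A certificate that was already expired when the connection was made is suspicious on its own.
    if datetime.fromisoformat(not_after) < datetime.fromisoformat(ts):
        reasons.append("certificate expired at time of connection")
    return reasons


def hunt(log_text, check):
    """Apply a check to every non-empty line; return (line, reasons) for the lines that hit."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reasons = check(line)
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in hunt(HTTP_LOG, check_http) + hunt(TLS_LOG, check_tls):
        print(line.split()[2], "->", "; ".join(reasons))
```

The fifth HTTP line shows why the `r=` value is constrained to hex: a generic `c=`/`r=` query on a benign host should not fire. The expiry check is deliberately independent of the fingerprint so that a re-used or re-issued certificate still surfaces, as the third TLS line does.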