Joe Security's Blog
Malicious Documents: The Evolution of country-aware VBA Macros
Published on: 05.03.2019
Today's malware is often delivered via e-mail attachments. Such documents usually contain a VBA macro or utilize the office equation editor exploit (CVE-2017-11882 or CVE-2018-0802). If it is a VBA macro, likely an encrypted PowerShell command is executed.
Lately, we have seen an increase of evasive VBA macros in Excel sheets. We have monitored new samples of the same group over a period of four months and analyzed how the macros changed over time.
This blog post will outline some of our findings.
Initial Sample
Let us have a look at an early version from December 2018, MD5: 2c2545df2bbcd506bd09641ec97ca5ae. The sheet obviously targets Japanese users:
The macro code is triggered once the workbook is opened:
The evasion check is directly performed in the Workbook_Open function:
Application.International(xlCountrySetting) returns the Country/Region version of Microsoft Excel. Here is an incomplete list of version numbers:
' Application.International(xlCountryCode) = ' 'Arabic 966 (Saudi Arabia) 'Czech 42 (Czech Republic) 'Danish 45 (Denmark) 'Dutch 31 (The Netherlands) 'English 1 (The United States of America) 'Farsi 98 (Iran) 'Finnish 358 (Finland) 'French 33 (France) 'German 49 (Germany) 'Greek 30 (Greece) 'Hebrew 972 (Israel) 'Hungarian 36 (Hungary) 'Indian 91 (India) 'Italian 39 (Italy) 'Japanese 81 (Japan) 'Korean 82 (Korea) 'Norwegian 47 (Norway) 'Polish 48 (Poland) 'Portuguese (Brazil) 55 (Brazil) 'Portuguese 351 (Portugal) 'Russian 7 (Russian Federation) 'Simplified Chinese 86 (People's Republic of China) 'Spanish 34 (Spain) 'Swedish 46 (Sweden) 'Thai 66 (Thailand) 'Traditional Chinese 886 (Taiwan) 'Turkish 90 (Turkey) 'Urdu 92 (Pakistan) 'Vietnamese 84 (Vietnam)
81 stands for Japan. This small code ensures that only Japanese computers are affected. In addition, the code prevents sandbox and dynamic malware analysis systems from analyzing the payload which usually runs on computers with US or Western European environments.
Version 2.0
A month later we detected a new variant MD5: d71eaf0ad33a749b8fe3fb8dff56a474. This time the check was split into functions:
The country code is being used by the functions kille and congamerat. Simply changing digitt would not do the job anymore:
Version 3.0
A couple of days later we found a new variant MD5: 894f2f2b7489052f9fe258f0ea70be6d. This time the Boolean check had been made more complicated:
The check includes arithmetic calculation. In addition, it uses built-in Excel constants such as xlTickLabelPositionHigh. The expression to query the country code is split into two statements:
While most of the sheets we found target Japanese users, we also found some which target Italian users (MD5 d0c862c57819f417b852cb1cd308ffa2 and d0c862c57819f417b852cb1cd308ffa2):
Version 4.0
Some days ago we found another variant, MD5: aacb83294ca96f6713da83363ffd9804. There are multiple changes. First of all, Workbook_Open is no longer used but rather Frame1_Layout:
Frame_Layout is triggered whenever Excel redraws the workbook. The country code check has not changed, it uses calculation and built-in constants:
What is more interesting is the second country check: Function tuff creates a currency format. E.g. for US dollar it creates $0.00. For Japan, it would create 0¥.
The size of the currency format is then later used to decrypt and deobfuscate the command line string passed to Shell:
Fighting country-aware Malware
As this blog demonstrates, attackers constantly improve their code base to make the detection more difficult.
Joe Sandbox has an array of different technologies to fight country aware samples. Generic VBA Instrumentation and Cookbooks are just two of them. Below is the full analysis of the latest version:
Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!
Bonus:
