SSEへのジャーニーを加速します。 RSAでNetskopeブースにお越しください

  • セキュリティサービスエッジ製品

    高度なクラウド対応の脅威から保護し、あらゆるベクトルにわたってデータを保護します。

  • Borderless SD-WAN

    すべてのリモートユーザー、デバイス、サイト、クラウドへの安全で高性能なアクセスを自信を持って提供します。

  • プラットフォーム

    世界最大のセキュリティプライベートクラウドでの比類のない可視性とリアルタイムデータおよび脅威保護。

ネットスコープ、2022年Gartner社のセキュリティ・サービス・エッジ(SSE)のマジック・クアドラントでリーダーの1社と位置付けられる

レポートを読む 製品概要に移動
Netskope Gartner マジック・クアドラント 2022 SSEリーダー
Gartner® Quick Answer:NetskopeのInfiot買収はSD-WAN、SASE、SSEプロジェクトにどのような影響を与えますか?

レポートを読む
Gartner quick answer
Netskope は、データと脅威の保護、および安全なプライベートアクセスを実現するための機能を統合した、最新のクラウドセキュリティスタックを提供します。

プラットフォームを探索する
大都市の俯瞰図
  • 変身

    デジタルトランスフォーメーションを保護します。

  • セキュリティの近代化

    今日と明日のセキュリティの課題に対応します。

  • フレームワーク

    サイバーセキュリティを形作る規制の枠組みを採用する。

  • 業界ソリューション

    Netskopeは、クラウドに安全に移行するためのプロセスを世界最大規模の企業に提供しています。

最小の遅延と高い信頼性を備えた、市場をリードするクラウドセキュリティサービスに移行します。

詳しくはこちら
Lighted highway through mountainside switchbacks
シングルパスSSEフレームワークを使用して、他のセキュリティソリューションを回避することが多い脅威を防止します。

詳しくはこちら
Lighting storm over metropolitan area
SSEおよびSASE展開のためのゼロトラストソリューション

詳しくはこちら
Boat driving through open sea
Netskopeは、クラウドサービス、アプリ、パブリッククラウドインフラストラクチャを採用するための安全でクラウドスマートかつ迅速な旅を可能にします。

詳しくはこちら
Wind turbines along cliffside
  • 導入企業

    Netskopeは、フォーチュン100の25以上を含む世界中の2,000以上の顧客にサービスを提供しています。

  • カスタマーソリューション

    お客様のため、Netskopeでお客様の成功を確実にすべく、あらゆるステップを共に歩んでまいります。

  • トレーニングと認定

    Netskope training will help you become a cloud security expert.

私たちは、お客様が何にでも備えることができるように支援します

お客様を見る
Woman smiling with glasses looking out window
Netskopeの有能で経験豊富なプロフェッショナルサービスチームは、実装を成功させるための規範的なアプローチを提供します。

詳しくはこちら
Netskopeプロフェッショナルサービス
Netskopeトレーニングで、デジタルトランスフォーメーションの旅を保護し、クラウド、ウェブ、プライベートアプリケーションを最大限に活用してください。

詳しくはこちら
Group of young professionals working
  • リソース

    クラウドへ安全に移行する上でNetskopeがどのように役立つかについての詳細は、以下をご覧ください。

  • ブログ

    Netskopeがセキュリティサービスエッジ(SSE)を通じてセキュリティとネットワークの変革を可能にする方法を学びましょう。

  • イベント&ワークショップ

    最新のセキュリティトレンドを先取りし、仲間とつながりましょう。

  • 定義されたセキュリティ

    サイバーセキュリティ百科事典で知っておくべきことすべて。

セキュリティビジョナリーポッドキャスト

エピソード 10: 透明性によるセキュリティ関係の構築
In this episode, Mike and Andreas discuss aligning with works councils, forging business relationships through transparency, and embedding security into value streams.

ポッドキャストを再生する
Building Security Relationships Through Transparency
Netskopeがセキュリティサービスエッジ(SSE)機能を介してゼロトラストおよびSASEジャーニーを実現する方法に関する最新情報をお読みください。

ブログを読む
Sunrise and cloudy sky
RSAのネツコペ

今年のRSAカンファレンスでNetskopeブースにお越しいただき、SASEとゼロトラストに関するお話をお聞きください。サウスホールのブースにお立ち寄りいただき、エキスパートとの情報交換や、講演セッションへの登録など、ぜひイベントにご参加ください!

詳しくはこちら
RSA logo
セキュリティサービスエッジとは何ですか?

SASEのセキュリティ面、ネットワークとクラウドでの保護の未来を探ります。

詳しくはこちら
Four-way roundabout
  • 会社概要

    クラウド、データ、ネットワークセキュリティの課題の先取りをサポート

  • ネットスコープが選ばれる理由

    クラウドの変革とどこからでも機能することで、セキュリティの機能方法が変わりました。

  • リーダーシップ

    ネットスコープの経営陣はお客様を成功に導くために全力を尽くしています。

  • パートナー

    私たちはセキュリティリーダーと提携して、クラウドへの旅を保護します。

Netskopeは仕事の未来を可能にします。

詳しくはこちら
Curvy road through wooded area
Netskopeは、組織がゼロトラストの原則を適用してデータを保護できるように、クラウド、データ、およびネットワークのセキュリティを再定義しています。

詳しくはこちら
Switchback road atop a cliffside
思想家、建築家、夢想家、革新者。 一緒に、私たちはお客様がデータと人々を保護するのを助けるために最先端のクラウドセキュリティソリューションを提供します。

当社のチーム紹介
Group of hikers scaling a snowy mountain
Netskopeのパートナー中心の市場開拓戦略により、パートナーは企業のセキュリティを変革しながら、成長と収益性を最大化できます。

詳しくはこちら
Group of diverse young professionals smiling

Abusing Microsoft Office Using Malicious Web Archive Files

Jan 12 2022

Summary

In November of 2021, we described several techniques used by attackers to deliver malware through infected Microsoft Office files. In addition to exploits like  CVE-2021-40444, these infected documents frequently abuse VBA (Visual Basic for Applications) to execute their techniques, regardless of the final payload. Attackers also often use extra layers of protection to evade signature-based detections, like constructing PowerShell scripts and WMI namespaces at runtime, as done by Emotet. In addition to code obfuscation, attackers use other techniques to evade detection like non-standard file types in Microsoft Word.

Netskope Threat Labs is currently tracking a malicious campaign that uses Web Page Archive files (“.mht” or “.mhtml”) to deliver infected documents, which eventually deploys a backdoor that uses Glitch for C2 communication. This is effective because Microsoft Word is able to open the document in “.mht” format, even using the “.doc” extension.

The usage of Web Archive files to deliver infected documents was previously seen and linked to APT32 (a.k.a. Ocean Lotus and Cobalt Kitty), a cyber espionage group known for targeting governments and journalists. Furthermore, a similar backdoor used in this campaign was spotted in August 2021 and also linked to this same threat group.

In this blog post, we will show details about how this threat campaign works.

Stage 01 – RAR Files

The attack chain starts with a RAR file that contains the infected Web Archive, probably delivered through phishing campaigns. We have spotted some of the files in VirusTotal with a low detection rate, between 7 and 10 engines.

Example of RAR files related to this malicious campaign.
RAR files related to this malicious campaign.

The MHT file compressed in the RAR is quite large, between 35 and 63 MB, containing the infected Word document as well as other files used throughout the attack.

Screenshot. Web Archive file that is opened by Microsoft Word
Web Archive file that is opened by Microsoft Word.

Furthermore, we also found the “Zone.Identifier” file within the RAR, which is a common ADS (Alternate Data Stream) used to store metadata about the original file.

Screenshot of Zone.Identifier ADS within the RAR file.
Zone.Identifier ADS within the RAR file.

Modern browsers may include additional information about the downloaded object in this ADS, such as the source URL and the ZoneID, which defines the security zone based on where the file was downloaded from. 

Microsoft Word won’t open the Web Archive file if the ZoneID is 3 or 4, as this indicates that the file came from untrustworthy sources. It’s unclear if the attackers created this ADS on purpose, but the “ZoneId=2” bypasses the Office protection by making it look as if it came from a trusted site.

We can test this by changing the ZoneId to a higher number, which prevents the file from being opened.

Screenshot showing Web Archive error when ZoneId is higher than 2.
Web Archive error when ZoneId is higher than 2.

Stage 02 – Infected Word File

As previously mentioned, Microsoft Word is able to handle Web Archives, and as soon as the victim opens the file, the infected document within the Web Archive is opened, luring the user to click on the “Enable Content” button to execute the malicious code. Analysis tools such as olevba and oledump are able to parse “.mht” and “.mhtml” files, however, we were not able to extract the code from these malicious files using these tools.

Screenshot of fake message asking the victim to enable the file’s content.
Fake message asking the victim to enable the file’s content.

The attackers also protected the VBA project with a password, likely to delay analysis.

Example of VBA project protected by password.
VBA project protected by password.

Once the protection is removed, we can observe a large and obfuscated VBA macro code.

Screenshot of Malicious VBA code within the document.
Malicious VBA code within the document.

We created a script to decode all the strings in this VBA code, which revealed some file names and paths.

Example of some VBA decoded strings.
Some VBA decoded strings.

After some minor deobfuscation and analysis of the VBA code, we can tell that the script:

  1. Drops the payload to “C:\ProgramData\Microsoft\User Account Pictures\guest.bmp“;
  2. Copies the payload to “C:\ProgramData\Microsoft Outlook Sync\guest.bmp“;
  3. Creates and display a decoy document named “Document.doc“;
  4. Rename the payload from “guest.bmp” to “background.dll“;
  5. Executes the DLL by calling either “SaveProfile” or “OpenProfile” export functions.

The final payload lies within the Web Archive, and the attackers removed the magic number and the MS-DOS stub message, likely to avoid detection. When the VBA code drops the DLL in the disk, it replaces the two bytes at the beginning of the file.

Screenshot of VBA fixing DLL’s magic number.
VBA fixing DLL’s magic number.

After executing the payload, the VBA code deletes the original Word file and opens the decoy document.

Example of decoy file created by the malicious VBA code.
Decoy file created by the malicious VBA code.

Stage 03 – DLL Backdoor

The payload is a 64-bit DLL named “background.dll”, which is executed every 10 minutes through a scheduled task named “Winrar Update”.

Example of backdoor persistence technique.
Backdoor persistence technique.

The DLL is quite large (between 20 and 32 MB) and it’s packed. The malicious entry point is located in the DLL exported function named either SaveProfile or OpenProfile. As soon as it’s running, the payload is unpacked and injected into another process.

Example of DLL unpacking and injecting payload.
DLL unpacking and injecting payload.

The API “CreateProcessW” is used to create a “rundll32.exe” process that runs indefinitely, by calling the “Sleep” function from “kernel32.dll”. Using Windows native binaries (LoLBins) for malicious activities is a common technique to stay under the radar, as previously mentioned in our blog post.

Screenshot of Process injection technique.
Process injection technique.

Looking closely at the function we named “mw_inject_payload”, it’s possible to observe calls to “VirtualAllocEx”, used to allocate memory in the new process, and “WriteProcessMemory”, used to write the payload in the allocated space.

Once the unpacked payload is running, it starts by collecting information about the environment, such as the network adapter information, username, computer name, etc.

Screenshot of backdoor collecting environment information.
Backdoor collecting environment information.

Furthermore, the backdoor also enumerates all system’s directories and files and collects information about running processes.

Example of backdoor collecting information about directories, files, and processes.
Backdoor collecting information about directories, files, and processes.

Once the data is collected, the malware compiles everything in a single location and encrypts the content before sending it to the C2 server.

Example of encrypting data before C2 communication.
Encrypting data before C2 communication.

Finally, the data is sent to a C2 server hosted on Glitch, which is a cloud service that provides tools for collaborative web development.

Screenshot of Backdoor C2 communication.
Backdoor C2 communication.

We have reported all the malicious URLs we found in this campaign to Glitch’s abuse team, which took immediate action to bring them down.

Conclusion

Attackers will opt to use all available tools and techniques to minimize the chances of detection, like in the case we just analyzed, where the usage of Web Archive files to deliver infected documents minimizes the chances of signature-based detection. Also, by using a cloud service for C2 communication, attackers increase their chances to stay under the radar.

Protection

Netskope Threat Labs is actively monitoring this campaign and has ensured coverage for all known threat indicators and payloads. 

  • Netskope Threat Protection
    • Win32.Trojan.MHTGlitch
  • Netskope Advanced Threat Protection provides proactive coverage against this threat.
    • Gen.Malware.Detect.By.StHeur indicates a sample that was detected using static analysis
    • Gen.Malware.Detect.By.Sandbox indicates a sample that was detected by our cloud sandbox

IOCs

A full list of IOCs, a Yara rule, and the script used in this analysis are all available in our Git repo.

author image
Gustavo Palazolo
Gustavo Palazolo is an expert in malware analysis, reverse engineering and security research, working many years in projects related to electronic fraud protection. He is currently working on the Netskope Research Team, discovering and analyzing new malware threats.