Macro Malware Again
2018-12-23 (2019-02-02) Mat
In this post I’ll describe an approach for leveraging Excel to dump dynamically created shellcode from a macro.
I’m always looking for new challenges that our team can solve in slow times. During my research I stumbled upon a nice sample in @0xffff0800’s malware archive (find the current link to the archive at 0day.coffee0). The sample itself was not that complex, but getting the potential shellcode out required a technique I had never used before. So let’s cut to the chase.
The sample is a Word document with a macro. According to the 0xffff0800 directory structure it comes from the Lazarus group’s tool chest (Wikipedia). The THOR APT scanner by BSK Consulting supports that assumption, as it flags the document with the YARA rule “APT_MalDoc_SharpShooter_Lazarus_Campaign_Dec18_1”.
Filename: Strategic%20Planning%20Manager.doc
MD5: a82cdb9f5bffcb24708e66eb52cce2af
VT Score (2018-12-23): 39/58
Attribution: Lazarus Group (APT38)
The first step when dealing with potentially malicious documents is, for me, always using Didier Stevens’ …
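The intro announces the approach of using Excel to dump shellcode that a macro builds at runtime. The sample’s own VBA is not reproduced on this page, so the following is an added example (not the author’s code and not the Lazarus sample) of the generic technique: a byte array that is decoded in memory gets written to disk with VBA’s binary file I/O instead of being passed on to whatever the original macro would do with it. The XOR decode loop, the key 0x41, the encoded bytes and the output path under %TEMP% are all constructed placeholders; a real sample would have its own decoding routine, and you would paste a dump routine like this into a separate module and call it instead of the sample’s original entry point.

```vba
' Added example: write a byte array built at runtime to a file.
' The decode loop is a stand-in for whatever the sample does; the
' bytes below are constructed and are NOT real shellcode.
Option Explicit

Private Function BuildPayload() As Byte()
    ' Constructed input: a few XOR-encoded bytes (assumed key 0x41).
    Dim encoded As Variant
    encoded = Array(&H56, &H25, &H36, &H15, &H11, &H2A)
    Dim key As Byte: key = &H41

    Dim out() As Byte
    ReDim out(0 To UBound(encoded))
    Dim i As Long
    For i = 0 To UBound(encoded)
        ' Decode in memory exactly as a dropper would, but never execute it.
        out(i) = encoded(i) Xor key
    Next i
    BuildPayload = out
End Function

Public Sub DumpPayload()
    Dim buf() As Byte
    buf = BuildPayload()

    ' Assumed output location; adjust to your analysis VM's layout.
    Dim path As String
    path = Environ("TEMP") & "\shellcode.bin"

    Dim fh As Integer: fh = FreeFile
    Open path For Binary Access Write As #fh
    Put #fh, , buf      ' raw bytes, no header, no length prefix
    Close #fh

    MsgBox "Wrote " & (UBound(buf) + 1) & " bytes to " & path
End Sub
```

Run this only inside an isolated analysis VM with macros enabled for that one document, and make sure the sample’s original Auto_Open/Document_Open style entry points stay disabled so that only the dump routine executes. The resulting .bin can then be handed to a shellcode emulator or disassembler.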
IoC
MD5: a82cdb9f5bffcb24708e66eb52cce2af