Mailing List Archive

Email Phishing and Zloader: Such a Disappointment
Reference: My reply to KAM's post: "Looking for a sample of the
Microsoft zero day print nightmare"

<RANT>
To continue my rant about the disconnect with the Security community,
this ThreatPost article pops up on my Google feed "Microsoft Office
Users Warned on New Malware-Protection Bypass".  I think not. A typical
Microsoft Office user is "Joe Average", and good ol' Joe can't tell a
ThreatPost from a Fencepost.  But five paragraphs down, this caught my
eye: "The initial attack vector is inbox-based phishing messages with
Word document attachments that contain no malicious code."  Now we're
talking.  Golly, maybe I can help!  So, I read on...

Just a whole lot of uselessness for a Mail Admin:  Unknown file
attachment name, Unknown From Name/Email Address, Unknown IP address,
Unknown message Subject, Unknown message strings, etc.  You can read the
post here:
https://threatpost.com/microsoft-office-malware-protection-bypass/167652/

ThreatPost is the media arm of McAfee (mostly), and within the article
is a link to an article by a couple of McAfee researchers, found here:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/

The article goes to great lengths to explain that the observed
infections are mostly in the US and Canada.  The Word document (without
macros) loads an external encrypted Excel file and through the power of
DDE, writes VBA macros into the Excel file, and then disables Macro
Warnings in the computer's registry.  The coup de grâce is the download
and execution of ZLoader.  Then it's game over for "Joe Average".

Of course, there's a lot of excitement over the technical wizardry
therein; Word document analysis, VBA Code analysis, Excel Cell
Structures, and the like.  But again, it is totally useless for Mail
Admins, who ultimately are in the best position to mitigate the
widespread distribution of this infection.  Great researchers they may
be, but useful communicators they are NOT.

Both articles conclude with the statement "We suggest it is safe to
enable them (macros) only when the document received is from a trusted
source".  I really don't understand that comment since the entire unique
nature of the exploit is to disable the macro warnings entirely.  It
sure sounds like Emotet 2.0 in the making.  So Anti-Virus/Malware
companies will hype up their products, Phishing companies create new
courses, and Firewall companies start blocking "11.php and 22.php's" and
all kinds of "heavenlygems".  Everybody wants to sell a cure, but
mitigation be damned.

Maybe some 400-pound anti-spam nut in New Jersey would've stopped the
whole thing.  We'll never know.  We anti-spam folks are forced to sit on
the bench, waiting for another billion dollars in damages.
</RANT>

$0.02,

-- Jared Hall
Re: Email Phishing and Zloader: Such a Disappointment [ In reply to ]
--On Sunday, July 11, 2021 1:20 PM -0400 Jared Hall <jared@jaredsec.com>
wrote:

> The Word document (without macros) loads an external encrypted Excel file

It has macros. It tricks the user into enabling and running them by telling
him to enable the document for editing and enabling "content" (ie. macros).
Hiding macros from the user in this way (calling them "content") is a
terrible piece of UI.

> Both articles conclude with the statement "We suggest it is safe to
> enable them (macros) only when the document received is from a trusted
> source".  I really don't understand that comment since the entire unique
> nature of the exploit is to disable the macro warnings entirely. 

A forged From line means the average Joe will assume the source is trusted.

Another nice analysis, I think with better details, showing how this evades
the usual scanners:

<https://www.hornetsecurity.com/en/threat-research/zloader-email-campaign-using-mhtml-to-download-and-decrypt-xls/>

The Word document is assembled from MIME fragments so there's no extension
to block.
Re: Email Phishing and Zloader: Such a Disappointment [ In reply to ]
We use the olevbmacro detection added to SA. I would guess that's blocking
the payload.

On Sun, Jul 11, 2021, 15:00 Kenneth Porter <shiva@sewingwitch.com> wrote:

> --On Sunday, July 11, 2021 1:20 PM -0400 Jared Hall <jared@jaredsec.com>
> wrote:
>
> > The Word document (without macros) loads an external encrypted Excel file
>
> It has macros. It tricks the user into enabling and running them by
> telling
> him to enable the document for editing and enabling "content" (ie.
> macros).
> Hiding macros from the user in this way (calling them "content") is a
> terrible piece of UI.
>
> > Both articles conclude with the statement "We suggest it is safe to
> > enable them (macros) only when the document received is from a trusted
> > source". I really don't understand that comment since the entire unique
> > nature of the exploit is to disable the macro warnings entirely.
>
> A forged From line means the average Joe will assume the source is trusted.
>
> Another nice analysis, I think with better details, showing how this
> evades
> the usual scanners:
>
> <https://www.hornetsecurity.com/en/threat-research/zloader-email-campaign-using-mhtml-to-download-and-decrypt-xls/>
>
> The Word document is assembled from MIME fragments so there's no extension
> to block.
>
>
Re: Email Phishing and Zloader: Such a Disappointment [ In reply to ]
--On Sunday, July 11, 2021 4:55 PM -0400 "Kevin A. McGrail"
<kmcgrail@apache.org> wrote:

> We use the olevbmacro detection added to SA. I would guess that's
> blocking the payload.I would guess that's blocking the payload.

I see the plugin in the distribution but it doesn't appear to be loaded by
default and the rules in the plugin's man page don't appear in the
downloaded rules. So I guess I need to create a custom cf file.
Re: Email Phishing and Zloader: Such a Disappointment [ In reply to ]
On Sun, 11 Jul 2021, Kenneth Porter wrote:

> --On Sunday, July 11, 2021 1:20 PM -0400 Jared Hall <jared@jaredsec.com>
> wrote:
>
>> The Word document (without macros) loads an external encrypted Excel file
>
> It has macros. It tricks the user into enabling and running them by telling
> him to enable the document for editing and enabling "content" (ie. macros).
> Hiding macros from the user in this way (calling them "content") is a
> terrible piece of UI.
>
>> Both articles conclude with the statement "We suggest it is safe to
>> enable them (macros) only when the document received is from a trusted
>> source".  I really don't understand that comment since the entire unique
>> nature of the exploit is to disable the macro warnings entirely. 
>
> A forged From line means the average Joe will assume the source is trusted.
>
> Another nice analysis, I think with better details, showing how this evades
> the usual scanners:
>
> <https://www.hornetsecurity.com/en/threat-research/zloader-email-campaign-using-mhtml-to-download-and-decrypt-xls/>
>
> The Word document is assembled from MIME fragments so there's no extension to
> block.


"The other parts contain an application/vnd.ms-officetheme and an
application/x-mso file. Which (in addition to the text/xml files) are used
by Microsoft Word to load the embedded Word document."

Would the presence of all three of those MIME types be a scorable
indicator?


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
What the hell is an "Aluminum Falcon"?? -- Emperor Palpatine
-----------------------------------------------------------------------
9 days until the 52nd anniversary of Apollo 11 landing on the Moon
Re: Email Phishing and Zloader: Such a Disappointment [ In reply to ]
It's in the KAM ruleset if that helps.  Search "ifplugin
Mail::SpamAssassin::Plugin::OLEVBMacro" and you'll see the set of rules
we use.  Add the plugin to an appropriate pre file to activate it.

On 7/11/2021 4:35 PM, Kenneth Porter wrote:
> I see the plugin in the distribution but it doesn't appear to be
> loaded by default and the rules in the plugin's man page don't appear
> in the downloaded rules. So I guess I need to create a custom cf file.

--
Kevin A. McGrail
KMcGrail@Apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
Re: Email Phishing and Zloader: Such a Disappointment [ In reply to ]
On 7/11/2021 5:11 PM, John Hardin wrote:
> "The other parts contain an application/vnd.ms-officetheme and an
> application/x-mso file. Which (in addition to the text/xml files) are
> used by Microsoft Word to load the embedded Word document."
>
> Would the presence of all three of those MIME types be a scorable
> indicator?

If you can get me a spample, I'm sure I can tell you but in general we
block macros so that's all that's needed.  Likely the OLEVBMacro plugin
and KAM ruleset is blocking all of these already if you have the plugin
enabled.

Regards,

KAM

--
Kevin A. McGrail
KMcGrail@Apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
Re: Email Phishing and Zloader: Such a Disappointment [ In reply to ]
On Sun, 11 Jul 2021, Kevin A. McGrail wrote:

> On 7/11/2021 5:11 PM, John Hardin wrote:
>> "The other parts contain an application/vnd.ms-officetheme and an
>> application/x-mso file. Which (in addition to the text/xml files) are used
>> by Microsoft Word to load the embedded Word document."
>>
>> Would the presence of all three of those MIME types be a scorable
>> indicator?
>
> If you can get me a spample, I'm sure I can tell you but in general we block
> macros so that's all that's needed.  Likely the OLEVBMacro plugin and KAM
> ruleset is blocking all of these already if you have the plugin enabled.
>
> Regards,
>
> KAM

Aren't there already rules and heuristics in ClamAV for detecting VBmacros in
office docs?

I've got two copies of ClamAV running, one used as a blocking direct milter with
default rules and another one feeding into the SA "clamav.pm" plugin with extra
rules and heuristics/algorithms enabled.



--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: Email Phishing and Zloader: Such a Disappointment [ In reply to ]
On 12/07/2021 07:40, Dave Funk wrote:
> On Sun, 11 Jul 2021, Kevin A. McGrail wrote:
>
>> On 7/11/2021 5:11 PM, John Hardin wrote:
>>> "The other parts contain an application/vnd.ms-officetheme and an
>>> application/x-mso file. Which (in addition to the text/xml files)
>>> are used by Microsoft Word to load the embedded Word document."
>>>
>>> Would the presence of all three of those MIME types be a scorable
>>> indicator?
>>
>> If you can get me a spample, I'm sure I can tell you but in general
>> we block macros so that's all that's needed.  Likely the OLEVBMacro
>> plugin and KAM ruleset is blocking all of these already if you have
>> the plugin enabled.
>
> Aren't there already rules and heuristics in ClamAV for detecting
> VBmacros in office docs?
>
> I've got two copies of ClamAV running, one used as a blocking direct
> milter with default rules and another one feeding into the SA
> "clamav.pm" plugin with extra rules and heuristics/algorithms enabled.

I quarantine emails that are caught by ClamAV with 'ScanOLE2 true' and
'AlertOLE2Macros true'; these are then checked by command-line tool
mraptor (part of olevba) to see if the macros are truly malicious.

I will try the OLEVBMacro plugin alongside, thanks for the heads up.
Re: Email Phishing and Zloader: Such a Disappointment [ In reply to ]
>On Monday, July 12, 2021, 04:01:03 AM GMT+2, Kevin A. McGrail <kmcgrail@apache.org> wrote:
>If you can get me a spample, I'm sure I can tell you but in general we
>block macros so that's all that's needed.  Likely the OLEVBMacro plugin
>and KAM ruleset is blocking all of these already if you have the plugin
>enabled.


The initial email has no macro... they use an old MS feature where a
document marks itself as "incomplete" and tells the MS Office App where to
download the missing part, that contains the payload.
To my knowledge (very limited) only zipped versions of MS files can use
that feature. Within them, there are 2 data structures to check if you
want to find prizes...
-----Pedro.
Re: Email Phishing and Zloader: Such a Disappointment [ In reply to ]
>>>On 7/11/2021 5:11 PM, John Hardin wrote:
>>>>"The other parts contain an application/vnd.ms-officetheme and
>>>>an application/x-mso file. Which (in addition to the text/xml
>>>>files) are used by Microsoft Word to load the embedded Word
>>>>document."
>>>>
>>>>Would the presence of all three of those MIME types be a
>>>>scorable indicator?

>>On Sun, 11 Jul 2021, Kevin A. McGrail wrote:
>>>If you can get me a spample, I'm sure I can tell you but in
>>>general we block macros so that's all that's needed.  Likely the
>>>OLEVBMacro plugin and KAM ruleset is blocking all of these already
>>>if you have the plugin enabled.

>On 12/07/2021 07:40, Dave Funk wrote:
>>Aren't there already rules and heuristics in ClamAV for detecting
>>VBmacros in office docs?
>>
>>I've got two copies of ClamAV running, one used as a blocking direct
>>milter with default rules and another one feeding into the SA
>>"clamav.pm" plugin with extra rules and heuristics/algorithms
>>enabled.

On 12.07.21 08:51, Dominic Raferd wrote:
>I quarantine emails that are caught by ClamAV with 'ScanOLE2 true' and
>'AlertOLE2Macros true'; these are then checked by command-line tool
>mraptor (part of olevba) to see if the macros are truly malicious.
>
>I will try the OLEVBMacro plugin alongside, thanks for the heads up.

note that standard SA rules don't contain any rule using the OLEVBMacro
functions, but the KAM.cf do.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
REALITY.SYS corrupted. Press any key to reboot Universe.
Re: Email Phishing and Zloader: Such a Disappointment [ In reply to ]
>--On Sunday, July 11, 2021 4:55 PM -0400 "Kevin A. McGrail"
><kmcgrail@apache.org> wrote:
>
>>We use the olevbmacro detection added to SA. I would guess that's
>>blocking the payload.I would guess that's blocking the payload.

On 11.07.21 13:35, Kenneth Porter wrote:
>I see the plugin in the distribution but it doesn't appear to be
>loaded by default and the rules in the plugin's man page don't appear
>in the downloaded rules. So I guess I need to create a custom cf file.

I simply uncommented it in /etc/spamassassin/v343.pre:

# OLEVBMacro - Detects both OLE macros and VB code inside Office documents
loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro

the KAM.cf takes care of the rest.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Save the whales. Collect the whole set.
Re: Email Phishing and Zloader: Redux [ In reply to ]
1) Kenneth:  Uncomment the line in v343.  Rules in the present KAM.cf
are thusly:

ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
  # increase number of mime parts checked
  olemacro_num_mime 10

  if (version >= 3.0040005)
    body     KAM_OLEMACRO eval:check_olemacro()
    describe KAM_OLEMACRO Attachment has an Office Macro
    score    KAM_OLEMACRO 7.5

    body     KAM_OLEMACRO_MALICE eval:check_olemacro_malice()
    describe KAM_OLEMACRO_MALICE Potentially malicious Office Macro
    score    KAM_OLEMACRO_MALICE 10.0

    body     KAM_OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted()
    describe KAM_OLEMACRO_ENCRYPTED Has an Office doc that is encrypted
    score    KAM_OLEMACRO_ENCRYPTED 3.0

    #This may cause more CPU usage
    olemacro_extended_scan 1

    body     KAM_OLEMACRO_RENAME eval:check_olemacro_renamed()
    describe KAM_OLEMACRO_RENAME Has an Office doc that has been renamed
    score    KAM_OLEMACRO_RENAME 0.5

    meta     GB_OLEMACRO_REN_VIR ( KAM_OLEMACRO_RENAME && FORGED_OUTLOOK_HTML )
    describe GB_OLEMACRO_REN_VIR Olemacro and fake Outlook
    score    GB_OLEMACRO_REN_VIR 10
  endif

  body     KAM_OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
  describe KAM_OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip
  score    KAM_OLEMACRO_ZIP_PW 1.0

  body     KAM_OLEMACRO_CSV eval:check_olemacro_csv()
  describe KAM_OLEMACRO_CSV Macro in csv file
  score    KAM_OLEMACRO_CSV 5.0

  #meta     KAM_OLEMACRO_ZIP_PW_NOMID  ( KAM_OLEMACRO_ZIP_PW && MISSING_MID )
  #describe KAM_OLEMACRO_ZIP_PW_NOMID  OLE macro sent by a bot / ratware
  #score    KAM_OLEMACRO_ZIP_PW_NOMID  5.0

  meta     KAM_OLEMACRO_ZIP_BOT    ( KAM_OLEMACRO_ZIP_PW && ( MISSING_MID || PDS_FROMNAME_SPOOFED_EMAIL ) )
  describe KAM_OLEMACRO_ZIP_BOT    OLE macro sent by a bot / ratware
  score    KAM_OLEMACRO_ZIP_BOT    5.0
endif


Yes, there does seem to be one "endif" too many but I don't think it
matters much with this type of a plugin.

Thanks for the information from hornetsecurity.  It's the most
comprehensive write-up on Zloader that I've seen.

I did do some testing with Word and MHTML.  A Word document when sent
out is assigned Content-Type: application/msword and
Content-Transfer-Encoding: base64.  A MHTML file is sent out with
Content-Type: text/html and Content-Transfer-Encoding: quoted-printable
(w/ my document anyway).

I'm curious as to what HornetSecurity saw in their E-mail MIME header. 
It DOES make a difference, at least regarding plugin scanning.  But a
.doc file is a .doc file as far as Word is concerned.

I put forth a query to them.  I'll let you know if they respond.

-- Jared Hall




>
> I simply uncommented it in /etc/spamassassin/v343.pre:
>
> # OLEVBMacro - Detects both OLE macros and VB code inside Office
> documents
> loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro
>
> the KAM.cf takes care of the rest.
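As an added example (not code from anyone in this thread), the following Python check covers John Hardin's question about the three MIME types and Jared's observation about how the attachment is labelled in the outer mail: it records each attachment's outer Content-Type and Content-Transfer-Encoding, then parses the decoded body as an MHTML container and reports whether the officetheme, x-mso and text/xml parts all appear together. The sample mail and the MHTML contents are constructed placeholders, not captured samples.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# The three part types the Hornetsecurity write-up lists inside the MHTML container.
INDICATOR_TYPES = {"application/vnd.ms-officetheme", "application/x-mso", "text/xml"}
# An MHTML body is itself a MIME message: it opens with MIME-Version or a multipart/related header.
MHTML_MARKER = re.compile(rb"^(MIME-Version:|Content-Type:\s*multipart/related)", re.I | re.M)

# Constructed stand-in for the MHTML container; the base64 parts are placeholder bytes.
INNER_MHTML = (
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/related; boundary="part01"\r\n\r\n'
    '--part01\r\nContent-Type: text/xml; charset="utf-8"\r\n\r\n<placeholder/>\r\n'
    "--part01\r\nContent-Type: application/vnd.ms-officetheme\r\n"
    "Content-Transfer-Encoding: base64\r\n\r\nY29uc3RydWN0ZWQ=\r\n"
    "--part01\r\nContent-Type: application/x-mso\r\n"
    "Content-Transfer-Encoding: base64\r\n\r\nY29uc3RydWN0ZWQ=\r\n"
    "--part01--\r\n"
)

def build_sample() -> bytes:
    """Constructed outer mail: the MHTML '.doc' sent as text/html QP, plus an ordinary HTML file."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.invalid", "postmaster@example.invalid"
    msg.set_content("See attached.")
    msg.add_attachment(INNER_MHTML.encode(), maintype="text", subtype="html",
                       filename="invoice.doc", cte="quoted-printable")
    msg.add_attachment(b"<html><body>hello</body></html>", maintype="text",
                       subtype="html", filename="page.html", cte="quoted-printable")
    return msg.as_bytes()

def inner_mime_types(body: bytes) -> set:
    """Content types of the parts inside an MHTML attachment; empty set if it is not MHTML."""
    if not MHTML_MARKER.search(body[:4096]):
        return set()
    inner = message_from_bytes(body, policy=policy.default)
    return {p.get_content_type() for p in inner.walk() if not p.is_multipart()}

def scan_message(raw: bytes) -> list:
    """Per attachment: outer Content-Type/CTE, inner part types, and whether all three indicators appear."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart() or part.get_filename() is None:
            continue  # skip containers and the plain message body
        types = inner_mime_types(part.get_payload(decode=True) or b"")
        findings.append({"filename": part.get_filename(), "outer_type": part.get_content_type(),
                         "outer_cte": str(part.get("Content-Transfer-Encoding", "")).lower(),
                         "inner_types": sorted(types),
                         "mhtml_office_bundle": INDICATOR_TYPES.issubset(types)})
    return findings
```

A legitimate Word document saved as .mht carries the same three parts, so the combination is a scoring signal to meta with other rules, not a block on its own.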