Today's malware is often delivered via e-mail attachments. Such documents usually contain a VBA macro or exploit the Office equation editor (CVE-2017-11882 or CVE-2018-0802). If it is a VBA macro, it most likely executes an encrypted PowerShell command.
Lately, we have seen an increase in evasive VBA macros in Excel sheets. We have monitored new samples from the same group over a period of four months and analyzed how the macros changed over time.
This blog post outlines some of our findings.
Initial Sample
Let us have a look at an early version from December 2018, MD5: 2c2545df2bbcd506bd09641ec97ca5ae. The sheet obviously targets Japanese users:
The macro code is triggered once the workbook is opened:
The evasion check is directly performed in the Workbook_Open function:
Application.International(xlCountrySetting) returns the Country/Region version of Microsoft Excel. Here is an incomplete list of the country codes it returns:
' Application.International(xlCountryCode) =
'
'Arabic 966 (Saudi Arabia)
'Czech 42 (Czech Republic)
'Danish 45 (Denmark)
'Dutch 31 (The Netherlands)
'English 1 (The United States of America)
'Farsi 98 (Iran)
'Finnish 358 (Finland)
'French 33 (France)
'German 49 (Germany)
'Greek 30 (Greece)
'Hebrew 972 (Israel)
'Hungarian 36 (Hungary)
'Indian 91 (India)
'Italian 39 (Italy)
'Japanese 81 (Japan)
'Korean 82 (Korea)
'Norwegian 47 (Norway)
'Polish 48 (Poland)
'Portuguese (Brazil) 55 (Brazil)
'Portuguese 351 (Portugal)
'Russian 7 (Russian Federation)
'Simplified Chinese 86 (People's Republic of China)
'Spanish 34 (Spain)
'Swedish 46 (Sweden)
'Thai 66 (Thailand)
'Traditional Chinese 886 (Taiwan)
'Turkish 90 (Turkey)
'Urdu 92 (Pakistan)
'Vietnamese 84 (Vietnam)
81 stands for Japan. This small check ensures that only Japanese computers are affected. In addition, it prevents sandboxes and dynamic malware analysis systems, which usually run with US or Western European locale settings, from ever reaching the payload.
Version 2.0
A month later we detected a new variant MD5: d71eaf0ad33a749b8fe3fb8dff56a474. This time the check was split into functions:
The country code is used by the functions kille and congamerat. Simply changing digitt would not do the job anymore:
Version 3.0
A couple of days later we found a new variant MD5: 894f2f2b7489052f9fe258f0ea70be6d. This time the Boolean check had been made more complicated:
The check now includes arithmetic calculations. In addition, it uses built-in Excel constants such as xlTickLabelPositionHigh. The expression that queries the country code is split into two statements:
While most of the sheets we found target Japanese users, we also found some which target Italian users (MD5 d0c862c57819f417b852cb1cd308ffa2 and d0c862c57819f417b852cb1cd308ffa2):
Version 4.0
Some days ago we found another variant, MD5: aacb83294ca96f6713da83363ffd9804. There are multiple changes. First of all, Workbook_Open is no longer used but rather Frame1_Layout:
Frame1_Layout is triggered whenever Excel redraws the workbook. The country code check itself has not changed; it still uses calculations and built-in constants:
What is more interesting is the second country check: the function tuff creates a currency format string. For US dollars, for example, it creates $0.00; for Japan, it would create 0¥.
The length of the resulting currency string is then used to decrypt and deobfuscate the command line string passed to Shell:
Fighting country-aware Malware
As this blog post demonstrates, attackers constantly improve their code base to make detection more difficult.
Bonus:
Application.International(xlCountrySetting) and Format(0, "currency") are not the only ways to build country-aware malware. Just recently we found a sample, MD5 6a9eda3eb0bfc222ab46725829faaec7, which uses GetLocaleInfo:
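As an added example (not code from the original post or from the samples it describes), the following Python triage script searches macro source that has already been extracted from a workbook (for instance with oletools' olevba) for the locale-dependent checks discussed above: Application.International(xlCountryCode/xlCountrySetting), Format(0, "currency") and GetLocaleInfo, combined with the Workbook_Open and Frame1_Layout triggers and a Shell call. The VBA fragments embedded in it are constructed stand-ins that imitate the described checks, not the real samples.

```python
import re

# Constructed VBA fragments standing in for extracted macro source.
# They imitate the checks described in the post; they are not the real samples.
SAMPLE_V1 = """
Private Sub Workbook_Open()
    If Application.International(xlCountrySetting) = 81 Then
        Shell cmd, vbHide
    End If
End Sub
"""
SAMPLE_V4 = """
Private Sub Frame1_Layout()
    Dim s As String
    s = Format(0, "currency")
    Shell tuff(Len(s)), vbHide
End Sub
"""
SAMPLE_BENIGN = """
Sub Report()
    Range("A1").Value = Date
End Sub
"""

# Heuristic rules derived from the techniques above. VBA identifiers are
# case-insensitive, so every pattern is matched with re.IGNORECASE.
RULES = {
    "locale_excel_country_code": r"Application\.International\s*\(\s*xlCountry(?:Code|Setting)\s*\)",
    "locale_currency_format": r'\bFormat\s*\(\s*0\s*,\s*"currency"\s*\)',
    "locale_getlocaleinfo": r"\bGetLocaleInfo[AW]?\b",   # Win32 API declared in VBA
    "autoexec_workbook_open": r"\bWorkbook_Open\b",
    "autoexec_control_layout": r"\b\w+_Layout\s*\(",      # e.g. Frame1_Layout()
    "exec_shell": r"\bShell\b",                            # Shell statement (also WScript.Shell)
}
LOCALE_RULES = {name for name in RULES if name.startswith("locale_")}
AUTOEXEC_RULES = {name for name in RULES if name.startswith("autoexec_")}

def scan_macro(src):
    """Return the sorted names of all rules that match the macro source."""
    return sorted(name for name, pat in RULES.items()
                  if re.search(pat, src, re.IGNORECASE))

def classify(hits):
    """Locale check + auto-exec trigger + Shell is the combination seen in these samples."""
    hits = set(hits)
    if hits & LOCALE_RULES and hits & AUTOEXEC_RULES and "exec_shell" in hits:
        return "high"
    if hits & LOCALE_RULES:
        return "medium"
    return "low"

if __name__ == "__main__":
    for label, src in (("v1", SAMPLE_V1), ("v4", SAMPLE_V4), ("benign", SAMPLE_BENIGN)):
        hits = scan_macro(src)
        print(label, classify(hits), hits)
```

The rules are deliberately coarse: a legitimate macro that formats currency will trigger the medium rating, which is why the high rating additionally requires an auto-execution trigger and a Shell call.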