We've come a long way with our recent 2.0.4 release and will soon find
ourselves with the long awaited
2.1.0 release featuring a completely
new and rewritten version of
zer0m0n, our Windows kernel driver.
In the meanwhile we've worked on support for malicious documents abusing
Office DDE (Office Dynamic Data Exchange) and are doing a quick
2.0.5 release so our users may benefit to the fullest from these
Office DDE Case Study
With the uprise of Office DDE malicious documents lately we decided to take a proper look at these files - their structure, how to analyze 'em, and what information may be extracted statically.
During this case study we've encountered a number of different techniques and approaches to the same goals. We also ran into some other non-DDE samples for which we've added support too.
Note: if you have related samples for us that for some reason don't work as expected in the new version of Cuckoo, please share & let us know so that we can investigate!
Basic DDE Layout
So DDE information, including the command-line script (i.e., PowerShell) to
execute, is embedded in the
word/document.xml file inside the Zip
archive that makes up a Microsoft Office Word document. As the file extension
suggests, this is an XML file.
Simply looking for the following XML tag
<w:instrText ...> will
provide you with the right tag to extract information from. The to-be executed
command-line is then located as inner text of this XML tag. This may look as
follows (please keep in mind that the long line has been split into multiple
lines - originally there'd be a space between
"C:\\Program..." and the rest would be concatenated without spaces).
<w:instrText xml:space="preserve"> DDE "C:\\Programs\\Microsoft\\Office\\MSWord.exe\\..\\..\\ ..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\ powershell.exe ..." </w:instrText>
In order to extract the PowerShell command-line information statically, we've
added support for implementing Yara rules & Extractor plugins on specific
files in Office archive files. In this case, see also the
rule in dde.yar and Extractor plugin in dde.py. Together this rule and
plugin are able to effectively extract the plaintext PowerShell command as
it'd be executed during the analysis.
The extracted PowerShell command may then be (automatically) further analyzed by matching it against other Yara rules & Extractor plugins that, e.g., extract IOCs from PowerShell scripts. A little bit more information on this was provided in our Cuckoo 2.0.4 release blogpost. Simply put, these plugins identify known PowerShell payloads and extract their dropper URLs.
Also note that both
DDEAUTO are used throughout the
various in-the-wild samples. These are functionally the same.
Concatenated DDE commands
While processing through a couple thousand samples we noticed a lot of samples
didn't have just one
<w:instrText ...> tags, but multiple that are
required to be concatenated in order to get the full command-line text. This
has also been implemented in the
OfficeDDE1 logic. An example may look
<w:instrText xml:space="preserve">DDE</w:instrText> <w:instrText xml:space="preserve">AUTO</w:instrText> <w:instrText xml:space="preserve">C:\\Windows\\System32\\</w:instrText> <w:instrText xml:space="preserve">cmd</w:instrText>
Note that in the real-life XML documents there exist also a number of XML tags
<w:instrText ...> tags, these don't add any value to
the PowerShell command-line though and may therefore be ignored.
XML Attribute DDE commands
We've also seen cases where the DDE command isn't inside the inner text of a
<w:innerText ...> tag, but in the
w:instr attribute of a
<w:fldSimple ...> tag. In the
OfficeDDE2 logic (located in the
same dde.yar & dde.py files) we demonstrate the extraction of such
PowerShell commands. Such XML may look as follows:
<w:fldSimple w:instr=" DDEAUTO C:\\Windows\\..." />
It should be noted that, due to XML encodings, any double quotes would be
" and alike. Since we use an XML parser in
OfficeDDE2, this encoding is already decoded for us.
.LNK shortcut inside Office Word documents
Unrelated to Office DDE we also noticed samples where
are embedded to lure users to click on the shortcut (which is actually just a
clickable image in the Word document). Upon doing so, this shortcut would then
execute a command specified by the attacker, usually using similar PowerShell
payloads as seen in other types of malicious Microsoft Office documents.
In order to deal with statically extracting the PowerShell commands from such
Microsoft Office documents we've added Yara rules & Extractor plugins to
extract files from OLE containers inside Office documents (ole.yar &
ole.py) as well as for identifying and unpacking
extracted there automatically (filetypes.yar & filetypes.py).
It should be noted that Cuckoo currently does not correctly analyze such samples dynamically - we have to further investigations into clicking at the right spot and/or enabling additional features in Microsoft Office.
Other fixes and features in this release
- Resolve .NET AnyCPU injection issues on 64-bit Windows VMs. This age old bug basically prevented the execution of a large part of .NET executables.
- We've put out a dashboard for Distributed Cuckoo. This dashboard may be used to more easily monitor the progress of Cuckoo nodes & their tasks and see if a Cuckoo node isn't performing correctly.
- The Cuckoo Agent now better handles permission denied situations (which
occur when using Linux VMs as Guests without running the Agent as
- Usage of PID files, allowing Cuckoo to abort early when being ran twice (for both the Cuckoo daemon as well as Cuckoo processing instances).
- Support for
.hwpfiles, used by the Hangul Word Processor (thanks Jack2).
- Fix race condition in the reporting stage of an analysis (thanks Bas van Sisseren).
Thanks to our team we're going stronger than ever and we hope to release many more awesome updates in the upcoming months.
Upgrade to the latest version of Cuckoo Sandbox by running
install -U cuckoo followed by upgrading your Cuckoo Community plugins by
Interested in consultancy services on Cuckoo or situated in the Netherlands and looking for a low-level / backend development / reverse engineering job? Please leave Hatching a message through the Partners page.