Automated Malware Analysis

Cuckoo Sandbox 2.0.5: Office DDE

  • December 03, 2017
  • Jurriaan Bremer

We've come a long way with our recent 2.0.4 release and will soon find ourselves with the long awaited 2.1.0 release featuring a completely new and rewritten version of zer0m0n, our Windows kernel driver.

In the meanwhile we've worked on support for malicious documents abusing Office DDE (Office Dynamic Data Exchange) and are doing a quick 2.0.5 release so our users may benefit to the fullest from these recent developments.

Office DDE Case Study

With the recent rise of malicious Office DDE documents, we decided to take a proper look at these files: their structure, how to analyze them, and what information may be extracted statically.

During this case study we encountered a number of different techniques and approaches to the same goals. We also ran into some non-DDE samples, for which we've added support too.

Note: if you have related samples for us that for some reason don't work as expected in the new version of Cuckoo, please share & let us know so that we can investigate!

Basic DDE Layout

DDE information, including the command-line script (e.g., PowerShell) to execute, is embedded in the word/document.xml file inside the Zip archive that makes up a Microsoft Office Word document. As the file extension suggests, this is an XML file.

Simply looking for the <w:instrText ...> XML tag will point you at the right element to extract information from; the command-line to be executed is the inner text of this tag. It may look as follows (please keep in mind that the long line has been split into multiple lines: originally there would be a space between DDE and "C:\\Program..." and the rest would be concatenated without spaces).

<w:instrText xml:space="preserve">
    DDE
    "C:\\Programs\\Microsoft\\Office\\MSWord.exe\\..\\..\\
    ..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\
    powershell.exe ..."
</w:instrText>

In order to extract the PowerShell command-line information statically, we've added support for implementing Yara rules & Extractor plugins on specific files in Office archive files. In this case, see also the OfficeDDE1 rule in dde.yar and Extractor plugin in dde.py. Together this rule and plugin are able to effectively extract the plaintext PowerShell command as it'd be executed during the analysis.

The extracted PowerShell command may then be (automatically) further analyzed by matching it against other Yara rules & Extractor plugins that, e.g., extract IOCs from PowerShell scripts. A little bit more information on this was provided in our Cuckoo 2.0.4 release blogpost. Simply put, these plugins identify known PowerShell payloads and extract their dropper URLs.

Also note that both DDE and DDEAUTO are used throughout the various in-the-wild samples. These are functionally the same.

Concatenated DDE commands

While processing a couple of thousand samples we noticed that many samples didn't have just one <w:instrText ...> tag but several, which must be concatenated in order to get the full command-line text. This has also been implemented in the OfficeDDE1 logic. An example may look as follows:

<w:instrText xml:space="preserve">DDE</w:instrText>
<w:instrText xml:space="preserve">AUTO</w:instrText>
<w:instrText xml:space="preserve">C:\\Windows\\System32\\</w:instrText>
<w:instrText xml:space="preserve">cmd</w:instrText>

Note that real-life XML documents also contain a number of other XML tags in between the <w:instrText ...> tags; these don't add anything to the PowerShell command-line and may therefore be ignored.

XML Attribute DDE commands

We've also seen cases where the DDE command isn't in the inner text of a <w:instrText ...> tag, but in the w:instr attribute of a <w:fldSimple ...> tag. In the OfficeDDE2 logic (located in the same dde.yar & dde.py files) we demonstrate the extraction of such PowerShell commands. Such XML may look as follows:

<w:fldSimple w:instr=" DDEAUTO C:\\Windows\\..." />

It should be noted that, due to XML encoding, any double quotes would be represented as &quot; and the like. Since we use an XML parser in OfficeDDE2, this encoding is already decoded for us.
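To make the three layouts above concrete (a single instrText tag, a command split over several instrText tags with unrelated tags in between, and the w:instr attribute of fldSimple), here is a small extractor written for this post as an added example; it is not Cuckoo's own dde.py/dde.yar code. It uses a real XML parser, so entities such as &quot; are decoded for free. It goes one step beyond the text by grouping instrText fragments on the w:fldChar begin/end markers that Word places around a complex field, so that two separate fields in one document are not glued together; the sample document.xml string and its payloads are constructed for the example, not taken from any real sample.

```python
import re
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used by word/document.xml inside a .docx Zip archive.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# A DDE field code starts with DDE or DDEAUTO (functionally the same);
# everything after the keyword is the command-line that Word would launch.
DDE_RE = re.compile(r"^\s*(DDEAUTO|DDE)\s*(.*)$", re.S)


def iter_field_codes(root):
    """Yield the code of every field in document order.

    Complex fields: <w:fldChar w:fldCharType="begin"/> ... "end", with the code
    spread over one or more <w:instrText> elements (other tags in between, such
    as run properties or visible text, are ignored). Simple fields: the whole
    code sits in the w:instr attribute of <w:fldSimple>.
    Assumption (not from the post): instrText fragments that are not enclosed
    by begin/end markers are concatenated into one field, as the post does.
    """
    buf = []
    for el in root.iter():
        if el.tag == W + "fldChar":
            if el.get(W + "fldCharType") in ("begin", "end") and buf:
                yield "".join(buf)
                buf = []
        elif el.tag == W + "instrText":
            buf.append(el.text or "")
        elif el.tag == W + "fldSimple":
            # ElementTree has already decoded &quot; and friends here.
            yield el.get(W + "instr") or ""
    if buf:
        yield "".join(buf)


def extract_dde_commands(document_xml):
    """Return a list of (keyword, command) tuples for each DDE/DDEAUTO field."""
    root = ET.fromstring(document_xml)
    found = []
    for code in iter_field_codes(root):
        m = DDE_RE.match(code)
        if m:
            # Collapse runs of whitespace so fragments joined from several
            # instrText tags compare cleanly against a single-tag variant.
            found.append((m.group(1), " ".join(m.group(2).split())))
    return found


def extract_dde_from_docx(path):
    """Open a .docx (a plain Zip archive) and scan its word/document.xml."""
    with zipfile.ZipFile(path) as zf:
        return extract_dde_commands(zf.read("word/document.xml"))


# Constructed sample of word/document.xml: one complex field split over several
# instrText tags with unrelated tags in between, and one simple field whose
# command lives in the w:instr attribute with XML-encoded quotes.
SAMPLE_DOCUMENT_XML = r"""<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
  <w:body>
    <w:p>
      <w:r><w:fldChar w:fldCharType="begin"/></w:r>
      <w:r><w:instrText xml:space="preserve">DDE</w:instrText></w:r>
      <w:r><w:rPr><w:b/></w:rPr><w:instrText xml:space="preserve">AUTO</w:instrText></w:r>
      <w:r><w:instrText xml:space="preserve">C:\\Windows\\System32\\</w:instrText></w:r>
      <w:r><w:t>lure text</w:t></w:r>
      <w:r><w:instrText xml:space="preserve">cmd</w:instrText></w:r>
      <w:r><w:instrText xml:space="preserve"> "/c echo CONSTRUCTED-SAMPLE"</w:instrText></w:r>
      <w:r><w:fldChar w:fldCharType="end"/></w:r>
    </w:p>
    <w:p>
      <w:fldSimple w:instr=" DDE &quot;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe&quot; -c &quot;echo CONSTRUCTED-SAMPLE&quot;"/>
    </w:p>
  </w:body>
</w:document>
"""


if __name__ == "__main__":
    for keyword, command in extract_dde_commands(SAMPLE_DOCUMENT_XML):
        print(keyword, command)
```

The extracted command strings are exactly what a follow-up PowerShell IOC extractor would consume; note that the field syntax keeps the doubled backslashes, so a downstream plugin should normalise those before comparing paths.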

.LNK shortcut inside Office Word documents

Unrelated to Office DDE, we also noticed samples where .LNK shortcuts are embedded to lure users into clicking the shortcut (which is actually just a clickable image in the Word document). Upon doing so, the shortcut executes a command specified by the attacker, usually using PowerShell payloads similar to those seen in other types of malicious Microsoft Office documents.

In order to statically extract the PowerShell commands from such Microsoft Office documents, we've added Yara rules & Extractor plugins that extract files from OLE containers inside Office documents (ole.yar & ole.py), as well as ones that automatically identify and unpack the .LNK files extracted there (filetypes.yar & filetypes.py).

It should be noted that Cuckoo currently does not correctly analyze such samples dynamically; we have to further investigate clicking at the right spot and/or enabling additional features in Microsoft Office.

Other fixes and features in this release

  • Resolve .NET AnyCPU injection issues on 64-bit Windows VMs. This age-old bug basically prevented the execution of a large part of .NET executables.
  • We've put out a dashboard for Distributed Cuckoo. This dashboard may be used to more easily monitor the progress of Cuckoo nodes & their tasks and see if a Cuckoo node isn't performing correctly.
  • The Cuckoo Agent now better handles permission denied situations (which occur when using Linux VMs as Guests without running the Agent as root).
  • Usage of PID files, allowing Cuckoo to abort early when run twice (for both the Cuckoo daemon and Cuckoo processing instances).
  • Support for .hwp files, used by the Hangul Word Processor (thanks Jack2).
  • Fix race condition in the reporting stage of an analysis (thanks Bas van Sisseren).
  • Better and more JavaScript extraction from PDF files.

Conclusions

Thanks to our team we're going stronger than ever and we hope to release many more awesome updates in the upcoming months.

Upgrade to the latest version of Cuckoo Sandbox by running pip install -U cuckoo followed by upgrading your Cuckoo Community plugins by running cuckoo community.

Interested in consultancy services on Cuckoo or situated in the Netherlands and looking for a low-level / backend development / reverse engineering job? Please leave us a message on our enterprise form which you'll be able to find through the downloads page.