Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN

Pique Analysis Report
20150828-268-CSIT-15078-Skipper
Raytheon Blackbird Technologies, Inc.
28 August 2015

Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
1.0 (U) Analysis Summary
(S//NF) This report summarizes a CrowdStrike Tipper report on a multi-component malware
sample known as “Skipper.” The attack vector is apparently spear-phishing email campaigns
carrying malicious document attachments. The observed malicious document embeds a VBA macro
that the victim must be socially engineered into enabling. Once the VBA macro runs, it reads the
last four bytes of the document to obtain the size of the embedded executable, de-obfuscates
that executable, and writes it to %APPDATA%\Microsoft\Word\MSWord.exe.
(S//NF) MSWord.exe is Skipper’s dropper, which uses minimal library code and few APIs. The
dropper has no main() or WinMain() function; execution begins directly at its entry point address.
(S//NF) Similar to the initial infection document, the MSWord.exe dropper reads the last four
bytes of its own file to get the size of the encrypted data to be processed. The decrypted data
structure contains three files:
- A decoy document
- An inner dropper (randomly named)
- A JavaScript file that deletes the dropper
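Both the maldoc and MSWord.exe locate their payload the same way: a size field in the last four bytes of the file, with the payload appended just before it. The following is an added example (not code from the report or from Skipper) of an offline triage helper for that layout. It carves the trailer-sized region, brute-forces a single-byte XOR key until the region begins with a PE "MZ" header, and reports a verdict. Single-byte XOR and little-endian byte order are assumptions; the report says only that the macro "de-obfuscates" the executable and that the size comes from the last four bytes. The document and PE bytes are constructed fixtures.

```python
"""Triage for the trailer-sized payload layout the report describes: the last four bytes
of the carrier (the maldoc, and again MSWord.exe) give the length of the blob appended
just before them.  Added example; not code from the report or from Skipper."""
import struct
from typing import Dict, Optional, Tuple


def carve_trailer_payload(blob: bytes) -> bytes:
    """Return the region whose length is stored in the file's last four bytes.

    Layout assumed: [carrier bytes][payload, N bytes][N as uint32].  Little-endian is an
    assumption; the report only says the size is read from the last four bytes.
    """
    if len(blob) < 5:
        raise ValueError("file too small to carry a four-byte size trailer")
    (size,) = struct.unpack("<I", blob[-4:])
    if size == 0 or size > len(blob) - 4:          # trailer must point inside the file
        raise ValueError(f"trailer claims {size} bytes; file holds {len(blob)}")
    return blob[-4 - size:-4]


def recover_single_byte_xor(payload: bytes, magic: bytes = b"MZ") -> Optional[Tuple[int, bytes]]:
    """Brute-force a one-byte XOR key so the result starts with `magic`.

    Single-byte XOR is a stand-in: the report says the macro 'de-obfuscates' the
    executable without naming the scheme.  Returns (key, plaintext) or None.
    """
    if len(payload) < len(magic):
        return None
    for key in range(256):
        if bytes(b ^ key for b in payload[:len(magic)]) == magic:
            return key, bytes(b ^ key for b in payload)
    return None


def triage(blob: bytes) -> Dict[str, object]:
    """Classify a file without writing anything to disk: does its trailer describe a region
    that, after XOR, begins with a PE header?"""
    verdict: Dict[str, object] = {"plausible_trailer": False, "payload_len": 0, "xor_key": None}
    try:
        payload = carve_trailer_payload(blob)
    except ValueError:
        return verdict
    verdict["plausible_trailer"], verdict["payload_len"] = True, len(payload)
    hit = recover_single_byte_xor(payload)
    if hit is not None:
        verdict["xor_key"] = hit[0]
    return verdict


def build_sample(carrier: bytes, executable: bytes, key: int) -> bytes:
    """Constructed fixture: carrier || XOR(executable, key) || uint32le(len(executable))."""
    masked = bytes(b ^ key for b in executable)
    return carrier + masked + struct.pack("<I", len(masked))


# Constructed inputs: an OLE2 magic plus padding stands in for the Word document, and a
# stub carrying the DOS-stub banner stands in for the embedded dropper.
FAKE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32
FAKE_PE = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + b"\x00" * 8
SAMPLE = build_sample(FAKE_DOC, FAKE_PE, 0x5A)
CLEAN = b"PK\x03\x04" + b"\x00" * 20 + b"\xff\xff\xff\xff"   # trailer points outside the file

if __name__ == "__main__":
    print("sample:", triage(SAMPLE))   # xor_key 0x5A, payload_len == len(FAKE_PE)
    print("clean: ", triage(CLEAN))    # plausible_trailer False
```

A plausible trailer by itself is weak evidence, since any file whose last four bytes happen to encode a small number passes the bounds check; the hit that matters is a carved region that turns into an MZ header under a simple transform. Run the same `triage` over MSWord.exe itself to confirm the dropper uses the identical layout for its encrypted three-file structure.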
(S//NF) Skipper’s inner dropper is responsible for extracting 8 additional files to the user’s
temporary directory:
- ntlm.exe: a loader
- msvcp.dll: a utility that checks for browsers installed on the target
- msvci.exe: a 64-bit injector
- msvci.dll: a 32-bit version of the msvci.exe 64-bit injector
- msvck.dll: the main implant
- msvck60.dll: 64-bit version of the main implant
- msvct60.dll: 64-bit utility responsible for contacting the command and control (C2) server
- msvct.dll: 32-bit utility responsible for contacting the command and control (C2) server
(S//NF) Once installed, the implant attempts to contact the C2 server and, if unsuccessful, retries
contact with the C2 server every 28 minutes. If contact with the C2 server is successful, it
requests the actions it should take next.
(S//NF) The implant has a simplistic list of commands it supports and does not provide any
obfuscation, which leads the authors of this report to speculate that Skipper is a first stage
implant used to download and install additional tools. There is nothing unique, novel, or
interesting about how Skipper is unpacked and installed.
(S//NF) There is, however, an interesting and clever persistence technique used. After the inner
dropper writes the 8 files to disk it enumerates all shortcuts on the victim’s desktop and copies
them to a directory named “links” under the victim’s temporary path. It then changes the existing
shortcuts to point to ntlm.exe, which is run with an argument corresponding to the original
shortcut’s target. We recommend this technique be developed as a PoC.
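The persistence technique above leaves a distinctive trace on the victim's desktop: every shortcut now targets a loader in the temporary path and carries the original target as its argument. The following is an added example (not code from the report or from Skipper) of a detector for that trace: it parses .lnk files with a minimal MS-SHLLINK reader (LinkInfo.LocalBasePath plus the StringData fields), flags shortcuts whose target resolves into a temp directory or whose arguments contain a full path to another .exe, and scans a directory. The `build_lnk` fixture builder, the user name `victim`, and the file and path names in `demo()` are constructed for the example; the temp-directory markers are an assumption about where the loader lands, since the report says only "the victim's temporary path".

```python
"""Shortcut-hijack triage: parse .lnk files (MS-SHLLINK) and flag those whose target was
redirected into a temp-directory loader that receives the original target as an argument.
Added example; not code from the report or from Skipper."""
import os
import re
import struct
import tempfile
from typing import Dict, List, Optional

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x08, 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                 (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"))
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")                      # assumed loader location (user temp path)
EXE_PATH_RE = re.compile(r'[a-z]:\\[^"<>|]*?\.exe', re.IGNORECASE)  # full path to an .exe inside the arguments


def parse_lnk(data: bytes) -> Dict[str, Optional[str]]:
    """Extract LocalBasePath and the StringData fields from a Shell Link; ExtraData is ignored."""
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:                      # skip the size-prefixed IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    info: Dict[str, Optional[str]] = {"local_base_path": None}
    if flags & HAS_LINK_INFO:
        info_size, _hdr_size, info_flags = struct.unpack_from("<III", data, pos)
        if info_flags & 0x01:                                # VolumeIDAndLocalBasePath present
            off = pos + struct.unpack_from("<I", data, pos + 16)[0]   # LocalBasePathOffset
            info["local_base_path"] = data[off:data.index(b"\x00", off)].decode("cp1252")
        pos += info_size

    def read_string() -> str:                                # CountCharacters then the characters
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            text, pos = data[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
        else:
            text, pos = data[pos:pos + count].decode("cp1252"), pos + count
        return text

    for bit, key in STRING_FIELDS:
        info[key] = read_string() if flags & bit else None
    return info


def assess_shortcut(info: Dict[str, Optional[str]]) -> List[str]:
    """Return the reasons a parsed shortcut looks like a Skipper-style hijack (empty if clean)."""
    target = (info.get("local_base_path") or info.get("relative_path") or "").lower()
    args = info.get("arguments") or ""
    reasons = []
    if any(marker in target for marker in TEMP_MARKERS):
        reasons.append("target resolves into a temporary directory: " + target)
    if EXE_PATH_RE.search(args):
        reasons.append("arguments carry a full path to another executable: " + args)
    return reasons


def scan_directory(directory: str) -> Dict[str, List[str]]:
    """Parse every .lnk in `directory` and return {filename: reasons} for the flagged ones."""
    flagged: Dict[str, List[str]] = {}
    for name in sorted(os.listdir(directory)):
        if name.lower().endswith(".lnk"):
            with open(os.path.join(directory, name), "rb") as fh:
                reasons = assess_shortcut(parse_lnk(fh.read()))
            if reasons:
                flagged[name] = reasons
    return flagged


def build_lnk(target: str, arguments: str = "") -> bytes:
    """Constructed fixture: a minimal Shell Link with LinkInfo.LocalBasePath and optional arguments."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"          # DRIVE_FIXED, empty label
    base = target.encode("cp1252") + b"\x00"
    link_info = struct.pack("<IIIIIII", 28 + len(volume) + len(base) + 1, 0x1C, 0x01,
                            28, 28 + len(volume), 0, 28 + len(volume) + len(base)) + volume + base + b"\x00"
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le") if arguments else b""
    return header + link_info + string_data


def demo() -> Dict[str, List[str]]:
    """Write one clean and one hijacked shortcut (constructed samples) into a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as desktop:
        fixtures = {
            "Firefox.lnk": build_lnk(r"C:\Program Files\Mozilla Firefox\firefox.exe"),
            "Outlook.lnk": build_lnk(r"C:\Users\victim\AppData\Local\Temp\ntlm.exe",
                                     r'"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"'),
        }
        for name, blob in fixtures.items():
            with open(os.path.join(desktop, name), "wb") as fh:
                fh.write(blob)
        return scan_directory(desktop)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```

On a live host, point `scan_directory` at each user's Desktop and compare any flagged shortcut with the copies in the "links" directory under that user's temporary path, which the report says the inner dropper keeps; the copy holds the original target. The same fields are reachable without a parser from PowerShell through the `WScript.Shell` COM object's `CreateShortcut()` (`TargetPath` and `Arguments`), which is the quicker route when only a handful of machines are in scope.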
