Undisclosed "pop-up" macro exploit

A few months ago, during my macro malware research, I came across this very interesting article from Zscaler that sheds light on a new type of noisy yet effective macro exploit method being used in the wild. However, the article did not disclose any technical details of the exploit, and I was left scratching my head. After many hours of experimentation, I stumbled upon the (undisclosed?, unpatched) obscure technique that embeds macro-enabled worksheets to produce this “persistent pop-up” effect.

Malicious Macro Metadata

References: https://www.carbonblack.com/2017/08/28/threat-analysis-word-documents-embedded-macros-leveraging-emotet-trojan/

In this episode of InsideMalware, we will explore how the metadata section of a Word document can be weaponized to evade scan-time antivirus detection. It is important to note that this technique only applies to the older binary .doc format, not the newer .docx (OOXML) format.

Background of .doc structure

“Metadata” refers to the data that describes the document itself rather than its content. The .doc format reserves fields for a number of pieces of metadata, including the title, author, creation date, last-edited date, and comments; in the binary .doc (OLE compound file) format these fields live in the SummaryInformation property set stream, which is where a macro can read a payload back from.
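To make the metadata angle concrete, the script below is an added example (not code from the original post or from the Carbon Black write-up): it parses the SummaryInformation property set that a binary .doc keeps in its `\x05SummaryInformation` OLE stream and flags fields whose value looks like an embedded command rather than a description. Both sample streams are constructed inside the script; to run the parser on a real file you would read the stream with olefile (`olefile.OleFileIO(path).openstream("\x05SummaryInformation").read()`), which is assumed here and not part of the original post. The LOLBin and base64 heuristics are my own, not a published detection rule.

```python
"""Parse a .doc SummaryInformation property set and flag metadata that
looks like an embedded command (added example, constructed sample data)."""
from __future__ import annotations

import base64
import re
import struct

# Property identifiers of the SummaryInformation set (PIDSI_*).
PIDSI_NAMES = {
    2: "Title", 3: "Subject", 4: "Author", 5: "Keywords",
    6: "Comments", 7: "Template", 8: "LastAuthor", 18: "AppName",
}
VT_I4 = 0x0003     # 32-bit signed integer
VT_LPSTR = 0x001E  # null-terminated 8-bit string preceded by a 4-byte length
# FMTID_SummaryInformation {F29F85E0-4FF9-1068-AB91-08002B27B3D9}, little-endian layout
FMTID_SUMMARY = bytes.fromhex("E0859FF2F94F6810AB9108002B27B3D9")


def build_summary_stream(props: dict) -> bytes:
    """Build a minimal one-set \\x05SummaryInformation stream with VT_LPSTR values.
    Only used to construct sample input; a real stream comes from the .doc itself."""
    header = struct.pack("<HHI", 0xFFFE, 0, 0x00020006)  # byte-order mark, version 0, system id
    header += b"\x00" * 16                                # CLSID (all zero)
    header += struct.pack("<I", 1)                        # one property set
    header += FMTID_SUMMARY + struct.pack("<I", 48)       # property set starts after the 48-byte header
    table_len = 8 + 8 * len(props)                        # Size + NumProperties + (id, offset) pairs
    table, values = b"", b""
    for pid, text in props.items():
        table += struct.pack("<II", pid, table_len + len(values))
        raw = text.encode("cp1252") + b"\x00"
        size = len(raw)                                   # Size counts the terminator, not the padding
        raw += b"\x00" * (-size % 4)                      # pad the characters to a 4-byte boundary
        values += struct.pack("<HHI", VT_LPSTR, 0, size) + raw
    return header + struct.pack("<II", table_len + len(values), len(props)) + table + values


def parse_property_set_stream(stream: bytes) -> dict:
    """Return {field name: value} for the first property set in the stream.
    Every offset is bounds-checked so a crafted stream cannot read past the buffer."""
    byte_order, _version, _sysid = struct.unpack_from("<HHI", stream, 0)
    if byte_order != 0xFFFE:
        raise ValueError("not a property set stream")
    if struct.unpack_from("<I", stream, 24)[0] < 1:
        raise ValueError("stream declares no property sets")
    set_off = struct.unpack_from("<I", stream, 44)[0]     # Offset0 follows the 16-byte FMTID0
    if set_off + 8 > len(stream):
        raise ValueError("property set offset out of range")
    _size, nprops = struct.unpack_from("<II", stream, set_off)
    fields = {}
    for i in range(nprops):
        pid, off = struct.unpack_from("<II", stream, set_off + 8 + 8 * i)
        pos = set_off + off
        if pos + 4 > len(stream):
            raise ValueError(f"property {pid} offset out of range")
        vtype = struct.unpack_from("<H", stream, pos)[0]   # TypedPropertyValue: type + 2 pad bytes
        pos += 4
        if vtype == VT_LPSTR:
            size = struct.unpack_from("<I", stream, pos)[0]
            if pos + 4 + size > len(stream):
                raise ValueError(f"string property {pid} runs past end of stream")
            raw = stream[pos + 4:pos + 4 + size]
            value = raw.split(b"\x00", 1)[0].decode("cp1252", "replace")
        elif vtype == VT_I4:
            value = struct.unpack_from("<i", stream, pos)[0]
        else:
            value = f"<unhandled VT 0x{vtype:04X}>"
        fields[PIDSI_NAMES.get(pid, f"PID_{pid}")] = value
    return fields


# Heuristics (my own) for a metadata field that carries a command instead of a description.
LOLBIN_RE = re.compile(r"(?i)\b(cmd(\.exe)?|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil)\b")
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")


def suspicious_fields(fields: dict, max_len: int = 200) -> list:
    """Return (field, reason) pairs for string metadata that looks weaponized."""
    hits = []
    for name, value in fields.items():
        if not isinstance(value, str):
            continue
        if LOLBIN_RE.search(value):
            hits.append((name, "references a script/LOLBin interpreter"))
        elif B64_RUN_RE.search(value):
            hits.append((name, "contains a long base64-looking run"))
        elif len(value) > max_len:
            hits.append((name, f"unusually long ({len(value)} chars)"))
    return hits


# Constructed samples (not metadata taken from any real document).
BENIGN_STREAM = build_summary_stream({2: "Q3 budget", 4: "jdoe", 6: "Draft for review"})
_ENC = base64.b64encode("IEX (New-Object Net.WebClient)".encode("utf-16le")).decode()
MALICIOUS_STREAM = build_summary_stream({
    2: "Invoice", 4: "jdoe",
    6: f'cmd /c "powershell -nop -w hidden -enc {_ENC}"',
})

if __name__ == "__main__":
    for label, stream in (("benign", BENIGN_STREAM), ("malicious", MALICIOUS_STREAM)):
        parsed = parse_property_set_stream(stream)
        print(label, parsed, suspicious_fields(parsed))
```

Running the script prints the parsed fields of both constructed streams and a single hit on the malicious one's Comments field. The parser deliberately raises on any out-of-range offset instead of silently truncating, since a scanner that can be crashed or made to skip a property by a malformed stream is exactly what an evasive document author is looking for.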

Prime Crypt

Hello, and welcome back to another episode of InsideMalware. Sorry I haven't been posting as much as I would like; I had exams, but now I have lots of time to analyse fun malware :)

As we can see, this is a .NET binary (136 KB) with no packing.

Aquius XMR Miner

SHA256: 2F6FD3CD31A63EFA096DC29898E55F5F485D4A98B0AE65BD027AA471C7380465
MD5: 710F990ACAF9299D71FD43775D5C9932

Aquius miner is an XMR (Monero) miner advertised on several well-known hacking forums at a relatively steep $20 for a basic build compared to its competitors. Sales Thread:

Quant Loader

Quant Loader is a piece of Russian malware that first appeared on exploit.in in September 2016. It has gained notoriety in underground circles for being a stable and reliable botnet. It is priced at $550 for the full license, quite expensive for this quality, or rather lack thereof.

The first thing Quant does is sleep for 180 seconds (the advertised "OG 100% FUD reboot antivirus runtime bypass"), a crude attempt to outlast the execution timeout of automated sandboxes.

It then decrypts all of its strings at once, which makes reversing it very easy: a memory dump taken after the decryption routine returns contains every string in cleartext.

