February 13, 2018

As we’ve seen in the past, dangers abound even in ostensibly innocent documents that appear for all the world to be legitimate. Even documents that seem to be the kind a professional would expect to receive could be harboring hidden dangers – macros embedded in a document that security systems, as thorough as they are, generally cannot uncover and analyze.

The latest exhibit of such an attack comes in the form of a document that is being passed around Eastern Europe, outlining in map form the Ukraine-Russia conflict (which, despite its fading from the headlines in recent months, is still very much ongoing). The attack comes in the form of a set of maps that are embedded in a Word document, and contains an added “surprise.”

Statically inspecting the document, we see its title, “Аналіз ГШ ЗСУ бойових дій на сході України в ході зимової кампанії”, which translates to “Analysis of the Armed Forces of Ukraine in the battlefields of Ukraine in the course of the campaign”.

The document’s header, “Зміст містить динамічні елементи зображення, вам необхідно включити макрос для перегляду повного вмісту”, translates to “The content contains dynamic image elements, you need to enable the macro to view the full content” – which is a subtle twist on the good old “Please enable content to view” social engineering scheme.

The document surfaced a few days ago and was uploaded to VirusTotal from the Ukraine under the name “Аналіз ГШ ЗСУ бойових дій.doc” (Analysis of the GAS of the Armed Forces of Battle Actions.doc).

While the final purpose of this campaign is yet unknown, we’ve come to the conclusion this was a campaign targeting Ukrainians.

Infection details

The objective of the attack, it appears, is to gain persistence on the victim’s machine.

In order to do so, the attacker uses a cool trick to slip past common security solutions.

Usually, a macro has some sort of command hardcoded that gets executed on the victim’s machine. In this case, there was no hardcoded command; instead, the attacker crafted a document property (labeled “Keywords”), which the macro extracts and manipulates in order to assemble the command payload.

The executed command (discovered by the research team at cyber-security firm ClearSky) copies a file called Keys.bin from the TEMP folder to the APPDATA folder and renames it Key.dll, uses the Attrib command to set the System File and Hidden File attributes on the new Key.dll file, pings an IP address, and adds a Registry value to load the new Key.dll file at startup. To what end? That’s not clear (yet), but it’s certainly not to a good one.

How did Keys.bin end up in the TEMP folder to begin with?

That’s another clever trick by the attacker: the macro iterates over all embedded objects in the document. If the object type is an image, it moves along to the next object, but if it encounters an OLE embedded object, it tells it to perform one of its available verbs, as defined in the OLEFormat DoVerb method. This causes the embedded file to be dropped in the user’s TEMP folder.
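
A defender-side triage heuristic for the two tricks described above (a command assembled from the “Keywords” property, and an embedded OLE object activated through DoVerb). This is an added example, not code from ClearSky or Votiro; it assumes the VBA source and the Keywords value have already been extracted from the document, and the rule names, thresholds and both sample macros are constructed for illustration.

```python
import re

# Regexes over VBA source that has already been extracted from the document.
# Rule names, finding ids and thresholds are assumptions of this example.
RULES = {
    "reads_property": re.compile(r"\b(BuiltIn|Custom)DocumentProperties\b", re.I),
    "runs_command": re.compile(r"\bShell\b|\.(Run|Exec)\b", re.I),
    "walks_shapes": re.compile(r"\bInlineShapes\b|\bShapes\b", re.I),
    "ole_verb": re.compile(r"\bOLEFormat\s*\.\s*(DoVerb|Activate)\b", re.I),
}

def odd_keywords(value, max_len=120):
    """Keywords are normally short, comma-separated words; flag anything else."""
    longest = max((len(t) for t in re.split(r"[,;\s]+", value)), default=0)
    return len(value) > max_len or longest > 40 or bool(re.search(r"[%\\&|^]", value))

def triage(vba_source, keywords=""):
    hits = {name for name, rx in RULES.items() if rx.search(vba_source)}
    findings = []
    if {"reads_property", "runs_command"} <= hits:
        findings.append("command-built-from-metadata")
    if {"walks_shapes", "ole_verb"} <= hits:
        findings.append("ole-object-activated-by-macro")
    if "reads_property" in hits and odd_keywords(keywords):
        findings.append("suspicious-keywords-property")
    return findings

# Constructed fragments, not the real macro; Decode is an undefined placeholder.
SUSPECT_MACRO = '''
Sub AutoOpen()
    For Each shp In ActiveDocument.InlineShapes
        If shp.Type = wdInlineShapeEmbeddedOLEObject Then shp.OLEFormat.DoVerb
    Next
    raw = ActiveDocument.BuiltInDocumentProperties("Keywords")
    Shell Decode(raw), vbHide
End Sub
'''
SUSPECT_KEYWORDS = "QUJD" * 60   # constructed blob standing in for an encoded value
BENIGN_MACRO = '''
Sub FillHeader()
    ActiveDocument.Sections(1).Headers(1).Range.Text = _
        ActiveDocument.BuiltInDocumentProperties("Title")
End Sub
'''

if __name__ == "__main__":
    print(triage(SUSPECT_MACRO, SUSPECT_KEYWORDS))
    print(triage(BENIGN_MACRO, "budget, Q1, report"))
```

The benign macro also reads a document property, so it is the combination of behaviours that raises a finding, not any single keyword.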


Kudos to the ClearSky team for figuring this out, because it takes a real group of experts to uncover this level of stealth. Here is the campaign’s layout, as discovered by ClearSky:

There is only one technology that can catch this kind of attack – and that is Content Disarm and Reconstruction (CDR) technology, which we here at Votiro offer our customers. CDR acts as a buffer between a user and infected documents. It breaks down files into their code components, examining all aspects of a document, including macros, separately. Rogue code that is discovered is thrown out, and the document is reconstructed, sans the threat, and with its functionality intact. With CDR, it doesn’t much matter what hackers throw our way, or how sneaky they try to be; CDR is the virtual, practically impenetrable wall that will keep the vicissitudes of Eastern Europe, or any other excuse hackers come up with for an attack, far away from our computers and networks.

Indicators of compromise

filename: Аналіз ГШ ЗСУ бойових дій.doc (Analysis of the GAS of the Armed Forces of Battle Actions.doc)

MD5 3a45c20e7900fd9e419a6319dc89de96

SHA-256 a7e710394629a9952dcbdccffc66141945c050a804140bd14d2e782d948f6aa7

filename: Keys.dll

MD5 51b257938f8a0c8eb45f34520b80ca83

SHA256 698f333140dab675d9f90a4c25ec3a52c6342c9cd8d6048a2cf5e91e8bba11e1

