Breaking Dridex Malware with Excel Macro Password Exploit

[Ronnie] recently posted a new chapter in his adventures in malware deconstruction. This time the culprit was an infected Excel spreadsheet file. The .xls file was attached to a phishing email claiming to be related to a tax rebate. With tax season in full swing, this type of phishing message would be likely to be opened by an inexperienced user.

[Ronnie] saved the file to a virtual machine to prevent his real workstation from getting infected. He then opened it up in Excel and noticed that it immediately attempted to run macros. A macro is essentially visual basic scripting that runs inside of the spreadsheet file. You can use it for simple automation, cell formatting, or do even more complicated tasks like reach out to external websites and pull information. This malware focused on the latter.

[Ronnie] used the Alt + F11 shortcut to view the macros. Unfortunately the attackers had password-protected them. [Ronnie] wouldn’t be able to view the macro code without knowing the password. Luckily, he learned of a surprisingly simple trick to completely bypass the macro password. He opened up the .xls file in Notepad++ and located three keys: CMG, DPB, and GC. [Ronnie] then created and saved a new blank .xls document and password-protected the macros with his own password. He opened up this new file in Notepad++ as well, and located those same three keys. He copied the keys from the new file into the old one, and saved the old file. This effectively changed the password of the malware file to the new one he had set for his new file. This is a nifty trick that apparently only works on the older .xls formats, not the newer .xlsx format.

After loading the macros, [Ronnie] quickly noticed that most of the code was obfuscated to make it difficult to analyze. There were, however, three named modules that reference possible sandbox evasion techniques. The malware first invokes these functions to detect the presence of a virtual machine or other type of sandbox. If it detects nothing, then the rest of the malware program is decoded and executed. [Ronnie] removed these checks and then executed the macro to verify that his change had worked.

The next step was to try to view the decoded instructions. The decoded gibberish was saved to a variable. The simplest way for [Ronnie] to view the contents of the variable was to have the program create a pop-up box that displayed the contents of that variable. After making this change and running the program again, he was able to see exactly what the malware was doing. The code actually invoked PowerShell, downloaded a file from the Internet, and then extracted and executed that file. In the full write-up, [Ronnie] goes even further by downloading and analyzing the executable.
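The three keys [Ronnie] found live in the VBA project's PROJECT stream, an INI-style text block inside the .xls OLE container, and their presence is itself a useful triage signal: a workbook whose macros are password-locked deserves a closer look before anyone opens it. The parser below is an added example, not code from [Ronnie]'s write-up. It reads only the text of that stream (pulling the stream out of the .xls container is assumed to be done separately, for instance with the olefile package), lists the modules the project declares, and reports whether the CMG/DPB/GC lock entries are present. Both sample streams are constructed for this example and come from no real document.

```python
"""Triage helper for legacy .xls VBA projects (added example; not from the write-up).

The PROJECT stream of a VBA project is key=value text. CMG, DPB and GC only
appear once the project has been locked with a password, so spotting them is
enough to flag a protected macro project without touching the macros.
"""
from dataclasses import dataclass
from typing import Dict, List

# Entries that only appear when the VBA project has been locked with a password.
LOCK_KEYS = ("CMG", "DPB", "GC")


@dataclass
class VbaProjectInfo:
    name: str
    modules: List[str]
    lock_fields: Dict[str, str]

    @property
    def is_password_protected(self) -> bool:
        # DPB carries the obfuscated password data; its presence is the signal.
        return "DPB" in self.lock_fields


def parse_project_stream(text: str) -> VbaProjectInfo:
    """Parse the key=value body of a PROJECT stream; stop at the first [section]."""
    name = ""
    modules: List[str] = []
    lock_fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            break  # [Host Extender Info] / [Workspace] carry no module or lock data
        key, sep, value = line.partition("=")
        if not sep:
            continue  # blank or malformed line
        value = value.strip().strip('"')
        if key == "Name":
            name = value
        elif key == "Module":
            modules.append(value)
        elif key == "Document":
            modules.append(value.split("/", 1)[0])  # e.g. "ThisWorkbook/&H00000000"
        elif key in LOCK_KEYS:
            lock_fields[key] = value
    return VbaProjectInfo(name, modules, lock_fields)


def triage(text: str) -> List[str]:
    """Return the findings an analyst wants before opening the macro editor."""
    info = parse_project_stream(text)
    findings = [f"VBA project '{info.name}' with {len(info.modules)} module(s): "
                + ", ".join(info.modules)]
    if info.is_password_protected:
        present = ", ".join(k for k in LOCK_KEYS if k in info.lock_fields)
        findings.append(f"macros are password-locked (lock entries present: {present})")
    else:
        findings.append("macros are not password-locked")
    return findings


# Constructed sample: a locked project with two code modules (values are dummies).
LOCKED_STREAM = (
    'ID="{00000000-0000-0000-0000-000000000000}"\r\n'
    'Document=ThisWorkbook/&H00000000\r\n'
    'Document=Sheet1/&H00000000\r\n'
    'Module=Module1\r\n'
    'Module=Module2\r\n'
    'Name="VBAProject"\r\n'
    'HelpContextID="0"\r\n'
    'VersionCompatible32="393222000"\r\n'
    'CMG="00000000000000000000000000000000"\r\n'
    'DPB="00000000000000000000000000000000"\r\n'
    'GC="00000000000000000000000000000000"\r\n'
    '\r\n'
    '[Workspace]\r\n'
    'ThisWorkbook=0, 0, 0, 0, C\r\n'
)

# Constructed sample: the same project with no password set (no CMG/DPB/GC lines).
UNLOCKED_STREAM = (
    'ID="{00000000-0000-0000-0000-000000000000}"\r\n'
    'Document=ThisWorkbook/&H00000000\r\n'
    'Module=Module1\r\n'
    'Name="VBAProject"\r\n'
    'HelpContextID="0"\r\n'
    'VersionCompatible32="393222000"\r\n'
)

if __name__ == "__main__":
    for label, stream in (("locked", LOCKED_STREAM), ("unlocked", UNLOCKED_STREAM)):
        print(label)
        for finding in triage(stream):
            print("  -", finding)
```

Running it on a real file means feeding `triage()` the decoded PROJECT stream text; the lock test is deliberately read-only, so the file under analysis is never modified.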

Writing A Virtual Machine In Excel

[Ádám] participates in a competition called KöMaL. It’s a 9-times-a-month journal for junior high and high school students featuring math and physics problems. [Paul Erdős], one of the most published mathematicians of all time, was a huge participant and by far the most notable student to crack open a copy of KöMaL in its hundred-year history. [Ádám] was trying his hand at a problem in Excel, but the official rules prohibit the use of Excel macros. In a daze, he came up with one of the most clever uses of Excel: building an assembly interpreter with the most popular spreadsheet program.

This is a virtual Harvard architecture machine without writable RAM; the stack is only lots and lots of IFs. The instructions, mostly load, MOV, JNZ, INC, and CMP, solve this problem, examining two inputs to see if they are multiples of each other. If you’re wondering, an example cell from [Ádám]’s Excel sheet looks like this:

=F6
   INDEX($C$2:$C99999,$G2,1),
   IF(AND(INDEX($B$2:$B99999,$G2,1)="JZ",$I2=0),
      INDEX($C$2:$C99999,$G2,1),
         IF(AND(INDEX($B$2:$B99999,$G2,1)="JNZ",$I2<>0),
         INDEX($C$2:$C99999,$G2,1),
         G2+1
         )
      )
   )
)

[Ádám] has provided his Excel solution to the problem, available on hackaday.io. It’s in Hungarian, which really shouldn’t matter since it’s basically Excel and a pseudo-x86 instruction set, but the column labels will require a bit of Google Translate.
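To make the cell formula above concrete, here is an added example (not [Ádám]'s sheet) of the same machine written as a short Python interpreter: program memory is a read-only list of rows, registers are the only state, CMP leaves a result that later rows test, and the next row is chosen exactly the way the formula does it, a jump target for JMP, for JZ when the result is zero, for JNZ when it is non-zero, and otherwise the current row plus one. The instruction set and the "is B a multiple of A" program are constructed for this illustration; the JMP and HLT mnemonics are assumptions beyond what the post lists.

```python
"""Tiny interpreter for a spreadsheet-style machine (added example; not Ádám's sheet)."""
from typing import Dict, List, Tuple, Union

Operand = Union[str, int]
Instruction = Tuple  # e.g. ("MOV", "C", 0), ("CMP", "C", "B"), ("JZ", 10), ("HLT",)

MAX_STEPS = 100_000  # guards against programs that never reach HLT


def next_pc(pc: int, op: str, target: int, result: int) -> int:
    """Same decision as the sheet's formula: JMP, JZ on result==0, JNZ on result!=0."""
    if op == "JMP":
        return target
    if op == "JZ" and result == 0:
        return target
    if op == "JNZ" and result != 0:
        return target
    return pc + 1


def run(program: List[Instruction], inputs: Dict[str, int]) -> Dict[str, int]:
    regs: Dict[str, int] = dict(inputs)
    result = 0  # last CMP outcome (a - b), like the sheet's result column
    pc = 0

    def value(x: Operand) -> int:
        return regs.get(x, 0) if isinstance(x, str) else x

    for _ in range(MAX_STEPS):
        instr = program[pc]
        op = instr[0]
        if op == "HLT":
            return regs
        if op == "MOV":
            regs[instr[1]] = value(instr[2])
        elif op == "INC":
            regs[instr[1]] = value(instr[1]) + 1
        elif op == "CMP":
            result = value(instr[1]) - value(instr[2])
        elif op not in ("JMP", "JZ", "JNZ"):
            raise ValueError(f"unknown instruction {op!r} at row {pc}")
        target = instr[1] if op in ("JMP", "JZ", "JNZ") else 0
        pc = next_pc(pc, op, target, result)
    raise RuntimeError("step limit reached without HLT")


# Constructed program: R = 1 if B is a multiple of A, else 0. C counts up to B
# while D cycles through 0..A-1; B is a multiple of A exactly when D is 0 on arrival.
IS_MULTIPLE = [
    ("MOV", "C", 0),      # 0
    ("MOV", "D", 0),      # 1
    ("CMP", "C", "B"),    # 2  loop: result = C - B
    ("JZ", 10),           # 3  C reached B
    ("INC", "C"),         # 4
    ("INC", "D"),         # 5
    ("CMP", "D", "A"),    # 6
    ("JNZ", 2),           # 7  D has not completed a full cycle of A yet
    ("MOV", "D", 0),      # 8  one more multiple of A counted
    ("JMP", 2),           # 9
    ("CMP", "D", 0),      # 10
    ("JZ", 14),           # 11
    ("MOV", "R", 0),      # 12
    ("HLT",),             # 13
    ("MOV", "R", 1),      # 14
    ("HLT",),             # 15
]


def is_multiple(a: int, b: int) -> bool:
    return run(IS_MULTIPLE, {"A": a, "B": b})["R"] == 1


if __name__ == "__main__":
    for a, b in ((3, 6), (4, 6), (7, 0)):
        print(a, b, is_multiple(a, b))
```

The step limit stands in for what the spreadsheet gets for free: a sheet has a finite number of rows, so a runaway loop simply runs off the end, whereas an interpreter needs an explicit bound.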

Trinket EDC Contest Entry: Can I Borrow a Feeling?

We got a case of the Mondays just reading about [Sascha]’s work environment. Get this: every morning, first thing, the whole team gets together to check in and share how they’re all feeling. And they can’t even be candid about it—there’s actually an approved list of feeling descriptors, both good and bad. It’s an admittedly big list that includes, interestingly enough, both ‘tortured’ and ‘embarrassed’. Yeah. We think something like group t’ai chi on the roof each morning sounds a lot more relaxing. Since [Sascha] is between a rock and a hard place on this one, it was time to let chance take over. He raised his HaD-imprinted Trinket skyward and Can I Borrow a Feeling? was born.

The gist is simple: [Sascha] abstracts his disposition out to either ‘good’ or ‘bad’ and pushes the corresponding button. The Trinket accesses an array and returns a randomly selected feeling to the LCD. Since the official list of feelings is about 300 words long, [Sascha] has to push the data into PROGMEM. He used good old Excel to split the list in twain, and her formulas came in very handy for centering the result on the LCD. Once [Sascha] knew how it would all fit together, he designed a cool enclosure in CorelDRAW and turned on the laser cutter. See the Spreadsheet of Acceptable Words for yourself on GitHub, and pick up the code and enclosure file while you’re there.

There’s still time to enter the Trinket Everyday Carry Contest. The main contest runs until January 2, but we’re having random drawings every week! Don’t forget to write a project log before the next drawing at 9pm EST on Tuesday, December 30th. You and all of the other entrants have a chance to win a Teensy 3.1 from The Hackaday Store!

Using Excel to Watch Movies at Work

The Excel subreddit exploded earlier this week when redditor [AyrA_ch] shared his custom spreadsheet that allowed him to play video files on a locked-down work computer. How locked down? With no access to Windows Media Player and IE7 as the only browser (all plugins disabled, no HTML5), Excel became the unlikely hero to cure a 3-hour boredom stint.

Behind the cascade of rectangles and in the land of the Excel macro, [AyrA_ch] took advantage of the program’s VBA (Visual Basic for Applications) functions to circumvent the computer’s restrictions. Although VBA typically serves the more-complex-than-usual macro, it can also invoke some Windows API commands, one of which calls Windows Media Player. The Excel file includes a working playlist and some rudimentary controls: play, pause, stop, etc. as well as an inspired pie chart countdown timer.

As clever as this hack is, the best feature is much more subtle: tricking in-house big brother. [AyrA_ch]’s computer ran an application to monitor process usage, but any videos played through the spreadsheet were attributed to Excel, ensuring the process usage stayed on target. You can download it for yourself over on GitHub.

USB Datalogging with Arduino using V-USB

Adding USB functionality to your Arduino projects used to be a pain, but thankfully, the V-USB project came along and gave your ATMEGA328 the ability to control the USB lines directly and mimic simple (low-speed) USB peripherals. [Ray] shows an implementation of the V-USB project by logging the status of the Arduino’s I/O pins to an open Excel spreadsheet.

V-USB (Virtual USB) is especially useful for those of us who build standalone Arduino projects with the ATMEGA328. Unlike the Arduino Leonardo and its ATMEGA32U4, the ATMEGA328 does not have a built-in USB controller. The circuit required to tie into the USB lines is made up of just a few basic components, and [Ray] provides a reference schematic and BOM to get you started. The Arduino is programmed to mimic a keyboard, so the datalogging is achieved by allowing the Arduino to ‘type’ the data into an open Excel spreadsheet. In this example, the status of 8 digital pins and all 6 analog input pins is logged.

For those of you who prefer the PIC microcontroller and are in a similar position of not having a built-in USB controller, there is the 16FUSB project to help you out.

A Simple (and Dirty) Bill of Materials and Stock Management Utility

As many readers may already know, when I’m not featuring your projects or working on the mooltipass I try to make simple things that may be useful to electronics enthusiasts. My latest creation is a simple bill of materials generation tool, which can also do simple stock management. Unfortunately for Linux users, this utility is made using Visual Basic functions in an Excel file.

It works fairly simply: just enter your schematics’ component references in the Excel sheet, along with the corresponding Digikey webpage address. Click on the “fetch” button and the script will automatically get all your component characteristics from the internet and tell you the component costs depending on the number of prototypes you want to make. Then click the “sort BoM” button and your BoM will automatically be sorted by component type and value. Another function allows you to check that all the components present in your BoM are also present on the (very simple) KiCad-generated one. Finally, using another Excel sheet containing your current stock, the Bill of Materials will let you know if you have enough components for the assembly stage. A video of the tool in action is embedded after the break, and you can download the BoM template here (.XLSM file) and the corresponding stock file there (.XLSM file).


Lots of spinning POV goodness

[Retrobrad’s] spinning POV display has long been our favorite. When it popped up on our radar again this morning we were surprised to see we never ran a feature on it! But now there’s so much more to share. Hit the projects icon at the top of his page and you’ll not only get the 8×85 RGB display’s build instructions, but he’s also built a 32×64 pixel spinning display.

Even if you’re not going to make one of these, he explains some pixel-graphics techniques that are useful in other instances. Check out his video on using spreadsheets for creating the hex arrays necessary for each frame of the 8×85 display. It’s embedded after the break along with demos of the two displays.
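The spreadsheet trick [Retrobrad] demonstrates is really a packing step: each column of the revolution becomes one byte per eight LEDs, with one bit per LED. The script below is an added example of that step, not [Retrobrad]'s tool; it packs a text-art frame column by column, generalises to taller arms such as the 32-row display (four bytes per column), and prints the result as a C array initialiser ready to paste into firmware. The LED-to-bit order (row 0 in the least significant bit) and the sample frame are assumptions made for this illustration.

```python
"""Frame-to-hex packer for a spinning POV display (added example; not Retrobrad's tool)."""
from typing import List, Sequence

ON = "#"  # lit pixel in the text-art frame; anything else is off


def pack_column(column_bits: Sequence[bool]) -> List[int]:
    """Pack one column of pixels, top row first, into bytes (LSB = first row).

    Eight LEDs give one byte; a 32-LED arm gives four bytes per column.
    """
    out: List[int] = []
    for start in range(0, len(column_bits), 8):
        byte = 0
        for bit, lit in enumerate(column_bits[start:start + 8]):
            if lit:
                byte |= 1 << bit
        out.append(byte)
    return out


def pack_frame(rows: Sequence[str]) -> List[List[int]]:
    """Turn rows of '#'/'.' into a list of per-column byte lists (column-major)."""
    width = len(rows[0])
    if any(len(r) != width for r in rows):
        raise ValueError("all rows must have the same width")
    frame: List[List[int]] = []
    for x in range(width):
        column = [rows[y][x] == ON for y in range(len(rows))]
        frame.append(pack_column(column))
    return frame


def to_c_array(name: str, rows: Sequence[str]) -> str:
    """Render the packed frame as a C array literal, one column per line."""
    packed = pack_frame(rows)
    per_col = len(packed[0])
    lines = [f"const uint8_t {name}[{len(packed)}][{per_col}] = {{"]
    for col in packed:
        lines.append("    {" + ", ".join(f"0x{b:02X}" for b in col) + "},")
    lines.append("};")
    return "\n".join(lines)


# Constructed 8-row, 4-column frame (a letter 'H'); the 8x85 display would use
# 85 such columns per revolution.
LETTER_H = [
    "#..#",
    "#..#",
    "####",
    "#..#",
    "#..#",
    "....",
    "....",
    "....",
]

if __name__ == "__main__":
    print(to_c_array("frame_h", LETTER_H))
```

If the arm's LEDs are wired top-to-bottom the other way round, reverse the bit order in `pack_column`; everything else stays the same.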
