Palo Alto Networks has discovered a previously unknown remote access Trojan (RAT) that has been active for over two years. It has a very low volume in this two-year period, totaling roughly 27 total samples. The malware is delivered via an innovative and unique technique: a downloader we are calling Carp uses malicious macros in Microsoft Excel documents to compile embedded C# (C Sharp) Programming Language source code into an executable that in turn is run to deploy the Cardinal RAT malware family. These malicious Excel files use a number of different lures, providing evidence of what attackers are using to entice victims into executing them.

The malware from start to finish exhibits the following high level operations as shown in Figure 1:

Figure 1 Malware execution flow

Carp Downloader

As previously mentioned, we have observed Cardinal RAT being delivered using a unique technique involving malicious Excel macros. We are calling these delivery documents the Carp Downloader, as they make use of a specific technique of compiling and executing embedded C# (CshARP) language source code that acts as a simple downloader. We observed the following example macro in the most recent sample. Note that we have prefixed the function names with 'xx_' to make it easier for the reader to understand what is going on. Additionally, we have added comments to explain what is happening, as well as the un-obfuscated strings that are found within the macro.

Figure 2 Portion of malicious macro containing base64-encoded source code

Figure 3 Portion of malicious macro responsible for compiling and executing embedded source code

As a quick recap of what the malicious macro is doing, it begins by generating two paths: a path to a randomly named executable, and a randomly named C# file in the %APPDATA%\Microsoft folder. It then base64-decodes the embedded C# source code as shown in Figure 2 and writes it to the C# file path previously generated. Finally, as shown in Figure 3, it will compile and execute this C# source code using the Microsoft Windows built-in csc.exe utility.
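The two observable traits of the macro behaviour described above (a base64 blob that decodes to C# source inside the VBA, and an Office process spawning the built-in csc.exe compiler against files under %APPDATA%\Microsoft) are what a defender can key on. The following Python triage helper is an added example, not code from Unit 42 or from the sample; the macro text, the process-creation events, the marker list and the detection heuristics are all constructed here, and the event field names (ParentImage, Image, CommandLine) are assumed to follow Sysmon Event ID 1 naming.

```python
"""Triage helpers for the Carp-style macro technique.

Added example: constructed inputs and heuristics, not the original sample.
"""
import base64
import binascii
import re

# Heuristic: a long base64 run inside a VBA string literal.
B64_RUN = re.compile(r'"([A-Za-z0-9+/]{40,}={0,2})"')

# Tokens that suggest a decoded blob is C# source rather than config or data.
CSHARP_MARKERS = ("using System", "static void Main", "namespace ", "class ")

# Parent/child pairs that match "Office document compiles code on the fly".
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
COMPILERS = {"csc.exe", "vbc.exe"}


def extract_embedded_csharp(vba_text):
    """Decode base64 literals in macro text and keep those that look like C#.

    Returns the decoded source strings. Blobs that are not valid base64,
    not UTF-8, or carry fewer than two C# markers are dropped.
    """
    found = []
    for blob in B64_RUN.findall(vba_text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if sum(marker in decoded for marker in CSHARP_MARKERS) >= 2:
            found.append(decoded)
    return found


def flag_office_compiler_chain(events):
    """Return (event_id, reason) for Office -> .NET compiler process chains.

    The %APPDATA%\\Microsoft path seen in the macro is reported as an
    additional indicator when it appears on the compiler command line.
    """
    alerts = []
    for ev in events:
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        child = ev["Image"].rsplit("\\", 1)[-1].lower()
        if parent in OFFICE_APPS and child in COMPILERS:
            reason = "Office process launched the .NET command-line compiler"
            if "\\appdata\\roaming\\microsoft\\" in ev["CommandLine"].lower():
                reason += "; source/output path under %APPDATA%\\Microsoft"
            alerts.append((ev["EventId"], reason))
    return alerts


# --- Constructed sample inputs (not from the real sample) -------------------
_DEMO_SOURCE = ("using System;\n"
                "class Demo { static void Main() { Console.WriteLine(\"demo\"); } }\n")
_DEMO_B64 = base64.b64encode(_DEMO_SOURCE.encode()).decode()
_DECOY_B64 = base64.b64encode(
    b"plain configuration text, long enough to match the regex but not code").decode()

SAMPLE_MACRO = (
    "Sub xx_main()\n"
    "    Dim src As String\n"
    f'    src = "{_DEMO_B64}"\n'
    "    Dim cfg As String\n"
    f'    cfg = "{_DECOY_B64}"\n'
    "End Sub\n"
)

_APPDATA = r"C:\Users\victim\AppData\Roaming\Microsoft"
SAMPLE_EVENTS = [
    {"EventId": 1, "ParentImage": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "CommandLine": f'csc.exe /nologo /out:"{_APPDATA}\\qzx.exe" "{_APPDATA}\\qzx.cs"'},
    {"EventId": 2, "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "CommandLine": r"csc.exe /out:C:\build\app.exe C:\src\app.cs"},
    {"EventId": 3, "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo hi"},
]

if __name__ == "__main__":
    for src in extract_embedded_csharp(SAMPLE_MACRO):
        print("embedded C# found:\n" + src)
    for event_id, reason in flag_office_compiler_chain(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

The base64 regex only catches a blob held in a single VBA literal; macros that split the string across `&` concatenations need the literals joined before scanning. The process rule is deliberately narrow (Office parent, compiler child) so that developer tooling such as the devenv.exe event above does not fire.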