New attacks using MsTscAx to execute malicious code

Avira Protection Labs, 4 months ago 3 min read

Microsoft Office macros remain one of the most common attack vectors used against Windows systems – an attack surface that, according to Microsoft, exceeds a billion users.

In this article we’ll explore a new and previously unreported attack that abuses Microsoft’s MsTscAx class. This is the first occurrence of this attack in the wild, and interestingly, it is not an exploit.

This unique attack can circumvent machine learning models that have not been trained on such an attack and AV engines unfamiliar with such techniques. The attack can even evade sandbox environments which are based on older OS versions (Windows 7) because the control involved in this technique was only supported from Windows 8.1 and later.

MsTscAx Class

By: Amr Elkhawas, specialist threat researcher, Avira Protection Labs

A recent wave of macro-based malicious samples has been identified that uses a new technique: abusing Microsoft’s MsTscAx class.

MsTscAx (Microsoft Terminal Services Client Control) “Enables you to connect and disconnect the client control, create virtual channel objects, and send data over a virtual channel. The interface also contains methods to retrieve and set properties related to the client control.” It’s not something that would normally be found in VBA macro code, and it’s only right to be suspicious when found.

The samples (below) all behave the same way: they are Microsoft Office documents containing an embedded VBA macro. The macro runs and drops a JSE script, which is then executed through Windows Script Host (wscript.exe).

Sample 1

Sha256: e62014226eadb7da3619df789282d470432388ad0e27ec8ca27ff204944c907c,

Avira detection name: HEUR/Macro.Downloader.MRWE.Gen

When the file is first executed, the first thing seen is the infamous “Document Protected” page. This urges users to enable macros in order to “decrypt” the document:

The macro code embedded inside the document is visible:

The first section of the code is seen in everyday samples with some pop-up boxes created to deliver false warnings and a hyperlink creation function.

In the above macro snippet, other small functions and variable declarations, obfuscated using simple character obfuscation, are visible. For example, the function “DCeas” creates an ActiveX object. The “MostarMensaje” procedure creates the WScript object along with the “fuq.jse” file, which is then dropped. The “Multiplicar” function builds the “Shell.Run” command that is later used to run the dropped script through the WScript ActiveX object. The most important function is the next one, shown in the screenshot below.

It’s common for malware authors to use AutoOpen or AutoClose to execute their malicious code in VBA macros. However, this is well known, so the author had to look for new methods. One of those is to use callback functions as an alternative execution method, such as “_BeforeScriptExecute”.

Here, however, a new callback function, “_OnConnecting”, is used. This has not been observed before in the wild in malware samples; it is a special method used with RDP connections. “OnConnecting” is called when the client control begins connecting to an RDP server, to notify that the connection has been initiated. The provided samples do not execute on Windows versions prior to Windows 10. For this callback function to run, there has to be an embedded ActiveX control. On further unpacking of the sample we find the embedded control MsTscAx.MsTscAx.9, as in the screenshot below.

Searching for this particular control shows that the minimum supported client is Windows 8.1. The execution tree in the following figure shows the processes being spawned and the “fuq.jse” file being executed.
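As an added example (not Avira’s code or tooling), the following stdlib-only Python heuristic triages extracted VBA source for the pattern described above: an embedded-control event handler such as `_OnConnecting` standing in for AutoOpen, combined with WScript.Shell execution. It assumes the macro text and the ProgIDs of embedded controls have already been pulled out of the document by a separate tool; the function names, patterns and the sample macro are all constructed for this example.

```python
import re

# Execution triggers the article discusses: classic auto-macros, the older
# BeforeScriptExecute callback, and the MsTscAx OnConnecting event.
AUTO_MACROS = {"autoopen", "autoclose", "document_open", "workbook_open"}
CALLBACK_EVENTS = {"onconnecting", "beforescriptexecute"}

SUB_RE = re.compile(r"^\s*(?:private\s+|public\s+)?sub\s+(\w+)\s*\(", re.I | re.M)
EVENT_RE = re.compile(r"^\s*(?:private\s+|public\s+)?sub\s+([a-z0-9]+)_([a-z0-9]+)\s*\(", re.I | re.M)
SHELL_OBJ_RE = re.compile(r'createobject\s*\(\s*"(wscript\.shell|shell\.application)"', re.I)
RUN_RE = re.compile(r'\.\s*(run|shellexecute|exec)\s*[("\s]', re.I)
PROGID_RE = re.compile(r"mstscax\.mstscax(?:\.\d+)?", re.I)

def assess_macro(vba_src, embedded_progids=()):
    """Return (verdict, findings) for one extracted VBA module.

    embedded_progids: ProgIDs of ActiveX controls embedded in the document,
    as reported by whatever tool enumerated the OLE storage (assumed input).
    """
    findings = []
    for m in SUB_RE.finditer(vba_src):
        if m.group(1).lower() in AUTO_MACROS:
            findings.append("auto-macro:" + m.group(1))
    for m in EVENT_RE.finditer(vba_src):          # <control>_<event> handlers
        if m.group(2).lower() in CALLBACK_EVENTS:
            findings.append(f"callback:{m.group(1)}_{m.group(2)}")
    for pid in embedded_progids:
        if PROGID_RE.fullmatch(pid.strip()):      # Terminal Services Client control
            findings.append("embedded-control:" + pid.strip())
    if SHELL_OBJ_RE.search(vba_src):
        findings.append("shell-object")
    if RUN_RE.search(vba_src):
        findings.append("run-method")

    has_trigger = any(f.startswith(("auto-macro:", "callback:")) for f in findings)
    has_exec = "shell-object" in findings or "run-method" in findings
    rdp_trigger = any(f.lower().endswith("_onconnecting") for f in findings)
    if rdp_trigger and has_exec:
        verdict = "high"        # the pattern shared by the samples above
    elif has_trigger and has_exec:
        verdict = "medium"      # conventional auto-macro plus shell execution
    elif findings:
        verdict = "low"
    else:
        verdict = "none"
    return verdict, findings

# Constructed sample in the shape the article describes (no AutoOpen; the
# embedded control's event handler launches the dropped JSE). Not the real macro.
SAMPLE_VBA = r'''
Private Sub MsTscAx1_OnConnecting()
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    sh.Run "wscript.exe " & Environ("TEMP") & "\fuq.jse", 0
End Sub
'''

if __name__ == "__main__":
    print(assess_macro(SAMPLE_VBA, ["MsTscAx.MsTscAx.9"]))
```

The verdict is only as good as the extraction feeding it: a sandbox older than Windows 8.1 never reaches the handler, so static triage of this kind complements rather than replaces dynamic analysis.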

Sample 2

Sha256: d9d1766fb2903138c1a0212ed11f156948c9de471479088c29b8faaad27a5bad,

Avira detection name: HEUR/Macro.Downloader.MRWX.Gen

This sample follows the same methodology as the previous one, using the same callback function. However, it changes the tactic of its third-stage downloader to PowerShell.

Conclusion

Malware authors are constantly searching for new techniques to circumvent anti-malware solutions, whether on an endpoint or in a sandbox. The technique implemented here circumvents detection based on older techniques and evades dynamic detection in sandboxing solutions (particularly if they are based on older versions of Windows, such as Windows 7). Such new techniques give malware authors an advantage: they go undetected and gain a wide infection area if security solutions fail to tackle them in time.

Indicators of Compromise (IOCs)


Tactics, Techniques and Procedures:

  • Obfuscated Files or Information (T1027)
  • PowerShell (T1086)
  • Spearphishing Attachment (T1193)
  • Scripting (T1064)
  • User Execution (T1204)
  • Virtualization/Sandbox Evasion (T1497)
