NATO-Themed Word Document Containing Malicious Macros

 

TARGET: NATO OR NATO-ASSOCIATED ORGANIZATIONS (SUSPECTED)

TOOLS: WORD DOCUMENT WITH MALICIOUS MACROS

On March 17, 2017, the Cyber Intelligence and Policy Project (CIPP) noticed an interesting Microsoft Word file pop up on Payload Security's Hybrid Analysis site. The file (MD5: f5eccbe4b4cae9be19751eaf0bb8ceaf) bore the name CAG-Meeting 21-22 MAR 2017-Calling Notice-FINAL.doc. Some brief analysis reveals that this document contains a malicious macro along with a decoy concerning an upcoming meeting of the North Atlantic Treaty Organization (NATO) on its Defence Planning Process, which is a mechanism for NATO members to "harmonize their national defense plans with those of NATO."

[Figure: Screenshot of NATO-themed decoy]

The malicious macro code is stored in two different streams: ThisDocument.cls and Module1.bas. The first contains Base64-encoded data, and the second appears to act as a decoder for that data. The code for Module1.bas was taken from a GitHub-hosted module meant to encode and decode Base64 data.

[Figure: ThisDocument.cls]

[Figure: Module1.bas]

Together, these macros decode data and write it to two files: MicrosoftProfile.vbs and MSOffice.ps1. The VBScript file simply executes the PowerShell file, which contains code to contact a command and control (C2) server at http://193.29.187.194:1011/new/$u, where the value "$u" is replaced with the victim's username appended with four digits.

[Figure: VBScript and PowerShell written to victim]

[Figure: PowerShell code showing IP address]

The "DownloadData" string indicates that the code attempts to retrieve additional data from the C2 server, possibly additional malicious code. CIPP attempted to retrieve this second-stage data, but was unsuccessful. It is possible that the actor is using the usernames in the URLs to filter for victims of interest.
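The C2 URL format described above lends itself to a proxy-log hunt. The following Python sketch is an added example, not code from CIPP or from the sample; the log format, the sample lines and the broader "medium" rule (same path shape to any raw IP, with the path name equal to the proxy-authenticated user) are assumptions that go beyond the single indicator in the report.

```python
import re
from urllib.parse import urlsplit

C2_HOST, C2_PORT = "193.29.187.194", 1011   # indicator from the report above
# Path built by the PowerShell stage: /new/<username><four digits>
BEACON_PATH = re.compile(r"^/new/(?P<user>.+?)(?P<suffix>\d{4})$")
RAW_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed sample lines. Assumed format:
# timestamp, client IP, proxy-authenticated user, method, URL
SAMPLE_LOG = """\
2017-03-17T09:14:02Z 10.0.4.21 jdoe GET http://193.29.187.194:1011/new/jdoe4821
2017-03-17T09:15:40Z 10.0.4.37 asmith GET http://intranet.example/new/report2017
2017-03-17T09:16:05Z 10.0.4.52 mlee GET http://198.51.100.7:8080/new/mlee0093
2017-03-17T09:17:11Z 10.0.4.21 jdoe GET http://www.example.com/index.html
"""

def classify(line):
    """Return (confidence, client_ip, username) for a beacon-like request, else None."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _ts, client, proxy_user, _method, url = parts
    target = urlsplit(url)
    m = BEACON_PATH.match(target.path)
    if not m:
        return None
    if target.hostname == C2_HOST and target.port == C2_PORT:
        return ("high", client, m["user"])      # exact indicator match
    # Hunting rule (assumption): same path shape sent to a raw IP, where the
    # name in the path equals the user the proxy authenticated.
    if RAW_IPV4.match(target.hostname or "") and m["user"].lower() == proxy_user.lower():
        return ("medium", client, m["user"])
    return None

def hunt(log_text):
    """Classify every line and return the hits in log order."""
    hits = []
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            hits.append(result)
    return hits

if __name__ == "__main__":
    for confidence, client, user in hunt(SAMPLE_LOG):
        print(f"{confidence:6} client={client} user={user}")
```

The second sample line shows why the path shape alone is not enough: an ordinary intranet URL ending in four digits matches the pattern but is dropped because the destination is not a raw IP.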

This certainly appears to be a targeted incident; however, it is unclear who is behind it. Russia's use of cyber espionage targeting NATO has been well-documented. This incident leaves little to go on. The IP address is not publicly linked to any known cyber espionage activity and the code used in this document shows no clear overlaps with known activity either.