The Microsoft Macro remains one of the most common attack vectors used against Windows systems – an attack surface, according to Microsoft, that exceeds a billion users.
In this article we’ll explore a new and previously unreported attack that abuses Microsoft’s MsTscAx class. This is the first occurrence of this attack in the wild, and interestingly, it is not an exploit.
This unique attack can circumvent machine learning models that have not been trained on such an attack and AV engines unfamiliar with such techniques. The attack can even evade sandbox environments which are based on older OS versions (Windows 7) because the control involved in this technique was only supported from Windows 8.1 and later.
MsTscAx Class
By: Amr Elkhawas, specialist threat researcher, Avira Protection Labs
A recent wave of macro-based malicious samples has been identified that uses a new technique: abusing Microsoft’s MsTscAx class.
MsTscAx (Microsoft Terminal Services Client Control) “Enables you to connect and disconnect the client control, create virtual channel objects, and send data over a virtual channel. The interface also contains methods to retrieve and set properties related to the client control.” It’s not something that would normally be found in VBA macro code, and its presence there is reason for suspicion.
The samples (below) all have the same behaviour, leveraging Microsoft Office documents that contain an embedded VBA macro. This VBA macro runs and drops a JSE script that runs through Windows Script Host (WScript).
Sample 1
Sha256: e62014226eadb7da3619df789282d470432388ad0e27ec8ca27ff204944c907c
Avira detection name: HEUR/Macro.Downloader.MRWE.Gen
When the file is first executed, the first thing seen is the infamous “Document Protected” page. This urges users to enable macros in order to “decrypt” the document:
The macro code embedded inside the document is visible:
The first section of the code is seen in everyday samples with some pop-up boxes created to deliver false warnings and a hyperlink creation function.
In the above macro snippet, other small functions and variable declarations obfuscated using simple character obfuscation are visible. For example, the function “DCeas” creates an ActiveX object. The “MostarMensaje” procedure is used to create the WScript object along with the “fuq.jse” file, which is then dropped. The “Multiplicar” function creates the “Shell.Run” command and method that is then used to run the WScript ActiveX object created. The most important function is the next one, shown in the screenshot below.
It’s common for malware authors to use AutoOpen or AutoClose to execute their malicious code in VBA macros. However, this is well known, so the author had to look for new methods. One of those is to use callback functions that pose as an alternative method for execution, such as “_BeforeScriptExecute”.
However, here a new callback function, “_OnConnecting”, is used. This has not been observed before in the wild with malware samples; it is a special method that is used with RDP connections. “OnConnecting” is called when the client control begins connecting to an RDP server, to give notification that the connection is being initiated. The provided samples do not execute on Windows prior to Windows 10. For this callback function to run, there has to be an embedded ActiveX control. On further deflation of the sample we find the embedded control MsTscAx.MsTscAx.9, as shown in the screenshot below.
On searching for this particular control we find that the minimum supported client is Windows 8.1. The execution tree in the following figure shows the actual processes being spawned and the “fuq.jse” file being executed.
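A triage sketch for the indicator pair described above (an “_OnConnecting” handler together with an embedded MsTscAx control), added here as an example and not taken from Avira's tooling. It assumes the VBA source and the decompressed document bytes have already been extracted with a tool of your choice; the control name Ctl1 and both sample inputs are constructed.

```python
import re

# Callback suffixes the article names as alternatives to AutoOpen/AutoClose.
CALLBACK_EVENTS = {"onconnecting", "beforescriptexecute"}
PROGID = b"mstscax.mstscax"  # ProgID prefix of the embedded control, lower-cased

SUB_RE = re.compile(
    r"^[ \t]*(?:(?:Private|Public)\s+)?(?:Static\s+)?Sub\s+([A-Za-z]\w*)\s*\(",
    re.IGNORECASE | re.MULTILINE)

def event_handlers(vba):
    """Return (control, event) for each Sub named <control>_<event>."""
    # Drop whole-line comments so commented-out handlers are not counted.
    code = "\n".join(l for l in vba.splitlines()
                     if not l.lstrip().lower().startswith(("'", "rem ")))
    pairs = []
    for name in SUB_RE.findall(code):
        control, sep, event = name.rpartition("_")
        if sep and control and event:
            pairs.append((control, event))
    return pairs

def has_mstscax(raw):
    """Search the bytes for the ProgID stored as ASCII or UTF-16LE."""
    low = raw.lower()  # bytes.lower() only touches ASCII letters
    wide = PROGID.decode("ascii").encode("utf-16-le")
    return PROGID in low or wide in low

def triage(vba, raw):
    callbacks = [(c, e) for c, e in event_handlers(vba)
                 if e.lower() in CALLBACK_EVENTS]
    rdp_callback = any(e.lower() == "onconnecting" for _, e in callbacks)
    control = has_mstscax(raw)
    verdict = "none"
    if rdp_callback and control:
        verdict = "high"      # handler and control together: the pattern above
    elif callbacks or control:
        verdict = "review"    # only one half of the pair is present
    return {"callbacks": callbacks, "mstscax_control": control, "verdict": verdict}

# Constructed inputs: Ctl1 is a hypothetical control name, the body is a stub.
SAMPLE_VBA = """' Private Sub Old_OnConnecting()
Function DCeas(n)
End Function
Private Sub Ctl1_OnConnecting()
    MostarMensaje
End Sub
"""
SAMPLE_RAW = b"\x00\x01" + "MsTscAx.MsTscAx.9".encode("utf-16-le") + b"\x00"
```

Calling `triage(SAMPLE_VBA, SAMPLE_RAW)` returns the `high` verdict; a handler without the control, or the control without a handler, is reported as `review` so that benign RDP-control embeds are not auto-blocked.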
Sample 2
Sha256: d9d1766fb2903138c1a0212ed11f156948c9de471479088c29b8faaad27a5bad
Avira detection name: HEUR/Macro.Downloader.MRWX.Gen
This sample follows the same methodology as the previous one, using the same callback function. However, it changes the tactic of its third-stage downloader to PowerShell.
Conclusion
Malware authors are constantly searching for new techniques to circumvent anti-malware solutions, whether on an endpoint solution or in a sandbox. The technique implemented here circumvents detection based on older techniques and evades dynamic detection in sandboxing solutions (particularly if they are based on older versions of Windows, such as Windows 7). Using such new techniques gives malware authors the advantage of going undetected and gaining a wide infection area if security solutions fail to tackle them in time.
Indicators of Compromise (IOCs)
Tactics, Techniques and Procedures:
- Obfuscated Files or Information (T1027)
- PowerShell (T1086)
- Spearphishing Attachment (T1193)
- Scripting (T1064)
- User Execution (T1204)
- Virtualization/Sandbox evasion (T1497)