MS Word Documents Spreading .Net RAT Malware


A malicious MS Word document named “eml_-_PO20180921.doc,” has been discovered. According to researchers at Fortinet’s FortiGuard Labs, the document contains auto-executable malicious VBA code.

The Danger that Lies Ahead

Those who receive and open the document are shown a security warning stating that macros have been disabled. If the user clicks “enable content”, the NanoCore remote access Trojan (RAT) software is then installed onto the victim’s Windows system.

According to FortiGuard Labs, the NanoCore RAT was developed in the .Net framework back in 2013. Despite it continuing to be used, the author was convicted by the FBI and sentenced to just under 3 years in prison. This latest version (1.2.2.0) was captured, which uses NanoCore to execute its malicious behaviour.

How the Malware Works

Making its way through phishing campaigns that trick victims into opening the document, the malware is downloaded from www.wwpdubai.com. Once executed, the VBA code downloads and saves an EXE file from the URL.

“I loaded CUVJN.exe with the .Net debugger dnSpy. Tracing from its main function, we can see that it loads numerous data blocks from its resource section, and then puts them together and decrypts them,” wrote researcher Xiaopeng Zhang.

To trace the main functions, researchers loaded the CUVJN.exe with the .Net debugger dnSpy. It also found that it loads, puts together and then decrypts multiple data blocks from its resource section for the purpose of getting to a new PE file.

The Analysis

“According to my analysis, the decrypted .Net program is a daemon process. Let’s continue to trace it from its main() function. At first, it creates a Mutex and checks if the process already exists to ensure only one process of this program is running. Next, it checks if Avast is running on the victim’s system by detecting whether the “snxhk.dll” module is loaded or not. If so, it keeps waiting until it has been unloaded. Avast is an AntiVirus software, and “snxhk.dll” is one of its modules,” Zhang wrote.

Unfortunately, .dll is a daemon process. According to Zhang, he was unable to kill it due to the “ProtectMe” class that it has. However, he does have steps for removing the malware.

Join us for ESRM 2019

Whitehall Media’s prestigious biannual 10th ESRM conference is set to discuss how enterprises are identifying risks and measuring threats. What’s more, it will discuss establishing mitigation plans, managing incidents, and developing remediation practices. The event offers unrivalled networking opportunities and insights on how to design, implement and embed deliverable action plans that balance risk mitigation with the pursuit of business growth.