{"id":22390,"date":"2025-03-31T16:27:47","date_gmt":"2025-03-31T19:27:47","guid":{"rendered":"https:\/\/www.ethicalhacker.com.br\/site\/?p=22390"},"modified":"2025-03-31T16:27:47","modified_gmt":"2025-03-31T19:27:47","slug":"utilizacao-de-macros-obfuscados-em-excel-para-distribuir-malware","status":"publish","type":"post","link":"https:\/\/www.ethicalhacker.com.br\/site\/2025\/03\/diversos\/utilizacao-de-macros-obfuscados-em-excel-para-distribuir-malware\/","title":{"rendered":"Use of obfuscated Excel macros to distribute malware"},"content":{"rendered":"\n<p><strong>Ghostwriter: Belarusian campaign uses obfuscated Excel macros to distribute malware<\/strong><\/p>\n<p>Cyberattacks linked to threat groups associated with Belarus continue to target opposition activists and Ukrainian government entities. Recently, SentinelOne researchers identified a new campaign using malicious Excel documents with obfuscated macros to distribute a variant of the <strong>PicassoLoader<\/strong> malware.<\/p>\n<p style=\"text-align: justify;\">The group, known as <strong>Ghostwriter (TA445, UNC1151)<\/strong>, has been active since 2016 and is aligned with Russian security interests. 
The current campaign, underway since mid-2024, uses sophisticated evasion techniques, including <strong>Macropack<\/strong> to obfuscate VBA macros and <strong>ConfuserEx<\/strong> to scramble .NET code.<\/p>\n<p style=\"text-align: justify;\">In this article we explore the threat and present two Python scripts that can help mitigate similar attacks.<\/p>\n<p><strong>Techniques used by Ghostwriter<\/strong><\/p>\n<ul>\n<li>\n<p><strong>Obfuscated Excel macros<\/strong><\/p>\n<ul>\n<li>\n<p>The attackers distribute malicious Excel files via Google Drive or phishing e-mails.<\/p>\n<\/li>\n<li>\n<p>The macros, obfuscated with <strong>Macropack<\/strong>, run when the victim enables content.<\/p>\n<\/li>\n<li>\n<p>A DLL file is written to disk, loading <strong>PicassoLoader<\/strong> or other payloads.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Download of additional payloads<\/strong><\/p>\n<ul>\n<li>\n<p style=\"text-align: justify;\">After the initial infection, a legitimate Excel file is displayed as a decoy while secondary malware is downloaded.<\/p>\n<\/li>\n<li>\n<p style=\"text-align: justify;\">In some cases the malware is hidden inside JPG images (<strong>steganography<\/strong>) to evade detection.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Use of LibCMD for command execution<\/strong><\/p>\n<ul>\n<li>\n<p style=\"text-align: justify;\">A malicious DLL named <strong>LibCMD<\/strong> is loaded in memory to execute commands via <code>cmd.exe<\/code>.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" 
src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhyg5lfBdD94Hk7yNdfOJlAq0spxK7TQtLWvZiWaniFJx25lvU0CZmNaXHHk58Au5zYdtjd4z0DIiqp0oC5lujsfMbV9wRL-JrXYzsS6rutknUeRN8hnDcz_nkO9WIhhvbzRceY-K8zGIFYGPhoUIkjX49sYEWTPVXmkDShx7EXPAdDvPcysJdF0hw6E8Ai\/s728-rw-e365\/xls.png\" width=\"595\" height=\"482\" \/><\/p>\n<p><strong>Mitigation with Python<\/strong><\/p>\n<p>Below we present two Python scripts that can help detect and mitigate threats similar to those used by Ghostwriter.<\/p>\n<p><strong>1. Macro analyzer for Office files (malicious VBA detection)<\/strong><\/p>\n<pre>import re\nfrom oletools.olevba import VBA_Parser  # oletools builds on olefile and decompresses the VBA source\n\n# Suspicious patterns (obfuscation, download, code execution)\nSUSPICIOUS_PATTERNS = [\n    r\"Shell\\(\", r\"CreateObject\\(\", r\"URLDownloadToFile\",\n    r\"chr\\(\\d+\\)\", r\"eval\\(\", r\"Execute\\(\",\n]\n\ndef analyze_macros(file_path):\n    \"\"\"Return True when the document carries macros that match a suspicious pattern.\"\"\"\n    try:\n        # VBA_Parser handles .xls\/.doc (OLE) and .xlsm\/.docm (OOXML, whose VBA\n        # project is a vbaProject.bin inside the zip) alike.\n        vba = VBA_Parser(file_path)\n        try:\n            if not vba.detect_vba_macros():\n                print(\"[+] Nenhuma macro detectada.\")\n                return False\n            print(\"[!] Macros encontradas no arquivo!\")\n            # extract_macros() decompresses each module (MS-OVBA). Reading the raw\n            # streams with olefile alone returns compressed bytes that the regexes\n            # cannot match (and 'Macros\/VBA' is a storage, not a stream).\n            for _, stream_path, _, vba_code in vba.extract_macros():\n                for pattern in SUSPICIOUS_PATTERNS:\n                    if re.search(pattern, vba_code or \"\", re.IGNORECASE):\n                        print(f\"[ALERTA] Padr\u00e3o suspeito encontrado em {stream_path}: {pattern}\")\n                        return True\n        finally:\n            vba.close()  # runs even when we return early\n    except Exception as e:\n        print(f\"[ERRO] Falha ao analisar o arquivo: {e}\")\n    # No match only means none of the listed patterns fired; Macropack-style\n    # obfuscation can still hide them, so treat this as a first triage step.\n    return False\n\n# Usage:\nfile_path = \"malicious_document.xlsm\"\nif analyze_macros(file_path):\n    print(\"Arquivo potencialmente malicioso! Investiga\u00e7\u00e3o necess\u00e1ria.\")\nelse:\n    print(\"Arquivo parece seguro.\")<\/pre>\n<p><strong>How does it work?<\/strong><\/p>\n<ul>\n<li>Extracts and analyzes macros from Office files (Excel, Word).<\/li>\n<li>Searches for suspicious patterns, such as calls to Shell(), URLDownloadToFile, or obfuscation with chr().<\/li>\n<\/ul>\n<p><strong>2. 
Monitoring of suspicious processes (detection of malicious payloads in memory)<\/strong><\/p>\n<pre>import os\nimport time\nimport psutil\n\nSUSPICIOUS_PROCESSES = {\"cmd.exe\", \"powershell.exe\", \"wscript.exe\", \"mshta.exe\"}\nMALICIOUS_DLLS = {\"libcmd.dll\", \"picassoloader.dll\"}  # compared in lower case\n\ndef loaded_module_names(proc):\n    \"\"\"Basenames of the file-backed modules mapped into a process (empty set if access is denied).\"\"\"\n    try:\n        return {os.path.basename(m.path).lower() for m in proc.memory_maps()}\n    except (psutil.NoSuchProcess, psutil.AccessDenied, OSError):\n        return set()\n\ndef monitor_suspicious_processes(interval=5):\n    reported = set()  # (pid, finding) pairs already alerted, so each one is printed once\n    while True:\n        for proc in psutil.process_iter(['pid', 'name', 'cmdline']):\n            try:\n                pid = proc.info['pid']\n                name = (proc.info['name'] or \"\").lower()  # name is None when access is denied\n                # Check for suspicious shells \/ script hosts\n                if name in SUSPICIOUS_PROCESSES and (pid, name) not in reported:\n                    reported.add((pid, name))\n                    print(f\"[ALERTA] Processo suspeito em execu\u00e7\u00e3o: {proc.info}\")\n                # Check for known malicious DLLs actually mapped into the process.\n                # Comparing DLL names against the command line never finds loaded\n                # modules; memory_maps() lists the file-backed ones. A DLL loaded purely\n                # from memory, as LibCMD is, has no file path here, so pair this check\n                # with the process check above.\n                for dll in loaded_module_names(proc).intersection(MALICIOUS_DLLS):\n                    if (pid, dll) not in reported:\n                        reported.add((pid, dll))\n                        print(f\"[CR\u00cdTICO] DLL maliciosa detectada: {dll} no PID {pid}\")\n            except (psutil.NoSuchProcess, psutil.AccessDenied):\n                continue\n        time.sleep(interval)  # checks every 5 seconds\n\n# Usage:\nprint(\"Iniciando monitoramento de processos suspeitos...\")\ntry:\n    monitor_suspicious_processes()\nexcept KeyboardInterrupt:\n    print(\"Monitoramento encerrado.\")<\/pre>\n<p><strong>How does it work?<\/strong><\/p>\n<ul>\n<li>\n<p style=\"text-align: justify;\">Monitors running processes, such as <code>cmd.exe<\/code> or <code>powershell.exe<\/code>, which can be used to execute payloads.<\/p>\n<\/li>\n<li>\n<p>Detects the loading of known malicious DLLs (e.g. <code>LibCMD.dll<\/code>).<\/p>\n<\/li>\n<\/ul>\n<p><strong>Conclusion<\/strong><\/p>\n<p style=\"text-align: justify;\">The <strong>Ghostwriter<\/strong> campaign demonstrates the sophistication of nation-state-backed groups, which use techniques such as <strong>macro obfuscation<\/strong> and <strong>steganography<\/strong> to evade detection.<\/p>\n<p>With the Python scripts presented, security teams can:<\/p>\n<ul>\n<li>\n<p><strong>Automatically analyze macros in Office documents<\/strong> before opening them.<\/p>\n<\/li>\n<li>\n<p><strong>Monitor processes in real time<\/strong> to detect malicious activity.<\/p>\n<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">Proactive mitigation is essential, especially for Ukrainian organizations and activists, who are frequent targets of these attacks.<\/p>\n<p><strong>Additional recommendations:<\/strong><\/p>\n<ul>\n<li>\n<p>Disable macros by default in Microsoft 
Office.<\/p>\n<\/li>\n<li>\n<p>Use sandboxing to analyze suspicious files.<\/p>\n<\/li>\n<li>\n<p>Monitor outbound traffic to malicious domains (e.g. <code>sciencealert[.]shop<\/code>).<\/p>\n<\/li>\n<\/ul>\n<p>Stay vigilant and keep your defenses continuously updated!<\/p>\n<p>Source and images: <a href=\"https:\/\/thehackernews.com\/2025\/02\/belarus-linked-ghostwriter-uses.html\" target=\"_blank\" rel=\"noopener\">https:\/\/thehackernews.com\/2025\/02\/belarus-linked-ghostwriter-uses.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ghostwriter: Belarusian campaign uses obfuscated Excel macros to distribute malware Cyberattacks linked to threat groups associated with Belarus continue to target opposition activists and Ukrainian government entities. Recently, SentinelOne researchers identified a new campaign using malicious Excel documents with obfuscated macros to distribute a variant of the PicassoLoader malware. 
The group, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":22397,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[100],"tags":[],"class_list":["post-22390","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-diversos"],"_links":{"self":[{"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/posts\/22390","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/comments?post=22390"}],"version-history":[{"count":5,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/posts\/22390\/revisions"}],"predecessor-version":[{"id":22396,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/posts\/22390\/revisions\/22396"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/media\/22397"}],"wp:attachment":[{"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/media?parent=22390"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/categories?post=22390"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/tags?post=22390"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}