Spam runs never get old. Whether it's a package notification from UPS or FedEx or even a PayPal notice, they either lead you to (poorly crafted) phishing websites or to malware (mostly Trojans like Zeus).
This afternoon I saw a tweet from one of my friends on Twitter:
@MalwareMustDie Phishing Campaign http://t.co/ecm0urGFpv #malwaremustdie
— Jim Kesselring (@RazorEQX) November 5, 2013
Not long after, the same mail landed in my own inbox. Here's what it looked like:
UPS Delivery Notification Tracking Number : XLMBGBN855XLMBGBN581
Mail seems to come from:
auto-notify@ups.com or
auto@ups.com
Obviously the mail is spoofed and is really coming from:
UPS@enviosuperfast.info or
Quantum@enviosuperfast.info or
View@enviosuperfast.info
Which traces back to:
192.123.32.83 and 184.82.214.54
Attached is a file called:
invoiceU6GCMXGLL2O0N7QYDZ.doc
MD5: 7c2fd4abfe8640f8db0d18dbecaf8bb4
Malwr Report
Malware Tracker Report
Other file names are possible as well, but always follow the same format:
invoiceXXXXXXXXXXXXXXXXXX.doc, where XXXXXXXXXXXXXXXXXX is a random string of 18 characters. I haven't seen any other possibilities (yet).
What's this? It isn't the usual ZIP file with a piece of malware inside; instead, this .doc file is actually an .rtf file that contains an exploit. There's also a URL in the mail that leads to a download of the exact same file, so you're screwed either way, whether you open the attachment or follow the link. Malware authors wanting to up their success rate is probably the reason for this "tactic".
Submission to Malware Tracker revealed CVE-2012-0158
Let's perform some static analysis as well. Using our favorite tool Notepad++:
Clues in yellow indicating it's indeed an .rtf file (font used: Calibri)
What happens when we try to open this with WordPad? Exactly the same thing you see above in Notepad++.
Running OfficeMalScanner (downloadable here) reveals an embedded (vulnerable) OLE document. There's an excellent post over at SANS here on the usage of this tool as well.
Unfortunately OfficeMalScanner was unable to extract the malicious shellcode automatically, but after some manual work I was able to recover another file, which ultimately delivers another exploit.
We now have two working exploits (both target Office/.RTF files):
CVE-2012-0158
CVE-2010-3333
When I tried to open this .RTF file with Microsoft Word 2010, Word crashed and the following happened:
Word crashing & malicious process(es) spawning
Those are an awful lot of REG.exe processes, right? In case you're wondering, REG.exe is a legitimate Microsoft tool for editing the registry.
A process called WINWORD.exe is present, but neither a vendor nor a description is shown.
MD5: e5e1ee559dcad00b6f3da78c68249120
Malwr Report
Obviously this isn't the legitimate Microsoft Word, as that application had crashed. The first time I reproduced this exploit it also dropped another file. Unfortunately I was a bit too fast and forgot to keep a copy of that sample. I was not able to reproduce the spawning or creation of that second sample afterwards.
The malware creates persistence by:
- Injecting into explorer.exe
- Creating a key as follows: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\baebadcaacbfcbcdsacfsfdsf
It also recreates itself in:
- %ApplicationData%
- %CommonApplicationData%
It calls back to the following domains:
customer.invoice-appmy.com
customers.invoice-appmy.org
customer.appmys-ups.org
feed404.dnsquerys.org
feed.queryzdnsz.org
feeds.nsupdatedns.com
feed404.dnsquerys.com
static.invoice-appmy.com
These resolve to the following IPs:
158.255.2.60
118.67.250.91
The reason for these domain names is probably to fool network administrators who take a peek at the packets passing through their appliances: "Oh, it's just DNS queries," one might think. Nothing could be less true.
Payload
The payload can vary in this case. According to VirusTotal results, it may be ransomware; I was unable to reproduce that kind of behaviour. I suspect it may be a Bitcoin miner or simply Zeus/Zbot again. Kaspersky had apparently noticed the same campaign; in their sample it's a Brazilian banking Trojan. You can read that article here.
Prevention
- Upgrade to the latest version of Microsoft Word (and Office as a whole). If that's not possible:
- Install ALL your Windows Updates! These exploits are long patched by Microsoft.
- Improve security for your Office files. This means disabling ActiveX, disabling macros and blocking external content. Useful links:
Enable or disable ActiveX controls in Office documents
Enable or disable macros in Office documents
Block or unblock external content in Office documents
- Block ALL the IPs mentioned above in my post.
- Install a proper antivirus and antimalware solution. In a company, you'd better have a spam filter!
Disinfection
- Look for suspicious Run keys (examples here) and delete the associated file(s).
- Run a full scan with your installed antivirus product.
- Run a full scan with another antivirus and/or antimalware product.
- In a company: warn your network administrator immediately!
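An added audit script for the "suspicious Run keys" step above (my own example, not the post's code and not any vendor tool): it applies the indicators this post reports, a random-looking value name, a binary living under AppData/ProgramData, and an Office executable name such as WINWORD.EXE running outside Program Files, and generalizes that last check to a few other Office binaries. The sample entries are constructed; on Windows the script reads the real HKCU/HKLM Run keys via winreg.

```python
import ntpath
import sys

# Constructed Run-key entries, not read from a real machine: the first two mimic what this
# post reports (a random lowercase value name whose binary sits under ProgramData, and a fake
# WINWORD.EXE launched from the user's profile); the third is a benign baseline.
SAMPLE_RUN_ENTRIES = [
    ("baebadcaacbfcbcdsacfsfdsf", "C:\\ProgramData\\baebadcaacbfcbcdsacfsfdsf.exe"),
    ("Updater", "C:\\Users\\victim\\AppData\\Roaming\\WINWORD.EXE"),
    ("OneDrive", "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"),
]
RUN_KEY = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\application data\\", "\\temp\\")
OFFICE_BINARIES = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")

def exe_name(command: str) -> str:
    """Lower-cased basename of the executable in a Run value, ignoring quotes and arguments."""
    low = command.lower().lstrip('"')
    head = low.split(".exe", 1)[0] + ".exe" if ".exe" in low else (low.split() or [low])[0]
    return ntpath.basename(head)

def suspicious_reasons(name: str, command: str) -> list:
    """Heuristics drawn from this campaign; an empty list means nothing stood out."""
    reasons, low = [], command.lower()
    if any(d in low for d in USER_WRITABLE):
        reasons.append("autostart binary lives in a user-writable data folder")
    if len(name) >= 16 and name.isalpha() and name.islower():
        reasons.append("value name is a long random-looking lowercase string")
    if exe_name(command) in OFFICE_BINARIES and "\\program files" not in low:
        reasons.append("Office executable name running from outside Program Files")
    return reasons

def audit(entries: list) -> list:
    """(name, command, reasons) for every entry that trips at least one heuristic."""
    return [(n, c, r) for n, c in entries if (r := suspicious_reasons(n, c))]

def read_run_keys() -> list:
    """Enumerate HKCU and HKLM Run values on Windows; [] elsewhere so the audit still runs."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                i = 0
                while True:   # EnumValue raises OSError once the values are exhausted
                    name, value, _ = winreg.EnumValue(key, i)
                    entries.append((name, str(value)))
                    i += 1
        except OSError:
            continue
    return entries
```

Run `audit(read_run_keys() or SAMPLE_RUN_ENTRIES)` to see flagged entries with their reasons; every hit still needs a human look before deleting anything.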
Conclusion
One might wonder if this is a so-called "APT" (Advanced Persistent Threat). I highly doubt that.
Though spammers and malware authors have each tried attaching a malicious file or posting a link in the mail, I haven't seen them do both very often (the exceptions being some awkward, poorly made viagra spam).
Using these exploits, it's clear they are proof-testing their possibilities. How many have fallen or will fall for this campaign? How many of these mails were sent out anyway? There's no sure way of knowing.
Follow the above prevention tips. If you're an antivirus or security company, a researcher, or just someone interested in this field, these may interest you:
7500198c94051785a68addc5f264a10f
7c2fd4abfe8640f8db0d18dbecaf8bb4
ad0ef249b1524f4293e6c76a9d2ac10d
e5e1ee559dcad00b6f3da78c68249120
In my examples the two files dropped were the same, i.e.
\Local Settings\Temp\WINWORD.EXE
\All Users\Application Data\baebadcaacbfcbcdsacfsfdsf.exe
were two copies of the same file.
Spammers are luring victims through well-crafted emails that appear to be legitimate that ask the recipient to click on a link which leads them to a hacked website. Code that has been inserted on that website by hackers then redirects them to a landing page which houses the exploit and drops the malware. Often times there is more than one level of redirection involved, so a hacked site will forward to another hacked site, which will then redirect to the actual exploit site.
Hey!
How did you get the shellcode manually?
Really good post btw!
Hey! You first need to extract the OLE objects from the file using RTFScan, for example. Then you can use hachoir or hexdump to take a look and dump the .bin file you extracted from the OLE object... That's how I found it.
There are 2 great posts on SANS about this subject:
https://isc.sans.edu/diary/Getting+the+EXE+out+of+the+RTF+again/8506
https://isc.sans.edu/diary/Analyzing+Malicious+RTF+Files+Using+OfficeMalScanner%27s+RTFScan/14092
Let me know if you have any other questions!
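The check the article describes (a .doc that is really RTF with an embedded OLE object) and the manual extraction route in the reply above, as an added Python example of my own, not the post's code and not OfficeMalScanner or RTFScan: it spots the RTF header, decodes each hex-encoded \objdata destination and returns any embedded OLE object found. The RTF sample is constructed inline; a real file would be read into `data` the same way.

```python
import re

# OLE2 compound-file signature (a genuine .doc and an embedded OLE object start with it) vs the RTF header.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
RTF_MAGIC = b"{\\rtf"

# Constructed sample, not the campaign's file: a tiny RTF whose hex-encoded \objdata
# carries an OLE header, the layout RTFScan dumps out as a .bin file.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0\\fnil Calibri;}}\n"
    b"{\\object\\objemb{\\*\\objclass Word.Document.8}{\\*\\objdata 01050000020000000b000000\n"
    + OLE_MAGIC.hex().encode() + b"00" * 24 + b"}}\n\\par }"
)

def is_rtf(data: bytes) -> bool:
    """True when the bytes are RTF whatever the extension says."""
    return data.lstrip().startswith(RTF_MAGIC)

def _group_end(data: bytes, start: int) -> int:
    """Offset of the '}' closing the RTF group that encloses position start."""
    depth = 0
    for i in range(start, len(data)):
        if data[i] == 0x7B:        # '{' opens a nested group
            depth += 1
        elif data[i] == 0x7D:      # '}' closes one; at depth 0 it ends ours
            if depth == 0:
                return i
            depth -= 1
    return len(data)

def extract_objdata(data: bytes) -> list:
    """Decode every \\objdata destination: strip control words, keep only the hex digits."""
    blobs = []
    for m in re.finditer(rb"\\objdata\b", data):
        raw = data[m.end():_group_end(data, m.end())]
        hexchars = re.sub(rb"[^0-9a-fA-F]", b"", re.sub(rb"\\[a-zA-Z]+-?\d*", b"", raw))
        blobs.append(bytes.fromhex(hexchars[: len(hexchars) & ~1].decode("ascii")))
    return blobs

def find_ole_objects(data: bytes) -> list:
    """Each embedded OLE object from its signature onward; these are what a CVE check inspects."""
    hits = []
    for blob in extract_objdata(data):
        pos = blob.find(OLE_MAGIC)
        if pos != -1:
            hits.append(blob[pos:])
    return hits

if __name__ == "__main__":
    print("RTF disguised as .doc:", is_rtf(SAMPLE_RTF))
    for obj in find_ole_objects(SAMPLE_RTF):
        print(f"embedded OLE object: {len(obj)} bytes, header {obj[:8].hex()}")
```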
> The malware creates persistence by:
> injecting into explorer.exe
> Creating a key as follows: HKU\%S-ID-User%\SOFTWARE\eccbcffbaaedfcsacfsfdsf
Creating a Registry key as you describe does not make the malware persistent...Windows does not automatically load/run the contents of random keys.
Also, if the malware uses the key that you mention for persistence, how does the recommendation of "Look for suspicious Run keys..." help disinfect the system?
I'm just curious... thanks.
Hi Harlan,
You're right, obviously this must have been the Run key for the currently logged on user:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Thanks, I have changed it in the article.