Tuesday, November 5, 2013

Latest UPS spam runs include exploits


Spam runs never get old. Whether you have received a package from UPS, FedEx or even PayPal notifications, they either lead you to (poorly crafted) phishing websites or malware (mostly Trojans like Zeus).

This afternoon I saw a tweet from one of my friends on Twitter:


Not many moments later I had received the mail in my inbox. Here's what it looked like:

UPS Delivery Notification Tracking Number : XLMBGBN855XLMBGBN581



















Mail seems to come from:
auto-notify@ups.com or
auto@ups.com

Obviously the mail is spoofed and is really coming from:
UPS@enviosuperfast.info or
Quantum@enviosuperfast.info or 
View@enviosuperfast.info 

Which traces back to:
192.123.32.83 - Result & 184.82.214.54 - Result

Attached is a file called:
invoiceU6GCMXGLL2O0N7QYDZ.doc
MD5: 7c2fd4abfe8640f8db0d18dbecaf8bb4
Malwr Report
Malware Tracker Report

Other file names are possible as well, but always follow the same format:
invoiceXXXXXXXXXXXXXXXXXX.doc, where XXXXXXXXXXXXXXXXXX is a random string of 18 characters. I haven't seen any other possibilities (yet).

What's this? It seems this is not the usual ZIP file with a piece of malware in, no, rather this .doc file is actually an .rtf file which contains an exploit. There's also a URL in the mail, which leads to the download of the exact same file. (so you're screwed either way - whether you download/open the attachment or the link - malware authors wanting to up their success rate may be a good reason for this "tactic".)

Submission to Malware Tracker revealed CVE-2012-0158

 Let's perform some static analysis as well. Using our favorite tool Notepad++:
Clues in yellow indicating it's indeed an .rtf file (font used: Calibri)
















What's happening exactly when we are trying to open this with Wordpad? I can tell you: you just see the same thing as is happening above with Notepad++.

When using OfficeMalScanner (downloadable here) it is being revealed there's a (vulnerable) OLE document embedded. There's an excellent post over at SANS here as well on the usage of this tool.

Unfortunately OfficeMalScanner was unable to automatically extract malicious shellcode, but after some manual work I was able to receive another file, which ultimately delivers another exploit.

We have now two working exploits (both are exploits for Office/.RTF files):
CVE-2012-0158
CVE-2010-3333


When I tried to open it this .RTF file with Microsoft Word 2010, Word crashed and the following happened...:
 

Word crashing & malicious process(es) spawning



















Those are an awful lot of REG.exe processes, right? In case you're wondering, REG.exe is a legit Microsoft file - or tool- to edit the registry.

A process called WINWORD.exe is present, but neither vendor or description name are mentioned.
MD5: e5e1ee559dcad00b6f3da78c68249120
Malwr Report

Obviously this isn't the legit Microsoft Word, as that application had crashed. The first time I was reproducing this exploit in the works, it also dropped another file. Unfortunately I was a bit too fast and forgot to take a copy of that sample as well. I was not able to reproduce the spawning or creating of the latter sample.

The malware creates persistence by:
  • injecting into explorer.exe
  • Creating a key as follows: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\baebadcaacbfcbcdsacfsfdsf

It also recreates itself in:
  • %ApplicationData%
  • %CommonApplicationData%


It calls back to the following domains:
customer.invoice-appmy.com
customers.invoice-appmy.org
customer.appmys-ups.orgfeed404.dnsquerys.org
feed.queryzdnsz.org
feeds.nsupdatedns.com
feed404.dnsquerys.com
static.invoice-appmy.com

... Which resolves to the following IP's:
158.255.2.60 - Result
118.67.250.91 - Result


The reason for these domain names are probably to fool network administrators who are possibly taking a peek at the packets passing through their appliance: "Oh, it's just for DNS queries." , one may think. Nothing's less true though.


Payload

The payload can vary in this case. According to VirusTotal results, it may be ransomware. I was unable to reproduce that kind of behaviour. I have feelings it may be a Bitcoin miner or simply Zeus/Zbot again. Kaspersky had apparently noticed the same campaign, in their sample it's a Brazilian banking Trojan. You can read that article here.



Prevention



 Disinfection

  • Look for suspicious Run keys (examples here) and delete the associated file(s).
  • Run a full scan with your installed antivirus product.
  • Run a full scan with another antivirus and/or antimalware product.
  • In a company: warn your network administrator immediately!


Conclusion

One might wonder if this is a so-called "APT" (Advanced Persistent Threat). I highly doubt that.

Though spammers and malware authors have tried the technique of attaching a malicious file or posting a link in the mail, I haven't seen them do that both very much. (exceptions being some awkward and poorly made viagra spam)

Using these exploits, it's clear they are prooftesting their possiblities. How many have fallen or will fall for this campaign? How much of these mails were sent out anyway? There's no sure way of knowing.

Follow the above prevention tips. If you're an antivirus or security company or researcher or just someone interested in this field, this may interest you:

7500198c94051785a68addc5f264a10f
7c2fd4abfe8640f8db0d18dbecaf8bb4
ad0ef249b1524f4293e6c76a9d2ac10d
e5e1ee559dcad00b6f3da78c68249120

7 comments:

  1. In my examples the two files dropped were the same, i.e.
    \Local Settings\Temp\WINWORD.EXE
    \All Users\Application Data\baebadcaacbfcbcdsacfsfdsf.exe

    Were two copies of the same file.

    ReplyDelete
  2. Spammers are luring victims through well-crafted emails that appear to be legitimate that ask the recipient to click on a link which leads them to a hacked website. Code that has been inserted on that website by hackers then redirects them to a landing page which houses the exploit and drops the malware. Often times there is more than one level of redirection involved, so a hacked site will forward to another hacked site, which will then redirect to the actual exploit site.

    ReplyDelete
  3. Hey!
    How did you get the shellcode manually?
    Really good post btw!

    ReplyDelete
    Replies
    1. Hey! You first need to extract OLE objects from the file using RTFscan for example. Then you can use hachoir or hexdump to take a look and dump the .bin file you extracted from the OLE object... That's how I found it.

      There are 2 great posts on SANS about this subject:
      https://isc.sans.edu/diary/Getting+the+EXE+out+of+the+RTF+again/8506
      https://isc.sans.edu/diary/Analyzing+Malicious+RTF+Files+Using+OfficeMalScanner%27s+RTFScan/14092

      Let me know if you have any other questions!

      Delete
  4. > The malware creates persistence by:
    > injecting into explorer.exe
    > Creating a key as follows: HKU\​%S-ID-User%\​SOFTWARE\​eccbcffbaaedfcsacfsfdsf

    Creating a Registry key as you describe does not make the malware persistent...Windows does not automatically load/run the contents of random keys.

    ReplyDelete
    Replies
    1. Also, if the malware uses the key that you mention for persistence, how does the recommendation of "Look for suspicious Run keys..." help disinfect the system?

      I'm just curious...thanks.

      Delete
    2. Hi Harlan,

      You're right, obviously this must have been the Run key for the currently logged on user:
      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

      Thanks, I have changed it in the article.

      Delete