Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

This looks new and slipped by the Gmail filters this morning.


  • Please log in to reply
15 replies to this topic

#1 zerodamage

zerodamage

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:05 PM

Posted 21 April 2015 - 11:13 AM

I received the email this morning and since I've been working out of this email account for my consulting gig, I thought it was probably fake but wanted to make sure. I loaded up a Windows 7 VM and then opened the doc and enabled content (macros) and it got busy. It spawned some new processes and launched several hidden cmd.exe processes. I killed it after that but wanted to see what it initially did and what the document did.  The analysis at malwr.com doesn't seem to automate the enabling of macros.

 

The return address is info@navystars.net.  The subject is Cancelled Automated Clearing House (ACH) transaction W4423096
 

The file downloads from a dropbox at: hxxps://www.dropbox.com/s/xnhkqx5kokcc7l7/ACH_transfer9839.doc?dl=1
 

 

Here is the malwr.com analysis: https://malwr.com/analysis/NjJmMWQyNzI3YjRiNDc1OTg1YTdkMzhmNGE5NWM1MTU/

 

 

Let me add that I am impressed with the word document itself. An average user would probably not know that the warning that opens up is the actually word document itself. 

 

 

Edit: Grammar. Should have proof-read. 


Edited by zerodamage, 21 April 2015 - 11:29 AM.


BC AdBot (Login to Remove)

 


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:05 PM

Posted 21 April 2015 - 11:42 AM

Hi zerodamage :)

Is it possible for you to archive that malicious file in a .zip (the one you got in attachment), upload it to ge.tt and PM me the download link? I'm sure that Didier or White Hat Mike would also like to take a look at it.

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 zerodamage

zerodamage
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:05 PM

Posted 21 April 2015 - 11:49 AM

Hi zerodamage :)

Is it possible for you to archive that malicious file in a .zip (the one you got in attachment), upload it to ge.tt and PM me the download link? I'm sure that Didier or White Hat Mike would also like to take a look at it.

 

Done.  Sent as a 7zip file.  Let me know if a zipped file is required.



#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:05 PM

Posted 21 April 2015 - 12:03 PM

I submitted it to Hybrid-Analysis.com, which can actually test document files with embedded macros and also extract information from them.

https://www.hybrid-analysis.com/sample/e843b790fe2e0012ec41890b88a90213862923e89b30eb4671e751877e21b85e?environmentId=1

Proceeding to download all these files. Also, it looks almost FUD on VirusTotal right now. It seems that there's at least two domains with the two same files on each, in case one goes down I imagine.

https://www.virustotal.com/en/file/e843b790fe2e0012ec41890b88a90213862923e89b30eb4671e751877e21b85e/analysis/1429635125/

It downloads a text file (1623782.txt) that is encoded in Base64, here's the results once decoded.

http://pastebin.com/YGEsLCn4

The lns.txt file it downloads contains the Dropbox URL:
 
https://www.dropbox.com/s/3nn9bgugqf654xa/r0.gif?dl=1
The Dropbox URL downloads a .gif file called r0.gif. The gif cannot be opened, but it have interesting detections on VirusTotal. Even the .gif is malicious.

https://www.virustotal.com/en/file/14750c1ea4940d1bab5b1d6237f2eff08f468bafae0cdbbb4de6ecdbe66185ac/analysis/
https://www.hybrid-analysis.com/sample/14750c1ea4940d1bab5b1d6237f2eff08f468bafae0cdbbb4de6ecdbe66185ac?environmentId=1

It also have a link to a picture of the Google logo:
 
http://savepic.su/5574915.png
Nec3Tvx.png

It'll download and execute at one point a .vbs and a .bat script. Trying to find them, but it's hard since I don't have Microsoft Office on my VM.

Embedded macro:

http://pastebin.com/6spGu1N0

One of the domain contacted is:


http://79.174.131.210/
However, it looks like it has already been suspended.

I0g6Uxs.png

Edited by Aura., 21 April 2015 - 12:33 PM.

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 zerodamage

zerodamage
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:05 PM

Posted 21 April 2015 - 12:40 PM

Let me add that Webroot is not on the Virustotal list and it did not detect anything either. 



#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:05 PM

Posted 21 April 2015 - 12:42 PM

I've been told that one of BleepingComputer Security Expert is currently working on the sample, so I'll leave the scene to him since he's way more skilled than I am :P

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#7 zerodamage

zerodamage
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:05 PM

Posted 21 April 2015 - 12:54 PM

I've been told that one of BleepingComputer Security Expert is currently working on the sample, so I'll leave the scene to him since he's way more skilled than I am :P

 

You did a fantastic job with what you did do. I am a consultant and didn't have time to do what little I did do. I wanted to bring this seemingly unknown sample to light since only two vendors on VT seem to be detecting it and this site (Bleeping) to me is the best at this kind of thing.


Edited by zerodamage, 21 April 2015 - 12:54 PM.


#8 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:05 PM

Posted 21 April 2015 - 02:59 PM

And these two vendors aren't part of the vendors that dominates the market too. I'm about to install Office 2013 in my VM (had to transfer the .iso somehow), so I'll run the Word file in it to try to grab the .bat and .vbs files that are dropped and their content.

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#9 zerodamage

zerodamage
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:05 PM

Posted 21 April 2015 - 03:29 PM

I am seeing that this is a variant of that Dridex malware that targets banking accounts. SANS Diary has a new entry up about this as well.



#10 White Hat Mike

White Hat Mike

  • Members
  • 312 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:::1
  • Local time:10:05 PM

Posted 21 April 2015 - 03:51 PM

I already posted a comprehensive analysis of the Dridex Trojan.  Spread via the same e-mail phish campaign leveraging the same methods (pastebin).


http://www.bleepingcomputer.com/forums/t/572650/another-look-at-the-dridex-banking-trojan/

 

EDIT -- This one is slightly different, but likely delivers the same end payload but just modified to avoid AV detection.  Just to clarify.  Haven't looked at the sample(s) specifically associated with the OP's e-mail.  Took a long time to normalize / deobfuscate / analyze the other one so not gonna go through it again with this one since I'm pretty sure they both lead to Dridex.


Edited by White Hat Mike, 21 April 2015 - 03:55 PM.

Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#11 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,751 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:05 AM

Posted 22 April 2015 - 03:27 AM

It's the same as with pastebin, but pastebin has been replace by a compromised site.

 

https://isc.sans.edu/forums/diary/The+Kill+Chain+Now+With+Pastebin/19569/


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#12 rp88

rp88

  • Members
  • 3,082 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:02:05 AM

Posted 22 April 2015 - 02:36 PM

Regarding post#4 : How can a .gif be malicious. GIF's are image files, they shouldn't be able to execute anything or cause any damage. Is this GIF exploiting a vulnerability or something?
Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#13 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:05 PM

Posted 22 April 2015 - 02:42 PM

Files can be specially crafted in order to exploit the program in which they are open. This includes .gif as well.

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#14 psloss

psloss

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:05 PM

Posted 22 April 2015 - 02:59 PM



Regarding post#4 : How can a .gif be malicious. GIF's are image files, they shouldn't be able to execute anything or cause any damage. Is this GIF exploiting a vulnerability or something?

It's not a GIF, it's a (Windows) executable file with a GIF file extension.  File extensions are part of a naming convention, but they aren't a guarantee of a file's content.  Just as it is possible for a zero-byte "empty" file to not really be anything it is named.

 

As an exercise, open a command prompt in a temporary location (like %TEMP%).  Copy the Calculator executable to that directory as a "GIF" and then "execute" the GIF file.  For example:

copy %windir%\system32\calc.exe .\t.gif
t.gif

In a default configuration, that should start a copy of Calculator rather than opening an image viewer/editor.

 

A common trait of downloader malware is to "break" naming conventions for executable file extensions and content type, since a common way that content filters look for executables is by checking that "metadata."


Edited by psloss, 22 April 2015 - 02:59 PM.


#15 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,069 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:05 PM

Posted 22 April 2015 - 05:10 PM

A common tactic of malware writers is to disguise malicious files by hiding the file extension or adding spaces to the existing extension as shown here (click Figure 1 to enlarge).
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users