Introduction Malicious spam (malspam) impersonating eFax is old news, yet we still occasionally see it. Earlier this week, someone sent the ISC an example of eFax-themed malspam with an attached Word document. Those eFax-themed malspam containing Word documents are not new [1], but the person submitting the example thought it might be Dridex. But I haven't seen much Dridex since key players behind Citadel and Dridex were arrested in late August 2015 [2]. Was this another wave of Dridex? In this diary, we investigate. The result? It wasn't Dridex. It was just another Word document --> enable macros --> Pony downloader --> follow-up malware. From what I can tell, the malware we found is being used in other themed malspam campaigns, not just eFax-themed. I like to document these, if only to remind people the spammers and botnets are still pushing out this sort of malware. Our thanks to Wayne who provided the sample. (You know who you are!) The malspam example Below is a screenshot from the malspam example Wayne sent us. Links in the email all went to the appropriate eFax URLs. The attached Word document is the only malicious part of the message.
Looking at the email headers, you'll find the recipient's email server received the message from a Unified Layer IP address at 67.222.39.168.
The malicious Word document The Word document has macros. If macros are enabled, the document will try to drop malware and infect the Windows host.
Using OfficeMalScanner, we can extract the malicious macro from the Word document.
Once you've got the macro extracted, you can review it with a text editor. This gives you some idea on what the macro does. For example, in the image below, you might be able to determine that 300.rtf, 301.rtf, and pm4.exe are created in the user's AppData\Local\Temp folder (the "TEMP" environment).
Traffic from the infected host Infecting a host using this Word document didn't generate a lot of traffic. There was only a Fareit/Pony-style check-in followed by the follow-up malware being downloaded. By the time I reviewed the malware on Wednesday 2015-10-07, all hosts for the Fareit/Pony-style check-in traffic didn't resolve in DNS. I had to use a pcap from a Hybrid-Analysis.com report to see the check-in traffic.
Below are indicators of compromise (IOCs) for the malware associated with this malspam:
Below are alerts generated from the Hybrid-Analysis.com's pcap when I used tcpreplay on Security Onion with the EmergingThreats (ET) open signature set.
Preliminary malware analysis Attachment name: fax_message_326-816-3257.doc
Malware dropped by the document: C:\Users\username\AppData\Local\Temp\pm4.exe
Other files noted in the user's AppData\Local\Temp directory:
Malware downloaded to infected host: m.exe stored as C:\Users\username\AppData\Local\[random name]\[random name].exe
Final words Overall, we found nothing really new with the malspam, but we had fun checking it out. If you have any suspicious files (emails, malware, pcaps, etc.) you'd like us to investigate, use our site's contact link. You can attach a file to the contact form and leave us a note about it. We can't always get to everything submitted, but we like to see what people are able to share. --- References: [1] http://threattrack.tumblr.com/post/50992552536/malicious-efax-corporate-spam |
Brad 435 Posts ISC Handler Oct 8th 2015 |
Thread locked Subscribe |
Oct 8th 2015 6 years ago |
Hi Brad
there are currently Dridex word and excel macro downloaders being delivered concurrently with the Upatre embedded word or excel malspam Dridex examples from the last few days: http://myonlinesecurity.co.uk/copy-of-invoices-hammondsofknutsford-co-uk-word-doc-malware/ http://myonlinesecurity.co.uk/red-funnel-ferries-confirmation-5838547-word-doc-malware/ http://myonlinesecurity.co.uk/scanned-document-from-mx-2600n-excel-xls-spreadsheet-malware/ http://myonlinesecurity.co.uk/your-invoices-incident-support-group-ltd-excel-xls-spreadsheet-malware/ http://myonlinesecurity.co.uk/chelsee-gee-ucblinds-please-print-word-doc-malware/ Upatre emebedded droppers http://myonlinesecurity.co.uk/infobogoroch-com-has-sent-you-a-file-via-wetransfer-word-doc-malware/ http://myonlinesecurity.co.uk/anz-bank-securemail-you-have-1-new-message-word-doc-malware/ Hope this helps to clarify Derek |
DVK01 21 Posts |
Quote |
Oct 8th 2015 6 years ago |
Sanesecurity 3rd Party ClamAV signatures are picking these up,
using phish.ndb and the new badmacro.ndb databases. Here's an example hit rate... http://sanesecurity.blogspot.co.uk/2015/10/macro-malware-vs-sanesecurity-signatures.html Cheers, Steve Sanesecurity.com |
Sanesecurity 21 Posts |
Quote |
Oct 8th 2015 6 years ago |
Hi Brad,
thanks for the great post! We've seen these DOC's been spammed out since at least October 2nd: 2015-10-02 / "Internal ONLY" / Form_3108835.doc (w1.exe) 2015-10-05 / "Delivery failed for parcel # 940192" / usps_label_940192.doc (q2.exe) 2015-10-05 / "Delivery failed for parcel # 940192 x3" / usps_label_940192.doc (q2.exe) 2015-10-06 / "You have a new Secure Message" / SecureMessage.doc (n1.exe) 2015-10-06 / "Delivery failed for parcel # 8390171" / usps_shiplabel_8390171.doc (pm4.exe) I've analysed one of these samples: usps_label_940192.doc / MD5: 88c69cd7738b6c2228e3c602d385fab3 The two dropped RTF files (300.rtf, 301.rtf) contain an exploit, which drops the EXE file. The EXE then is started from the macro of the sample DOC. > "Overall, we found nothing really new with the malspam..." This is indeed something new that I haven't seen before. It seems to be dropping Pony / Fareit which downloads Vawtrak (so I heard, haven't gotten that myself). dropped exe: q2.exe / MD5: 15c2b82e45ed7977e5ae133b6876fecf Open question: I'm not sure yet if the RTF exploit is CVE-2012-0158 or a newer exploit which is very similar. Cryptam analysis of dropped RTF files: https://www.malwaretracker.com/docsearch.php?hash=b3f58747914cc1a1a6d6000ad6bd54f6 https://www.malwaretracker.com/docsearch.php?hash=d168250b239b92f657a939ac6a4a0710 Cheers, Tom (@c_APT_ure) |
TomU 8 Posts |
Quote |
Oct 8th 2015 6 years ago |
DONT PANIC!
(Please imagine the bright red color of the letters yourself) As usual, this malspam/malware is MOSTLY HARMLESS. Enable SAFER a.k.a. software restriction policies and deny execution in %USERPROFILE% and below, or set the default level to "Deny" and allow execution only in %SystemRoot% and below and %ProgramFiles% and below. As alternative add the NTFS ACE "(D;OIIO;WP;;;WD)" meaning "Deny execution of all files in this directory and all subdirectories for everybody" to %USERPROFILE% (and %ALLUSERSPROFILE% plus %ProgramData% too). |
Anonymous |
Quote |
Oct 8th 2015 6 years ago |
We saw this as well. <<Feel free to delete company references if appropriate>> [our IDS] tripped on the callout ID-ing it as Fareit.
destination IP: 80.78.253.48 Examining the header of the email we found the following information: X-Barracuda-Envelope-From: tribesmanpi67@ranelson.com X-Barracuda-Apparent-Source-IP: 14.177.73.68 Message-Id: <77C38804-4BD5-64CD-EE8C-940424CB904E@ranelson.com> Technical analysis showed that when the document is opened the user is prompted to enable Macros which, if done, the code is executed. Then, the malware, which is called 13.exe, is executed on the system, injected into svchost.exe, and then it deletes itself from the 'temp' directory leaving remnants of the prefetch file 13.EXE-297DB084.pf. RTF Filename: E403CD17.doc MD5: 8e450873205f9f882d28b9d5faafaaf5 SHA1 ad1e32d62a0dc8776c54d4467c43ac66fe5b53e3 Embedded Dropper: 13.exe MD5: 4D75377FED6F0F32A9FF0FFD66E6EAFF SHA1: 10e93e07aa52bb49e34ad20f0e15e7f17b2f0cc3 Location: C:\Users\%InfectedUser%\AppData\Local\Temp\13.exe Original Filename: Consider Fyi.exe Size: 217KB Microsoft had a good article on Fareit: https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Fareit |
Anonymous |
Quote |
Oct 8th 2015 6 years ago |
Sign Up for Free or Log In to start participating in the conversation!