Introduction

Malicious spam (malspam) using attached password-protected Word documents to evade detection is nothing new. I've documented it as early as March 2017, and this style of malware distribution started years before then. This particular campaign has pushed a variety of malware, including IcedID (Bokbot), various types of ransomware, and Nymaim. This diary from 2018 has a list of different types of malware seen from this campaign during that year.

At times, this resume-themed malspam can disappear for several weeks, but I always see it return. This most recent wave began as early as Wednesday 2019-08-28. When I checked on Tuesday 2019-09-03, this infection chain pushed Remcos RAT. Today's diary reviews characteristics of this infection chain.

Malspam

Recent malspam looks similar to a diary I wrote in March 2019 and a blog I posted almost two months later in May. This time, the sending addresses were all probably spoofed, and they all end with @t-online.de. Attachment names all end with resume.doc. I've pasted the dates, times, sending addresses, subject lines, and attachment names here.
I was not able to find an example of the malspam from this most recent wave of emails; however, the image below shows what these emails typically look like.
Attached Word documents

The attached Word documents use 123 as the password. These Word documents have macros, and the visual template looks remarkably similar to previous examples I've reviewed.
Infection traffic

Infection traffic was similar to what I've seen before from this campaign. First was an HTTP request that returned a Windows executable file. In this case, the initial URL ended in .jpg. This was followed by post-infection traffic over TCP ports 2404 and 2405. When I ran the same Word document through an Any.Run sandbox, it also generated two DNS queries not seen during my infection traffic.
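The two network traits just described (an image-named URL that actually returns a Windows executable, and follow-on connections to TCP 2404/2405) are easy to turn into triage rules. The script below is an added example, not code from the diary; the host addresses, URLs and records are constructed for illustration, and the record shapes are assumed to match what a proxy log and a connection log would provide.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Post-infection TCP ports observed in the diary; treat as high-signal indicators.
REMCOS_C2_PORTS = {2404, 2405}
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif")
MZ_MAGIC = b"MZ"  # every Windows PE file starts with the DOS 'MZ' header

@dataclass
class HttpRecord:        # one proxy log entry: who fetched what, first bytes returned
    src: str
    url: str
    body_head: bytes

@dataclass
class FlowRecord:        # one connection summary, e.g. from a firewall or Zeek conn.log
    src: str
    dst: str
    dport: int

def exe_disguised_as_image(rec: HttpRecord) -> bool:
    """True when the URL path claims an image but the body is a PE/EXE."""
    path = urlparse(rec.url).path.lower()
    return path.endswith(IMAGE_EXTENSIONS) and rec.body_head.startswith(MZ_MAGIC)

def c2_port_hit(rec: FlowRecord) -> bool:
    """True for outbound connections to the ports the diary saw Remcos use."""
    return rec.dport in REMCOS_C2_PORTS

def triage(http, flows):
    """Return one alert string per suspicious record, in input order."""
    alerts = []
    for r in http:
        if exe_disguised_as_image(r):
            alerts.append(f"{r.src} downloaded EXE from image URL {r.url}")
    for f in flows:
        if c2_port_hit(f):
            alerts.append(f"{f.src} -> {f.dst}:{f.dport} matches Remcos C2 port")
    return alerts

# Constructed sample records (hypothetical hosts/URLs, not from the diary's pcap).
SAMPLE_HTTP = [
    HttpRecord("10.0.0.5", "http://example.invalid/img/photo.jpg", b"MZ\x90\x00\x03"),
    HttpRecord("10.0.0.5", "http://example.invalid/img/logo.jpg", b"\xff\xd8\xff\xe0"),
]
SAMPLE_FLOWS = [
    FlowRecord("10.0.0.5", "203.0.113.10", 2404),
    FlowRecord("10.0.0.5", "203.0.113.10", 443),
]
```

Running `triage(SAMPLE_HTTP, SAMPLE_FLOWS)` yields two alerts: the fake-JPEG download and the connection to port 2404; the real JPEG and the HTTPS flow are left alone.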
Forensics on the infected Windows host

The initial Windows executable (EXE) file was saved to the user's AppData\Local\Temp directory. It generated an EXE that was slightly over 400 MB, which kept Remcos RAT persistent on the infected Windows host. This Remcos RAT sample also updated the Windows registry to stay persistent after a reboot.
Indicators of Compromise (IoCs)

Infection traffic:
Associated files:

SHA256 hash: 932505acc15faede0993285532ed6d5afb27ce1c591a0819653ea5813d11cd55
SHA256 hash: fa9a94b32f7fa1e1e3eef63d3fb9003fda8d295e1f1a3e521691725e4c7da9f3
SHA256 hash: c866c269cd1617ee739216e24ba7cd1b392684b441bcdf10a6c0fdba073fbc28
Final words

Remcos RAT is not the only malware distributed by this campaign. In previous months, other families of malware have been seen from this malspam, most recently IcedID (Bokbot). Detection rates on the attached Word documents are very low, since they are encrypted and use password protection. However, spam filters and proper system administrative practices like Software Restriction Policies (SRP) or AppLocker will easily prevent these types of infections on Windows-based systems. Pcap and malware for this diary can be found here.
Brad, ISC Handler, Sep 4th 2019