Malicious spam (malspam) using attached password-protected Word documents to evade detection is nothing new. I've documented it as early as March 2017, and this style of malware distribution started years before then. This particular campaign has pushed a variety of malware, including IcedID (Bokbot), various types of ransomware, and Nymaim. This diary from 2018 has a list of different types of malware seen from this campaign during that year.
At times, this resume-themed malspam can disappear for several weeks, but I always see it return. This most recent wave began as early as Wednesday 2019-08-28. When I checked on Tuesday 2019-09-03, this infection chain pushed Remcos RAT.
Today's diary reviews characteristics of this infection chain.
Recent malspam looks similar to a diary I wrote in March 2019 and a blog I posted almost two months later in May. This time, the sending addresses were all probably spoofed, and they all end with @t-online.de. Attachment names all end with resume.doc. I've pasted the dates, times, sending addresses, subject lines, and attachment names here.
I was not able to find an example of the malspam from this most recent wave of emails; however, the image below shows what these emails typically look like.
Attached Word documents
The attached Word documents use 123 as the password. These Word documents have macros, and the visual template looks remarkably similar to previous examples I've reviewed.
Infection traffic was similar to what I've seen before from this campaign. First was an HTTP request that returned a Windows executable file. In this case, the initial URL ended in .jpg. This was followed by post-infection traffic over TCP ports 2404 and 2405. When I ran the same Word document through an Any.Run sandbox, it also generated two DNS queries not seen during my infection traffic.
Forensics on the infected Windows host
The initial Windows executable (EXE) file was saved to the user's AppData\Local\Temp directory. It generated an EXE that was slightly over 400 MB, which kept Remcos RAT persistent on the infected Windows host. This Remcos RAT sample also updated the Windows registry to stay persistent after a reboot.
Indicators of Compromise (IoCs)
Remcos RAT is not the only malware distributed by this campaign. In previous months, other families of malware have been seen from this malspam, most recently IcedID (Bokbot). Detection rates on the attached Word documents are very low, since they are encrypted and use password protection. However, spam filters and proper system administrative practices like Software Restriction Policies (SRP) or AppLocker will easily prevent these types of infections on Windows-based systems.
Pcap and malware for this diary can be found here.
Sep 4th 2019
3 months ago