Morphisec Prevents Major Malspam campaign - Again
In our report at the beginning of September on a large-scale malspam campaign that Morphisec discovered and stopped, we pointed out the central role that malware spam plays for attackers and the difficulty that signature-based and behavioral security products have in coping with it in real time.
During October 10-12, 2016, Morphisec stopped yet another malspam campaign that again showed an extremely low detection rate on VirusTotal.
Below we analyze the campaign, focusing on its use of MSScriptControl.ScriptControl (the Microsoft Script Control COM object). Running script through this control is not new; it has been used in several campaigns over the past two years. Although the technique is known, it remains a highly effective way to hide the script: the macro hands the script text to the scripting engine in memory, so the payload script never exists on disk as a file that a scanner can inspect, and only the comparatively bland outer macro is visible to static analysis.
A good example of the effectiveness of this evasion technique is a very similar attack that is already three months (!) old (579f569a70a874c496bb1e843c44d7cd6fcc71eb93a33bb2c8984a1299395e2c), which at the time of this posting still has a very low detection rate of 4/54 on VirusTotal.
The sample under analysis was downloaded from https://www.reverse.it/sample/7dcaddb007c8f24dd7a8c08c12aecfd0ffd358211df94e21b7ce08fea853977d?environmentId=100 (2/54). (For those interested, we list additional samples that participated in the campaign at the end of this post.) The analysis follows:
- The campaign detected by Morphisec involves a standard email with an attached Word document named in the pattern “order_inv_<random_number>.doc”. As always, recipients need to be convinced to enable macros so that the VBA code runs:
- Below we see how the MSScriptControl.ScriptControl object is instantiated. In fact, the outer macro is not particularly obfuscated.
- Eventually the executable spawns the following tree of processes, with the goal of gaining persistence by injecting into explorer.exe:
- The info stealer executable also has a very low detection ratio at the time of writing: 6/54 on VirusTotal (19639.exe, sha256 1c857f54f9ddf8b7cf14a886a9e758a21103095b19c2a3aaf5b176d7461a2d1c).
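As an added example that is not part of the original post and not Morphisec's tooling, the following Python scans macro source that has already been extracted from a document (for instance with oletools' olevba) for the ScriptControl pattern discussed above: creation of the object, the `.Language` assignment, and the `AddCode`/`Eval`/`ExecuteStatement`/`Run` calls that feed script to the engine from memory. Because the outer macro is often the only thing a scanner gets to see, the scan first undoes the string splitting, `Chr()` and `StrReverse()` tricks that macro droppers commonly use to keep the ProgID out of the macro text. The three macro samples inside the block are constructed for illustration, not the campaign's macro; the CLSID constant is the Script Control's registered class ID as commonly reported and is an assumption to verify against HKCR\CLSID on a reference machine.

```python
"""Heuristic scan of VBA macro source for run-time use of
MSScriptControl.ScriptControl (Microsoft Script Control, msscript.ocx).

Added example, not Morphisec's code and not the campaign's macro. It expects
macro text already extracted from the document (e.g. with olevba); the macro
samples at the bottom are constructed for illustration.
"""
import re

# ProgID of the Script Control and (assumption: the commonly reported class ID
# of msscript.ocx, seen in the GetObject("new:<clsid>") variant) its CLSID.
PROGID = "msscriptcontrol.scriptcontrol"
CLSID = "0e59f1d5-1fbe-11d0-8ff2-00a0d10038bc"
# Methods through which a macro hands script text to the engine in memory.
METHOD_RE = re.compile(r"\.(addcode|eval|executestatement|run)\b")
LANGUAGE_RE = re.compile(r'\.language\s*=\s*"([a-z]+)"')


def normalize_vba(src: str) -> str:
    """Undo the cheap string obfuscations seen in macro droppers:
    line continuations, Chr()/ChrW() of numeric literals, StrReverse() of a
    literal, and literal concatenation with & or +. Escaped quotes ("") inside
    literals are not handled, which is enough for ProgID recovery."""
    s = re.sub(r"\s_\s*\r?\n\s*", " ", src)            # join " _" continuations

    def chr_literal(m):
        c = chr(int(m.group(1)))
        return m.group(0) if c == '"' else f'"{c}"'     # leave Chr(34) alone
    s = re.sub(r"\bchrw?\$?\(\s*(\d+)\s*\)", chr_literal, s, flags=re.I)

    s = re.sub(r'\bstrreverse\(\s*"([^"\n]*)"\s*\)',
               lambda m: '"' + m.group(1)[::-1] + '"', s, flags=re.I)

    concat = re.compile(r'"([^"\n]*)"\s*[&+]\s*"([^"\n]*)"')
    while True:                                         # repeat until no pair left
        s, n = concat.subn(r'"\1\2"', s)
        if n == 0:
            return s


def scan_macro(src: str) -> dict:
    """Return the ScriptControl indicators found in one macro module."""
    raw = src.lower()
    norm = normalize_vba(src).lower()
    present = PROGID in norm or CLSID in norm
    methods = sorted(set(METHOD_RE.findall(norm)))
    lang = LANGUAGE_RE.search(norm)
    return {
        "script_control": present,
        # ProgID/CLSID visible only after deobfuscation is the stronger signal
        "obfuscated": present and PROGID not in raw and CLSID not in raw,
        "methods": methods,
        "language": lang.group(1) if lang else None,
        # verdict: the engine is created AND code is handed to it
        "suspicious": present and bool(methods),
    }


# Constructed samples (not from the campaign).
SAMPLE_PLAIN = '''Sub AutoOpen()
    Dim sc As Object
    Set sc = CreateObject("MSScriptControl.ScriptControl")
    sc.Language = "VBScript"
    sc.AddCode "Function Main(): Main = 6 * 7: End Function"
    MsgBox sc.Eval("Main()")
End Sub
'''

SAMPLE_OBFUSCATED = '''Sub Document_Open()
    Dim p As String, o As Object
    p = "MSScr" & "iptCont" & Chr(114) & "ol.Scr" & _
        StrReverse("tpi") & "Control"
    Set o = CreateObject(p)
    o.Language = "VB" + "Script"
    o.AddCode "Sub Main(): End Sub"
    o.Run "Main"
End Sub
'''

SAMPLE_BENIGN = '''Sub AutoOpen()
    Dim fso As Object
    Set fso = CreateObject("Scripting.FileSystemObject")
    If fso.FileExists(ActiveDocument.FullName) Then ActiveDocument.Save
End Sub
'''

if __name__ == "__main__":
    for name, macro in [("plain", SAMPLE_PLAIN),
                        ("obfuscated", SAMPLE_OBFUSCATED),
                        ("benign", SAMPLE_BENIGN)]:
        print(name, scan_macro(macro))
```

The `obfuscated` flag is the one worth alerting on: a macro that goes to the trouble of assembling the ProgID piece by piece is rarely doing so for a legitimate reason, whereas a plainly written `CreateObject("MSScriptControl.ScriptControl")` still turns up in old in-house automation. Note that `.Run` is also a method of WScript.Shell, so the scan only raises `suspicious` when the ProgID or CLSID is present as well.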