Morphisec Prevents Major Malspam Campaign - Again

Posted by Michael Gorelik on Oct 13, 2016 11:11:24 PM
Michael Gorelik
Find me on:

Morphisec Prevents Major Malspam campaign - Again

In our report at the beginning of September about a large-scale malspam campaign discovered and stopped by Morphisec, we pointed out the central role that malware spam plays for hackers and the difficulties signature-based and behavioral security products can have in coping with them in real-time.

During October 10-12, 2016, Morphisec stopped yet another malspam campaign that again showed an extremely low detection rate on VirusTotal.

Below we analyze the campaign, focusing on this campaign’s use of MSScriptControl.ScriptControl. The use of script control is not new and has been used several times during the past two years. Although the technique is known, it remains a highly effective way to hide the script, as the script is activated directly from memory.

A good example of the effectiveness of this evasion technique is a very similar attack that is already 3-months (!) old (579f569a70a874c496bb1e843c44d7cd6fcc71eb93a33bb2c8984a1299395e2c), which at the moment of this blog posting, still has a very low detection rate of 4/54 on VirusTotal.

The sample under analysis was downloaded from https://www.reverse.it/sample/7dcaddb007c8f24dd7a8c08c12aecfd0ffd358211df94e21b7ce08fea853977d?environmentId=100  (2/54). (For those interested, we list additional samples that participated in the campaign at the end of this post):

Malspam1

Technical Analysis:

 

  • The campaign detected by Morphisec involves a standard email with an attached Word doc of the type “order_inv_<random_number>.doc”: Recipients, as always, need to be convinced to open the macro so the VB script code will be activated:

  • Below we see how the MSScriptControl.ScriptControl is initiated. As a matter of fact, the outer script is not particularly obfuscated.
 
  • The inner JavaScript, however, is much more interesting. It is activated by the script control and runs through a list of domains while trying to download an executable that is activated immediately. Note also the option (currently not active) to activate a dll using rundll32 (similar to the Zepto variant).

     

  • Eventually the tree of processes that is activated by the executable – with the goal of gaining persistency by injecting into explorer.exe - is as follows:

  • The info stealer executable also has a very low detection ratio at the time of writing this post: 6/54 VT  (19639.exe, sha256 1c857f54f9ddf8b7cf14a886a9e758a21103095b19c2a3aaf5b176d7461a2d1c)

 

Additional Information:

Doc files:

6dfeac453b12b28d05cb8e97453cf909d26d71d6fe99e0b0951f23725deeac07

7dcaddb007c8f24dd7a8c08c12aecfd0ffd358211df94e21b7ce08fea853977d

aae79d53c8946aa8e9daede8c24896aad98a3348c89dd7e95953c749bbba2e5b

efe1d1d43c3b2a8e2ca606f3f64529c7e27c8536f1ea079573f119ba8c4c664e

e5319e5e9ac676f30d6aa690af90600f611a4c4272dc91bdb0a92c5e65a913ce

8374d4f20d23891aa22d26fd5548036f601dc58ba75dd5d7f7c26213f3ed32c0

Artifacts:

44070f56171b997ed4c76a5955d410b5388cf8b04f5983ef8f0e4c2ffd8d40db

1c857f54f9ddf8b7cf14a886a9e758a21103095b19c2a3aaf5b176d7461a2d1c

Domains:

hxxp://williamstrainingacademy[.]com/wp-content/themes/twentysixteen/st1[.]exe

hxxp://www.crumbscakeart[.]com.au/wp-content/plugins/espresso-social/st1[.]exe

hxxp://kingofcarts[.]net/wp-includes/st1[.]exe

hxxp://diferenciatedelresto[.]com/wp-content/plugins/wp-super-cache/plugins/st1[.]exe

hxxp://intateks-energo[.]ru/wp-content/themes/twentyeleven/st1[.]exe

hxxp://yurlog[.]ru/wp-content/themes/twentytwelve/st1[.]exe

hxxp://itsmemary[.]com/wp-content/themes/itsmemary2014/st1[.]exe

hxxp://www[.]wereorganized[.]net/blog/wp-content/themes/twentythirteen/st1[.]exe

hxxp://www[.]holisticwellnessbiz[.]com/wp-includes/st1[.]exe

hxxp://ericrobertanderson[.]com/wp-includes/st1[.]exe

hxxp://cyperritheck[.]ru

New Call-to-action

 

 

 

 

Topics: Endpoint Security, Ransomware, cybersecurity, Attack Analysis

Welcome to our Blog

Keeping you in the loop with company updates, industry insight, cyber security trends, and cyber attack information.

Subscribe to the blog

Morphisec Named a Cool Vendor 2016

Morphisec is a Gartner Cool Vendor 2016

Each year Gartner identifies new Cool Vendors it considers innovative or transformative. Morphisec is honored be to named a Cool Vendor 2016. Here's more....