New Malspam Campaign Discovered and Prevented by Morphisec

Posted by Michael Gorelik on Sep 9, 2016 12:13:18 AM
Michael Gorelik
Find me on:

Spam is still the preferred attack vector for cyber criminals and malware spam campaigns continue to increase. According to the Symantec Internet Threat Report, 1 in 220 emails in 2015 contained malware. While this figure may seem low, consider that over 100 billion emails are sent daily and the scale of the problem becomes clear. In this type of mass attack, attackers use botnets to send emails that include malicious links or attached files with user-activated macros that download and execute malware. Attachments can be disguised as fake invoices, office documents, or other files. Malicious links may direct the user to a compromised website using a web attack toolkit to drop something malicious onto their computer. These attacks are extremely cheap and easy to commit and are commonly perpetrated not only on individuals, but also on companies. 

Today, September 8, Morphisec discovered a new, highly effective Malspam campaign that targets the mass market. The campaign automatically generates numerous variations of the document name, as seen in the technical section below, with slightly altered documents, but with the same executable payload. In addition, generic, but realistic sounding document names are chosen to lure the email recipient.

Campaigns of this kind are short lived and the download URLs are usually closed rapidly. [During the discovery of this campaign, the URL was still active.] This specific malware would be classified as highly undetectable: After identification, we uploaded it to VirusTotal and it had a very low detection rate of only 3 out 57. Morphisec stopped it dead on arrival. 

As shown below, Morphisec stopped the malware itself right in the moment of the execution start, before it could do any damage.  This is in stark contrast to the VirusTotal results, where 54 other security products did not even recognize it, and three others detected it, eventually requiring manual intervention to remediate. This is yet another clear example of Morphisec’s in-depth and rapidly expanding endpoint threat defense: from exploit prevention to in-memory attack prevention to payload prevention.

Below find the technical details of the Malspam campaign. In a follow-up post, we will provide additional analysis of the malware itself. 

Technical Details:

  • On September 8, 2016 Morphisec Cyber Lab identified a wide-spread Malspam campaign. Morphisec prevented the malware from executing its malicious code:

  • The macro activated CMD after downloading a malware executable:

  • All of the documents have a low detection rate on VirusTotal:

  • The document names are in the following format:

    SettlementFormx2520x23547.doc, Faxx2520x23041.doc, Incorrectx2520Infox2520x233299.doc, Formx2520x230246.doc, TTFaxformx2520x236574.doc, etc.…

  • The malware delivered by those documents also has a very low detection rate:

  • The name of the Trojan file is in the following format rad<random letters>.tmp.

List of artifacts:

Documents:

SettlementFormx2520x23547.doc

36ec7f76755c08324f44225459b88502

Incorrectx2520Infox2520x232143.doc

79d64b143ea8a762d0915c52e3332581

Formx2520x23349.doc

95ec51a37402f48d726cb58077d31f6d

Formx2520x230246.doc

20f51843ae1e58236d7497a91ae258a1

TTFaxformx2520x236574.doc

e315b6c6d4ae0417434eca754383632e

Faxx2520x23041.doc

e99ae173cd8678434adbd0188c2e77d4

Faxx2520x23080.doc

e69a6ce1d6bf57c7c45f1b834c7e42ae

 

Executables:

rad51831.tmp

b37a14a39fda19fa82e910f946848686

 

Topics: Endpoint Security, cybersecurity, Attack Analysis

Welcome to our Blog

Keeping you in the loop with company updates, industry insight, cyber security trends, and cyber attack information.

Subscribe to the blog

Morphisec Named a Cool Vendor 2016

Morphisec is a Gartner Cool Vendor 2016

Each year Gartner identifies new Cool Vendors it considers innovative or transformative. Morphisec is honored be to named a Cool Vendor 2016. Here's more....