Malicious Email campaign targets Russian-Speaking companies

A malicious email campaign against Russian-speaking enterprises is employing a combination of exploits and Windows components to deliver a new backdoor that allows attackers to take over the affected system. The attack abuses various legitimate Windows components to run unauthorized scripts; this is meant to make detection and blocking more challenging, particularly by whitelisting-based solutions.

The campaign was discovered by Trend Micro that has been active for last 2 months and is targeting Russian-speaking firms.

The hackers leverage on many exploits and Windows components to run malicious scripts to avoid detection. The last sample associated with this attack was uploaded to VirusTotal on June 6, 2017 and experts at Trend Micro observed five spam campaigns running from June 23 to July 27, 2017.

201708-backdoor-email-1

The phishing messages are designed to appear as if they were sent from sales and billing departments and contain a weaponized Rich Text Format (RTF) file that exploits the CVE-2017-0199 flaw in Microsoft Office’s Windows Object Linking and Embedding (OLE) interface.

Their limited distribution and specificity in social engineering lures are red flags that may indicate they are a spear-phishing campaign.

Once the exploit code is executed, it downloads a fake Excel XLS file embedded with malicious JavaScript. When opened, the Excel header is ignored and the file is treated as an HTML Application file by the Windows component mshta.exe.

“The exploit code downloads what is supposedly an XLS file from  hxxps://wecloud[.]biz/m11[.]xls. This domain, to which all of the URLs used by this attack point to, is controlled by the attacker and was registered in early July.” states the analysis publiahed by Trend Micro.

“This fake Excel spreadsheet file is embedded with malicious JavaScript. The Excel header will actually be ignored and the file will be treated as an HTML Application file by mshta.exe, the Windows component that handles/opens HTA or HTML files.”

The JavaScript code calls the odbcconf.exe normal executable to run the DLL. Once executed, the DLL drops a SCT file (Windows scriptlet) in the %APPDATA% folder and appends the .TXT extension to it.

The DLL calls is used to power a Squiblydoo attack that leverages the Regsvr32 (Microsoft Register Server) to bypass restrictions on running scripts and evade application whitelisting protections such as AppLocker.

“This particular command uses the Regsvr32 (Microsoft Register Server) command-line utility, which is normally used to register and unregister OLE controls in the Windows registry, including DLL files. This attack method is also known as Squiblydoo—Regsvr32 is abused to bypass restrictions on running scripts.” continues the analysis. “It also means evading application white-listing protections such as AppLocker. While Squiblydoo is already a known attack vector, this is the first time we’ve seen it combined with odbcconf.exe.”

Next, the real backdoor is downloaded and executed, it is an XML file that is downloaded from the domain wecloud[.]biz. Also in this case, it is executed exploiting the same Regsvr32-abusing Squiblydoo attack technique.

The analysis states that “This is another SCT file with obfuscated JavaScript code that contains backdoor commands, which essentially allow attackers to take over an infected system.It tries to connect to it’s C&C server at hxxps://wecloud[.]biz/mail/ajax[.]php and retrieve tasks to carry out, some of which are:

  • d&exec = download and execute PE file
  • gtfo = delete files/startup entries and terminate
  • more_eggs = download additional/new scripts
  • more_onion = run new script and terminate current script
  • more_power = run command shell commands”

While the later stages of the infection chain required the use of various Windows components, the entry point still involves the use of a Microsoft Office exploit. Patching and keeping software up-to-date will protect users. Alternately, employing firewalls, intrusion detection and prevention systems, virtual patching, and URL categorization, as well as enforcing robust patch management policies, will significantly reduce the system’s attack surface.

 

Advertisements

Author: Cognore

Cyber Security Solution

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s