- Recent Malicious Email Campaign – Password Protected .docx
- http://texascarrycourse.com/
- Summary
- Since April 2017, an ongoing malicious email campaign has been observed that uses password-protected Microsoft Word .docx files as the main delivery vector. The technique appears to serve two purposes. It makes the attachment seem more trustworthy or legitimate, persuading more users to open the document, and the password protection decreases the likelihood of detection by security appliances and automated file analysis tools, which cannot inspect the encrypted contents without the password.
- Technical Details
- It has been confirmed that this campaign has targeted multiple organizations in different industries, which suggests a general, blanket campaign rather than a targeted one. This is a common tactic: by increasing the number of overall recipients, the actors also increase the number of victims.
- Characteristics:
- Since this campaign was first detected it has undergone multiple changes to evade the preventative measures put in place against earlier waves.
- Initially the campaign used the targeted user's email address in the attachment filename to make it seem more legitimate. Since then, the email subject, body content and attachment filename have changed consistently. These changes occurred with each wave of the campaign, and the body content of the email has also been unique for each targeted user even within the same wave.
- Because the .docx attachment is password-encrypted with a uniquely generated password, each file has a unique hash. In addition, the filename changes with each observed wave. The evolving content and the unique attachment hashes make it difficult for security teams to implement long-term preventative measures based on static file indicators.
- After opening the .docx file and decrypting it with the password provided in the email body, the document contains three Object Linking and Embedding (OLE) links to the same malicious Visual Basic script (VBScript) package (see figure 1). The embedded files have the .bin file extension.
- Link to Embedded links screenshot: http://imgur.com/9CqVuVm
- The embedded OLE links are the one constant so far in the two-month campaign, and the document has looked the same throughout. In the most recent observed wave the hash of the embedded file changed, which indicates that some of its contents were modified.
- If one of the OLE links is clicked, Word generates a security dialog box (see figure 2) that allows the user to cancel or continue ("OK").
- Link to warning screenshot: http://imgur.com/dTho0yp
- Inspecting the .bin files reveals that all three are identical (same SHA256 hash). The file contains padding text (Lorem ipsum type content) and the code is heavily obfuscated.
- If the user clicks through the dialog and the code executes, it runs under wscript.exe, the Windows Script Host interpreter that executes .vbs files. (When a device is compromised, wscript.exe is sometimes wrongly considered the culprit; it is a legitimate Windows binary, and the .vbs file it executed is the malicious artifact.)
- Finally, it appears that the actor(s) behind this campaign keep the C2 server up only for a limited time; within two hours it was no longer available. This is likely a tactic to reduce the indicators that can be obtained from analysis of related activity, since the campaign reuses the same Delivery, Exploitation, Installation and Command and Control TTPs each time.
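- The following is an added triage script, not part of the original report, that does offline what the paragraphs above describe by hand: it tells an encrypted (OLE2-wrapped) .docx from a plain OOXML zip, and for a decrypted document counts the OLE object references in document.xml, hashes every word/embeddings/*.bin member, flags the case where all embedded objects are byte-identical, and matches the hashes against the SHA256 indicator from this report. The sample document it builds is constructed for the example; the embedded payload bytes and the EncryptionInfo substring check are assumptions and not taken from the real attachment.

```python
# Added example (not from the report): offline triage of a .docx attachment.
import hashlib
import io
import re
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file header
ZIP_MAGIC = b"PK\x03\x04"                           # plain OOXML package

# SHA256 reported for oleObject1.bin / oleObject2.bin / oleObject3.bin.
KNOWN_BAD_SHA256 = {
    "a2e97aad3b39edbf5d4fd2ff81fd2d612fda9a2944cbe1e4a69df3537cb462ec",
}


def classify_container(data: bytes) -> str:
    """Distinguish a plain OOXML zip from an OLE2 compound file.

    A password-protected .docx is not a zip: Office wraps the encrypted package
    in an OLE2 compound file that carries an EncryptionInfo stream, so a gateway
    that only unzips OOXML sees nothing inside it. The stream-name substring
    check below is a heuristic (directory entries store names as UTF-16LE).
    """
    if data.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    if data.startswith(OLE2_MAGIC):
        if "EncryptionInfo".encode("utf-16-le") in data:
            return "ole2-encrypted-ooxml"
        return "ole2"
    return "unknown"


def extract_embeddings(docx_bytes: bytes) -> dict:
    """Return {member name: sha256 hex} for every word/embeddings/* member."""
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("word/embeddings/"):
                hashes[name] = hashlib.sha256(zf.read(name)).hexdigest()
    return hashes


def count_ole_objects(docx_bytes: bytes) -> int:
    """Count <o:OLEObject ...> references in word/document.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        xml = zf.read("word/document.xml").decode("utf-8", "replace")
    return len(re.findall(r"<o:OLEObject\b", xml))


def triage(docx_bytes: bytes, known_bad=KNOWN_BAD_SHA256) -> dict:
    """Summarise what an analyst would want before opening the file in Word."""
    kind = classify_container(docx_bytes)
    result = {"container": kind, "embeddings": {}, "ole_objects": 0,
              "known_bad": [], "identical_embeddings": False}
    if kind != "ooxml-zip":
        return result  # still encrypted: decrypt with the emailed password first
    emb = extract_embeddings(docx_bytes)
    result["embeddings"] = emb
    result["ole_objects"] = count_ole_objects(docx_bytes)
    result["known_bad"] = sorted(n for n, h in emb.items() if h in known_bad)
    result["identical_embeddings"] = len(emb) > 1 and len(set(emb.values())) == 1
    return result


def build_sample_docx() -> bytes:
    """Constructed stand-in for the decrypted attachment: three OLE references
    in document.xml pointing at three byte-identical embedded objects."""
    payload = b"Lorem ipsum dolor sit amet " * 8 + b'Execute("...")'  # constructed
    document_xml = (
        '<?xml version="1.0"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
        ' xmlns:o="urn:schemas-microsoft-com:office:office"'
        ' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        + "".join(f'<o:OLEObject Type="Embed" r:id="rId{i}"/>' for i in (1, 2, 3))
        + "</w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
        for i in (1, 2, 3):
            zf.writestr(f"word/embeddings/oleObject{i}.bin", payload)
    return buf.getvalue()


if __name__ == "__main__":
    encrypted = OLE2_MAGIC + b"\x00" * 64 + "EncryptionInfo".encode("utf-16-le")
    print(classify_container(encrypted))   # nothing to extract until decrypted
    print(triage(build_sample_docx()))
```

- Run the classifier at the mail gateway to quarantine any .docx that arrives as an OLE2 container with an EncryptionInfo stream, since that is exactly the file the automated scanners could not see into; run triage() on the decrypted copy to get the embedding hashes for blocking, which, unlike the attachment hash, stayed constant across waves.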
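- The execution chain just described, an Office process handing a .vbs to wscript.exe, is the most durable detection this campaign offers, since the attachment hash and filename change every wave. The hunt below is an added example and not part of the original report: it runs over constructed Sysmon-style process-creation records (the hostnames, PIDs and the payload.vbs path are invented), rates an Office parent as high, a script started from a user-writable path as medium, and everything else as low, and reports the script path rather than wscript.exe itself, because the script is the artifact to collect.

```python
# Added example (not from the report): find wscript.exe/cscript.exe launched
# by Office, over constructed process-creation events (Sysmon Event ID 1 fields).
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# First command-line argument ending in a Windows Script Host extension,
# quoted (group 1) or bare (group 2).
SCRIPT_ARG = re.compile(
    r'"([^"]+\.(?:vbs|vbe|js|jse|wsf))"|(\S+\.(?:vbs|vbe|js|jse|wsf))\b',
    re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(?:Temp|Downloads|AppData|Users\\Public)\\",
                           re.IGNORECASE)
ORDER = {"high": 0, "medium": 1, "low": 2}


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(ev: dict):
    """Return a finding for a script-host launch, or None for anything else."""
    host = image_name(ev["Image"])
    if host not in SCRIPT_HOSTS:
        return None
    parent = image_name(ev["ParentImage"])
    m = SCRIPT_ARG.search(ev.get("CommandLine", ""))
    script = (m.group(1) or m.group(2)) if m else None
    if parent in OFFICE_PARENTS:
        severity = "high"        # the chain seen in this campaign
    elif script and USER_WRITABLE.search(script):
        severity = "medium"      # script run from a user-writable location
    else:
        severity = "low"         # e.g. logon scripts from a share
    return {"severity": severity, "pid": ev["ProcessId"], "host": host,
            "parent": parent, "parent_pid": ev["ParentProcessId"],
            "script": script}


def hunt(events):
    """Findings for all events, highest severity first."""
    findings = [f for f in map(classify_event, events) if f]
    return sorted(findings, key=lambda f: ORDER[f["severity"]])


# Constructed sample events; paths, PIDs and script names are invented.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\payload.vbs"',
     "ParentProcessId": 3988,
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    {"ProcessId": 5210, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\bob\Downloads\invoice.vbs",
     "ParentProcessId": 1234, "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 6001, "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //nologo \\corp\netlogon\logon.vbs",
     "ParentProcessId": 900, "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 4200, "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe", "ParentProcessId": 3988,
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

- When the high-severity case fires, collect the script path from the finding (and the parent Word process and its open document), not wscript.exe; the report's own caution is that the interpreter is frequently blamed for what the .vbs did.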
- Indicators:
- Email Senders:
- • jbay@indra.com
- • maci10@bex.net
- • manatsas@happyland.co.th
- Observed Email Subjects:
- • Specific user's name (First MI Last)
- Attachment File Names:
- • Attached file: [string of 9 – 20 random non-alphanumeric characters].docx
- • As discussed above, the attachment hash differs for each email due to the unique password for each attachment
- Embedded File Names:
- File Name        SHA256 Hash
- oleObject1.bin   a2e97aad3b39edbf5d4fd2ff81fd2d612fda9a2944cbe1e4a69df3537cb462ec
- oleObject2.bin   a2e97aad3b39edbf5d4fd2ff81fd2d612fda9a2944cbe1e4a69df3537cb462ec
- oleObject3.bin   a2e97aad3b39edbf5d4fd2ff81fd2d612fda9a2944cbe1e4a69df3537cb462ec
- Network Indicators:
- • 46.17.40.22
- • http://46.17.40.22/hyey.pnj
- • http://inshaengineeringindustries.com/head.pkl