TexasCarryCourse

Online Texas LTC Class

Jan 13th, 2021
Recent Malicious Email Campaign – Password Protected .docx

http://texascarrycourse.com/

Summary
Since April 2017, an ongoing malicious email campaign has been observed that uses password-protected Microsoft Word .docx files as the main delivery vector. This technique appears to serve multiple purposes. It is a tactic to make the attachment seem more trustworthy or legitimate and so persuade more users to open the document. The password protection also decreases the likelihood of detection by security appliances and automated file analysis tools, which cannot inspect the encrypted content without the password.

Technical Details
It has been confirmed that this malicious email campaign has targeted multiple organizations in different industries, which may indicate that it is a general blanket campaign. This is a common tactic by malicious actors: by increasing the number of overall recipients, they also increase the number of victims.

Characteristics:
Since this campaign was first detected it has undergone multiple changes in an attempt to evade previous preventative measures.

Initially the campaign used the targeted user's email address in the attachment filename to make it seem more legitimate. Since then, many changes have occurred. Specifically, the email subject, body content and attachment filename have changed consistently. These changes occurred with each wave of the campaign, but items such as the email body content have also been unique for each targeted user, even within the same wave.

Since the email attachment is a password-encrypted .docx, each file has a unique hash due to the uniquely generated password. In addition, the filename changes with each observed wave of the campaign. The evolving content and the unique hash of each attachment make it more difficult for security teams to implement long-term preventative measures.

After opening the .docx attachment and decrypting it with the password provided in the email body, the document contains three Object Linking and Embedding (OLE) links to the same malicious Visual Basic script (VB script) package (see figure 1). The embedded files have a .bin extension.

Link to Embedded links screenshot: http://imgur.com/9CqVuVm

The embedded OLE links are the one constant so far in the two-month campaign. The document has looked the same throughout the entire campaign. In the most recently observed wave the hash of the embedded file has changed, which indicates that some of the file contents have been modified.

If one of the OLE links is clicked, it generates a security dialog box (see figure 2) which allows the user to cancel or continue ("OK").

Link to warning screenshot: http://imgur.com/dTho0yp

Inspecting the .bin files reveals that all three are identical (same SHA256 hash). In addition, the file contains padding text (Lorem ipsum type content) and the code is heavily obfuscated.

Once the user clicks through the dialog and the code executes, wscript.exe (Windows Script Host) is used to run the VB script. (When a device is compromised, wscript.exe is sometimes wrongly considered the culprit when it is the .vbs file instead.)

Finally, it appears that the malicious actor(s) behind this campaign keep the C2 server up for only a limited time; within two hours it was no longer available. This is likely a tactic to reduce the indicators that can be obtained from analysis of related activity, since the campaign uses the same Delivery, Exploitation, Installation and Command and Control TTPs each time.
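The traits above (an attachment that is an encrypted OLE container rather than a plain ZIP, and several embedded oleObjectN.bin files carrying the same SHA256) can be checked mechanically at the mail gateway or during triage. The following is an added example written for this report, not code from the original post; it builds a constructed sample .docx in memory, and the file layout it inspects (word/embeddings/oleObjectN.bin) is standard Open XML, not something taken from the campaign samples.

```python
# Added triage helper for the campaign traits described above (not part of the report).
import hashlib
import io
import re
import zipfile

# Password-protected Office documents are stored as OLE compound files, not ZIPs,
# so the first eight bytes tell us whether the content can be inspected at all.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
EMBED_RE = re.compile(r"^word/embeddings/oleObject\d+\.bin$")


def triage_docx(data: bytes) -> dict:
    """Report encryption status, SHA256 of each embedded OLE object, and groups
    of embedded objects that share the same hash (the 3x-identical pattern)."""
    if data.startswith(OLE_MAGIC):
        # Encrypted: nothing inside can be hashed until the password is supplied.
        return {"encrypted": True, "embedded": {}, "identical_sets": []}
    if not data.startswith(b"PK"):
        raise ValueError("not a .docx: neither OLE compound file nor ZIP")
    embedded = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if EMBED_RE.match(name):
                embedded[name] = hashlib.sha256(z.read(name)).hexdigest()
    by_hash = {}
    for name, digest in embedded.items():
        by_hash.setdefault(digest, []).append(name)
    identical = sorted(sorted(names) for names in by_hash.values() if len(names) > 1)
    return {"encrypted": False, "embedded": embedded, "identical_sets": identical}


def build_sample_docx(payloads: list) -> bytes:
    """Constructed sample: a minimal Open XML ZIP with one embedded object per payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        for i, payload in enumerate(payloads, start=1):
            z.writestr(f"word/embeddings/oleObject{i}.bin", payload)
    return buf.getvalue()


if __name__ == "__main__":
    fake_vbs = b"Lorem ipsum dolor sit amet " + b"\x00" * 64  # constructed padding-style content
    print(triage_docx(build_sample_docx([fake_vbs] * 3)))
    print(triage_docx(OLE_MAGIC + b"\x00" * 512))  # encrypted container, cannot inspect
```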

Indicators:

Email Senders:
• jbay@indra.com
• maci10@bex.net
• manatsas@happyland.co.th

Observed Email Subjects:
• Specific User's name (First MI Last)

Attachment File Names:
• Attached file: [string of 9 – 20 random non-alphanumeric characters].docx
• As previously discussed, the attachment hash will differ due to the unique password for each attachment / email

Embedded File Names:

File Name        SHA256 Hash
oleObject1.bin   a2e97aad3b39edbf5d4fd2ff81fd2d612fda9a2944cbe1e4a69df3537cb462ec
oleObject2.bin   a2e97aad3b39edbf5d4fd2ff81fd2d612fda9a2944cbe1e4a69df3537cb462ec
oleObject3.bin   a2e97aad3b39edbf5d4fd2ff81fd2d612fda9a2944cbe1e4a69df3537cb462ec

Network Indicators:
• 46.17.40.22
• http://46.17.40.22/hyey.pnj
• http://inshaengineeringindustries.com/head.pkl
