Wednesday, 15 April 2020

Outlook Calendar File (ICS file format) used for Wells Fargo Phishing

Attackers are always trying to find ways to evade security detection mechanisms. Even for credential phishing attacks, attackers find ways to evade the URL detection mechanisms used in security products.

One such method is embedding URLs in other file formats, such as PDF and MS Office files (doc, xls and so on).

Today I found an instance of a phishing attack where the attackers embedded a malicious phishing URL inside an ICS file. ICS is the Outlook calendar file format, and each file corresponds to a calendar appointment entry.

MD5 hash of the ICS file: 0986e7cbdef080dada8dee9c55542c37

At the time of writing there are 0 detections on VT for this file.


Figure 1: 0 detections on VT.

The malicious URL is present inside the calendar appointment.

Below are the different stages in this attack.

Stage 1: Calendar invitation opened and displayed in MS Office Outlook.


Figure 2: ICS file opened in MS Office Outlook.

Stage 2: The URL is present inside the Calendar appointment.


Figure 3: Phishing URL present inside calendar appointment.

SharePoint phishing URL: hxxps://223311212676-my.sharepoint.com/:b:/g/personal/admin_223311212676_onmicrosoft_com/Ee6Cn6nNUw9CiQdaKJrlfcgBhJdzIxckDoe7Ao31xHjzBw?e=X3ZJqd

Stage 3: The SharePoint site is used to host the phishing content, as shown below.


Figure 4: Sharepoint page hosting the content and phishing link.

The contents of this page pretend to be from the Fraud Prevention Team of Wells Fargo and require the user to click on a link to take further action.

Stage 4: When the user clicks on the link in the above page, it redirects to the URL: hxxps://storage.googleapis.com/awells-coldfinch-761618318/index.html

Contents of the page are shown below.


Figure 5: Wells Fargo phishing page.

This page requests several pieces of sensitive information from the user, such as username, password, email address, 4-digit card PIN and account number.

Conclusion: Users should pay extra attention while opening calendar invitations, and security products should take the necessary measures to scan ICS files. As can be seen, there are 0 detections on VT for this file even though it contains a live phishing URL.
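As an added example (not part of the original post), the following Python script shows the kind of ICS scanning the conclusion asks for: it unfolds RFC 5545 line folding, strips property parameters and TEXT escapes, and pulls every URL out of the calendar properties (DESCRIPTION, LOCATION, URL and the HTML X-ALT-DESC variant) so they can be handed to a URL reputation check. The sample ICS and its phish.example.invalid URLs are constructed for this demonstration and are not the file from the post.

```python
import re
from typing import List, Tuple

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def unfold(text: str) -> List[str]:
    """Undo RFC 5545 line folding: a line starting with a space or tab continues
    the previous line, and the CRLF plus the single whitespace character are dropped.
    Attackers can split a URL across folded lines, so scan after unfolding."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def unescape(value: str) -> str:
    """Undo TEXT value escapes (RFC 5545 section 3.3.11): \\, \\; \\\\ and \\n."""
    out: List[str] = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append("\n" if nxt in "nN" else nxt)
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def properties(text: str) -> List[Tuple[str, str]]:
    """Return (PROPERTY-NAME, decoded value) pairs. Parameters such as
    ;LANGUAGE=en-US are dropped; the value starts after the first ':'."""
    props: List[Tuple[str, str]] = []
    for line in unfold(text):
        if ":" not in line:
            continue
        head, value = line.split(":", 1)
        name = head.split(";", 1)[0].strip().upper()
        props.append((name, unescape(value)))
    return props


def extract_urls(text: str) -> List[Tuple[str, str]]:
    """Every distinct URL found in any property, with the property it came from."""
    found: List[Tuple[str, str]] = []
    seen = set()
    for name, value in properties(text):
        for url in URL_RE.findall(value):
            url = url.rstrip(".,;)")
            if url not in seen:
                seen.add(url)
                found.append((name, url))
    return found


# Constructed sample invitation (not the real file): the URL is folded across
# two lines and a second link hides inside the HTML alternative description.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//Example//Constructed sample//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-sample-0001\r\n"
    "DTSTART:20200415T090000Z\r\n"
    "SUMMARY:Account notice - action required\r\n"
    "DESCRIPTION;LANGUAGE=en-US:Please review the notice\\, then confirm \r\n"
    " your account at https://phish.example.invalid/:b:/g/personal/admin_example/\r\n"
    " notice?e=abc123 before the deadline.\r\n"
    'X-ALT-DESC;FMTTYPE=text/html:<html><body><a href="https://phish.example.invalid/landing">Confirm</a></body></html>\r\n'
    "LOCATION:Online\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

if __name__ == "__main__":
    for prop, url in extract_urls(SAMPLE_ICS):
        print(f"{prop}: {url}")
```

The two URLs the script reports for the sample are the folded one from DESCRIPTION and the href from X-ALT-DESC; a naive line-by-line grep would miss the first because the fold breaks it in two. Quoted parameter values containing ':' are not handled by this minimal parser.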

c0d3inj3cT

Saturday, 11 April 2020

VBScript using Coronavirus theme to execute njRAT

Recently we have observed many samples in-the-wild using the coronavirus theme to spread different types of trojans and Remote Administration Tools (RATs).

I came across one such interesting sample today. It is a VBScript which drops and executes an njRAT binary embedded in it.

SHA256 hash: 1e18414968c0317cc5fefc5f25de845eba5566fcb236b9e4bdd84f0a82902c30
Filename: Covid19.vbs

The encoded VBScript is as shown below.


This script has funny variable names, which makes the code interesting to read as well :)

For example, the below code section:

        If (Covid = 0) Then
            ' Walk the encoded string "winter" one character at a time
            Do Until ebula = Len(winter)
                ebula = ebula + 1
                ' Shift each character code down by (spring - Len(corrona)) to recover the next script layer
                coldflue = coldflue & ChrW(AscW(Mid(winter, ebula, 1)) - spring + Len(corrona))
            Loop
        End If
        If (Covid = 0) Then
            ' Short delay, then run the decoded layer in the same script host
            wscript.sleep(3000)
            Execute(coldflue)
        End If

The coldflue variable contains the decoded VBScript which is shown below.


The Base64 encoded blob in this VBScript decodes to an njRAT binary, which is then dropped on the system at the path C:\Users\sasithar79\AppData\Roaming\Microsoft\Invisible Server Process\1.0.0.0\covid19.exe and executed, as shown below.


SHA256 hash of the decoded njRAT binary: 59ebc1d6ef4c1dcd1e69abf55e7ea166b29a3dd208f286699345583b992ff068
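To show how the two layers above unwrap without running the script, here is an added Python example (not code from the original post or from the sample). decode_layer is a port of the Do Until loop: every character of winter is shifted down by spring - Len(corrona). The values of spring and corrona are not reproduced from the sample and are assumed here; find_embedded_pe then locates the Base64 blob in the decoded layer and keeps only blobs that decode to something starting with the MZ header. The stage-2 script and the "binary" are constructed stand-ins, not the real njRAT payload.

```python
import base64
import re
from typing import List

# Assumed values for the two constants the loop uses; the real sample's values
# are not reproduced here (assumption, not taken from the original).
SPRING = 21
CORRONA = "corrona"


def decode_layer(winter: str, spring: int = SPRING, corrona: str = CORRONA) -> str:
    """Python port of the Covid19.vbs loop
    coldflue = coldflue & ChrW(AscW(Mid(winter, i, 1)) - spring + Len(corrona)):
    each character code is shifted down by (spring - Len(corrona))."""
    shift = spring - len(corrona)
    return "".join(chr(ord(ch) - shift) for ch in winter)


def encode_layer(plain: str, spring: int = SPRING, corrona: str = CORRONA) -> str:
    """Inverse of decode_layer; used only to build the constructed sample below."""
    shift = spring - len(corrona)
    return "".join(chr(ord(ch) + shift) for ch in plain)


# Long runs of Base64 alphabet characters. validate=True in b64decode rejects runs
# whose length is not a multiple of four, so ordinary identifiers are skipped.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def find_embedded_pe(script: str) -> List[bytes]:
    """Return every Base64 blob in a decoded script that decodes to data
    beginning with the 'MZ' DOS header, i.e. an embedded Windows executable."""
    found: List[bytes] = []
    for match in B64_RUN.finditer(script):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if blob.startswith(b"MZ"):
            found.append(blob)
    return found


# Constructed stand-in for the dropped binary: an MZ header plus filler,
# not a real executable.
FAKE_PE = b"MZ" + b"\x90" * 60 + b"constructed, not a real executable"

# Constructed stage-2 script in the same shape as the decoded coldflue content:
# a Base64 string literal and the tail of the drop path named in the post.
STAGE2_PLAIN = (
    'Dim blob: blob = "' + base64.b64encode(FAKE_PE).decode("ascii") + '"\r\n'
    'Dim dropPath: dropPath = "Invisible Server Process\\1.0.0.0\\covid19.exe"\r\n'
)

# What an analyst sees on disk: the shifted (encoded) form of the stage-2 script.
WINTER = encode_layer(STAGE2_PLAIN)

if __name__ == "__main__":
    decoded = decode_layer(WINTER)
    print("layer decoded correctly:", decoded == STAGE2_PLAIN)
    for pe in find_embedded_pe(decoded):
        print(f"embedded PE-like blob: {len(pe)} bytes, header {pe[:2]!r}")
```

For a real sample, the shift is read off the script by substituting the literal values the script assigns to spring and corrona; the decoded blob can then be hashed and compared with the SHA256 above without ever executing it.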

Indicators of Compromise

Network IOC

Connects to: covid19.gotdns.ch and port 15152

c0d3inj3cT

Thursday, 9 April 2020

XLM Hidden Macrosheets used for Evasion

Recently we have observed an increase in the usage of XLM based macro files which use Excel 4.0 macros and hidden macrosheets by attackers. I think threat actors will start leveraging this format even more in the near future. The advantage of using this format for attacks is that it doesn't use standard VBA macros, and most of the open source OLE/VBA tools don't have the capability to extract the macros from such files.

On April 9th 2020, I started observing a lot of XLS samples in the wild which used XLM Excel 4.0 hidden macrosheets for performing malicious activities.

This blog is a quick writeup to capture more information about this ongoing campaign.

All the files followed the naming convention: <Person's Name Resume>.xls

Examples:

Filename: James Johnson Resume.xls
MD5 hash: 18ddf82706bcc79d12d0033df6991271

Filename: William Smith Resume.xls
MD5 hash: 971dcb961e8a894ed395a007965c7408

Filename: Maria Hernandez Resume.xls
MD5 hash: f5cf86e2acd65772a078c73fbbb70429

Interestingly, all these samples have 0 detections on VT at the time of writing this blog, as shown below.


Now, let us look at the macro code.

For the purpose of analysis, we will check the XLS file with MD5 hash: f5cf86e2acd65772a078c73fbbb70429

The contents of the file look as shown below.


It uses social engineering to ask the user to enable macros so that the content of the file can be viewed. Unlike regular macro based XLS files used in spam campaigns, this one does not have a VBA macro which can be extracted easily.

It uses hidden macrosheets which have to be unhidden manually as shown below.



The macro code itself can be accessed by opening these hidden macrosheets. This is an Excel 4.0 macro, and the code can be seen in different cells of the worksheet, as shown below.


Upon execution, the macro connects to the C2 server to download a DLL, which is then loaded using rundll32 to continue the malicious activity.
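Because the macro lives in a hidden macrosheet rather than a VBA project, a quick triage check is to read the sheet directory of the workbook itself: the BIFF8 Workbook stream carries one BoundSheet8 record per sheet, and that record stores both the sheet type (0x01 = Excel 4.0 macro sheet) and the visibility state (0 = visible, 1 = hidden, 2 = very hidden, which cannot be unhidden from the Excel UI). The following Python is an added example, not code from this post or from any existing tool; the sample Workbook stream is constructed to contain a visible decoy sheet and two non-visible macro sheets. For a real .xls the raw stream would come from an OLE parser such as olefile (OleFileIO(path).openstream("Workbook").read()); that step is left out so the block runs offline.

```python
import struct
from typing import Iterator, List, NamedTuple, Tuple

BOUNDSHEET = 0x0085  # BoundSheet8: one record per sheet in the workbook-globals substream
BOF = 0x0809
EOF = 0x000A

SHEET_TYPES = {0x00: "worksheet", 0x01: "Excel 4.0 macro sheet", 0x02: "chart", 0x06: "VBA module"}
HIDDEN_STATES = {0: "visible", 1: "hidden", 2: "very hidden"}


class Sheet(NamedTuple):
    name: str
    sheet_type: int    # dt byte, see SHEET_TYPES
    hidden_state: int  # hsState bits, see HIDDEN_STATES


def iter_records(stream: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a BIFF stream: each record is <type:u16><length:u16><data>, little endian."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, length = struct.unpack_from("<HH", stream, pos)
        yield rtype, stream[pos + 4:pos + 4 + length]
        pos += 4 + length


def parse_boundsheet(data: bytes) -> Sheet:
    """MS-XLS 2.4.28 BoundSheet8: lbPlyPos (4 bytes), hsState (low 2 bits of the next
    byte), dt (1 byte), then stName as a ShortXLUnicodeString (cch, fHighByte, chars)."""
    _ply_pos, flags, dt, cch, high = struct.unpack_from("<IBBBB", data, 0)
    if high & 0x01:
        name = data[8:8 + 2 * cch].decode("utf-16-le")
    else:
        name = data[8:8 + cch].decode("latin-1")
    return Sheet(name, dt, flags & 0x03)


def list_sheets(stream: bytes) -> List[Sheet]:
    return [parse_boundsheet(d) for t, d in iter_records(stream) if t == BOUNDSHEET]


def hidden_macrosheets(stream: bytes) -> List[Sheet]:
    """Excel 4.0 macro sheets that are not visible: the combination this campaign uses."""
    return [s for s in list_sheets(stream) if s.sheet_type == 0x01 and s.hidden_state != 0]


# --- constructed sample Workbook stream (not taken from the campaign's files) ---

def _record(rtype: int, data: bytes) -> bytes:
    return struct.pack("<HH", rtype, len(data)) + data


def _boundsheet(name: str, dt: int, hs_state: int) -> bytes:
    # Use the UTF-16 form for any non-ASCII name so both string encodings are exercised.
    high = int(any(ord(c) > 0x7F for c in name))
    raw = name.encode("utf-16-le") if high else name.encode("latin-1")
    return _record(BOUNDSHEET, struct.pack("<IBBBB", 0, hs_state, dt, len(name), high) + raw)


SAMPLE_WORKBOOK = (
    _record(BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0x0DBB, 0x07CC, 0, 0))  # BIFF8 globals BOF
    + _boundsheet("Sheet1", 0x00, 0)   # the visible decoy that asks to enable content
    + _boundsheet("Macro1", 0x01, 2)   # Excel 4.0 macro sheet, very hidden
    + _boundsheet("Résumé", 0x01, 1)   # second macro sheet, hidden, non-ASCII name
    + _record(EOF, b"")
)

if __name__ == "__main__":
    for s in hidden_macrosheets(SAMPLE_WORKBOOK):
        print(f"{s.name!r}: {SHEET_TYPES.get(s.sheet_type)}, {HIDDEN_STATES.get(s.hidden_state)}")
```

A file whose sheet directory contains a non-visible macro sheet is a strong candidate for manual review even when it has no VBA project at all, which is exactly the case the VT results above show slipping through.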

The network connection and response are shown below:


From a whois lookup, it can be seen that the callback domain march262020.com was registered on March 26th 2020.

I'll add more details of the campaign to this blog as they are discovered.

Indicators of Compromise

URLs hosting the Zloader DLL:

march262020[.]com/files/april8.dll

MD5 hashes of the XLM files:

18ddf82706bcc79d12d0033df6991271
971dcb961e8a894ed395a007965c7408
f5cf86e2acd65772a078c73fbbb70429
6119caae6f7ca97b5ebff0d0a51fa3cc
1173d6eb89e9b3d8549a9c786065990c

c0d3inj3cT