Friday, 7 February 2020

Spam campaign targeting Australian Users [Feb 7th 2020]

On Feb 7th 2020, I saw a couple of emails targeted at Australian users. The delivery method was a ZIP file attached to the email, containing a malicious VBScript file.

Below is a quick analysis of this attack chain:

An example of a malicious email:

Attachment Analysis:

ZIP MD5 hash: 03383063f3fbdb51d142d7f022d52858
MD5 hash: 6d12aa34c3aa515ea909aaf5b6567316
Filename: GXIBV5537344461902.vbs

The ZIP file contained a malicious VBScript that was unusually large at 1.7 MB. The VBScript droppers we usually see in spam campaigns are much smaller.

The script also contains an interesting obfuscation method as shown below:

Once the VBScript is executed, it displays a Pop Up message for social engineering purposes as shown below:

Rest of the execution sequence is:

1. Delays execution. The delay is not an idle sleep; it shows up as high CPU usage by the script host, so that is what to look for.

2. Drops a DLL with a .txt extension into the %TEMP% directory under the name: Wv.txt

Note: a mismatch between a dropped file's actual type (here a PE DLL) and its extension (.txt) is a good indicator for detecting malicious files.

3. Executes the dropped DLL file using rundll32 as shown below:

rundll32.exe C:\Users\<username>\AppData\Local\Temp\<name>.txt,DllRegisterServer

4. Creates several directories with random names under %APPDATA% (C:\Users\<username>\AppData\Roaming\).

5. Copies the dropped DLL to %APPDATA%\<random_folder_name>\ under a random file name.

6. Injects malicious code into the msiexec.exe process; all further malicious activity is performed in the context of msiexec.exe.
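The six steps above give a detection engineer three cheap hunting signals: a dropped file whose magic bytes disagree with its extension (step 2), rundll32 loading a non-DLL module from %TEMP% via DllRegisterServer (step 3), and msiexec.exe being spawned by rundll32 rather than by the installer service (step 6). The script below is an added example written for this post, not code from the original analysis; the heuristics, the MAGIC table and the process-creation events are constructed to mirror the chain described here and are assumptions, not captured telemetry.

```python
import re
from pathlib import PureWindowsPath

# Magic bytes -> extensions that legitimately carry that content.
# Constructed for this example; extend as needed.
MAGIC = {
    b"MZ": {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"},
    b"PK\x03\x04": {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
}

# Extensions rundll32 normally loads; anything else (e.g. .txt) is suspicious.
DLL_EXTS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}

# rundll32 [module],[export] where the module path may be quoted
RUNDLL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<path>\"[^\"]+\"|[^\s,]+),(?P<export>\w+)", re.I)


def sniff_mismatch(name, head):
    """Return a reason string when the leading bytes say PE or ZIP but the
    extension does not agree (the Wv.txt case from step 2), else None."""
    ext = PureWindowsPath(name).suffix.lower()
    for magic, exts in MAGIC.items():
        if head.startswith(magic) and ext not in exts:
            return f"{name}: {magic!r} header but extension {ext or '(none)'}"
    return None


def suspicious_rundll32(cmdline):
    """Flag a rundll32 command line that loads a non-DLL extension and/or a
    module from %TEMP% (step 3). Returns a reason string or None."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    path = m.group("path").strip('"')
    ext = PureWindowsPath(path).suffix.lower()
    reasons = []
    if ext not in DLL_EXTS:
        reasons.append(f"module extension {ext or '(none)'}")
    if re.search(r"\\appdata\\local\\temp\\", path, re.I):
        reasons.append("module loaded from %TEMP%")
    if reasons and m.group("export").lower() == "dllregisterserver":
        reasons.append("via DllRegisterServer")
    return "; ".join(reasons) if reasons else None


def scan_events(events):
    """Apply the chain heuristics to process-creation events (dicts with
    'image', 'parent', 'cmdline'). Returns a list of (image, reason) alerts."""
    alerts = []
    for ev in events:
        image = PureWindowsPath(ev["image"]).name.lower()
        parent = PureWindowsPath(ev["parent"]).name.lower()
        if image == "rundll32.exe":
            why = suspicious_rundll32(ev["cmdline"])
            if why:
                if parent in {"wscript.exe", "cscript.exe"}:
                    why += "; spawned by script host"
                alerts.append((ev["image"], why))
        elif image == "msiexec.exe" and parent == "rundll32.exe":
            # Legitimate installs are started by the user shell or the
            # installer service, not by rundll32 (step 6 of the chain).
            alerts.append((ev["image"], "msiexec.exe spawned by rundll32.exe"))
    return alerts


# Constructed sample telemetry modelled on this post's chain; not real logs.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\bob\Downloads\GXIBV5537344461902.vbs"'},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\Wv.txt,DllRegisterServer"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\msiexec.exe"},
    # Benign control: a normal Control Panel invocation must not alert.
    {"image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL hotplug.dll"},
]

if __name__ == "__main__":
    for image, why in scan_events(SAMPLE_EVENTS):
        print(f"ALERT {image}: {why}")
    print(sniff_mismatch("Wv.txt", b"MZ\x90\x00" + b"\x00" * 60))
```

Feed `scan_events` with Sysmon Event ID 1 or EDR process-creation records mapped to the three fields, and run `sniff_mismatch` over the first bytes of anything written to %TEMP%; the benign Control Panel event in the sample is there to show the rundll32 rule does not fire on a plain .dll module.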

Network communication performed by the injected msiexec.exe process is shown below:

Network IOCs:

File IOCs:

ZIP File Attachments:


VBS files:



Dropped DLL Files:


The SSL certificates presented by the callback domains are issued by: Internet Widgits Pty Ltd. Note that this is the default organizationName in OpenSSL's sample openssl.cnf, so it indicates certificates generated with the stock req defaults (self-signed or from a throwaway CA), not a real Australian organisation; it is still a usable pivot for hunting.

SSL Certificate Serial Numbers: