Friday, 7 February 2020

Spam campaign targeting Australian Users [Feb 7th 2020]

On Feb 7th 2020, I saw a couple of emails targeting Australian users. The malware was delivered as ZIP email attachments containing malicious VBScript files.

Below is a quick analysis of this attack chain:

An example of Malicious email:


Attachment Analysis:


ZIP MD5 hash: 03383063f3fbdb51d142d7f022d52858
MD5 hash: 6d12aa34c3aa515ea909aaf5b6567316
Filename: GXIBV5537344461902.vbs


The ZIP file contained a malicious VBScript with an unusually large size of 1.7MB. VBScripts seen in spam campaigns are usually much smaller.

The script also contains an interesting obfuscation method as shown below:


Once the VBScript is executed, it displays a Pop Up message for social engineering purposes as shown below:


The rest of the execution sequence is:

1. Delays execution (observable as high CPU usage).

2. Drops a DLL with a .txt extension in the %temp% directory under the name: Wv.txt

Note: a mismatch between a dropped file's actual type and its extension is a good indicator for detecting malicious files.

3. Executes the dropped DLL file using rundll32 as shown below:

rundll32.exe C:\Users\<username>\AppData\Local\Temp\<name>.txt,DllRegisterServer

4. Creates several directories with random names in the path: %appdata%\Roaming\

5. Copies the dropped DLL file to the path %appdata%\Roaming\<random_folder_name>\ under a random name.

6. Injects malicious code into the msiexec.exe process; further malicious activity is performed in the context of msiexec.exe.
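As an added detection example (this is not code from the original post), the script below turns the observable traits of steps 2, 3 and 6 into checks a defender can run: a file-type versus extension check that looks for an MZ/PE header behind a .txt name, a parser for rundll32 command lines that flags non-.dll modules loaded from %temp% via DllRegisterServer, a parent/child rule for msiexec.exe spawned by rundll32.exe, and a host match against the two callback domains from the network IOCs listed further down. It assumes simplified process-creation events with image, parent and cmdline fields (the shape one would derive from Sysmon Event ID 1); the sample events, the username alice and the stub Wv.txt file are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path, PureWindowsPath
from urllib.parse import urlparse

# Callback hosts as listed in the post's network IOCs (page values, not invented).
CALLBACK_HOSTS = {"penaght.org", "pitinjest.org"}

# Assumption: extensions that should never carry a PE image on disk.
NON_EXECUTABLE_EXTS = {".txt", ".log", ".dat", ".tmp"}

TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
# rundll32 <module>,<export>  (module may be quoted if it contains spaces)
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<module>[^",]+?)"?,(?P<export>\w+)', re.IGNORECASE
)


def is_pe_image(path):
    """True if the file carries an MZ DOS header and a PE\\0\\0 signature at e_lfanew."""
    data = Path(path).read_bytes()
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extension_mismatch(path):
    """The post's indicator: a 'non-executable' extension wrapped around PE bytes."""
    return Path(path).suffix.lower() in NON_EXECUTABLE_EXTS and is_pe_image(path)


def rundll32_findings(cmdline):
    """Suspicious traits of a rundll32 command line; empty list if benign or not rundll32."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return []
    module, export = m.group("module"), m.group("export")
    findings = []
    if PureWindowsPath(module).suffix.lower() != ".dll":
        findings.append("module extension is not .dll")
    if TEMP_DIR_RE.search(module):
        findings.append("module loaded from %temp%")
    if export.lower() == "dllregisterserver":
        findings.append("DllRegisterServer export invoked")
    return findings


def scan_events(events):
    """Return (event index, reasons) for every process-creation event that matches the chain."""
    hits = []
    for i, ev in enumerate(events):
        reasons = rundll32_findings(ev["cmdline"])
        if ev["image"].lower() == "msiexec.exe" and ev["parent"].lower() == "rundll32.exe":
            reasons.append("msiexec.exe spawned by rundll32.exe (injection target)")
        if reasons:
            hits.append((i, reasons))
    return hits


def matches_callback_host(url):
    """True if the URL's host is one of the callback domains from the post."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower() in CALLBACK_HOSTS


# Constructed process-creation events modelled on the chain above (not real telemetry).
SAMPLE_EVENTS = [
    {"image": "wscript.exe", "parent": "explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\GXIBV5537344461902.vbs"'},
    {"image": "rundll32.exe", "parent": "wscript.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\Wv.txt,DllRegisterServer"},
    {"image": "msiexec.exe", "parent": "rundll32.exe", "cmdline": "msiexec.exe"},
    {"image": "rundll32.exe", "parent": "explorer.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]


def build_fake_pe_txt(directory):
    """Write a minimal MZ/PE stub named Wv.txt (a constructed test file, not the real sample)."""
    header = bytearray(0x40) + b"PE\x00\x00"
    header[0:2] = b"MZ"
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")
    path = Path(directory) / "Wv.txt"
    path.write_bytes(bytes(header))
    return path


def check_constructed_sample():
    """Drop the stub into a scratch directory and run the mismatch check on it."""
    with tempfile.TemporaryDirectory() as scratch:
        return extension_mismatch(build_fake_pe_txt(scratch))


if __name__ == "__main__":
    for idx, reasons in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
    print("Wv.txt extension/type mismatch:", check_constructed_sample())
    print("callback host match:", matches_callback_host("penaght.org/sound.php"))
```

Run as-is, the benign Control Panel invocation (rundll32.exe shell32.dll,Control_RunDLL) produces no finding, while the Wv.txt command line produces three, which is the point of combining the extension, location and export checks rather than alerting on rundll32 alone.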

Network communication performed in the context of the msiexec.exe process is shown below:


Network IOCs:


penaght.org/sound.php
pitinjest.org/sound.php

File IOCs:

ZIP File Attachments:

03383063f3fbdb51d142d7f022d52858
53d5c3d7a3e75a910d7663b129896990

VBS files:

c08bfd81217b64fe0d6aa6756574f5dd

6d12aa34c3aa515ea909aaf5b6567316


Dropped DLL Files:

15c5c74b1c5bf2285a318ba1fa430892

The SSL certificates used by the callback domains are issued by: Internet Widgits Pty Ltd (the default organization name in OpenSSL's sample configuration, which typically indicates a self-signed certificate rather than one from a public CA).

SSL Certificate Serial Numbers:

34:A8:36:EA:5F:E1:74:9C:D7:E8:AC:11:B8:C6:86:F7:01:62:13:30
3A:44:AF:0D:DA:D0:48:C8:79:FC:A3:B0:9C:A4:98:C0:E7:E2:FF:D8

c0d3inj3cT
