After warning on the previous May 15 about a virus distributed via “debt collection” emails, CyRadar’s malicious code analysis specialists have produced an in-depth analysis of how this new kind of malicious code spreads.

1. The basics

Download shellcode (Cobalt Strike) from the C2 and execute it in memory => take control of the device
Open the contents of the .doc file

2. In-depth

Information on the two files that users get when extracting the .rar is as follows:

2.1 Analysis on file Noi dung de nghi thanh toan. Cong hoa xa hoi chu nghia Viet Nam Doc lap tu do hanh phuc.exe

VirusTotal identifies this as a standard WINWORD.EXE file.

Hackers can therefore use this “clean” WINWORD.EXE file to load malicious code using the popular DLL side-loading technique to bypass antivirus products. DLL side-loading is an attack technique in which a fake DLL file is loaded into the application’s memory, so that external code runs against the user’s will.

2.2 Analysis on file wwlib.dll

This is a DLL file posing as a Microsoft library, and cannot be found on We can conclude that the hackers of this attack are using an entirely new malicious code.

How the malicious code works

The DLL SideLoading Technique is used in the installation of the malicious code.

WINWORD.EXE -> wwlib.dll in the same folder?
  • Yes -> LOAD wwlib.dll (fake) -> Run malicious code
  • No -> LOAD the real wwlib.dll

In particular, when the victim opens the .exe file in the same folder as the fake wwlib.dll, the fake file will be run and malicious actions can be carried out.

wwlib.dll is loaded into memory and run when the victim opens winword.exe

First, the malicious code drops a .doc file into the TEMP folder, then opens that file to fool the user.

Next, the malicious code creates a new memory region, then copies the decrypted shellcode into that region before running it.

These steps are continuously repeated.

After that, it creates a new thread on the newly copied memory containing the shellcode. Then the malicious code goes on to decrypt the C&C address in order to receive data from the main server.

C2: hxxps://api.ciscofreak[.]com/jZHP

It then reads all the data from the C2 and saves it into memory.

Data taken from C2 by the malicious code.

SHA1 code: 5AF7A8D128C859BC78F57B855AF30C299C58D8AB

Judging by the first bytes, this is likely to be another shellcode from the hackers.

Shellcode begins to decrypt.

After decryption: a new PE file.

SHA1: E4A84461D81341981E3BF04DE6CFB30BC0D901BC

Analysis on the shellcode pushed down by hackers

The analysis is based on the strings in the decrypted shellcode.

From the analysis above, we can conclude that this is a familiar payload of the hacking tool Cobalt Strike, frequently used by hackers in APT attacks.

The malicious code can carry out different actions according to commands from the C&C.

There are 76 commands in total that hackers can issue to this code, including:

  • Read, write, append to or delete any file on the system;
  • Execute remote commands on the system;
  • Install other malicious code;
  • Remotely control the device;
  • Spying actions such as stealing accounts and eavesdropping;
  • Spread the code to other systems in the network.

Images of commands from the malicious code:

At the moment, most firms have not been able to identify this attack.

3. IOCs (Indicators of Compromise)

Below are IOCs related to these attacks. Since these samples haven’t been identified by most, network administrators at businesses and organizations can use these IOCs to detect and prevent attacks.


  • Hoa don tien no.rar: A826AC55E7383A40572F7596AEE8BDB35AD1CF2D
  • dll: 69079F50DD579A7F6801F297CE7D6CF4FE436FD0
  • Shellcode-A: 5AF7A8D128C859BC78F57B855AF30C299C58D8AB
  • Shellcode-B: E4A84461D81341981E3BF04DE6CFB30BC0D901BC


  • ciscofreak[.]com
  • hxxps://api.ciscofreak[.]com/jZHP
  • hxxps://api.ciscofreak[.]com/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2
  • hxxps://api.ciscofreak[.]com/safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4
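
A defender-side sweep for the side-loading layout and the file hashes described on this page, as an added example (not CyRadar's code). The trusted-folder rule, the function names and the sample directory tree are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-1 values of the on-disk files, copied from the IOC list on this page.
IOC_SHA1 = {
    "a826ac55e7383a40572f7596aee8bdb35ad1cf2d",  # Hoa don tien no.rar
    "69079f50dd579a7f6801f297ce7d6cf4fe436fd0",  # dll
}
# Assumption: a genuine wwlib.dll lives under an Office install folder.
TRUSTED_PARTS = ("microsoft office",)

def sha1_of(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def sweep(root):
    """Return (path, reason) for IOC hash hits and misplaced wwlib.dll files."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if sha1_of(p) in IOC_SHA1:
            findings.append((p, "sha1 matches published IOC"))
        elif p.name.lower() == "wwlib.dll":
            trusted = any(t in str(p.parent).lower() for t in TRUSTED_PARTS)
            exes = [e.name for e in p.parent.iterdir() if e.suffix.lower() == ".exe"]
            if not trusted and exes:  # the side-loading layout from section 2
                findings.append((p, "wwlib.dll beside " + ", ".join(sorted(exes))))
    return findings

def demo():
    # Constructed sample tree with harmless placeholder bytes, not real samples.
    with tempfile.TemporaryDirectory() as d:
        office = Path(d, "Program Files", "Microsoft Office", "Office16")
        downloads = Path(d, "Users", "a", "Downloads", "Hoa don tien no")
        for folder in (office, downloads):
            folder.mkdir(parents=True)
            (folder / "wwlib.dll").write_bytes(b"placeholder dll")
        (office / "WINWORD.EXE").write_bytes(b"placeholder exe")
        (downloads / "Noi dung de nghi thanh toan.exe").write_bytes(b"placeholder exe")
        return [(p.relative_to(d).as_posix(), why) for p, why in sweep(d)]

if __name__ == "__main__":
    for path, why in demo():
        print(path, "->", why)
```

The folder-name rule is only a triage heuristic; in production, confirm a flagged wwlib.dll by checking its digital signature before acting on it.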


Ha Truong – CyRadar
