Introduction

On Monday 2017-03-20, the ISC received a notification through our contact page. Someone reported numerous items of malicious spam (malspam) sent to addresses at his organization. The malspam had Microsoft Word documents (.docx files) as attachments and subject lines such as:
An example of the message text:

Check the payment report created for [recipient's email address] as you just ordered. You may need Doc Passcode: [string of alphanumeric characters] [fake sender's name]

The attached Word documents were approximately 70 kB in size and password-protected. The document file names started with the string of alphanumeric characters from the subject line, followed by the recipient's email address. File names all ended with the .docx file extension. This diary documents my investigation into this wave of malspam. We're always thankful for people who submit samples of emails and malware like this to the ISC.

The email

The email appeared fairly typical of the malspam we see. People sometimes think that if malspam includes the recipient's name in the email, it must be targeted. However, that's often not the case. This type of malspam is easily automated, and it can seem convincing when the recipient's email address is formatted as firstname.lastname@company.com, because the sender can pull the name straight from the address.
The attachment

The document would only open after entering the password from the malspam it was attached to. Because a password-protected Office file is encrypted, scanners cannot inspect its content, so this tactic typically lets the attachment bypass detection in anti-virus tools. Searching VirusTotal for the Word document showed 0 of 56 detections when I checked the file later that day.
The document had three embedded objects that were supposedly Word documents. Dragging and dropping the objects onto the desktop revealed that all three were copies of the same Visual Basic Script (VBS) file. The file name had several spaces before the .vbs file extension in an attempt to hide the true nature of the file.
The VBS script was obfuscated, so its purpose was not immediately apparent.
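The two things that make this attachment hard to catch are visible in the bytes without opening it: a password-protected .docx is not a ZIP at all but an OLE2/CFB container with EncryptionInfo and EncryptedPackage streams, and the embedded object's name hides its .vbs extension behind a run of spaces. The following triage script is an added example written for this diary page, not code from the original post or from the ISC; it uses only the Python standard library, builds its own constructed sample files (no real malware), and only walks the CFB directory, so it identifies an encrypted container but does not decrypt it. Object names for the padded-extension check are whatever you recover from the embedded objects by other means (drag-and-drop as above, or a tool such as oledump.py); the script does not parse the OLE packages themselves.

```python
# Added example (not from the ISC diary): triage a Word attachment from its bytes.
# Flags a "docx" that is really an OLE2/CFB container holding EncryptionInfo +
# EncryptedPackage streams (password-protected OOXML, opaque to AV) and object
# names that pad spaces before a script extension ("invoice      .vbs").
import io
import re
import struct
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FATSECT, FREESECT = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
PADDED_SCRIPT = re.compile(r"\s{2,}\.(vbs|vbe|js|jse|wsf|hta|exe|scr|ps1)$", re.I)


def cfb_entry_names(data: bytes) -> list:
    """Names of all used directory entries in a CFB file.  Walks the directory
    sector chain through the FAT using the 109 DIFAT slots in the header, which
    covers files up to ~7 MB with 512-byte sectors (plenty for an attachment)."""
    if not data.startswith(OLE_MAGIC):
        raise ValueError("not an OLE2/CFB file")
    sector = 1 << struct.unpack_from("<H", data, 30)[0]      # sector shift
    difat = struct.unpack_from("<109I", data, 76)
    per_fat = sector // 4                                      # FAT entries per sector
    names, sid, seen = [], struct.unpack_from("<I", data, 48)[0], set()
    while sid != ENDOFCHAIN and sid not in seen:
        seen.add(sid)
        base = (sid + 1) * sector                              # sector 0 follows the header
        for off in range(base, base + sector, 128):            # 128-byte directory entries
            if off + 128 > len(data):
                break
            name_len = struct.unpack_from("<H", data, off + 64)[0]   # bytes incl. NUL
            if data[off + 66] != 0 and name_len >= 2:          # object type 0 = unused
                names.append(data[off:off + name_len - 2].decode("utf-16-le"))
        fat_off = (difat[sid // per_fat] + 1) * sector + (sid % per_fat) * 4
        sid = struct.unpack_from("<I", data, fat_off)[0]       # next sector in chain
    return names


def classify_attachment(data: bytes) -> dict:
    """What the attachment bytes actually are, regardless of the file extension."""
    if data.startswith(OLE_MAGIC):
        names = cfb_entry_names(data)
        if {"EncryptionInfo", "EncryptedPackage"} <= set(names):
            kind = "encrypted-ooxml"       # password-protected .docx/.xlsx/.pptx
        elif "WordDocument" in names:
            kind = "legacy-doc"            # binary Word 97-2003 file
        else:
            kind = "ole-other"
        return {"kind": kind, "members": names, "embedded": []}
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            members = z.namelist()
        kind = "ooxml" if "[Content_Types].xml" in members else "zip"
        return {"kind": kind, "members": members,
                "embedded": [m for m in members if m.startswith("word/embeddings/")]}
    return {"kind": "unknown", "members": [], "embedded": []}


def suspicious_object_name(name: str) -> bool:
    """True for an object/file name padded with spaces before a script extension."""
    return PADDED_SCRIPT.search(name) is not None


def build_cfb(entries) -> bytes:
    """Constructed sample: minimal CFB, 512-byte sectors, FAT in sector 0, directory
    (root + up to three (name, type) entries; 2 = stream, 1 = storage) in sector 1.
    Streams carry no data; it only exercises the directory walk."""
    assert len(entries) <= 3
    directory = bytearray()
    for name, obj_type in [("Root Entry", 5)] + list(entries):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        entry = bytearray(128)
        entry[:len(raw)] = raw
        struct.pack_into("<HBB3I", entry, 64, len(raw), obj_type, 1, FREESECT, FREESECT, FREESECT)
        struct.pack_into("<I", entry, 116, ENDOFCHAIN)         # start sector (no data)
        directory += entry
    header = bytearray(512)
    header[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)  # v3, LE, 512/64-byte sectors
    struct.pack_into("<II", header, 44, 1, 1)                  # 1 FAT sector; directory at sector 1
    struct.pack_into("<IIII", header, 56, 4096, ENDOFCHAIN, 0, ENDOFCHAIN)  # no mini FAT/DIFAT
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))  # DIFAT: FAT is sector 0
    fat = struct.pack("<II", FATSECT, ENDOFCHAIN).ljust(512, b"\xff")
    return bytes(header) + fat + bytes(directory).ljust(512, b"\x00")


def build_docx(embedded: int) -> bytes:
    """Constructed sample: minimal ZIP laid out like an unencrypted .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        for i in range(1, embedded + 1):
            z.writestr(f"word/embeddings/oleObject{i}.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    locked = build_cfb([("EncryptionInfo", 2), ("EncryptedPackage", 2), ("\x06DataSpaces", 1)])
    print(classify_attachment(locked)["kind"])                       # encrypted-ooxml
    print(len(classify_attachment(build_docx(3))["embedded"]))       # 3
    print(suspicious_object_name("payment report        .vbs"))      # True
```

Run it against real attachments by reading the file into bytes and calling classify_attachment; a gateway rule that quarantines "encrypted-ooxml" results is the structural equivalent of holding all encrypted attachments, and unlike a hash or signature it does not depend on the per-recipient bytes of each document.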
The traffic

Executing the VBS file on a Windows host in my lab generated HTTP traffic. This is typically an attempt to download additional malware like a Windows executable or DLL file. Unfortunately, by the time I checked it, the URL returned a 404 Not Found error.
I searched reverse.it (also available as Payload Security on hybrid-analysis.com) and found 21 items submitted on Monday 2017-03-20 associated with the domain. Most were other documents from the same type of malspam. Two were attempts to analyze an extracted .vbs file. One was a query to the callback URL. None of these examples made it any farther than I did. NOTE: Getting these search results on reverse.it requires a login. The accounts are free and only require a name, email, and password.
Indicators of compromise (IoC)

The following indicators are associated with today's malspam example:

Password-protected Word document:
Word document with password-protection removed:
VBS file embedded in the Word document:
Traffic generated by the VBS file:
Final words

Last week, someone at cysinfo.com blogged about similar malspam designed to infect Windows hosts with the Ursnif banking Trojan. This type of password-protection technique in malspam attachments is nothing new. I've certainly seen it before, and some creative Google searching will reveal this started years ago. However, I haven't seen much about this in public forums lately. Most security professionals assume we all know about it, so it doesn't usually make any headlines. I advise people that this is still a thing. Of course, properly-administered Windows hosts are far less vulnerable to this type of infection. The hosts I use in my lab environment are a different story. If anyone knows of someone who was actually infected from one of these password-protected documents, please share your tale in the comments.

Brad, ISC Handler, Mar 21st 2017
Thanks for the post. I have seen a wave of this particular malspam recently as well. I have been capturing it daily for the past couple of weeks.
Anonymous, Mar 21st 2017
According to MS documentation of OpenXML, when a password is used the file is encrypted.
https://technet.microsoft.com/en-us/library/cc179125.aspx

As you mentioned, each file (and we can assume the password too) is customized per payload per email, hence classifying one email or document as malicious in an IDS/IPS/firewall/email filtering system or VirusTotal does not help identify other malicious payloads, because they look completely different.

Anonymous, Mar 21st 2017
Quoting Anonymous: According to MS documentation of OpenXML, when a password is used the file is encrypted.

That's a good point. The encrypted version is certainly a different set of bytes than the unencrypted version.

Brad, ISC Handler, Mar 21st 2017
Hi Brad,
If you can share what lab environment you set up to execute malicious documents, we can have a similar setup. Thank you

Anonymous, Mar 21st 2017
We've been seeing more of these over the last couple weeks. Initially they were getting through Mimecast's attachment protection, but we quickly modified our policy to hold all encrypted attachments. But it seems like a good way for the bad guys to get around email protection if you're not paying attention.
By the way, Brad, I saw your presentation at the EISC a couple weeks ago. Good stuff.

Jeff, Mar 21st 2017
@Anonymous: Unfortunately, I cannot share the details of my lab environment, especially in a public forum.
@Jeff: That's a good policy to set for inbound email. Thanks for the kind words!

Brad, ISC Handler, Mar 21st 2017
Brad,
I've got a sample from a few weeks ago. I believe it's ransomware.

m0nst3r, Mar 21st 2017
Quoting m0nst3r: Brad,

@m0nst3r, if you submit it through our contact page, someone might be able to look at it. Thanks!

Brad, ISC Handler, Mar 21st 2017
Each time I need to analyze something, I just spin up vm's in isolated test areas I have set up in Google Compute or AWS. After I am done I destroy the vm's and move on.
Anonymous, Mar 22nd 2017
Okay cool, is a VT URL sufficient or would you like the downloaded payload zipped and password protected?
m0nst3r, Mar 22nd 2017
@m0nst3r, a VT URL will work.
Brad, ISC Handler, Mar 22nd 2017
They're back

From: Random name and email address
To: 3wsoolwe.user@domain.com (random string to start on all)
Subject: invoice (also saw bill and IOU) from Random Name

Hi
This email (user@domain.com) [email address always matched recipient] was used as the addressee of the payment. Please find the invoice (also saw bill or IOU) enclosed with this msg
Payment will be posted in 30 minutes.
File Passcode: 2SljM4i2Bs2X
Thanks
Name of sender

Anonymous, Mar 28th 2017
Is there a way to safely remove the password requirement without having to open the word document assuming you know the password? Any CLI/CMD commands to run that would do this?
Anonymous, Apr 17th 2017