Introduction

Twitter user @0xToxin has reported seeing malicious emails impersonating DocuSign with HTML attachments this past week or so.  Samples are available here.

Very little public information exists on this specific campaign, so today's diary reviews information on it.

Image 1:  Flow chart for the infection chain.

HTML Attachments

Although, Twitter user @ffforward has stated this campaign started sometime in 2022, I can only confirm confirm one additional date based on the HTML template, file name, and post-infection traffic from @0xToxin's publicly-shared samples.

I collected the following data from VirusTotal and confirmed it is the same campaign.

From 2023-05-10:

SHA256 hash: 064ee9cc4256a4e004d3c6e74e1a4cc2d686f82a7e22640aa718167b5af40a29

• File name: May10-Invoice-DocuSign-6345036.html

SHA256 hash: 1b1ee0937147d8867227ea72654d3aa7acb54d5bc1d31b7922586f12a30beeb4

• File name: May10-Invoice-DocuSign-945225.html

SHA256 hash: efbb83a531b88d0820d36410356cc4c8deef25deaa8da351a963dd51eadf8048

• File name: May10-Invoice-DocuSign-91218.html

Downloaded zip name: May10-Invoice-DocuSign.zip
Extracted .js name: May10-Invoice-DocuSign.js

From: 2023-05-25:

SHA256 hash: 418c0706510868bf2afad98bfb66d7492fdb594ca8d477aba89f471ca00d70fd

• File name: Invoice DocuSign May 25 2023 6841006.html

SHA256 hash: d075b86f23ea2f16db1bbbe5d8b141fde60b1655fc48b46335bb8554235bac32
File name: Invoice DocuSign May 25 2023 34261.html

Downloaded zip name: Invoice-DocuSign-May25-2023.zip
Extracted .js name: Invoice-DocuSign-May25-2023.js

Preliminary analysis indicates all HTML file attachments for a specific day of spamming generate the same file hash for the downloaded zip archive and extracted .js file.

Images From An Infection

Image 2:  HTML attachment opened in a web browser presents a zip archive to download.

Image 3:  The zip archive contains an obfuscated script file.

Image 4:  The infection is kept persistent through a scheduled task that contains the C2 URL.

Image 5:  The persistent VBS is merely a WScript command to run PowerShell, and it uses parameters for the C2 from the scheduled task command.

Traffic From An Infected Windows Host

Traffic from this infection occurs using HTTP GET and POST requests to 159.65.42[.]223 over TCP port 80.  The initial HTTP GET request returns script to gather information about the infected Windows host.  The second HTTP request is a POST that sends the collected information to the C2 server.  After that initial POST request, the infected Windows host checks in to the C2 server approximately once every minute.

The 16-character string at the end of the C2 URL is unique for each infected host.

I let the infection run in my lab for over an hour, but I saw no follow-up activity.  Only the check-in traffic every minute.

Image 6:  Traffic from the infection filtered in Wireshark.

Image 7:  Initial HTTP GET request returns script to gather info on the infected Windows host.

Image 8:  The initial HTTP POST request sends collected data to the C2 server.

Image 9:  The infected Windows host then checks in approximately once every minute.

Final Words

This campaign may have started sometime last year.  C2 traffic is based on the scheduled task as shown above in Image 4.  This script-based malware sends information about the infected host to a C2 server.  At some point, this would probably lead to further malware.

So far, the collected malware is available on Malware Bazaar using the tag 159-65-42-223, at least until the threat actor decides to change C2 servers.

If anyone knows further information on this campaign, feel free to share in the comments!

---
Brad Duncan
brad [at] malware-traffic-analysis.net