Gatefy detects advanced email attack using Word file as a bait

Updated at: Sep 21, 2020
By Gatefy

Malicious Word file.

Gatefy's security team detected and mapped a malicious email attack involving a dangerous Microsoft Word file as a bait. The attack is quite sophisticated and uses a persuasive approach to social engineering coupled with technology, which makes detection based on traditional approaches difficult.

At first, the attack works just like any other malware spreading campaign. The hacker sends a malicious file by email and asks the victim to execute it.

What draws attention, however, is how the malware works after it has already infected the victim's computer.

As soon as the malware infects the device, it accesses the victim's email and, then, reads and uses his contact list and emails received and sent.

That is, the malware uses the victim's legitimate content, which is available in his email, to apply scams. In other words, the attack turns the victim's device into a zombie, which sends malicious messages to people with whom the victim has contact.

As we can see, this is an advanced social engineering scam. The worst thing is that acting in this way, the malicious code creates a scam that is very difficult to detect and block, with huge chances of infecting new devices.

In the email blocked by Gatefy, the malicious Word file contained a VBScript (Visual Basic Script) which, in fact, was a payload or an artifact of the type VB.EmoDldr, which is a Trojan-type malware.

The threat can be categorized as a dridex, in which the hacker uses Microsoft Office scripts to write malicious code that is capable of changing almost every type of configuration on the victim's computer.

This is a type of threat that became famous due to banking credential theft, including cryptocurrencies, and as a way of spreading ransomware.

Incident response

When the malware accesses the victim's device, it tries to contact 3 domains:

  • _ldap._tcp.dc._msdcs.scl3.dc
  • isatap.scl3.dc
  • wpad.scl3.dc

MITRE ATT&CK® indicators

technique id technique description tactic description matched malicious indicators count matched suspicious indicators count matched informative indicators count
T1204 User execution Execution 0 1 1
T1179 Hooking Persistence 0 0 3
T1137 Office applicaation startup Persistence 1 0 0
T1179 Hooking Privilege Escalation 0 0 3
T1112 Modify registry Defense Evasion 0 0 1
T1179 hooking Defense Access 0 0 3
T1010 Application window discovery Discovery 0 0 1
T1114 Email collection Collection 0 1 0

 

Indicators of malicious activity

1. The file has extra data, which exceeds the last FAT sector of the “Microsoft Compound File Binary Format” file. It’s not a common situation when a file is saved by Microsoft Word. This usually happens when a malicious payload is “manually” attached to the end of an MS Office file on purpose.

When the file is opened in MS Word, the first stage of the malware is triggered by a VBA macro, an OLE (Object Linking Embedding) in the document. This code finds the data from the second stage at the end of the file, using a specific marker or knowing the size of the data, saves it to another file on disk and executes it. It’s similar to a steganography technique.

2. The file contains VBA Macros with keywords that indicate self-executing behavior. For example, “Document_Open” was found in it, which indicates that the code must be executed when the file is opened.

This indicator comes from MITRE ATT&CK ID T1137 - Office Application Startup.

3. The malicious code creates mutants. In Windows, a mutant is a kernel object that allows programs to synchronize events between them. The malware generally uses a named mutant to ensure that it doesn’t reinfect the same machine, and runs only a single copy of the malware.

"\Sessions\1\BaseNamedObjects\Local\x64_10MU_ACBPIDS_S-1-5-5-0-70237"

"\Sessions\1\BaseNamedObjects\Local\x64_10MU_ACB10_S-1-5-5-0-70237"

"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"

"Global\552FFA80-3393-423d-8671-7BA046BB5906"

"Local\x64_10MU_ACBPIDS_S-1-5-5-0-70237"

"Local\x64_10MU_ACB10_S-1-5-5-0-70237"

Suspicious indicators

1. A string with malicious potential was found in the email address in the binary file in memory. Mitre t114.

2. The malicious process tried to connect random domains.

3. VBA Macro had suspicious keywords, which may indicate that specific strings should be obfuscated, where it should create OLE objects and indications of where it should hide the application.

Persistence

1. The artifact loads edit control libraries. These libraries can be used in methods of capturing user data to obtain credentials or collect information. During normal use of the system, users often provide credentials for several different locations, such as login pages and portals or system dialogs. MITRE T1179.

"WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\Microsoft Shared\OFFICE14\RICHED20.DLL" at E5800000

2. The artifact also removes Office resiliency keys. Hackers can write code to interact with the infected machines' Windows registry to hide configuration information in registry keys, remove information as part of cleaning or as part of other techniques to ensure persistence.

3. The malicious file tries to obtain a list of open applications. This list can convey information about how the system is used or give context to the information collected.

4. It creates files in the Windows folder.

"WINWORD.EXE" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"

"WINWORD.EXE" touched file "C:\Windows\Fonts\StaticCache.dat"

"WINWORD.EXE" touched file "C:\Windows\System32\en-US\user32.dll.mui"

"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\clr.dll"

"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll"

"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"

"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"

"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"

"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001d.db"

"WINWORD.EXE" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"

"WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"

"WINWORD.EXE" touched file "C:\Windows\System32\rsaenh.dll"

"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B139C51A-B13E-45F4-9AB3-0AD4B34D1E2F}.tmp"

"WINWORD.EXE" touched file "C:\Windows\System32\en-US\msctf.dll.mui"

"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"

"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"

"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001d.db"

"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B139C51A-B13E-45F4-9AB3-0AD4B34D1E2F}.tmp"

5. A URL was found in the binary file in memory.

Malicious process name

WINWORD.EXE

File name

MENSAGEM.doc

Size

171365 bytes

HASH SHA256

735d344181fff3c321e0dd5358a7819eb52cd2458dbae3d8aafbc8fd780e45bc

Extracted files

File name

overlay_a0db5f1a664c58b276ecf68d60dab5cffd2f56b1f7614827f1b2f363dd70d28f

Hash SHA256

a0db5f1a664c58b276ecf68d60dab5cffd2f56b1f7614827f1b2f363dd70d28f

File name

~WRS_B139C51A-B13E-45F4-9AB3-0AD4B34D1E2F_.tmp

Hash SHA256

4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1

File name

~_Normal.dotm

Hash SHA256

3882a3e04d6cf66707b31c8cb14a7c9fe512d10dd355f97a37e8666270f6e17d