Netskope Threat Research Labs has discovered another campaign of URSNIF-dropping spam. The attack is designed to evade security products such as IPS and sandboxes. We have blogged about similar campaigns in the past, but this iteration uses enhanced evasion techniques. The attack begins as an email with a password-protected Word file attachment, detected as Backdoor.Spamdoccryptd.BC, and results in the URSNIF family of data theft malware, detected as Backdoor.Generckd.5086438 by Netskope Threat Protection.
Initial Stage of Attack
The attack originates as a spam message containing a password-protected malicious attachment. This encrypted attachment is detected by Netskope Threat Protection as Backdoor.Spamdoccryptd.BC. An example of the attack spam can be seen in Figure 1.
Figure 1: SPAM email containing password protected Microsoft Word document file.
Analysis of Malicious Word Document
The malicious Word document is password protected, a frequently used trick designed to bypass antivirus and sandbox inspection engines. On entering the password, the document asks to enable edit mode as shown in Figure 2.
Figure 2: Password-protected malicious Word document
In the current iteration of this campaign, the attachment doesn't use macros; instead it contains three embedded objects that look like Word documents. When the user double-clicks one of them, the malicious OLE package is activated, as shown in Figure 3.
Figure 3: Obfuscated VB script code hidden inside OLE package.
As Figure 3 shows, the attacker deliberately inserted spaces between the actual filename and its extension to evade static scan engines that rely on URL extraction.
When the embedded script executes, it queries URLs to download the encrypted URSNIF payload, as shown in Figure 4.
Figure 4: Malicious script downloads image file as a payload
The script attempts to download an encrypted version of the final payload so that the file in transit does not appear to be an executable. The URLs used, hxxp://91[.]247[.]36[.]92/132957927[.]bmp and hxxp://www[.]librairiescdd[.]be/sp[.]png, themselves appear to be images on a cursory scan.
The encrypted payload is saved to “C:\Users\Windows7\AppData\Roaming\96599659.wDV” and decrypted to “C:\Users\Windows7\AppData\Roaming\965996599659.SXF”. At this point, the backdoor is a valid executable, as shown in Figure 5, but does not have a .exe extension.
Figure 5: Encrypted and decrypted URSNIF payloads
The decrypted payload is a DLL (dynamic link library) file that the script launches using RUNDLL32.EXE with the exported function name DllRegisterServer (rundll32 DLL_FILEPATH, DllRegisterServer), as shown in Figure 6.
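As an added example (not code from the original post or from Netskope), the following Python checks a downloaded or dropped file against the three evasions described in Figures 3 to 5: a whitespace-padded extension hiding a script, an "image" URL whose content does not decode as an image, and a valid PE saved under a non-executable extension. The file names 132957927.bmp and 965996599659.SXF come from the page; the file contents and the name invoice.doc .vbs are constructed for this example.

```python
import re

# Magic bytes for the formats in play: the image types the download URLs claim
# (BMP, PNG) and the PE header of the decrypted DLL; anything else is "unknown".
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
BMP_MAGIC = b"BM"
PE_MAGIC = b"MZ"
IMAGE_EXTS = {"bmp", "png", "jpg", "gif"}
EXEC_EXTS = {"exe", "dll", "scr", "vbs", "js", "wsf"}

def real_extension(name: str) -> tuple[str, bool]:
    """Final extension of a filename, plus whether whitespace was inserted before it."""
    base = name.strip()
    padded = re.search(r"\s+\.[^.\s]+$", base) is not None
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    return ext, padded

def sniff(data: bytes) -> str:
    """Classify content by magic bytes, ignoring whatever the name claims."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(BMP_MAGIC):
        return "bmp"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"

def assess(name: str, data: bytes) -> list[str]:
    """Findings for one file; an empty list means nothing looked off."""
    findings = []
    ext, padded = real_extension(name)
    kind = sniff(data)
    if padded and ext in EXEC_EXTS:            # Figure 3: 'report.doc      .vbs'
        findings.append(f"padded-extension:{ext}")
    if ext in IMAGE_EXTS and kind != ext:      # 'image' that does not decode as one
        findings.append(f"image-extension-mismatch:{ext}->{kind}")
    if kind == "pe" and ext not in EXEC_EXTS:  # PE dropped under a non-executable name
        findings.append(f"pe-with-extension:{ext or 'none'}")
    return findings

# Constructed samples: the first two names are from the campaign; contents and the third name are made up.
SAMPLES = {
    "132957927.bmp": b"\x6e\x03\xa1\x55\x90\x2c\xd8\x17",      # encrypted blob, no BMP header
    "965996599659.SXF": PE_MAGIC + b"\x90\x00\x03\x00",        # decrypted DLL
    "invoice.doc        .vbs": b"' constructed script text",   # padded name hides .vbs
    "photo.png": PNG_MAGIC + b"\x00\x00\x00\rIHDR",            # benign image, no finding
}

def run_samples() -> dict[str, list[str]]:
    """Run assess() over every sample and return name -> findings."""
    return {name: assess(name, data) for name, data in SAMPLES.items()}
```

The same three checks map directly onto proxy or EDR telemetry: a file fetched from a .bmp/.png URL that fails image sniffing, and a PE written under an unfamiliar extension and then passed to rundll32, are both worth an alert.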