Last Updated: 2019-01-24 04:58:01 UTC
by Brad Duncan (Version: 1)
On Wednesday 2019-01-23 I ran across several hundred items from a wave of malicious spam (malspam). These emails had an attached Word document with malicious macro code. Opening the attached Word document and enabling macros would infect a vulnerable Windows host.
The macro code in these Word documents uses Powershell to run a script retrieved from 162.244.32[.]180. This script is designed to steal system information and other sensitive data, sending it back to 162.244.32[.]180.
There is no mechanism for persistence. This infection did not survive a reboot or even logging out of an infected user's account.
Today's diary examines the emails and associated infection traffic from this wave of malspam seen on Wednesday 2019-01-23.
Emails from this wave of malspam used a fake invoice or payment document. A typical example is shown in the image below.
Opening the Word document and enabling macros ran Windows Powershell on a Windows 7 host in my lab. The script initially generated HTTPS traffic to 162.244.32[.]180, with a URL ending in ".png". Network traffic generated by this infection did not trigger any alerts for me. However, certificate data for the HTTPS traffic was unusual: someone had used "WW" for all of the fields identifying the certificate issuer.
Base64 strings from the Powershell script
I noticed two very long base64 strings in the script returned from hxxps://162.244.32[.]180/[seven random letters].png. Decoding these base64 strings revealed two files. One was a gzip archive that contained a DLL file (tools.dll) run from system RAM. The other was a text-based script that gathered information from the system, including data from Microsoft Outlook profiles.
Indicators of Compromise (IoCs)
The following are indicators for emails from this wave of malspam. Any malicious URLs, IP addresses, and domain names have been "de-fanged" to avoid issues when viewing today's diary.
Date/time of the emails:
- Wednesday 2019-01-23 as early as 09:50 UTC through at least 11:40 UTC
Subject lines:
- Customer's service complaint
- Immediate payment requested
Senders:
- Various email addresses, probably spoofed
Attachment names:
- complaint (1).doc
- complaint (2).doc
- complaint (3).doc
- complaint (4).doc
- complaint (5).doc
- complaint (6).doc
- complaint (7).doc
- complaint (8).doc
- complaint (9).doc
- complaint (10).doc
- complaint (11).doc
- invoice (1).doc
- invoice (2).doc
- invoice (3).doc
- invoice (4).doc
- invoice (5).doc
- invoice (6).doc
- invoice (7).doc
- invoice (8).doc
- invoice (9).doc
- invoice (10).doc
- invoice (11).doc
- statement (1).doc
- statement (2).doc
- statement (3).doc
- statement (4).doc
- statement (5).doc
- statement (6).doc
- statement (7).doc
- statement (8).doc
- statement (9).doc
- statement (10).doc
- statement (11).doc
Seven examples of SHA256 hashes for these attached Word documents:
Powershell command after enabling macros on Word document (de-fanged):
SHA256 hash of the malicious script returned from hxxps://162.244.32[.]180/[seven random letters].png, retrieved by the above Powershell command:
SHA256 hash of gzip archive from base64 string in above Powershell script:
SHA256 hash of DLL file (tools.dll) extracted from the above gzip archive:
SHA256 hash of more script from base64 string in the above Powershell script:
Example of HTTPS infection traffic (de-fanged):
- hxxps://162.244.32[.]180/pxnbtoe.png (the seven letters before .png are random)
HTTPS/SSL/TLS certificate issuer data from 162.244.32[.]180:
Pcap and malware/artifacts associated with today's diary can be found here.
brad [at] malware-traffic-analysis.net