Introduction ISO files are a format used for optical disk images like CD-ROMs or DVDs. Criminals sometimes use ISO files as attachments in malicious spam (malspam) to distribute malware. Here and here are two recent examples. On Wednesday 2017-10-18, I came across HSBC-themed malspam using this technique to distribute Loki Bot, an information stealer. The malspam was easily detected by an enterprise-level security solution, so I'm not sure this technique is more effective than other methods. However, even if it's ineffective, we should be aware of current mass-distribution methods. With that in mind, today's diary examines Wednesday's Loki Bot malspam.
The emails I found eight emails in this wave of malspam. They all had the same subject line, spoofed sending address, message text, and email attachment. These emails all came from 185.61.138.132, a Netherlands-based IP address registered to a hosting provider named BlazingFast.io. The domain email.hsbc.ae is legitimate and hosted on a different IP registered to HSBC, so it's being spoofed in the email headers.
The attachment The attachment was an ISO file, which I copied to a Windows 10 host in my lab. Double-clicking the ISO file revealed a Windows executable file. Victims who receive this file from email would likely see a warning if they try to open it. The Windows executable was Loki Bot malware. Double-clicking the executable infected my Windows 10 host.
Network traffic Post-infection traffic consisted of a single HTTP POST request continually repeated from the infected host. The User-Agent string and other characteristics are somewhat unusual and easily identifiable.
Post-infection forensics The infected host had artifacts commonly associated with Loki Bot, such as a Windows registry key using non-ASCII characters. The malware moved itself to a hidden folder under the user's AppData\Roaming directory to become persistent.
Indictators Email information:
Associated malware: SHA256 hash: 1bff70977da707d4e1346cc11bccd13f3fc535aeeb27c789c2811548c6b7793a
SHA256 hash: 9022ed5070226c516c38f612db221d9f73324bb61cd4c4dc5269662c34e7a910
Post-infection traffic:
Final words As mentioned earlier, I don't find this malspam any more effective than other wide-scale email-based attacks. Potential victims still must click through a warning to get infected. And as always, it's relatively easy to follow best security practices on your Windows computer. Software Restriction Policies (SRP) or AppLocker can easily prevent these types of malspam-based infections from occurring. Still, we should keep an eye on our spam filters. These blocked emails contain a variety of information on active criminal groups using mass-distribution techniques. Pcap and malware for today's diary can be found here. --- |
Brad 436 Posts ISC Handler Oct 19th 2017 |
Thread locked Subscribe |
Oct 19th 2017 4 years ago |
Sign Up for Free or Log In to start participating in the conversation!