The Distant Entry Device (RAT) is likely one of the malware varieties we regularly encounter with our Safety E-mail Gateway (SEG). Late final 12 months, we seen spam campaigns resulting in RATs through disk picture recordsdata by means of attachment and hyperlink. Extra lately, we got here throughout 2 RATs encrypted, packed, and hidden in PNG recordsdata – utilizing disk picture recordsdata once more and redirectors as arrival vectors.
Determine 1: Spam campaigns’ assault circulate
Faux Harassment Video Spam
The primary spam marketing campaign is about pretend harassment. The sender, claiming to be a faculty president, is informing his colleague that an nameless e mail with video, supposedly within the attachment, reveals sexual harassment occurred on their premises.
Determine 2: Trustwave SEG console displaying the mail physique of the harassment spam
The attachment CONFIDENTIAL0056.zip is a ZIP archive. Inside it’s a disk picture file CONFIDENTIAL0056.iso which is the Common Disk Format (UDF) file system format. UDF is managed by Optical Storage Expertise Affiliation (OSTA) and is a more recent disk picture format in comparison with ISO. UDF is acknowledged in Home windows therefore could be mounted when double-clicked.
The picture file CONFIDENTIAL0056.iso accommodates a RAR self-extracting archive (RARSfx) file PRIORITY.scr. As soon as launched, the RARSfx will silently drop and set up Three recordsdata within the %temp% folder. First, a shortcut file Xnekm.lnk can be created. It factors to and subsequently runs an executable Zhknjdc.exe which is in a folder with the identical identify because the LNK file. Saved with the EXE file is a picture file Zhkn.png.
Determine 3: The attachment in Determine 2 has a UDF disk picture file CONFIDENTIAL0056.iso which accommodates a RARSfx file PROIORITY.scr.
Wanting into the dropped picture Zhkn.png, its filesize is nearly on par with the dropped executable file. It’s because the PNG has additional information appended at its finish of picture marker. The additional information begins with a marker “766..;” instantly adopted by the encrypted information. The EXE file Zhknjdc.exe, a Delphi compiled executable, will search for the picture Zhkn.png in the identical listing. As soon as the PNG is situated, the EXE file will search for the marker and decrypt the information after it within the reminiscence. The decrypted information is a DLL – additionally compiled in Delphi.
Determine 5: The decryption routine for the encrypted information in Determine 4
The decrypted DLL has Three main features:
- Create a replica of the RARSFX’s dropped recordsdata;
- Put together the system for the arrival of the primary malware by disabling some system utilities;
- Run the primary malware.
The associated recordsdata for the primary perform can be dropped on the %userprofile% folder. A folder with the identical identify because the PNG Zhkn.png can be created and it’ll host the copies of the stated PNG and the EXE file contained contained in the RARSfx. As well as, two additional recordsdata, an HTA and a VBScript, that are used within the persistence of the EXE file, are additionally created. The filename of the EXE, HTA, and VBScript can be appended with hardcoded strings, as under.
Determine 6: The hardcoded strings to be appended with the PNG’s identify “Zhkn” are “asx.exe”, “_eno.hta”, and “wen.vbs” for the dropped recordsdata EXE, HTA, and VBScript respectively.
On the %public% folder, 2 binaries and a pair of batch recordsdata can be dropped to carry out the 2nd perform – to arrange the contaminated system for the arrival of the primary malware. The binaries, perfmon.exe and SSPICLI.dll, can be extracted from the decrypted DLL’s RCData useful resource whereas the batch recordsdata Runex.bat and Clear.bat are from the DLL’s information part. They’ll disable some system utilities like Home windows firewall, system restore, notification heart, auto-update, and Home windows Defender and can be deleted afterward.
The third and the final perform is to execute the primary malware. The identify of the useful resource the place the encrypted primary malware is saved is obtained from the “DVCLAL” useful resource, which accommodates a string, which when reversed, factors to the useful resource the place the primary malware is saved.
Determine 8: One of many RCData sources of the decrypted DLL, “B__1165184990”, accommodates the encrypted information
The principle malware can be decrypted and injected to one of many following processes. On this pattern, the primary malware is the most recent model of Remcos RAT (v2.5.zero Professional) filled with Morphine.
Determine 9: The vertical var delimited record of C&Cs, port, and key obtained from one the processes Remcos was injected into
Faux Buy Spam
A day after the primary spam marketing campaign, a associated spam marketing campaign was noticed – pretend buy emails. The attachment PO-1109017834665.xlsx.html, disguised as an order slip, is an HTML redirector. It accommodates a META refresh tag that results in the obtain of a RAR file. The HTML additionally has a hidden paragraph tag with random phrase padding inflicting the massive file dimension of the attachment.
Determine 10: The pretend buy spam results in an executable with a crafted PNG within the overlay
The downloaded file PO-1109017834665.xlsx.rar is a RAR archive which accommodates 1 file PO-1109017834665.xlsx.exe – a Delphi compiled executable. The EXE’s habits is nearly the identical with the EXE file dropped by RARSfx from the primary marketing campaign, besides the related PNG is situated at its overlay, in different phrases appended to the top of the executable.
A Delphi compiled DLL may even be obtained from the PNG and executed within the reminiscence. The recordsdata extracted from this DLL are the identical as those from the primary marketing campaign apart from the primary malware.
Determine 11: The RCData sources of the decrypted DLL and its dropped recordsdata at %public% folder
Netwire is the primary malware for this second spam marketing campaign. It Can also be filled with Morphine and hidden in an RCData useful resource “B__1191860879”. This RAT can be injected into one of many following processes.
This evaluation highlights an elevated focus by the unhealthy guys on each novel file codecs and abuse of ordinary file codecs. Using the UDF strengthens our remark from our earlier weblog – malware authors try totally different disk picture codecs as containers for his or her craft. The appending of malicious information to the top of PNG now seems to be a extra widespread trick for these purveyors of RATs. The second instance takes it one step additional in a Russian doll method – malicious information appended to a PNG which itself is appended to an executable.
CONFIDENTIAL0056.iso (2,228,224 bytes) SHA1: D29E67986225DC0BA2216ECB1F0640CB0212BAE1
PRIORITY.scr.rar (1,076,461 bytes) SHA1: B6AE5C8B6D72C45220A1FC45DB7D48E252F20C2D
%temppercentXnekm.lnk (1,116 bytes) SHA1: 1F94CB181ACEA6C76C4FA018440C02BB16AB5F8E
%temppercentXnekmZhknjdc.exe (805,376 bytes) SHA1: C3B54681E8AC61E605BD399AC680AC15B5608033
%temppercentXnekmZhkn.png (608742 bytes) SHA1: 5FEC6AD1DD292AC48DB2C56D2BC5F12775312E57
%userprofilepercentZhknZhknasx.exe (805376 bytes) SHA1: C3B54681E8AC61E605BD399AC680AC15B5608033
%userprofilepercentZhknZhkn.png (608742 bytes) SHA1: 5FEC6AD1DD292AC48DB2C56D2BC5F12775312E57
%userprofilepercentZhknZhkn_eno.hta (175 bytes) SHA1: 2EFA1CAF73021DA6E94C05F881C81104B9B5D9C8
%userprofilepercentZhknZhknwen.vbs (167 bytes) SHA1: 818A158803EB1AACA1DB603E100BDE4E46380D55
%publicpercentperfmon.exe (176,640 bytes) SHA1: C3B882CEA05A0371AF48F60D01E0C5DE019E2A2C
%publicpercentSSPICLI.dll (110,792 bytes) SHA1: AADA5C5AF3232A16F7906307326673C5749E3BBB
%publicpercentClean.bat (3,810 bytes) SHA1: 82E5CA631F6756CDF514D40AF776CE07F9DB5E86
%publicpercentRunex.bat ( 222 bytes) SHA1: 92C8D3DC444E9E6C3B1A7CF94DBEE02E4C7BDA00
Dimension: 247763 bytes (241 KiB)
PO-1109017834665.xlsx.html (247,763 bytes) SHA1 :A224DB9E9F2F347587DC398CB898057CE50326F5
PO-1109017834665.xlsx.rar (877,737 bytes) SHA1: 9742AEBCE253BFCF3819E28FD5E6CA1E58C10BBF
PO-1109017834665.xlsx.exe (2,169,356 bytes) SHA1: CD24179ABA477EAF9FE41C3CC3AD13326DF0C2D8
%userprofile% PO-1109017834665.xPO-1109017834665.xsex.exe (2,169,356 bytes) SHA1: D24179ABA477EAF9FE41C3CC3AD13326DF0C2D8
%userprofilepercentPO-1109017834665.x.hta (180 bytes) SHA1: 17102B28365E47B6C12244037289842C88638992
%userprofilepercentPO-1109017834665.x.vbs (146 bytes) SHA1: 7487DBA3045AA8D45B16DBCC95CA18BF84E9948C
checker[.]rneiko-elec[.]com:11012 (C&C Netwire)