March 18, 2017

The Evolution Of a Recent Attack Campaign.

Case Study

By Perception Point Research

How hackers can make variations within one campaign –
as seen in a recent customer attack we blocked.

On Wednesday 3.21.2018 one of our customers received a series of malicious emails across their organization. While it is not clear whether the attacks were coordinated, they appeared to be part of a larger campaign run by criminals seeking financial profit. Our platform blocked all of these attempts before they reached the end user; had they reached the users, however, the varying methods used could easily have tricked someone.

The attackers started the campaign with a simple attempt to send an executable file to several employees in the organization. After failing the first time, they progressively enhanced their techniques, adding complexity in order to bypass traditional cyber security solutions.

Here is a brief overview of each step in the campaign:

Phase 1.

An executable file attached to an email.

While sending a “.exe” file as an email attachment is prohibited by most email servers, sending it inside an “.iso” file is apparently allowed (specifically in Office365). This requires minimal effort from the attackers, and since Windows 10 automatically mounts an ISO file as a virtual DVD drive, it is very easy for an unskilled user to run the file. Once the user runs the file, it installs a malicious trojan on their computer.
In the screenshot of the original email below, you can see that the file name tries to look like a PDF and that the email pretends to be a DHL package notification.


Similar emails were sent to several employees in a short period of time, all attempting to deliver a variant of the same executable file. Here are the names of such iso & exe files (note the “,pdf” inserted before the real extension to mimic a PDF):
3829238055 ,pdf.iso
PO 5302,pdf.exe

On the same day, we encountered the exact same trojan files at another customer where we were conducting a trial, indicating a possible widespread campaign.
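As an added illustration of the Phase 1 trick (not code from the original post), the check below flags attachments that are auto-mounting disk images, executables inside such images, or names that imitate a document extension the way the file names above do. It assumes the caller has already listed the contents of the ISO; the container and executable extension sets are assumptions, not a complete policy.

```python
import re
from typing import List, Tuple

# Disk-image formats that Windows 8/10 mount with a double-click, so an .exe inside
# one slips past attachment filters that only look at the outer file name (assumption).
AUTO_MOUNT_CONTAINERS = {"iso", "img", "vhd", "vhdx"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "js", "vbs", "bat", "cmd"}


def true_extension(name: str) -> str:
    """The extension the OS will actually act on: the text after the last dot."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def fake_document_hint(name: str) -> str:
    """Return the document type a name is imitating ('3829238055 ,pdf.iso' -> 'pdf'),
    or '' when the stem does not end in a separator followed by a document extension."""
    stem = name.rsplit(".", 1)[0] if "." in name else name
    m = re.search(r"[\s,;_\-.]\s*(pdf|docx?|xlsx?)$", stem, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def assess_attachment(name: str, inner_names: List[str] = ()) -> Tuple[str, List[str]]:
    """Return ('block' | 'allow', reasons) for one attachment and, for a disk image,
    the file names found inside it (listing the image is the caller's job)."""
    reasons: List[str] = []
    ext = true_extension(name)
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable attachment (.{ext})")
    if ext in AUTO_MOUNT_CONTAINERS:
        reasons.append(f"auto-mounting disk image (.{ext})")
        for inner in inner_names:
            if true_extension(inner) in EXECUTABLE_EXTS:
                reasons.append(f"image contains executable: {inner}")
    hint = fake_document_hint(name)
    if hint:
        reasons.append(f"name imitates a .{hint} document")
    return ("block" if reasons else "allow"), reasons


if __name__ == "__main__":
    # Constructed sample mirroring the Phase 1 attachment and its payload.
    print(assess_attachment("3829238055 ,pdf.iso", ["PO 5302,pdf.exe"]))
    print(assess_attachment("invoice.pdf"))
```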

Phase 2.

An obfuscated macro inside a word document.

After a few unsuccessful attempts with the first technique, the attackers switched to using a link instead of an attachment to deliver the malicious trojan. Again, the email posed as a package tracking notification allegedly sent by DHL, and contained a link to a fake receipt doc file.

Analyzing the doc file, we found that it includes a VB script macro designed to be invoked automatically as soon as the victim opens the document in Microsoft Word. It was quite easy to see that this macro script is suspicious, because it was fully obfuscated. Code obfuscation is the use of ordinary programming-language features, such as string manipulation or mathematical operations, to hide the malicious code by making it scrambled, unclear and unreadable. Sometimes the goal is simply to make the code difficult for human researchers to understand.

More importantly, it is used to prevent static engines from detecting the malicious patterns in the code, such as new process execution, file dropping, registry operations, and other exploitation techniques.

At the time the email was sent, the macro was detected by only 3 of 60 static engines on VirusTotal, which tells us that the obfuscation was quite successful. It shows once again that code obfuscation techniques easily bypass detection engines based on static analysis.

A snippet from the original obfuscated macro script:
Sub AutoOpen()
   On Error Resume Next
     For Quvpsd = oRGOz To WtXAuP
       bbsfc = ZpEHB * Int(pMZrj / CDate(GWlDi) / 18706 - Atn(21542)) + (21268 + Sin(PVwvKX) * LpBPMT - Int(8443) + 27253 / JErJYz / ownsi + sjURo)
     Application.Run "ajUttOlrHcNt", RzwPOEsX
     For TFMrz = AkpTrn To XTYET
       MSTKw = iSowS * Int(vivuiw / CDate(rQXNM) / 39797 - Atn(11203)) + (803 + Sin(HETiAQ) * rzuNUV - Int(51246) + 23475 / XYvIXc / crbkoE + psWDL)
End Sub
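The signals a static scanner can still pick up in a macro like the one above, written as an added example rather than code from the original post: an auto-run entry point, error suppression, a suspicious call, a high density of meaningless math calls, and machine-generated identifier names. The two macro bodies embedded below are constructed (the first copies the snippet's identifiers), and the thresholds are assumptions, not a tuned model.

```python
import re
from typing import Dict

# Constructed copy of the obfuscated AutoOpen excerpt shown above (same identifiers).
OBFUSCATED_MACRO = '''Sub AutoOpen()
   On Error Resume Next
     For Quvpsd = oRGOz To WtXAuP
       bbsfc = ZpEHB * Int(pMZrj / CDate(GWlDi) / 18706 - Atn(21542)) + (21268 + Sin(PVwvKX) * LpBPMT - Int(8443) + 27253 / JErJYz / ownsi + sjURo)
     Application.Run "ajUttOlrHcNt", RzwPOEsX
     For TFMrz = AkpTrn To XTYET
       MSTKw = iSowS * Int(vivuiw / CDate(rQXNM) / 39797 - Atn(11203)) + (803 + Sin(HETiAQ) * rzuNUV - Int(51246) + 23475 / XYvIXc / crbkoE + psWDL)
End Sub'''

# Constructed benign macro with the same auto-run entry point, for comparison.
BENIGN_MACRO = '''Sub AutoOpen()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
    MsgBox "Welcome to the quarterly report template"
End Sub'''

AUTO_EXEC = re.compile(r"\bSub\s+(AutoOpen|Document_Open|AutoExec|Workbook_Open)\b", re.I)
ON_ERROR = re.compile(r"\bOn\s+Error\s+Resume\s+Next\b", re.I)
SUSPICIOUS = re.compile(r"\b(Application\.Run|Shell|CreateObject|GetObject|StrReverse)\b", re.I)
NOISE_MATH = re.compile(r"\b(Int|Sin|Cos|Atn|Tan|Sqr|CDate)\s*\(", re.I)
STRING_LIT = re.compile(r'"[^"]*"')
IDENT = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
VBA_WORDS = {w.lower() for w in (
    "Sub End Function On Error Resume Next For To Step If Then Else Dim As Set "
    "True False Int Sin Cos Atn Tan Sqr CDate Application Run AutoOpen").split()}


def looks_random(ident: str) -> bool:
    """Heuristic: generated names tend to have no vowels or long consonant runs."""
    letters = re.sub(r"[^a-z]", "", ident.lower())
    vowels = sum(ch in "aeiou" for ch in letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", letters)), default=0)
    return (len(letters) >= 4 and vowels == 0) or longest_run >= 5


def score_macro(source: str) -> Dict[str, object]:
    """Return the individual signals plus a 0-5 score for one VBA macro body."""
    code = STRING_LIT.sub('""', source)  # ignore identifiers inside string literals
    idents = {i for i in IDENT.findall(code) if i.lower() not in VBA_WORDS}
    random_ratio = sum(map(looks_random, idents)) / len(idents) if idents else 0.0
    signals = {
        "auto_exec": bool(AUTO_EXEC.search(code)),
        "error_suppression": bool(ON_ERROR.search(code)),
        "suspicious_call": bool(SUSPICIOUS.search(code)),
        "math_noise": len(NOISE_MATH.findall(code)) >= 3,
        "random_identifiers": random_ratio >= 0.25,
    }
    return {**signals, "random_ratio": round(random_ratio, 2), "score": sum(signals.values())}
```

A benign AutoOpen macro scores 1 (the entry point alone is not suspicious), while the obfuscated excerpt trips all five signals.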

Under all of the aforementioned obfuscation, this macro script extracts an encrypted PowerShell command, which runs an executable file downloaded from a remote HTTP server. Analysing this file reveals that it is a trojan called Emotet, designed to collect financial information from the infected computer.


The executable hash is f759bedc1953d63c131d1cbbf641ceb1.
Some of the servers that download the exe files are:

Phase 3.

A fake source pretending to be DocuSign.

One day after the previous incidents, the same customer got an email from a fake source pretending to be DocuSign. A Word document was attached to this email, and once again it contained an obfuscated macro script that downloads and executes another banking trojan.


The executable hash is 4598fe6c73be9f241006dfb35a76704a and it is probably a variant of Trickbot (a banking trojan).

Quote from the customer.

“Integrating Perception Point’s platform into our Office365 instance was quick and seamless with absolutely no impact to our email delivery service levels, and in less than a month they’ve already blocked a potentially damaging attack that could have easily tricked our users and caused a serious disruption. It’s rare that I see immediate returns that quickly.”
James Rutt, CIO/CISO, Dana Foundation.

Want to know more?

Contact Us.