Dangerous Invoices and Dangerous Infrastructure

One of the things I've learned in twenty-nine years investigating malware is that MOST bad guys are lazy and cheap.  One of the main ways that shows up is in the reuse of infrastructure.  Or as one of my criminology friends says it "most criminals are caught by identifying patterns of habit and convenience."  That's why it can sometimes be useful to examine a malware sample, even if it fails to trigger due to age.  It is likely that OTHER samples are using the same infrastructure or deployment system.

My friends at Cofense published their finding last week that Microsoft Office macros are still the number one way that malware is being delivered via email, accounting for 45% of all malware delivery mechanisms they have recently studied.  Anyone with a spam collection can quickly reach that same conclusion.  A couple such campaigns even showed up in my personal email this week.

Here's three emails from consecutive days last week sent to one of my personal email domains:

A Purchase Order from "ADNOC" (Sep 6, 2018)

A Purchase Order from H&H Nails (Sep 5, 2018)

A Purchase Order from SS Braid (Sep 4, 2018)
The most convincing phish, as PhishMe and later Cofense have repeatedly demonstrated by studying what millions of customers actually click on, are those which imitate a common business practice, such as these Purchase Orders. In an attempt to be helpful, many will open a Purchase Order received in email, even if they don't recognize the company name, often as a means of directing the PO to the appropriate department.  Big Mistake!

Working from oldest to newest: 

SS BRAID PO.doc was recognized as being malicious by 33 of 59 AV vendors at VirusTotal - a helpful analysis from VMRay, linked in the comments section tells us that the sample attempts to download "kc.exe" from the site rollboat[.]tk.
sale contract.doc was recognized as being malicious by 29 of 59 AV vendors at VirusTotal - and in this case, Dr.Web shared their analysis with VirusTotal, also revealing that the action of open the document would launch the same "kc.exe" file from rollboat, as the other file.

As it turns out, in the three consecutive daily email blasts identified above, each sample had two email attachments, and they were all the same attachments only with different names.
The three 386KB files all had the same hashes, and the three 176KB files also all had the same hashes.  So, for at least September 4, 5, and 6, 2018, kc.exe was the target that the malicious actor wanted us to launch on our computer.  The file is no longer available, which could stall the investigation, but let's look at Habit and Convenience.  If the actor is already hosting on rollboat[.]tk, is it not likely he'll keep doing so until someone prevents him?

Each of the subdirectories contained additional malicious files.  By the directory time stamps, its clear that this criminal continued delivering his malware that began on Sep 4, Sep 5, Sep 6, at least through Sep 14th (Friday).  Since everyone needs a weekend, and business-process-imitating malware is most profitable on weekdays, the criminals haven't uploaded any new malware on Saturday September 15th, or Sunday September 16th.  

The leftover cnn.exe file from September 6th is well-detected (32 of 67 at VirusTotal) although Microsoft, Symantec, and TrendMicro all report the executable as "clean."  The more recent ogox.exe file from September 14th has a slightly poorer 1 in 3 detection (20 of 67 at VirusTotal), as is typical for Friday malware only 60 hours later.  (The various AV engines will all tell you that's because blah blah blah.  I'm running their code. I just infected myself with their AV running. Whatever.) 

Invoice.exe = (14 of 67 on VirusTotal)  - (checks smtp.gmail.com and then self-terminates)
Order.exe = (34 of 68 on VirusTotal



Regardless of what this malware actually does, the two take-aways here?  Malware continues to spread by imitating common business practices, such as processing Invoices and Purchase Orders.  And Criminals continue to rely on Habit and Convenience, which means they are still able to be tracked by looking at their infrastructure choices.

Article Link: http://garwarner.blogspot.com/2018/09/dangerous-invoices-and-dangerous.html