[ TECHNICAL TEARDOWN: DBS MalSpam Attack – Bank Fund Transfer ]

Previously, we have written about a MalSpam attack in Japan.

Recently, we have found several emails that are being sent out targeting DBS users.

[ Sample used in the analysis ]
MD5: 0a7150f13a5ad4e496992374082232f8
SHA256: d69e487eb19b229901ab9857d508e9ec8e33bd5c5dbfd53b8caaa2de06f1565f

[ Part 1 : Getting Started ]
For those who want to follow along, this is a link to the .eml file d69e487eb19b229901ab9857d508e9ec8e33bd5c5dbfd53b8caaa2de06f1565f

Do note, this is a MALICIOUS file, so please do the analysis in a “safe” environment. The password to the attachment is “infected29A”.

Opening up the .eml file with Visual Studio Code, we can see that the email contains a malicious DOC file (271-20170627-55147_109.doc).

We can also see the contents of that email.
Dear Customer,

This attached Advice is sent to you for information only.

This is an automatically generated notification.

Please do not reply to this email. Contact us at our corporate hotline at 1800-222-2200 between
8:30am to 6:15pm, for any service requests.

Yours Sincerely,
DBS Bank Ltd

However, we are more interested in the malicious DOC file. Let’s Base64-decode the attachment back into a DOC file. After decoding it, we can see that this malicious DOC file contains VBA, as shown in the image below.
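The extraction step above (pull the Base64-encoded attachment out of the .eml, decode it, hash it and check whether it is an OLE document carrying a VBA project) can be scripted with the Python standard library. The block below is an added example and not the author's own tooling; the message it parses is constructed inline (a fake OLE header plus a UTF-16LE “VBA” directory-entry marker) so it runs offline and is not the real DBS sample. The VBA check is a byte-pattern heuristic only; a proper macro extraction would use oletools/olevba.

```python
"""Extract, decode, hash and triage attachments from a .eml file.

Added example, not code from the original post. The sample message is
constructed for the demo; only the attachment filename is taken from the post.
"""
import email
import hashlib
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Magic bytes of an OLE2 compound document (legacy .doc / .xls / .ppt).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# OLE directory entry names are stored as UTF-16LE, so a macro-bearing
# document carries "VBA" in that encoding; look for the ASCII form as well.
VBA_MARKERS = (b"VBA", "VBA".encode("utf-16-le"))


def build_sample_eml() -> bytes:
    """Construct a small multipart message with a fake OLE .doc attachment.

    The attachment is constructed data: OLE header, padding and a UTF-16LE
    'VBA' marker. It exercises the extractor and is not a real document.
    """
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"
    msg["To"] = "customer@example.invalid"
    msg["Subject"] = "Bank Fund Transfer Advice"
    msg.set_content("This attached Advice is sent to you for information only.\n")
    fake_doc = OLE_MAGIC + b"\x00" * 32 + "VBA".encode("utf-16-le") + b"\x00" * 16
    # add_attachment() base64-encodes binary payloads, as the phishing mail did.
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="271-20170627-55147_109.doc")
    return msg.as_bytes()


def extract_attachments(raw: bytes) -> List[Dict]:
    """Decode every attachment in a raw RFC 822 message and describe it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if data is None:
            continue
        results.append({
            "filename": part.get_filename() or "<unnamed>",
            "content_type": part.get_content_type(),
            "size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "is_ole": data.startswith(OLE_MAGIC),
            "has_vba_marker": any(m in data for m in VBA_MARKERS),
        })
    return results


def triage(attachments: List[Dict]) -> List[str]:
    """Return the filenames of OLE attachments that look like they carry VBA."""
    return [a["filename"] for a in attachments if a["is_ole"] and a["has_vba_marker"]]


if __name__ == "__main__":
    found = extract_attachments(build_sample_eml())
    for att in found:
        print(f"{att['filename']}  {att['content_type']}  {att['size']} bytes")
        print(f"  md5    {att['md5']}")
        print(f"  sha256 {att['sha256']}")
        print(f"  OLE={att['is_ole']}  VBA marker={att['has_vba_marker']}")
    print("flagged:", triage(found))
```

Run it against a real .eml by replacing `build_sample_eml()` with `open(path, "rb").read()`; the SHA256 printed for the decoded DOC is what you would compare against the hash listed at the top of this post.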

As the VBA is quite short, we can extract out the decryption method and make use of dotnetfiddle to have a quick decryption of the strings. I’ve made a simple fiddle to show the deobfuscated strings here:

As you can see here, the VBA will attempt to download the payload from
– http://wallpaperbekasi[.]co[.]id/bankadvise/271-20170627-55164_45PDF.exe

The downloaded payload is developed in VB.net.
A quick analysis on the downloaded payload indicates that it’s most likely a dropper.

So let’s load it up in OllyDbg and set a breakpoint on “WriteProcessMemory”.
To do that, right-click, choose “Go to” -> “Expression”, type “WriteProcessMemory”, and set the breakpoint there with F2.

Now you can step through it, and eventually you will reach the point shown in the image below.

Now right-click on “Buffer”, click on “Follow in Dump”, and you will find the dropped payload at 0x037C0150.

Now dump out the dropped payload.
We can see that it’s yet another Obfuscated .NET malware.

We can use de4dot to deobfuscate it and we should get back a cleaner version of it as shown below.

As I don’t want to bore everyone: a quick look at the deobfuscated strings suggests the malware is most likely AgentTesla.

The stolen credentials are sent back via email to:
username: [email protected]
password: etou01315

I’ll update this post as I find time to take it apart.

Thanks & Regards
Jacob Soo

Emails containing malicious Doc

Malicious Doc

Downloaded Payload – 702a17b7accceaa6ffb817a3adf37323a34944d643cbb4524c4e6b7c0900c5e5
Dropped Obfuscated TeslaAgent – 4B6164F16309F6E8426FB89F4AF810929FE574B2EBB724F5CB2237863736E316
Deobfuscated TeslaAgent – 6EAD076346EC568160821BB47F49D463689656F102EDAA06DBA907FDAE3FD5AE

Article Link: http://www.vxsecurity.sg/2017/07/04/technical-teardown-dbs-malspam-attack-bank-fund-transfer/