Sunday, September 16, 2018

Dangerous Invoices and Dangerous Infrastructure

One of the things I've learned in twenty-nine years investigating malware is that MOST bad guys are lazy and cheap. One of the main ways that shows up is in the reuse of infrastructure. Or, as one of my criminology friends puts it, "most criminals are caught by identifying patterns of habit and convenience." That's why it can sometimes be useful to examine a malware sample, even if it fails to trigger due to age. It is likely that OTHER samples are using the same infrastructure or deployment system.

My friends at Cofense published their finding last week that Microsoft Office macros are still the number one way that malware is being delivered via email, accounting for 45% of all malware delivery mechanisms they have recently studied.  Anyone with a spam collection can quickly reach that same conclusion.  A couple such campaigns even showed up in my personal email this week.

Here are three emails from consecutive days last week, sent to one of my personal email domains:

A Purchase Order from "ADNOC" (Sep 6, 2018)

A Purchase Order from H&H Nails (Sep 5, 2018)

A Purchase Order from SS Braid (Sep 4, 2018)
The most convincing phish, as PhishMe and later Cofense have repeatedly demonstrated by studying what millions of customers actually click on, are those which imitate a common business practice, such as these Purchase Orders. In an attempt to be helpful, many will open a Purchase Order received in email, even if they don't recognize the company name, often as a means of directing the PO to the appropriate department.  Big Mistake!

Working from oldest to newest: 

SS BRAID PO.doc was recognized as being malicious by 33 of 59 AV vendors at VirusTotal - a helpful analysis from VMRay, linked in the comments section, tells us that the sample attempts to download "kc.exe" from the site rollboat[.]tk.
MD5: 02b6f049f4d8246ee982d8c34a160311

sale contract.doc was recognized as being malicious by 29 of 59 AV vendors at VirusTotal - and in this case, Dr.Web shared their analysis with VirusTotal, also revealing that opening the document would launch the same "kc.exe" file from rollboat as the other file.
MD5: 736de7cd6a9c76bd7df49e6b3df6000e
SHA-1: 1315994222d45410c8508cf614378e35c4f56c94


As it turns out, in the three consecutive daily email blasts identified above, each sample had two email attachments, and they were all the same attachments only with different names.
The three 386KB files all had the same hashes, and the three 176KB files also all had the same hashes.  So, for at least September 4, 5, and 6, 2018, kc.exe was the target that the malicious actor wanted us to launch on our computer.  The file is no longer available, which could stall the investigation, but let's look at Habit and Convenience.  If the actor is already hosting on rollboat[.]tk, is it not likely he'll keep doing so until someone prevents him?

Each of the subdirectories contained additional malicious files. By the directory time stamps, it's clear that this criminal continued delivering the malware that began on Sep 4, 5 and 6 at least through Sep 14th (Friday). Since everyone needs a weekend, and business-process-imitating malware is most profitable on weekdays, the criminals haven't uploaded any new malware on Saturday September 15th or Sunday September 16th.
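As an added illustration, not code from the original post: a short Python script that does the two pivots described above on constructed stand-in data (the attachment bytes and the directory listing are made up here, since the real files are not reproduced). It collapses differently named attachments by hash, and reads upload dates out of an open directory listing to see which weekdays the actor is active.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Constructed stand-ins for the six attachments; only the rename pattern is real.
ATTACHMENTS = {
    "2018-09-04": {"SS BRAID PO.doc": b"payload-A", "sale contract.doc": b"payload-B"},
    "2018-09-05": {"H&H Nails PO.doc": b"payload-A", "contract.doc": b"payload-B"},
    "2018-09-06": {"ADNOC PO.doc": b"payload-A", "agreement.doc": b"payload-B"},
}

# Constructed Apache-style autoindex lines; names and dates follow the post.
LISTING = """<a href="kc.exe">kc.exe</a>  04-Sep-2018 08:12  176K
<a href="cnn.exe">cnn.exe</a>  06-Sep-2018 09:40  177K
<a href="ogox.exe">ogox.exe</a>  14-Sep-2018 11:03  180K
"""

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def cluster_by_hash(attachments):
    """Map each SHA-1 to the (date, filename) pairs carrying that content."""
    clusters = defaultdict(list)
    for day, files in attachments.items():
        for name, blob in files.items():
            clusters[sha1_hex(blob)].append((day, name))
    return dict(clusters)

LISTING_RE = re.compile(
    r'href="([^"]+)"[^>]*>[^<]*</a>\s+(\d{2}-\w{3}-\d{4} \d{2}:\d{2})')

def parse_listing(html: str):
    """Return (filename, upload timestamp) for each entry in an autoindex page."""
    return [(m.group(1), datetime.strptime(m.group(2), "%d-%b-%Y %H:%M"))
            for m in LISTING_RE.finditer(html)]

def uploads_per_weekday(entries):
    """Count uploads by weekday name to test the 'no weekend uploads' pattern."""
    counts = defaultdict(int)
    for _, stamp in entries:
        counts[stamp.strftime("%A")] += 1
    return dict(counts)

def newest_upload(entries):
    """The most recently uploaded file, i.e. the one to re-check on Monday."""
    return max(entries, key=lambda e: e[1]) if entries else None
```

With the constructed data, the six attachments collapse to two hashes and the listing shows uploads only on Tuesday, Thursday and Friday.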

The leftover cnn.exe file from September 6th is well-detected (32 of 67 at VirusTotal) although Microsoft, Symantec, and TrendMicro all report the executable as "clean."  The more recent ogox.exe file from September 14th has a slightly poorer 1 in 3 detection (20 of 67 at VirusTotal), as is typical for Friday malware only 60 hours later.  (The various AV engines will all tell you that's because blah blah blah.  I'm running their code. I just infected myself with their AV running. Whatever.) 

Invoice.exe - 14 of 67 on VirusTotal (checks smtp.gmail.com and then self-terminates)
MD5: 1261b8382cfa2b905f0f52a3aef49ce4
SHA-1: e80c07f700cf817a1eca1f8186f820492f8a2fbc

Order.exe - 34 of 68 on VirusTotal
MD5: 57b430ea422d1f33fef19f02fb85c7f0
SHA-1: 60a64400207fd9835899189aa0c3cbca027fe8cf

MD5: 0fa8876252c632b64afad8fd7fa6344f
SHA-1: ab372d169743758bb81abaa4bc303d5303f6d913

ogo.exe - 44 of 68 on VirusTotal
MD5: f321b38b171a3cbc1eff4a41ac5bbe47
SHA-1: da61f88e2e95a23e58d96cf845c523fd10023cb7

Regardless of what this malware actually does, there are two take-aways here. Malware continues to spread by imitating common business practices, such as processing Invoices and Purchase Orders. And criminals continue to rely on Habit and Convenience, which means they can still be tracked by looking at their infrastructure choices.

Update

Monday morning, back to work!  Sure enough, we checked the rollboat directory for fresh files this morning:

VirusTotal 19 of 65
MD5: 793a3a5e434add85d24df212bf3a72d0
SHA-1: cedcb4b74baf0ba7b39aeea1983bd2f48586e9a4

MD5: d13f100887011e3110b224779c11594b
SHA-1: 22971ed9a43f7f8e9b8b55de9d28406bb83cffb1

VirusTotal 20 of 67
MD5: de1a7961917537084aa383fd398beac5
SHA-1: a52e447bfe24760c31142f9a3b0efc90cd7c2366

I'll also note that this morning on my Windows 10 machine running current Chrome, the file downloads were prevented - marked "This file is dangerous, so Chrome has blocked it." When I told Chrome to let me download one anyway, Windows Defender stopped it. Sharing information DOES help!
