Malware emails 2: Russian boogaloo

Today I got yet another malware email. They just won’t leave me alone. I suspect it has to do with the upcoming US election, based on all the CISA alerts I’ve seen over the last couple days.

However, after going down the rabbit hole with this malware I do suspect that whatever is behind it is more sophisticated than a simple ransomware gang. I won’t speculate too much, but because of its highly distributed and evasive design it could be the work of a larger enterprise.

The email itself is pretty basic:

Job Application
From:Stephenie Schmuff <Stepheni.Schmu@mail.com>
To:Noah Bailey <imadumbrobot@nbailey.ca>
Date:Friday, October 23rd, 2020 at 14:50

Dear,

I'm very interested in applying for a position you advertised on the employment portal recently.

Please take a minute to review my attached Resume and Cover letter Documents:

- Up-To-Date Resume
- Customized Cover Letter

It would be a great pleasure to hear back from you soon to discuss this exciting opportunity.
Thank you.

Pretty dumb, considering I have zero employees and have never posted any jobs anywhere. What would an employee of mine do exactly? Wash my dishes? Feed my cats? All I ask is that these hackers do a little due diligence!!

Regardless, I grabbed a zip of the attachments and fed it through a few sandboxes.

Stage 1: Excel macros

First was to feed the excel sheet directly into Hybrid-Analysis (CrowdStrike):

https://www.hybrid-analysis.com/sample/0bd62462edc5ca217ba2cdc54e717b951a0eec461705f1d2c28f382dd63b77b2?environmentId=120

Sadly, it was unable to perform a proper analysis marking it as ambiguous.

JoeSandbox did a lot better, finding some interesting results:

https://www.joesandbox.com/analysis/303332/0/html

Namely, it extracts a macro that downloads a file from a remote server: hxxp://205.185.113.20/cXQT5g

According to public whois data, that IP belongs to FranTech Solutions. Attempting to access the site gives this message:

*   Trying 205.185.113.20:80...
* Connected to 205.185.113.20 (205.185.113.20) port 80 (#0)
> GET / HTTP/1.1
> Host: 205.185.113.20
> User-Agent: curl/7.73.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Server: nginx
< Date: Fri, 23 Oct 2020 20:37:33 GMT
< Content-Type: text/html; charset=UTF-8
< Content-Length: 26
< Connection: keep-alive
< Cache-Control: no-cache, no-store, must-revalidate,post-check=0,pre-check=0
< Expires: 0
< Last-Modified: Fri, 23 Oct 2020 20:37:33 GMT
< Pragma: no-cache
< Vary: Accept-Encoding
< 
* Connection #0 to host 205.185.113.20 left intact
Default campaign not found

Based on the ‘Default campaign not found’ text, I suspect that this is a compromised webserver that is being used to distribute the malware.

Stage II: The Trojan

This analysis was based largely on these sandbox reports:

• https://www.hybrid-analysis.com/sample/e37e83f6d5e73a831beed5fe4375bd70caecdad3ef39c579e398f66a75ea4d5a/5f9334560fe6bd4de0557ee0
• https://www.joesandbox.com/analysis/303342/0/html

After the macro runs, this payload is downloaded and run in the background.

According to the scanner reports, it has two URLs on the server, though they are the exact same file:

• hxxp://205.185.113.20/files/2.dll
• hxxp://205.185.113.20/cXQT5g

When executed, the payload contacts an additional IP, 91.203.192.40:80 which appears to be the C2 server.

Next, msiexec is triggered by the dll file. This appears to be the piece that installs the persistent trojan.

During this stage of execution, there are some additional domains contacted by this malware:

donburitimesofindia.com. 600    IN      A       91.203.192.40
celtictimesofkarishan.com. 600  IN      A       91.203.192.40
wingtonwelbemdon.com.   600     IN      A       91.203.192.40
myworld2002020999.com  # NXDOMAIN
welcometothehotelsoflifes.com # NXDOMAIN
wheredidtheelllcctoncsgo.com # NXDOMAIN

When I attempted to map out the C2 server it appeared to be offline:

*   Trying 91.203.192.40:80...
* Connected to 91.203.192.40 (91.203.192.40) port 80 (#0)
> GET / HTTP/1.1
> Host: 91.203.192.40
> User-Agent: curl/7.73.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 503 Service Unavailable
< Cache-Control: no-cache
< Connection: close
< Content-Type: text/html
< 
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>
* Closing connection 0

Nmap reveals some interesting information:

PORT    STATE    SERVICE      VERSION
22/tcp  open     ssh          OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey: 
|   2048 de:50:0c:82:bd:b9:a0:f0:82:7c:bd:ce:b1:10:b9:0f (RSA)
|   256 51:38:7c:76:e5:31:e4:30:88:cc:49:bf:fe:c5:c8:e8 (ECDSA)
|_  256 45:6d:45:fe:4c:94:e2:f8:28:dc:07:2e:c2:95:20:10 (ED25519)
25/tcp  filtered smtp
80/tcp  open     http-proxy   HAProxy http proxy 1.3.1 or later
|_http-title: Site doesn't have a title (text/html).
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
443/tcp open     https?
445/tcp filtered microsoft-ds
Service Info: OS: Linux; Device: load balancer; CPE: cpe:/o:linux:linux_kernel

Likewise, according to whois data it is registered to a Russian ISP:

organisation:   ORG-GL395-RIPE
org-name:       Garant-Park-Internet LLC
org-type:       LIR
address:        Trofimova st., 1/17
address:        115432
address:        Moscow
address:        RUSSIAN FEDERATION
admin-c:        KV3284-RIPE

After examining the reports, I tried some different URLs but didn’t make any progress mapping out the C2 server:

$ curl -XPOST http://donburitimesofindia.com/web/post.php -H 'User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36' -vvv
*   Trying 91.203.192.40:80...
* Connected to donburitimesofindia.com (91.203.192.40) port 80 (#0)
> POST / HTTP/1.1
> Host: donburitimesofindia.com
> Accept: */*
> User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx
< Date: Fri, 23 Oct 2020 21:33:47 GMT
< Content-Type: text/html; charset=UTF-8
< Content-Length: 2
< Connection: close
< 

Despite my efforts, I can’t seem to decode the ‘magic string’ that the malware POSTs to this server:

[g+|?sy6WT=}XJ%~Wh~6hoq3H7*U{m4PV}Q}{Am3%b ?k+/7,?8nUh]q|$MH,<!9">f(a xQ:9?|,H<&Goakp0V}a3p@3hgxQ_G&B'+s:`"CdUcj^t!-bifBV')WpB1=]La-Q5ECdv*f~:\jj\V")3T85/_yHGE}o7I+M!ma825tn#)$;`r

Nonetheless, this is virulent and malicious software that we must fight back against.

Sysadmin’s Revenge

To protect the community, I have taken the following actions:

• Contacted mail.com support to report the account for abuse
• Contact the admin at FranTech regarding the compromised webserver (205.185.113.20)
• Submitted an abuse ticket to NameCheap for the three active domains, and to potentially blacklist the three unregistered domains

So, within the next hours and days this operation will hopefully be shut down and inactive.