Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Down the Rabbit Hole: Extracting Maliciousness from MSG Files Without Outlook

Email As Infection Vector

Recently, we noticed a spam email with a Message (.MSG) file attached with it. As you may know, MSG file is a file format for storing Microsoft Outlook and Exchange message files.

This spam email claims to be a Tax Notification from Canada Revenue Agency, and of course the "statement file" is attached with it for the recipient to "find out". As you can see, the .MSG file is an attachment to the spam message.

9536_5f1bb005-c6d5-4796-87f4-b0714262f21f

Extracting The Malware

The objective of this analysis is to extract the malicious object from the .MSG file without the help of MS Outlook. So first things first, let's verify if the .MSG file (MD5: b14b5b1bda41f27976050357f5a59e5a) is indeed an OLE2 (Object Linking and Embedding) compound file – a file format used for storing MS Office documents.

9825_6dea2cf4-b4bf-4d24-bbc3-e42216da2c72

At first glance, we can see that the magic header "d0cf11e0"is there. So yes! it seems to be a legitimate OLE compound file. However, it doesn't seem to have any malicious macros, exploits or whatsoever.

So the next step is to extract the .MSG file. I used the 7zip utility which can surprisingly extract OLE containers. By renaming the file extension from .msg to .zip, we can extract the message file with 7zip. You may also use the Microsoft's DocFile viewer - DFVIEW.EXE (which is shipped with MS Visual Studio) to extract the file.

9114_4ab3b6ca-ab2f-4478-8fd1-e2d379879ff7

And here's a screenshot of the extracted stream objects:

8116_18947bd1-de13-4cc5-855c-7a0c7c82a9b3

 

The extracted streams contain email properties, headers, body and attachments. The stream object we are interested are inside the "__attach_version*" folders. Most likely, this is where the (malicious) attachments are stored.

Let's take a look at the attachment streams inside those folders:

Folder #1: __attach_version1.0_#00000002
Extracted stream attachment:

__substg1.0_37010102 – image of a PDF file screenshot in .PNG format

Image screenshot:

11966_d284b67b-de96-4e26-a514-7883d3c002cb

 

 

Folder #2: __attach_version1.0_#00000001
Extracted stream attachment:

__substg1.0_37010102 – image of a PDF file screenshot in .EMF format

Image screenshot: 11867_cd50a966-d18f-414b-bdb6-c5b96ecdba44

 

 

Folder #3: __attach_version1.0_#00000000
Extracted stream attachment __substg1.0_37010102 - Zlib compressed binary data
Binary screenshot 8796_3aa46a31-f99b-4fb4-8be0-5b47a3dd563e

 

 

As you can see under Folder #1 and #2, it contains an image of a spoofed PDF file, it also uses a spoofed filename "case_645461.pdf". The extracted stream under Folder #3 is the stream __substg1.0_37010102. This is the file we are most interested in. While it is compressed, we can deflate it using ZLIB compression library. The image below shows the compressed data starts at offset \x04 with the Zlib signature [\x78 \x9C]

12611_f0be4b72-ec26-4b95-87e9-7af8074498fb

To accomplish this task, I chose to use Python's ZLIB library to deflate the stream.

import zlib #let's import zlib module
compressed_data = file("__substg1.0_37010102","rb").read() #let's read the compressed data
layer2 = zlib.decompress(compressed_data[4:]) #decompress data from offset\x04
f = open("layer2.bin","wb") #and save it to a file
f.write(layer2)
f.close()

Now that we saved the deflated stream to the disk, let's inspect what it looks like:

9115_4ab4c793-42aa-4527-9b1d-2cdaebe424d6

Hmmm, that's another layer of OLE File. Let's extract it once again with 7Zip.

12163_dd0ee1ca-7460-484b-9153-809ace677533

In the image above, we can see that OLE file contains yet another layer of compressed data. Again we need to deflate it with the help of our previous Python code.

Below is the deflated stream from the OLE file, It contains a bunch of JavaScript code, let's investigate it!

8992_44f18412-0a04-402d-b35b-8d6ddb68d1b3

The Payload

The JavaScript is heavily obfuscated and, when run, it downloads a malicious executable from the domain "tradestlo.top"

9272_5157cfbe-c66b-4a4f-adc2-8abf5df0cda8

The downloaded executable appears to be a Trojan downloader called Terdot. This Trojan injects its code to Windows Explorer (explorer.exe) process and downloads another banking Trojan Zbot

The Zbot Trojan attempts to connect to the domains: aspect.top and prispectos.top (96.9.244.111) and download its configuration file.

10564_8fab68f1-2670-48ab-b6cd-9e4d729958c6

Zbot is a well-known banking Trojan that has a capability to intercept network traffic and steal system information, online banking credentials and passwords.

Conclusion

We don't often see malicious files embedded in .MSG file attachments. It represents yet another technique used by cybercriminals to bypass email gateways. While extracting the malicious JavaScript object, we encountered layers of compression that would perhaps be difficult for some antivirus product to detect. As you can see in the screenshot below, only handful of security product detects the .MSG file.

9074_48d1e718-a1f6-4040-8f1a-79ad4f214288

For end-users, be wary of opening .MSG file attachments that arrive via email. By default, Outlook will prompt users with a warning, so always verify with your sender if what they send is trustworthy.

8503_2cb31b86-34cb-459f-95e1-4df6bb5fb60c

 

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More