Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Evasive URLs in Spam: Part 2

A URL can be completely valid, yet still misleading. In this blog, we will present another technique with URLs that we observed in a recent malicious spam campaign. This is the continuation of an earlier blog that discussed how valid URL formats can be used in evading detection.

The spams in this campaign have a PowerPoint Add-in attachment which contains a malicious macro. When the PowerPoint file is closed, it accesses a URL via the Windows binary mshta.exe, and this leads to different malware being installed into the system. This routine is not unusual for macro downloaders. However, we find the obfuscation used on the URL interesting and worthy of further investigation.

Email_sample
Figure 1: The spam containing a PowerPoint Add-in and the PowerPoint’s process tree
 
Ppt_hiew
Figure 2: The PowerPoint attachment and its macro code where the initial malicious URL is formulated

 

The domains associated with this campaign are already known to host malicious files and obfuscated malicious data. To trick the email recipient, and avoid being flagged by email and AV scanners, the cybercriminals behind this campaign employed a semantic attack on these URLs.

A URI may have an Authority component and below is its structure. If the Userinfo subcomponent is present, it is preceded by two slashes and followed by an “@” character.

authority = [userinfo@]host[:port]

Userinfo is rarely used, and as such, can be used to try and fool a casual observer. In this campaign, dummy userinfo is incorporated on the URLs. The bad guys are attempting to make the domains unnoticeable yet still conforming with the generic URI syntax.

Url_flow
Figure 3: The URL flow

 

The initial URL shown in the image above has the domain j[.]mp – a URL shortening service offered by Bit.ly, a URL shortener too. To avoid being characterized as a short URL and eventually evading detection signatures, the string “%909123id” is repeatedly used in the userinfo. Since the URL j[.]mp/kassaasdskdd (shortened from Figure 3) does not require a userinfo to gain access to any resources, the userinfo data will be ignored when the URL is accessed. The first URL, accessed by the PowerPoint attachment, redirects to an obfuscated VBScript hosted on Pastebin.

Vbscript
Figure 4: The obfuscated script on Pastebin and its de-obfuscated data
 
RegistryJPG
Figure 5: The registry entry created by the VBScript on Figure 4

 

The VBScript, contained in the 2nd URL in Figure 3, is a dropper. It writes a PowerShell downloader into the registry and sets its persistence. The PowerShell downloads and processes the raw data on two more Pastebin URLs, and then executes the output binaries.

The third and the fourth URLs are Pastebin URLs too. Both contain dummy userinfo as well which will be ignored by the Pastebin URLs. The content at the third URL pastebin[.]com/raw/uhMtv3Bk (shortened from Figure 3) contains an obfuscated PowerShell code. The PowerShell executes 2 DotNet compiled DLLs – the first DLL bypasses the Anti-Malware Scan Interface (AMSI) and then loads a DLL injector into the memory. The fourth URL pastebin[.]com/raw/Nz1mPUdT (shortened from Figure 3) contains an obfuscated malware Lokibot sample. This will be injected to a legit process notedpad.exe by the DLL injector mentioned earlier.

Summary

We found it interesting that the attackers were using URIs in this way, which essentially is an attack on the user’s preconceived notion of what a URI should look like. It may also defeat security solutions, which may be expecting URIs in a certain format.

Trustwave Secure Email Gateway has added protection for this threat for our customers. As advised by my colleague in the blog, be cautious with URLs received from external emails – investigate links before clicking.

IOCs

 Email Attachment
    REQUEST FOR OFFER 08-20-2020.ppt (82944 bytes) SHA1: 01A3399F8A075137CD4F68A2B247C509FCEAB21F

DLL Injectors
    WindowsFormsApplication68.dll (49664 bytes) F8E91A3A407235583058DF06C2C2CCDE73194A03
    Guwav.dll (20480 bytes) SHA1: 70b45d01eea4156610583c8b3dfcab89eeb6f113

Obfuscated VBScipt from pastebin[.]com/raw/XZxTT7Xy
    (3346 bytes) SHA1: FC050B623983B10D60ED4557771609C9D10F3C3A
Obfuscated PowerShell from pastebin[.]com/raw/uhMtv3Bk
    (525125 bytes) SHA1: 047D7516EF672AE882B322F1E3E9DF2BDF7F4583
Lokibot deobfuscated from pastebin[.]com/raw/Nz1mPUdT
    (104.0KB) SHA1: A988B692581A76A6220A641037F7AA254C1F293F
Lokibot Setting URL
    hxxp://195[.]69[.]140[.]147/[.]op/cr[.]php/SczbkxCQZQyVr
Lokibot C&Cs
    kbfvzoboss[.]bid/alien/fre[.]php
    alphastand[.]trade/alien/fre[.]php
    alphastand[.]win/alien/fre[.]php
    alphastand[.]top/alien/fre[.]php

Latest SpiderLabs Blogs

Search & Spoof: Abuse of Windows Search to Redirect to Malware

Trustwave SpiderLabs has detected a sophisticated malware campaign that leverages the Windows search functionality embedded in HTML code to deploy malware. We found the threat actors utilizing a...

Read More

The Sentinel’s Watch: Building a Security Reporting Framework

Imagine being on shift as the guard of a fortress. Your job is to identify threats as they approach the perimeter. The more methods you have for detecting those threats, the better your chances of...

Read More

Fake Advanced IP Scanner Installer Delivers Dangerous CobaltStrike Backdoor

During a recent client investigation, Trustwave SpiderLabs found a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. Our client had been searching for...

Read More