Leveraging Disk Imaging Tools to Deliver RATs

This year we observed a notable uptick in disc imaging software (like .ISO) being used as a container for serving malware via email, with .ISO archives attributing to 6% of all malware attachment archives seen this year.

A disk image is a software copy of a physical disk. It saves the entire data from the disk, including the file structure and all files and folders, in a single file and thus often serves as a full backup. Disk imaging software includes formats like ISO, IMG, VHD, VDI, VMDK, VHD and DAA etc.

In this blog, we will present two recent malspam campaigns that utilize disk image formats in delivering malware through phishing links and as attachments.

Figure 1: Attack flow illustrated here shows disk imaging software like ISO or DAA files are sent as an email attachment or hosted at a site pointed to via a link in an email to infect victims with RATs.

Fake French FedEx Campaign

The first campaign was a fake FedEx shipment email message targeting some of our European customers. The message tricked the victims to click on a link that downloaded an ISO archive containing a single executable of the Nanocore RAT.

An ISO file (often called an ISO image), is a well-known archive file of optical discs like CD/DVD. They are often used for backing up optical discs, or for distributing large file sets. Malware authors have started abusing these archives by re-purposing them to deliver malware. Recent versions of Microsoft Windows 10 and Windows 8 have the built-in ability to mount .ISO disc image files when they are opened, hence making them a hot commodity for scammers.

Figure 2: Screenshot of the email message as displayed to a victim

The email was drafted in the French language, hence targeting French speakers. The lure was short and precise suggesting failure to deliver a FedEx parcel due to incorrect address, while guiding the victim to download the attached document from FedEx to update their address.

Figure 3: Google Translate used to translate the message to English

Clicking on the link (hxxp://madridbg[.]com/FedEx,pdf.iso) downloaded an ISO archive called “FedEx,pdf.iso”. The ISO archive had a relatively low detection on VirusTotal (18/70). This ISO contains a single binary executable in it called “fedex,pdf.exe”, this binary was disguised with a PDF logo as shown in Figure 4.

Figure 4: Executable inside the ISO using a fake PDF logo and PDF extension

Payload Analysis

The Downloaded ISO

Upon opening the ISO, we were presented with an executable file “fedex,pdf.exe”. Analyzing the executable file with DiE (Detect it Easy) suggests that the file was likely packed due to the unusual imports, and lack of strings.

Figure 5: Detect It Easy tool assessment on the executable “fedex,pdf.exe”

Upon execution of the file “fedex,pdf.exe”, the executable creates a new process of the Windows CLI tool “RegAsm” and injects a malicious payload into it leading to networking communication with the C2 Boki0419[.]duckdns[.]org on port 9900.

Figure 6: The network activity of RegAsm process via Process Hacker tool

Looking at the assembly around the call to CreateProcessInternalW, we can see the string “PE” located at “[ebp-4]”. Typically, when we see this “PE” string, we can expect to see a PE file in the allocated region of memory where “[ebp-4]” is within. By following “[ebp-4]” in the memory dump view and browsing the top region of the memory, the infamous MZ signature and DOS stub of a PE file can be seen. The PE file is a .NET executable packed with “Eazfuscator”.

Figure 7: x64 DBG disassembly view of CreateProcessInternalW and dump view of PE file in memory section

Figure 8: Detect It Easy tool identifies the dumped PE to be packed with Eazfuscator

Using De4Dot to remove the “Eazfuscator” obfuscation, the executable “fedex,pdf.exe” is verified to be the malware NanoCore RAT client through the project name after decompilation of the deobfuscated malware and various other strings.

Figure 9: The de-obfuscated copy of the dumped PE file in DnSpy

Many in-depth analyses on the NanoCore client are available online, and we will not go into detail here. But a high-level overview of the NanoCore client's functionality is as follows:

• File Execution
• Mouse Control
• Shutdown/Restart
• Keylogging
• Password Recovery
• Video/Audio Capture
• Lock a System with Custom Encryption
• Reverse Proxy
• Open CD Tray
• Open Webpages
• File Browsing
• View Running Processes
• Registry Editor
• Reverse Shell

The executable “fedex,pdf.exe” contained in the downloaded ISO is Nanocore version 1.2.2.0. Cracks for this version are available online.

Figure 10: Memory dump of the RegAsm process where the NanoCore code was injected

 FedEx.pdf.exe IOCs:

This is the VBS Script used to execute the malware at each system startup (iuhje.exe.vbs):

Figure 11: Screenshot of the Nanocore VBS execution script

This script simply executes the file located at the path of the malware. Because this file is in the “Startup” folder, it will be executed each time the operating system starts.

Malware Invoices with DAA

After analyzing the ISO image case above, we hunted around for similar campaigns that use other disk image formats and found a recent one. This campaign spammed fake invoices through an email attachment – this time with the disk image format DAA.

The sender domain in the emails were spoofed from actual businesses, however we noticed that the display name used in From address often didn’t match the name or local-part of the email address (e.g. From: “John Doe” <bruce.wayne@wayneenterprises.com> ) suggesting random scripts being used by the scammers. In addition to the header, the content in the email body like company email templates, physical and post addresses, contact numbers and employee names, seem to be randomly selected details of legit businesses. The text in the email body directs the recipient to open the DAA attachment.

Figure 12: Invoice spam containing DAA attachment

DAA stands for Direct Access Archive. Unlike ISO files, DAA files are not recognized by Windows, hence, they will not be mounted when double clicked. Only Windows machines with installed disk image editing applications like PowerISO, UltraISO, and WinArchiver can open these files.

Figure 13: PowerISO software used to open the DAA attachment and extract the executable

The DAA attachments observed from this campaign contains only one executable file, which follows the filename of the parent DAA but with .com and .exe as file extensions. The executables are the latest version of Remcos RAT v2.5.0 Pro.

Invoice 0947523.daa -> Invoice 0947523.com
Purchase Order 7854-02536.daa -> Purchase Order 7854-02536.exe

Remcos is one of the popular remote access tools today, mostly because it can be easily obtained. Also, this RAT gets updated frequently. Around 3 months ago, we saw a campaign leading to the then latest Remcos RAT version 2.4.7 Pro. Now, the latest version 2.5.0 Pro is being spammed.

The Remcos executables contained in the DAA attachments both connect to a free dynamic DNS Johnsonmullaly[.]ddns [.] net on port 8486. It logged the users activity on %appdata%\remcos\logs.dat

Figure 15: Registry and log file creation of the Remcos RATs

Remcos v2.5.0 Pro has a new feature and this is clearing logins and cookies of the browsers. As RATs are used to take control of the compromised system, we believe this feature could be used to clear any traces of the attacker’s malicious activities from the web browsers.

Figure 16: Memory dump of “Purchase Order 7854-02536.exe” showing the strings related to the Remcos v2.5.0 Pro

Conclusion

We observed a significant shift in malicious spam this year where cybercriminals are experimenting more with disk image archives like .ISO and .DAA for packaging their malware attachments, in an attempt to evade detection from email scanning gateways.

Most email gateways block all attachments with executables. Cybercriminals are finding innovative ways to conceal such executables inside containers to evade detection at the gateway. We looked back on spam messages containing disk image attachments we received this year and observed that the majority of malware contained in them were RATs like Remcos and Nanocore, while other samples included info-stealers like Lokibot.

Comparatively, ISO is a more popular disk image format than DAA and is supported by several archiving tools like the latest version of 7Zip (19.00) and WinRar (5.80). On the other hand, DAA archives are only accessible through proprietary software like PowerISO, UltraISO, and WinArchiver. We believe that due to better unpacking support, the ISO format has become a more popular archiving tool for cybercriminals, enabling them to use such attachments for spray and pray operations, while DAA archives are more likely to be used for targeted attacks. The malicious archives that are easier to unpack have relatively have higher AV detections compared to archives like DAA where unpacking may present a challenge.

Although the attack campaigns analyzed here do have some similarities, based on the information we have it is difficult to conclude whether the perpetrator is a single threat actor or different groups. Some similarities are listed here

• Both campaigns use Invoice or PO email lures with random legit company templates and addresses to infect their victims.
• Both campaigns use a disk imaging software archive with a single packed executable.
• Both campaigns used free dynamic DNS as C&C such as duckdns and ddns

Finally, for customers of our Trustwave Secure Email Gateway (SEG), we’ll add that the SEG effectively detects these sorts of threats bundled inside disk imaging containers using a combination of its unpacking engine and its multi-layered threat detection technology.

Hashes and IOCs