SpiderLabs Blog

Leveraging Disk Imaging Tools to Deliver RATs

Authors: Diana Lopera, Joshua Deacon, and Fahim Abbasi

This year we observed a notable uptick in disk image formats (like .ISO) being used as containers for serving malware via email, with .ISO archives accounting for 6% of all malware attachment archives seen this year.

A disk image is a software copy of a physical disk. It saves the entire contents of the disk, including the file structure and all files and folders, in a single file and thus often serves as a full backup. Disk image formats include ISO, IMG, VHD, VDI, VMDK and DAA, among others.

In this blog, we will present two recent malspam campaigns that utilize disk image formats in delivering malware through phishing links and as attachments.

Figure 1: Attack flow. Disk image files like ISO or DAA are sent as an email attachment or hosted on a site linked from an email, infecting victims with RATs.

Fake French FedEx Campaign

The first campaign was a fake FedEx shipment email message targeting some of our European customers. The message tricked victims into clicking on a link that downloaded an ISO archive containing a single executable: the Nanocore RAT.

An ISO file (often called an ISO image) is a well-known archive format for optical discs like CDs and DVDs. ISO files are often used for backing up optical discs or for distributing large file sets. Malware authors have started abusing these archives by re-purposing them to deliver malware. Recent versions of Microsoft Windows 10 and Windows 8 have the built-in ability to mount .ISO disc image files when they are opened, making them a hot commodity for scammers.

Figure 2: Screenshot of the email message as displayed to a victim

The email was drafted in French, hence targeting French speakers. The lure was short and to the point: it claimed that a FedEx parcel could not be delivered due to an incorrect address and guided the victim to download the attached document from FedEx to update their address.

Figure 3: Google Translate used to translate the message to English

Clicking on the link (hxxp://madridbg[.]com/FedEx,pdf.iso) downloaded an ISO archive called “FedEx,pdf.iso”. The ISO archive had a relatively low detection rate on VirusTotal (18/70). The ISO contains a single executable, “fedex,pdf.exe”, disguised with a PDF logo as shown in Figure 4.

Figure 4: Executable inside the ISO using a fake PDF logo and PDF extension
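As an added example (not code from the SpiderLabs post), the following Python walks the ISO 9660 root directory of an image the way a gateway unpacker would and flags the pattern described above: a single file that is a PE and whose name mimics a document. The sample image is constructed in the block; the PE stub, the upper-case ISO file name and the "pdf"/"doc"/"invoice" lure tokens are my assumptions, not the campaign's binary.

```python
import struct
SECTOR = 2048                                   # ISO 9660 logical sector size

def _dir_record(name: bytes, extent: int, size: int, flags: int) -> bytes:
    """Build one ISO 9660 directory record (ECMA-119 section 9.1)."""
    both = lambda n: struct.pack("<I", n) + struct.pack(">I", n)   # fields are stored LSB then MSB
    body = (b"\x00" + both(extent) + both(size) + bytes(7) + bytes([flags, 0, 0])
            + b"\x01\x00\x00\x01" + bytes([len(name)]) + name)
    if len(name) % 2 == 0:                      # records are padded to an even length
        body += b"\x00"
    return bytes([1 + len(body)]) + body

def build_sample_iso(filename: bytes, content: bytes) -> bytes:
    """Constructed sample image: PVD at sector 16, terminator 17, root dir 18, file data 19."""
    root = (_dir_record(b"\x00", 18, SECTOR, 2) + _dir_record(b"\x01", 18, SECTOR, 2)
            + _dir_record(filename, 19, len(content), 0))
    pvd, term = bytearray(SECTOR), bytearray(SECTOR)
    pvd[0:7], term[0:7] = b"\x01CD001\x01", b"\xffCD001\x01"
    pvd[156:190] = _dir_record(b"\x00", 18, SECTOR, 2)   # root directory record
    return (bytes(16 * SECTOR) + bytes(pvd) + bytes(term)
            + root.ljust(SECTOR, b"\x00") + content.ljust(SECTOR, b"\x00"))

def list_root_files(iso: bytes):
    """Yield (name, data) for every file in the root directory of an ISO 9660 image."""
    pvd = iso[16 * SECTOR:17 * SECTOR]
    if pvd[1:6] != b"CD001":
        raise ValueError("not an ISO 9660 image")
    extent, size = struct.unpack_from("<I", pvd, 158)[0], struct.unpack_from("<I", pvd, 166)[0]
    directory, pos = iso[extent * SECTOR:extent * SECTOR + size], 0
    while pos < len(directory):
        reclen = directory[pos]
        if reclen == 0:                         # zero length: padding up to the next sector
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        rec = directory[pos:pos + reclen]
        name = rec[33:33 + rec[32]]
        if name not in (b"\x00", b"\x01") and not rec[25] & 2:   # skip ".", ".." and subdirs
            start = struct.unpack_from("<I", rec, 2)[0] * SECTOR
            data = iso[start:start + struct.unpack_from("<I", rec, 10)[0]]
            yield name.decode("ascii", "replace").split(";")[0], data
        pos += reclen

def triage_iso(iso: bytes) -> dict:
    """Flag the campaign pattern: a single file that is a PE and is named like a document."""
    files = list(list_root_files(iso))
    pe_files = [n for n, d in files if d[:2] == b"MZ"]
    lure_named = [n for n in pe_files if any(t in n.lower() for t in ("pdf", "doc", "invoice"))]
    return {"file_count": len(files), "pe_files": pe_files, "lure_named": lure_named,
            "single_pe": len(files) == 1 and len(pe_files) == 1}
# Constructed sample mirroring the FedEx case: a lone PE stub named fedex,pdf.exe
SAMPLE_ISO = build_sample_iso(b"FEDEX,PDF.EXE;1", b"MZ" + bytes(62) + b"PE\x00\x00")
```

Only the root directory is walked; a production unpacker would recurse into subdirectories and also parse the Joliet descriptor for long file names.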

 

Payload Analysis

The Downloaded ISO

Upon opening the ISO, we were presented with an executable file, “fedex,pdf.exe”. Analyzing it with DiE (Detect It Easy) suggests that the file is likely packed, given the unusual imports and lack of strings.

Figure 5: Detect It Easy assessment of the executable “fedex,pdf.exe”

 

Upon execution of “fedex,pdf.exe”, the executable spawns a new process of the Windows command-line tool “RegAsm” and injects a malicious payload into it, which then initiates network communication with the C2 Boki0419[.]duckdns[.]org on port 9900.

Figure 6: The network activity of the RegAsm process, viewed in Process Hacker

 

Looking at the assembly around the call to CreateProcessInternalW, we can see the string “PE” located at “[ebp-4]”. Typically, when we see this “PE” string, we can expect to see a PE file in the allocated region of memory where “[ebp-4]” is within. By following “[ebp-4]” in the memory dump view and browsing the top region of the memory, the infamous MZ signature and DOS stub of a PE file can be seen. The PE file is a .NET executable packed with “Eazfuscator”.

Figure 7: x64dbg disassembly view of the CreateProcessInternalW call and dump view of the PE file in the memory section

 

Figure 8: Detect It Easy identifies the dumped PE as packed with Eazfuscator

 

Using de4dot to remove the Eazfuscator obfuscation, the executable “fedex,pdf.exe” is confirmed to be the NanoCore RAT client by the project name visible after decompiling the deobfuscated binary, along with various other strings.

Figure 9: The de-obfuscated copy of the dumped PE file in dnSpy

 

Many in-depth analyses of the NanoCore client are available online, so we will not go into detail here. A high-level overview of the NanoCore client's functionality follows:

  • File Execution
  • Mouse Control
  • Shutdown/Restart
  • Keylogging
  • Password Recovery
  • Video/Audio Capture
  • Lock a System with Custom Encryption
  • Reverse Proxy
  • Open CD Tray
  • Open Webpages
  • File Browsing
  • View Running Processes
  • Registry Editor
  • Reverse Shell

The executable “fedex,pdf.exe” contained in the downloaded ISO is Nanocore version 1.2.2.0. Cracks for this version are available online.

Figure 10: Memory dump of the RegAsm process where the NanoCore code was injected

 

FedEx.pdf.exe IOCs:

Files: C:\Users\<username>\AppData\Roaming\tygh\iuhje.exe.exe
Persistence: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iuhje.exe.vbs
C2: boki0419[.]duckdns[.]org, port 9900; Abokijob[.]hopto[.]org, port 9900

 

This is the VBS Script used to execute the malware at each system startup (iuhje.exe.vbs):

Figure 11: Screenshot of the Nanocore VBS execution script

 

This script simply executes the file located at the path of the malware. Because this file is in the “Startup” folder, it will be executed each time the operating system starts.

Malware Invoices with DAA

After analyzing the ISO image case above, we hunted around for similar campaigns that use other disk image formats and found a recent one. This campaign spammed fake invoices through an email attachment – this time with the disk image format DAA.

The sender domains in the emails were spoofed from actual businesses; however, we noticed that the display name in the From address often didn’t match the name or local-part of the email address (e.g. From: “John Doe” <bruce.wayne@wayneenterprises.com>), suggesting the scammers assembled the headers with random scripts. In addition to the header, the content of the email body, such as company email templates, physical and postal addresses, contact numbers and employee names, seems to be randomly selected details of legitimate businesses. The text in the email body directs the recipient to open the DAA attachment.

Figure 12: Invoice spam containing a DAA attachment
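A gateway-side check for the From header pattern described above, added here as an example rather than taken from the post. The sample headers are constructed (the bruce.wayne address is the post's own illustration); the token rules, the minimum token length and the title stop-list are my own heuristic.

```python
import re
from email.utils import parseaddr

# Constructed sample From headers; the second mirrors the mismatch the post describes.
SAMPLE_FROM_HEADERS = [
    '"Bruce Wayne" <bruce.wayne@wayneenterprises.com>',
    '"John Doe" <bruce.wayne@wayneenterprises.com>',
    '"Accounts Payable" <accounts.payable@example.com>',
    'billing@example.com',
]

def name_tokens(display_name: str) -> list:
    """Lower-case alphabetic tokens of the display name, ignoring initials and titles."""
    stop = {"mr", "mrs", "ms", "dr"}
    return [t for t in re.findall(r"[a-z]+", display_name.lower())
            if len(t) >= 3 and t not in stop]

def from_header_mismatch(from_header: str) -> bool:
    """True when the display name shares no token with the mailbox local-part.

    Returns False when there is nothing to compare (no display name or no address),
    so a bare address is left to other checks rather than flagged here.
    """
    display, addr = parseaddr(from_header)
    tokens = name_tokens(display)
    if not tokens or "@" not in addr:
        return False
    # bruce.wayne -> brucewayne, so dots, underscores and digits in the local-part do not matter
    local = re.sub(r"[^a-z]", "", addr.split("@", 1)[0].lower())
    return not any(t in local for t in tokens)

def flag_headers(headers: list) -> list:
    """Return the From headers whose display name does not match the local-part."""
    return [h for h in headers if from_header_mismatch(h)]
```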

 

DAA stands for Direct Access Archive. Unlike ISO files, DAA files are not recognized by Windows, so they will not be mounted when double-clicked. Only Windows machines with a disk image application like PowerISO, UltraISO, or WinArchiver installed can open these files.

Figure 13: PowerISO used to open the DAA attachment and extract the executable

 

Each DAA attachment observed in this campaign contains only one executable file, which takes the filename of the parent DAA but with a .com or .exe extension. The executables are the latest version of Remcos RAT, v2.5.0 Pro.

Invoice 0947523.daa -> Invoice 0947523.com
Purchase Order 7854-02536.daa -> Purchase Order 7854-02536.exe

Remcos is one of the most popular remote access tools today, mostly because it is easy to obtain. This RAT is also updated frequently. Around 3 months ago, we saw a campaign leading to the then-latest Remcos RAT version 2.4.7 Pro. Now, the latest version, 2.5.0 Pro, is being spammed.

Figure 14: Memory dump of “Purchase Order 7854-02536.exe” showing that the sample is Remcos v2.5.0 Pro

 

The Remcos executables contained in the DAA attachments both connect to the free dynamic DNS host Johnsonmullaly[.]ddns[.]net on port 8486. The RAT logs the user's activity to %appdata%\remcos\logs.dat.

Figure 15: Registry and log file creation of the Remcos RATs

 

Remcos v2.5.0 Pro introduces a new feature: clearing browser logins and cookies. As RATs are used to take control of the compromised system, we believe this feature could be used to clear any traces of the attacker’s malicious activities from the web browsers.

Figure 16: Memory dump of “Purchase Order 7854-02536.exe” showing the strings related to the Remcos v2.5.0 Pro

 

Conclusion

We observed a significant shift in malicious spam this year where cybercriminals are experimenting more with disk image archives like .ISO and .DAA for packaging their malware attachments, in an attempt to evade detection from email scanning gateways.

Most email gateways block all attachments with executables. Cybercriminals are finding innovative ways to conceal such executables inside containers to evade detection at the gateway. We looked back on spam messages containing disk image attachments we received this year and observed that the majority of malware contained in them were RATs like Remcos and Nanocore, while other samples included info-stealers like Lokibot.

Comparatively, ISO is a more popular disk image format than DAA and is supported by several archiving tools, including the latest versions of 7-Zip (19.00) and WinRAR (5.80). DAA archives, on the other hand, are only accessible through proprietary software like PowerISO, UltraISO, and WinArchiver. We believe that, thanks to this better unpacking support, the ISO format has become the more popular container for cybercriminals, enabling spray-and-pray operations, while DAA archives are more likely to be used in targeted attacks. Malicious archives that are easier to unpack have relatively higher AV detection rates than archives like DAA, where unpacking may present a challenge.

Although the attack campaigns analyzed here share some similarities, based on the information we have it is difficult to conclude whether the perpetrator is a single threat actor or different groups. Some similarities are listed here:

  • Both campaigns use Invoice or PO email lures with random legitimate company templates and addresses to infect their victims.
  • Both campaigns use a disk image archive with a single packed executable.
  • Both campaigns used free dynamic DNS services such as duckdns and ddns for C&C.

Finally, for customers of our Trustwave Secure Email Gateway (SEG), we’ll add that the SEG effectively detects these sorts of threats bundled inside disk imaging containers using a combination of its unpacking engine and its multi-layered threat detection technology.

 

Hashes and IOCs

