Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Leveraging Disk Imaging Tools to Deliver RATs

This year we observed a notable uptick in disc imaging software (like .ISO) being used as a container for serving malware via email, with .ISO archives attributing to 6% of all malware attachment archives seen this year.

A disk image is a software copy of a physical disk. It saves the entire data from the disk, including the file structure and all files and folders, in a single file and thus often serves as a full backup. Disk imaging software includes formats like ISO, IMG, VHD, VDI, VMDK, VHD and DAA etc.

In this blog, we will present two recent malspam campaigns that utilize disk image formats in delivering malware through phishing links and as attachments.

 

Disk-image-malware-blog (1)

Figure 1: Attack flow illustrated here shows disk imaging software like ISO or DAA files are sent as an email attachment or hosted at a site pointed to via a link in an email to infect victims with RATs.

Fake French FedEx Campaign

The first campaign was a fake FedEx shipment email message targeting some of our European customers. The message tricked the victims to click on a link that downloaded an ISO archive containing a single executable of the Nanocore RAT.

An ISO file (often called an ISO image), is a well-known archive file of optical discs like CD/DVD. They are often used for backing up optical discs, or for distributing large file sets. Malware authors have started abusing these archives by re-purposing them to deliver malware. Recent versions of Microsoft Windows 10 and Windows 8 have the built-in ability to mount .ISO disc image files when they are opened, hence making them a hot commodity for scammers.

 

Fedex-ISOFigure 2: Screenshot of the email message as displayed to a victim

 

The email was drafted in the French language, hence targeting French speakers. The lure was short and precise suggesting failure to deliver a FedEx parcel due to incorrect address, while guiding the victim to download the attached document from FedEx to update their address.

Translation

Figure 3: Google Translate used to translate the message to English

 

Clicking on the link (hxxp://madridbg[.]com/FedEx,pdf.iso) downloaded an ISO archive called “FedEx,pdf.iso”. The ISO archive had a relatively low detection on VirusTotal (18/70). This ISO contains a single binary executable in it called “fedex,pdf.exe”, this binary was disguised with a PDF logo as shown in Figure 4.

Exeiniso

Figure 4: Executable inside the ISO using a fake PDF logo and PDF extension

 

Payload Analysis

The Downloaded ISO

Upon opening the ISO, we were presented with an executable file “fedex,pdf.exe”. Analyzing the executable file with DiE (Detect it Easy) suggests that the file was likely packed due to the unusual imports, and lack of strings.

Detectiteasy

Figure 5: Detect It Easy tool assessment on the executable “fedex,pdf.exe”

 

Upon execution of the file “fedex,pdf.exe”, the executable creates a new process of the Windows CLI tool “RegAsm” and injects a malicious payload into it leading to networking communication with the C2 Boki0419[.]duckdns[.]org on port 9900.

Regasm

Figure 6: The network activity of RegAsm process via Process Hacker tool

 

Looking at the assembly around the call to CreateProcessInternalW, we can see the string “PE” located at “[ebp-4]”. Typically, when we see this “PE” string, we can expect to see a PE file in the allocated region of memory where “[ebp-4]” is within. By following “[ebp-4]” in the memory dump view and browsing the top region of the memory, the infamous MZ signature and DOS stub of a PE file can be seen. The PE file is a .NET executable packed with “Eazfuscator”.

Debug

Figure 7: x64 DBG disassembly view of CreateProcessInternalW and dump view of PE file in memory section

 

Detectiteasy-unpacked

Figure 8: Detect It Easy tool identifies the dumped PE to be packed with Eazfuscator

 

Using De4Dot to remove the “Eazfuscator” obfuscation, the executable “fedex,pdf.exe” is verified to be the malware NanoCore RAT client through the project name after decompilation of the deobfuscated malware and various other strings.

Obfus-deobfus

Figure 9: The de-obfuscated copy of the dumped PE file in DnSpy

 

Many in-depth analyses on the NanoCore client are available online, and we will not go into detail here. But a high-level overview of the NanoCore client's functionality is as follows:

  • File Execution
  • Mouse Control
  • Shutdown/Restart
  • Keylogging
  • Password Recovery
  • Video/Audio Capture
  • Lock a System with Custom Encryption
  • Reverse Proxy
  • Open CD Tray
  • Open Webpages
  • File Browsing
  • View Running Processes
  • Registry Editor
  • Reverse Shell

The executable “fedex,pdf.exe” contained in the downloaded ISO is Nanocore version 1.2.2.0. Cracks for this version are available online.

Hiew-nanocore-config

Figure 10: Memory dump of the RegAsm process where the NanoCore code was injected

 FedEx.pdf.exe IOCs:

Files

Persistence

C2

C:\Users\<username>\AppData\Roaming\tygh\iuhje.exe.exe 

C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iuhje.exe.vbs

boki0419[.]duckdns[.]org, port 9900

C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iuhje.exe.vbs

 

Abokijob[.]hopto[.]org, port 9900

 

This is the VBS Script used to execute the malware at each system startup (iuhje.exe.vbs):

Nanocoreexescript

Figure 11: Screenshot of the Nanocore VBS execution script

 

This script simply executes the file located at the path of the malware. Because this file is in the “Startup” folder, it will be executed each time the operating system starts.

Malware Invoices with DAA

After analyzing the ISO image case above, we hunted around for similar campaigns that use other disk image formats and found a recent one. This campaign spammed fake invoices through an email attachment – this time with the disk image format DAA.

The sender domain in the emails were spoofed from actual businesses, however we noticed that the display name used in From address often didn’t match the name or local-part of the email address (e.g. From: “John Doe” <bruce.wayne@wayneenterprises.com> ) suggesting random scripts being used by the scammers. In addition to the header, the content in the email body like company email templates, physical and post addresses, contact numbers and employee names, seem to be randomly selected details of legit businesses. The text in the email body directs the recipient to open the DAA attachment.

Daa-phish-email

Figure 12: Invoice spam containing DAA attachment

 

DAA stands for Direct Access Archive. Unlike ISO files, DAA files are not recognized by Windows, hence, they will not be mounted when double clicked. Only Windows machines with installed disk image editing applications like PowerISO, UltraISO, and WinArchiver can open these files.

Poweriso

Figure 13: PowerISO software used to open the DAA attachment and extract the executable

 

The DAA attachments observed from this campaign contains only one executable file, which follows the filename of the parent DAA but with .com and .exe as file extensions. The executables are the latest version of Remcos RAT v2.5.0 Pro.

Invoice 0947523.daa -> Invoice 0947523.com
Purchase Order 7854-02536.daa -> Purchase Order 7854-02536.exe

Remcos is one of the popular remote access tools today, mostly because it can be easily obtained. Also, this RAT gets updated frequently. Around 3 months ago, we saw a campaign leading to the then latest Remcos RAT version 2.4.7 Pro. Now, the latest version 2.5.0 Pro is being spammed.

The Remcos executables contained in the DAA attachments both connect to a free dynamic DNS Johnsonmullaly[.]ddns [.] net on port 8486. It logged the users activity on %appdata%\remcos\logs.dat

Process-mon

Figure 15: Registry and log file creation of the Remcos RATs

 

Remcos v2.5.0 Pro has a new feature and this is clearing logins and cookies of the browsers. As RATs are used to take control of the compromised system, we believe this feature could be used to clear any traces of the attacker’s malicious activities from the web browsers.

Memdump-remcos2

Figure 16: Memory dump of “Purchase Order 7854-02536.exe” showing the strings related to the Remcos v2.5.0 Pro

 

Conclusion

We observed a significant shift in malicious spam this year where cybercriminals are experimenting more with disk image archives like .ISO and .DAA for packaging their malware attachments, in an attempt to evade detection from email scanning gateways.

Most email gateways block all attachments with executables. Cybercriminals are finding innovative ways to conceal such executables inside containers to evade detection at the gateway. We looked back on spam messages containing disk image attachments we received this year and observed that the majority of malware contained in them were RATs like Remcos and Nanocore, while other samples included info-stealers like Lokibot.

Comparatively, ISO is a more popular disk image format than DAA and is supported by several archiving tools like the latest version of 7Zip (19.00) and WinRar (5.80). On the other hand, DAA archives are only accessible through proprietary software like PowerISO, UltraISO, and WinArchiver. We believe that due to better unpacking support, the ISO format has become a more popular archiving tool for cybercriminals, enabling them to use such attachments for spray and pray operations, while DAA archives are more likely to be used for targeted attacks. The malicious archives that are easier to unpack have relatively have higher AV detections compared to archives like DAA where unpacking may present a challenge.

Although the attack campaigns analyzed here do have some similarities, based on the information we have it is difficult to conclude whether the perpetrator is a single threat actor or different groups. Some similarities are listed here

  • Both campaigns use Invoice or PO email lures with random legit company templates and addresses to infect their victims.
  • Both campaigns use a disk imaging software archive with a single packed executable.
  • Both campaigns used free dynamic DNS as C&C such as duckdns and ddns

Finally, for customers of our Trustwave Secure Email Gateway (SEG), we’ll add that the SEG effectively detects these sorts of threats bundled inside disk imaging containers using a combination of its unpacking engine and its multi-layered threat detection technology.

 

Hashes and IOCs

Archive SHA1 filename observed Content SHA1 Filename Source  Malware
f24de4ec7dd16c798edf6a4c6d48d5979be5443c FedEx,pdf.iso  f24de4ec7dd16c798edf6a4c6d48d5979be5443c fedex,pdf.exe SEG Nanocore
39322eebe0458365ba19e826065eba5092d987fb Purchase Order 7854-02536.daa 4941cdfd714af56204dce96a67e143929d95c0dc Purchase Order 7854-02536.exe SEG Remcos
e62b862e4f4c9c22e84d453a312abe2cf66fa784 Invoice 0947523.daa fbb9aa7648e7a560100d97fa4f0fac63b7997474 Invoice 0947523.com SEG Remcos
8350e157e9ba43457c19b3d3d799987ff2399430 signed contract invoice.daa ddfe5f6e1fa91feda71aa1dd60982f1efa1a8c36 payment.exe SEG Remcos
1e6a3f92c95f5cb0f4dc2d9260f0e99ed647fc23 describtion.daa 6038400aca813fd64fb9835572f7f743f995c54a DECSRIBTION.exe SEG Lokibot
05b9d8ab616855c4459dc9fb1934e3d4754a239e outstanding statement - may'2019.daa 2ede56a7e12e508a40c0a5dced3a2983a370a96a Outstanding Statement - May'2019.exe SEG Lokibot
84A04B5740366506867B6B74481581D69A256FB3 HKHASE9F07831-T01.daa 70DFD7DB185817620B8C559D767E3ADEC02A964D HKHASE9F07831-T01.exe SEG Lokibot
04f3bedc70d73a992f90d156142b978e3827bbf4 Payment confirmation.daa 911c8e5f0dac3c10498daf4d6834b1d6ddf1a9d8 Payment confirmation.exe VT Remcos
fa34c8dddad18e4dbe17640b841c1a037606ab7b DHL SHIPPING PARCEL NOTIFICATION TRACKING_INVOICE.daa 51f125dda9d56df5eb2b0f89ed1de15b62b66c0a DHL SHIPPING PARCEL NOTIFICATION TRACKING INVOICE.exe VT Nanocore
54557bceb9a30c0832a8c2997f0efc3df2222b6c QUOTATION REQUEST PQ19-08511.daa 9ea410989e4a421521be92063420ec1d05bd2c26 QUOTATION REQUEST PQ19-08511.exe VT Lokibot
e9cef4b5fb39347efe53ab969d8a66e545fcc0f8 IMG_45473822.daa 70dd7b36acbe592321facbfae2595b1114afac38 IMG_45473822.exe VT Remcos

 

Content SHA1 filename observed

 

C&Cs

 

Malware
f24de4ec7dd16c798edf6a4c6d48d5979be5443c fedex,pdf.exe Boki0419[.]duckdns[.]org, port 9900 Abokijob[.]hopto[.]org, port 9900

 

Nanocore
4941cdfd714af56204dce96a67e143929d95c0dc Purchase Order 7854-02536.exe Johnsonmullaly[.]ddns[.]net, port 8486 Remcos
fbb9aa7648e7a560100d97fa4f0fac63b7997474 Invoice 0947523.com Johnsonmullaly[.]ddns[.]net, port 8486 Remcos

 

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More