The attack in this campaign starts with a spam email that pretends to be a \u201cWebsite Job application\u201d. This email contains a password-protected zip file. The password to open the zip file is given in the body of the spam email itself. This trick gives the attacker the following advantages:<\/p>\n
- \n
- The email looks more legitimate to the targeted user<\/li>\n
- It is difficult for the email protection security modules to scan files inside password-protected zip files.<\/li>\n<\/ul>\n
Fig 1 below shows a sample of the email used in this campaign.<\/p>\n
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/01\/1.jpg\")
<\/p>\nFig 1. Email with a malicious attachment<\/p>\n
As we can see in the fig 1, the email is pretending to be a job application email, containing a resume in a zip file. This zip is password-protected. After downloading this zip file, it asks for the password (12345), which is already provided in body of email. After successful extraction, \u201cresume.doc\u201d file is obtained. This doc is a malicious macro laced Word document. If the user tries to run this doc file to view the content, the user is asked to run the macro by clicking the Enable Content<\/strong> button as shown in fig 2.<\/p>\n
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/01\/2.jpg\")
<\/p>\nFig 2. Doc file asking to enable macro<\/p>\n
When the user enables the macro by clicking on \u201cEnable Content\u201d<\/strong>, in the background, a malicious macro gets executed which further launches the PowerShell that requests for the remotely hosted file which downloads and launches the malicious payload on the user\u2019s system.<\/p>\n
Fig. 3 below shows the malicious macro code contained in the doc file.<\/p>\n
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/01\/3.png\")
<\/p>\nFig 3. Malicious macro code inside doc file<\/p>\n
The code mentioned above launches a PowerShell with malicious parameters as shown in fig 4.<\/p>\n
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/01\/4.jpg\")
<\/p>\nFig 4. PowerShell executing with malicious parameters<\/p>\n
If we look closely, the malicious file is hosted as a poop.jpg file on the attacker\u2019s server, which is actually an executable SmokeLoader malware. This file is dropped with the name DKSPKD.exe<\/strong> at %Temp% location and launched to perform malicious activities.<\/p>\n
Some of the significant activities observed during the analysis of this scam campaign are as follows:<\/p>\n
- \n
- The malware scenario is successfully generated on Microsoft Windows 8 and above platform only.<\/li>\n
- During the execution, the malware kills all the processes related to malware analysis tools and debugger.<\/li>\n
- Upon successful execution, SmokeLoader can download other malware components on the infected system.<\/li>\n<\/ul>\n
Quick Heal detection<\/strong><\/p>\n
Quick Heal Browser Protection successfully blocks malicious URLs used to download the payload.<\/p>\n
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/01\/5.png\")
<\/p>\nFig 5: Quick Heal Browsing Protection alert<\/p>\n
Quick Heal Virus Protection successfully detects and block malicious document files responsible for delivering the payload into the system.<\/p>\n
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/01\/6.png\")
<\/p>\nFig 6. Quick Heal Virus Protection alert for doc file<\/p>\n
Quick Heal Virus Protection also detects and stops the malicious SmokeLoader payload.<\/p>\n
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/01\/7.png\")
<\/p>\nFig 7. Quick Heal Virus Protection alert for malicious payload<\/p>\n
Best practices to stay safe from such malware attacks<\/strong><\/p>\n
\u00a0<\/strong>Do not download attachments or click on links received from unwanted or unexpected email sources.<\/p>\n