{"id":87818,"date":"2019-06-21T14:45:28","date_gmt":"2019-06-21T09:15:28","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=87818"},"modified":"2019-06-21T17:16:42","modified_gmt":"2019-06-21T11:46:42","slug":"beware-email-attachments-can-make-victim-spear-phishing-attacks","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/beware-email-attachments-can-make-victim-spear-phishing-attacks\/","title":{"rendered":"Beware! Email attachments can make you victim of spear phishing attacks"},"content":{"rendered":"

In the last few months,\u00a0we\u2019ve seen a sudden increase\u00a0in Spear Phishing attacks. Spear phishing is a variation of a phishing scam wherein hackers send a targeted email to an individual which appears to be from a trusted source. In this type of attack, the attacker uses\u00a0social engineering tricks and some business transactions or deals to entice end user in believing that the email message is genuine and from a known person or contact.\u00a0The agenda of these emails, like any other cyber fraud, is to either gain access to the user\u2019s system or obtain other classified information. Spear phishing is considered as one of the most successful cyber-attack techniques because of the superior level of personalization done to attack users, which makes it highly believable.<\/p>\n

Technical Details<\/b><\/strong>:<\/b><\/strong><\/p>\n

The entry point for this infection chain is a benign looking email with an XLS file as an attachment. The attachment names look like\u00a0some\u00a0Important Notifications\/Updates related to private operation, government source. Due to this, the victim would try to open this type of attachments. When the recipient opens the XLS attachment, it prompts the user to enable macro in excel.<\/p>\n

\"\"<\/a><\/p>\n

Fig 1. XLS file (Enable Macro Prompt)<\/p>\n

Once the user clicks on the \u201cEnable Macros\u201d button, the XLS file is opened for viewing. One of the attachments which we analyzed further, had two\u00a0user\u00a0forms\u00a0with different names and a module with the source code of the macro present. The first form, \u201cWsHAfi Box\u201d contains data in Decimal form.<\/p>\n

\"\"<\/a><\/p>\n

Fig 2. Form \u201cWsHAfi Box\u201d in macro<\/p>\n

After further analyzing this form, we found that replacing apostrophe (\u2018) with space\u00a0gives\u00a0us some data in the decimal format. We converted\u00a0the decimal data into ASCII to\u00a0get a Zip file. This zip file contains the actual malware payload. Here are the screen-shots of original form data, data in decimal form and data in the zip file.<\/p>\n

\"\"<\/a><\/p>\n

Fig 3. Steps to get to the zip file.<\/p>\n

Execution starts from Module1 using\u00a0Sub userHafizaiLoadr()\u00a0function. In the \u201cWsHAfi Box\u201d user\u00a0form, it creates one\u00a0variable named ByteArray\u00a0and copy\u00a0data from \u201cWsHAfi Box\u201d user\u00a0form into this variable which is further used to create a zip file in \u201cC:\\Users\\Documents\u201d\u00a0folder.<\/p>\n

\"\"<\/a><\/p>\n

Fig 4. userHafizaiLoadr() function<\/p>\n

For extracting contents of this zip file,\u00a0Sub unHafizaizip() function is used. Finally, the payload (“dtiardhues.exe”) is executed using Shell command.<\/p>\n

\"\"<\/a><\/p>\n

Fig 5. Executable file with Payload dropped at a predefined location<\/p>\n

As we observed, contents of this executable file are different for different Windows NT versions (like 6.1 is for Windows 7, 6.2 is windows 8 and 6.3 is Windows 8.1). The payload,\u00a0dtiardhues.exe, is\u00a0a remote access trojan. It gets executed automatically without a user\u2019s intervention\u00a0and connects to a remote CnC Server. Once the victim host connects to the CnC server, it waits for the further commands from it. We noticed that this CnC server supports a wide list of commands for data collection and ex-filtration.<\/p>\n

\"\"<\/a><\/p>\n

Fig 6. Commands received from CnC Server<\/p>\n

Initially, this CnC server collects information from victim host such as Hostname, user name, OS\u00a0version, IP, AV Software name, if any. etc. It also collects information about the current running processes from the victim Host and then commands the victim Host to ex-filtrate all the gathered data.<\/p>\n

We analyzed the CnC server\u2019s communication through different victim Hosts and could identify the following commands used and their functionality.<\/p>\n\n\n\n\n\n\n\n\n\n\n
command<\/b><\/strong><\/td>\ndescription<\/b><\/strong><\/td>\ncommand<\/b><\/strong><\/td>\ndescription<\/b><\/strong><\/td>\n<\/tr>\n
info<\/td>\nit sends machine info (host name, user, AV).<\/td>\ndirs<\/td>\nsend list of drives in system<\/td>\n<\/tr>\n
clping<\/td>\nset time<\/td>\ncscreen<\/td>\ntake and send screenshot<\/td>\n<\/tr>\n
fldr<\/td>\nsend list of folders<\/td>\nfles<\/td>\nsearch file on disk.<\/td>\n<\/tr>\n
filsz<\/td>\nsize of file<\/td>\ndelt<\/td>\ndelete file<\/td>\n<\/tr>\n
procl<\/td>\nlist of process<\/td>\nrunf<\/td>\nrun executable file<\/td>\n<\/tr>\n
listf<\/td>\nsearch for file<\/td>\nafile<\/td>\nexfiltrate file to server<\/td>\n<\/tr>\n
cnls<\/td>\ncancel functionality<\/td>\nendpo<\/td>\nend process<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

\"\"<\/a><\/p>\n

Fig 7. CnC Communication Traffic<\/p>\n

IOC\u2019s-<\/b><\/strong><\/p>\n\n\n\n\n\n\n\n\n
Email attachments (OLE files)<\/td>\nPayloads dropped by OLE files<\/td>\nCnC\u00a0Serve\u2019s\u00a0IP<\/td>\nPort<\/td>\n<\/tr>\n
0e174d44893458f27feb7e859bac3191<\/td>\nb9a3cc40fd0e73538c2500455572fc44<\/td>\n81.17.56.226<\/td>\n3864<\/td>\n<\/tr>\n
593B11780B40EB78D118630CAA79F935<\/td>\nFC4DCD4D5360AB976E7B1FDFBFAF2097<\/td>\n107.175.1.103<\/td>\n3268<\/td>\n<\/tr>\n
A3434B63DFBE12A302DACCD056E10B54<\/td>\nFDD6344CA2587A9016F60BD69E788F55<\/td>\n192.99.241.4<\/td>\n4915<\/td>\n<\/tr>\n
0AE759DD1D108FB0A6D28DB83DB04C9D<\/td>\nD7540267D12657CE3411275A7C811C55<\/td>\n95.168.176.141<\/td>\n49188<\/td>\n<\/tr>\n
D1DBC070FA713CE9527970ED1164F609<\/td>\n893289045B002B034BCA837EA210D270<\/td>\n192.99.241.4<\/td>\n4915<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Conclusion<\/b><\/strong>:<\/b><\/strong><\/p>\n

Though identifying Spear Phishing emails is little difficult for an end user, one can always be careful while opening any email attachment. Users should consider the following points before opening any email attachment:<\/p>\n

    \n
  1. Verify the sender\u2019s email id<\/li>\n
  2. Don\u2019t get lured by freebies mentioned in the email subject or body<\/li>\n
  3. Do not click on any link from mail body.<\/li>\n
  4. Open the Office document files in Read Only mode; don\u2019t enable the macros by default.<\/li>\n<\/ol>\n

    Quick Heal<\/strong> and Seqrite <\/strong>enterprise security solutions protect its users from such malicious email attachments and can also help in identifying remote Command and Control server communication. So, remember to keep the endpoint security solutions always updated.<\/p>\n

    Subject Matter Expert:<\/b><\/strong><\/p>\n

    Prashant Tilekar, Anjali Raut | Quick Heal Security Labs<\/p>\n

     <\/p>\n","protected":false},"excerpt":{"rendered":"

    In the last few months,\u00a0we\u2019ve seen a sudden increase\u00a0in Spear Phishing attacks. Spear phishing is a variation of a phishing scam wherein hackers send a targeted email to an individual which appears to be from a trusted source. In this type of attack, the attacker uses\u00a0social engineering tricks and some business transactions or deals to […]<\/p>\n","protected":false},"author":54,"featured_media":87821,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[289,21,24,303,5,304,293],"tags":[],"class_list":["post-87818","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-safety","category-email","category-malware","category-phishing","category-security","category-social-engineering-2","category-spam"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87818"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/54"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=87818"}],"version-history":[{"count":21,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87818\/revisions"}],"predecessor-version":[{"id":87850,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87818\/revisions\/87850"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/87821"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=87818"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=87818"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=87818"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}