{"id":88380,"date":"2020-01-24T16:34:10","date_gmt":"2020-01-24T11:04:10","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=88380"},"modified":"2020-01-24T19:17:59","modified_gmt":"2020-01-24T13:47:59","slug":"new-wave-mal-spam-campaign-attaching-disk-imaging-files","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/new-wave-mal-spam-campaign-attaching-disk-imaging-files\/","title":{"rendered":"New wave of Mal-Spam campaign attaching Disk Imaging Files"},"content":{"rendered":"

From past few months at Quick-Heal Labs, we have been observing a sudden rise in Spear Phishing mail containing distinct file formats as attachment like IMG, ISO, etc. These new types of attachments are mainly used to deploy some well-known and older Remote Access Trojans. The subject of these emails are made to appear as genuine as possible in the form of \u2018Case file against your company\u2019 or \u2018AWB DHL SHIPMENT NOTICE AGAIN\u2019 etc. The attached files contain compressed malware (RAT\u2019s) which have many different names like \u2018Court Order.img\u2019, \u2018Product Order.img\u2019, etc. The below image displays one such spear phishing mail.<\/p>\n

\"\"
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Figure 1: Spear phishing mail with malicious attachment of type IMG<\/em><\/figcaption><\/figure>\n

Below fig. shows that common compression file formats like RAR, ZIP and GZ are used most widely for spear phishing emails. We can also see that disk imaging file format like ISO and IMG are also being used for spear phishing and deployment of malware to some extent.<\/p>\n

\"\"
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Figure 2: Distribution of various compressed file formats in Phishing Mails<\/em><\/figcaption><\/figure>\n

The below graph shows that the number of IMG and ISO files used to deploy RAT\u2019s is growing rapidly from November 2019. Before November 2019, the count of IMG and ISO files combined was negligible.<\/p>\n

\"\"
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0Figure 3: Rise of IMG and ISO Files used in Spear Phishing Emails<\/em><\/figcaption><\/figure>\n

On windows 8 and above, user can directly open these files like ISO, IMG in explorer by just double clicking it. For older versions of windows, users have to mount or extract these files and then use. This might be the reason for high amount of spear phishing emails using disk imaging format.<\/p>\n

The below image shows the widespread distribution of spear phishing emails over past 6 months, with .ISO and .IMG extension of attachment indicated with red dots in different countries.<\/p>\n

\"\"
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0Figure 4: Country wise distribution of attachment types used in Spear Phishing Mails.<\/em><\/figcaption><\/figure>\n

We specifically observed Nanobot, Remcos and Lokibot spreading through use of disk imaging formats. These malware are observed all over the globe with Nanobot having the highest hits for spear phishing mails.<\/p>\n

\"\"
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0Figure 5: Comparison of Number of Spear Phishing attempts<\/em><\/figcaption><\/figure>\n

Infection Chain:<\/strong><\/p>\n

\"\"
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0Figure 6: Flow of Infection<\/em><\/figcaption><\/figure>\n

Now let\u2019s see each of these one by one i.e.Nanobot, Lokibot and Remcos. As these malware are widespread and already known, we will only take a short look into them.<\/p>\n

Nanobot: <\/strong><\/p>\n

The attached iso or img file contains a windows executable file which works as a loader for nanobot, remcos or lokibot. Below fig shows mounted ISO image with just double click on attachment.<\/p>\n

\"\"
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Figure 7: Mounted ISO file.<\/em><\/figcaption><\/figure>\n

This executable is a compiled AUTOIT script. It creates a new Process \u2018Regasm.exe\u2019 and injects the main payload into it. The injected payload is a .Net executable file obfuscated with eazfuscator, and turns out to be a Nanocore client.<\/p>\n

\"\"
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0Figure 8: Spawned Regasm.exe<\/em><\/figcaption><\/figure>\n

This particular sample that we analyzed is of Nanocore client of version 1.2.2.0 as shown in below fig.<\/p>\n

\"\"
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0Figure 9: Nanocore Client<\/em><\/figcaption><\/figure>\n

Nanocore client\u2019s configuration and plugins are encrypted and present in the resources. At run-time it decrypts its configuration which contains multiple configurable options like Keyboard Logging, which can be set to true or false, bypassing UAC control, Run On Startup and various other configurable options for CNC communication.<\/p>\n

\"\"
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Figure 10: Nanocore Configuration<\/em><\/figcaption><\/figure>\n

Capabilities of NanoCore:<\/p>\n

    \n
  • Keyboard Logging<\/li>\n
  • Bypass UAC<\/li>\n
  • Multiple Plugins e.g:\n
      \n
    • Surveillance Plugin: Microphone and Webcam access.<\/li>\n
    • Management Plugin: Remote Console, Registry Editor etc.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n

      Remcos:<\/strong><\/p>\n

      The process for dropping Remcos is similar to that of Nanobot in above case. This executable is also a compiled AUTOIT Script, which creates \u2018RegSvcs.exe\u2019 and injects a PE into it which is Remcos RAT.<\/p>\n

      \"\"
      \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Figure 11: Spawned RegSvcs.exe<\/em><\/figcaption><\/figure>\n

      It makes use of mutex to confirm only one instance of malware running on infected system. Below image shows name of malware used as part of mutex name.<\/p>\n

      \"\"
      \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0Figure 12: Mutex Creation<\/em><\/figcaption><\/figure>\n

      Remcos decrypts it\u2019s settings from resource \u2018SETTING\u2019 present in its binary which is encrypted using RC4 algorithm.<\/p>\n

      \"\"
      \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Figure 13: Reading of \u2018SETTINGS\u2019 Resource<\/em><\/figcaption><\/figure>\n

      After decryption of loaded resource called \u2018SETTINGS\u2019, below settings are generated for Remcos.<\/p>\n

      \"\"
      \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Figure 14: Decrypted Resource Settings<\/em><\/figcaption><\/figure>\n

      Capabilities of Remcos:<\/p>\n

        \n
      • Key-logging<\/li>\n
      • Get system clipboard data<\/li>\n
      • Voice Recording<\/li>\n
      • Enable Camera<\/li>\n<\/ul>\n

        Lokibot:<\/strong><\/p>\n

        This is somewhat different from the above two, as it drops a Visual Basic Native Compiled executable which is a variant of Lokibot RAT.<\/p>\n

        The Lokibot malware reads registry key at present at: \u2018HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid\u2019 and computes its md5 hash using cryptography functions provided in advapi32.dll, which is used for creating a mutex. This mutex is used to check if system is already infected or not.<\/p>\n

        \"\"
        \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Figure 15: Mutex of Lokibot<\/em><\/figcaption><\/figure>\n

        \u2018MachineGuid\u2019 is generated at the time of system installation, which is somewhat unique to the system configuration. Further this md5 hash of \u2018MachineGuid\u2019 is also used for creating a folder in %appdata% and dropping a self-copy and hdb file. The dropped self-copy\u2019s names characters are from the md5 of \u2018MachineGuid\u2019 from characters 13 to 18, and folder name characters are from the md5 of \u2018MachineGuid\u2019 from characters 8 to 13. The hdb file generated is specific to lokibot which it uses for storing the hash of stolen data.<\/p>\n

        \"\"
        \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Figure 16: Dropped Files by Lokibot<\/em><\/figcaption><\/figure>\n

        Capabilities of Lokibot:<\/p>\n

          \n
        • Stealing Password from browsers like Firefox, Chrome, Opera etc.<\/li>\n
        • Stealing Configuration from browsers.<\/li>\n
        • Stealing Password from Microsoft Windows Credential Manager.<\/li>\n<\/ul>\n

          Indicators of Compromise:<\/strong><\/p>\n\n\n\n\n\n\n\n\n
          MD5<\/td>\nName<\/td>\nMalware<\/td>\n<\/tr>\n
          795B0F5D8425DB2BBA02A7663A74447A<\/td>\nPurchase Order_raw_material_2019_20_05.iso<\/td>\nRemcos Wrapper<\/td>\n<\/tr>\n
          36E49FCD84AAFCC6F02238A304A40A09<\/td>\nPurchase Order_raw_material_2.exe<\/td>\nRemcos<\/td>\n<\/tr>\n
          5BFF53521C7FB38970D09B7CD82DFCCB<\/td>\nDHL.iso<\/td>\nNanocore Wrapper<\/td>\n<\/tr>\n
          B7C30DB2287179BBA2D007EC615ABCE4<\/td>\nNew nao.exe<\/td>\nNanocore<\/td>\n<\/tr>\n
          7129f51a9e66b98f0b240b62451da860<\/td>\nnonfragilely6<\/td>\nLokibot<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

          Few interesting file names of attached files in email to watch out for:<\/p>\n

            \n
          • \u2018Income Tax Payment Receipt\u2019<\/li>\n
          • \u2018IncomeTax Online Challan\u2019<\/li>\n
          • \u2018Citi Bank Payment-Advice-PDF\u2019<\/li>\n
          • \u2018DHL SHIPMENT NOTIFICATION_PDF\u2019<\/li>\n
          • \u2018FedEx Parcel\u2019<\/li>\n<\/ul>\n

            Conclusion:<\/strong><\/p>\n

            With invent of new features in Windows, threat actors also keep finding ways to abuse those features. Here, we have seen this in how disk imaging formats are being used to deploy RAT\u2019s. In future, these formats may also be used to deploy other kinds of malware, as threat actors are adept at abusing the features present in Windows itself.<\/p>\n

            How to stay safe:<\/strong><\/p>\n

            Spam mail has been one of the most common Infection Vectors for various kinds of malware. Many people fall in such trap of phishing mails as it is socially engineered by the threat actors.<\/p>\n

            Quick Heal provides protection against these threats. Users should take the below steps as security measures.<\/p>\n

              \n
            • Turn on email protection of your antivirus product.<\/li>\n
            • Do not open any link in the email body sent by an unknown source.<\/li>\n
            • Do not download and open any attachments from an unknown source.<\/li>\n<\/ul>\n

              Subject Matter Expert:<\/p>\n

              Prakash Galande, Rahul Sharma, Akshay Gaikwad<\/p>\n","protected":false},"excerpt":{"rendered":"

              From past few months at Quick-Heal Labs, we have been observing a sudden rise in Spear Phishing mail containing distinct file formats as attachment like IMG, ISO, etc. These new types of attachments are mainly used to deploy some well-known and older Remote Access Trojans. The subject of these emails are made to appear as […]<\/p>\n","protected":false},"author":32,"featured_media":88472,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[24,303,293],"tags":[],"class_list":["post-88380","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware","category-phishing","category-spam"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88380"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=88380"}],"version-history":[{"count":31,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88380\/revisions"}],"predecessor-version":[{"id":88385,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88380\/revisions\/88385"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/88472"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=88380"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=88380"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=88380"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}