2020-07-31 Deobfuscating IcedID Macro Script

Summary ========= This is just a quick writeup of how I managed to get the macro script decoded out of what appears to be an IcedID malspam campaign based on what I am seeing from URLHaus and this tweet from @p5yb34m. The link to the artifacts for this can be found at my Github here. Analysis ========= I am a huge fan of Philippe Lagadec’s OleTools suite for maldoc analysis (thanks for the awesome tools). So if I am not using OfficeMalScanner on my Windows VM, then I am using olevba or one of the other tools in the OleTools…

Continue reading

2020-07-17 ZLoader Malspam (Excel 4 Macros)

Summary ======== This is a late posting since I was originally playing with the malspam back on the 17th. In this case I was looking at some emails that were caught by the mail filters. Looking at the attachment in the email a little closer I noticed that this was one that I had not seen before but had read about on several different occasions – an Excel 4 macro. The interesting thing about this attack vector is the fact that it doesn’t rely on an embedded VB macro in the Excel spreadsheet per se, but uses the native built-in…

Continue reading

2020-05-27 Netsupport RAT Malspam

Summary ======== Yesterday when reviewing the spam filters I found an email with a malicious attachment (.slk file) that setups the system to be infected with what looks to be a NetSupport RAT (based on the information found in the PCAP). I Checked the usual OSINT resources (ie: Hybrid Analysis, Malshare, MalwareBazaar, Anyrun, URLHaus, VT) for the hash of the attachment. Unfortunately there were no hits or results found. The initial link also had no hits yesterday either. The only hit from this malware was for the IP address 207.148.12.140 but that was in the forms of passive DNS results….

Continue reading

2020-04-06 Qealler RAT Malspam

Meta ===== From: Bharti Ladwa Subject: EFT Supplier Number: 0003697 Link in the email: hxxps://jfreecss.co.uk/ Malware type: Qealler ———————- Basically this is a Java RAT. Below are some additional resources that explain how this type of malware works. http://www.zscaler.com/blogs/research/qealler-new-jar-based-information-stealer http://securityboulevard.com/2019/10/hiding-in-plain-sight-new-adwind-jrat-variant-uses-normal-java-commands-to-mask-its-behavior/ http://www.securityinbits.com/malware-analysis/pyrogenic-infostealer-static-analysis-part-0x1/ Earlier today I came across a phishing email that had contained an embedded image which had a malicious link in it. Once it was clicked on, the site automatically redirected to another site which then proceeded to download a JAR file. I tried to deobfuscate the Java code in my VM but did not get anywhere fast. Knowing that…

Continue reading

2020-03-25 Agent Telsa Malspam – Covid-19 Themed

Meta ===== From: World Health Organization Subject: COVID 19: Passaggi Medici Per Essere Sicuri Link in the email: hxxps://onedrive[.]live[.]com/download?cid=265DAF943BE0D06F&resid=265DAF943BE0D06F%21177&authkey=AIGcwdd1XE_CXLM Unlike the other one that I documented here I could not find any method of persistence in this infection. Also, once the EXE from the ISO has been extracted and executed, it created a child process of “RegAsm.exe” to do the heavy lifting while terminating itself as you can see in the below image. This is the process that made the callouts to the couple of IP addresses seen (including data exfil via port 587). Outside of that this was your…

Continue reading

2020-03-23 Agent Telsa Malspam

Meta ===== From: Procurement – site@hamnc.com Subject: Purchase Order Attachment: Company Profile, Product Specification And Trial Order.pdf.img Running this in my VM I am seeing the usual call to get the external IP address of the system (api.ipify.org) and then the data exfil via mail.gandi.net over port 587 (TCP). The interesting thing is the persistence that was setup. Persistence was setup via the Windows Task Scheduler as seen below. The file that is being used in the Task Scheduler has the same hash as the file in the attachment. The location of this file (doQsVLzQv.exe) can be found in the…

Continue reading

2020-03-20 More Predator The Thief Malspam – Covid-19 Themed

Meta ===== From: *.xyz Subject: Various Covid-19 Attachment: covidXX_form.zip This looks to be related to Predator the Thief malspam based on the final script that gets executed which looks very close to the sample that I posted about over here. The zip file and VBScript can be found in my Github repo here. Here is the code in the actual VBScript. And then with it decoded (first pass). Which leads to this final code being runned on the system. Reference ========== – http://urlhaus.abuse.ch/browse.php?search=show1.website – http://malshare.com/search.php?query=d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c – http://bazaar.abuse.ch/browse.php?search=d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c – http://app.any.run/tasks/8f771d9c-355f-4262-bac0-0a1927f52222/ – http://gchq.github.io/CyberChef/#recipe=Reverse(‘Character’)From_Base64(‘A-Za-z0-9%2B/%3D’,true)Remove_null_bytes()&input=PT1BQTNBd2FBVUdBNEFRYUFBQ0EwQndjQWtHQU1CQWRBNEdBbEJRYkFVSEFuQmdjQUVFQXRBQUlBa0dBdEJ3TkFFREF5QkFJQU1IQXpCUVpBTUdBdkJnY0FBRkF0QUFkQUlIQWhCQWRBTUZBZ0FBSUFzREEzQXdhQVVHQTRBUWFBQUNBMEJnZUFVR0FyQmdhQUFDQWxCQVpBOEdBakJRWkFRR0F0QUFJQXdHQXBCQWRBVUhBMEJnY0FVR0FqQkFJQXNEQWlBQVVBMEVBRkJBVkFvREEyQmdiQVVHQWtBZ0lBQUNBb0JBZEFFR0FRQlFMQUFDQXVCd2JBa0dBMEJRWUFNR0F2QkFUQTBDQTBCUVpBTUZBZ0F3T0FJQ0F0QndiQU1HQXVBUWVBOEVBWkJBVUFrR0FjQkFVQTBFQUZCQVZBb0RBMkJnYkFVR0FrQWdJQXdDQWlBQWRBb0hBbEJ3YUFvR0FjQkFVQTBFQUZCQVZBb0RBMkJnYkFVR0FrQWdJQXdDQWlBUWJBOEdBakJnTEFrR0F0QndOQUVEQXlCQVhBQUZBTkJRUkFRRkE2QWdkQTRHQWxCQUpBSUNBZ0FnYkE4R0FwQkFkQUVHQXVCUWFBUUhBekJRWkFRRUF0QUFJQVFIQWhCQVpBNENBNUJ3VEFrRkFRQlFhQThDQWxCQWRBa0dBekJnWUFVR0EzQmdMQUVEQTNCd2JBZ0dBekJ3TEE4Q0E2QUFjQVFIQTBCQWFBd0NBMEJRWUFRR0F1QUFUQUVHQTVCUVpBZ0VBdkFRWkFRSEFwQndjQUlHQWxCd2RBNENBeEF3ZEE4R0FvQndjQThDQXZBZ09BQUhBMEJBZEFnR0FzQUFkQUVHQWtCZ0xBTUZBQkJnY0FVR0FQQndMQVVHQTBCUWFBTUhBaUJRWkFjSEF1QVFNQWNIQXZCQWFBTUhBdkF3TEFvREF3QkFkQVFIQW9CQUlBVUdBakJnY0FVSEF2QndVQTBDQWdBZ2NBVUdBbUJ3Y0E0R0FoQmdjQVFGQXpCQWRBa0dBQ0JRTEFRSEF5QlFZQVFIQVRCQUlBc0RBeUJRWkFZR0F6QmdiQUVHQXlCQVZBTUhBMEJRYUFJRUFnQVFaQXdHQTFCQVpBOEdBTkJRTEFRSEF5QndiQUFIQXRCUVM Artifacts ========== Email hashes ————- 182a2cc132f77bacda747c8b36ae82d807e5a3cee01c734deb29f2598b992918 —— ahpwzh909165720504.eml b23c073099a90b2d42c12c05ed86b09fc8ca563b044a411db55a066ce717cb69…

Continue reading

2020-03-18 Deobfuscation of MalDoc script – Possibly Predator the Thief

Meta ====== From: Debt Collections Agency Houston Subject: Collection letter for Account Identification number 021621495WZ Attachment: Word file I came across a piece of malspam that caught my eye. I did not try to run this since it was not responding in Any.Run and based on the results from URLHaus, the site was taken offline. Looking at VT and some other sites, I was not able to find any more information about this maldoc. The fun part with this one was trying to figure out what the macro was doing without having to execute it. Based on what I saw…

Continue reading

2019-10-16 Emotet maldoc deobfuscated

This sample is from a batch of emotet emails that I found in the email filters back on Monday afternoon (2019-10-14). While all the documents had a different hash (attached to this write-up), the macro that was executed was the same. Based on the URLs found in this sample, this looks like it was from “epoch 2” of emotet as documented here. This write-up is to document how I managed to deobfuscate the macro script. Artifacts =========== Analysis ========= To make this easier, I decided to use OfficeMalScanner to get the files that contained the macro code. Looking at those…

Continue reading

2019-08-23 WSHRat Javascript de-obfuscation

Special thanks to one of my colleagues and @nazywam on Twitter that helped me with this. The Twitter thread about this can be found here. To obtain the Javascript file, see the Any.Run link here. The other day (2019-08-20) while looking at caught emails in the SPAM folder, I came across this malspam that was referencing a request for quote (ala: RFQ). The email had an attachment to it that was Gzipped. Unzipping it I saw there was a nicely obfuscated Javascript file. Opening it up and looking through it, there was some clear text code that follows after a…

Continue reading