Malspam activity was noted on August 22nd 2017 delivering NanoBot malware via a 'detailed description.xls' Excel spreadsheet with an embedded malicious macro. According to this threat profile from Microsoft, this backdoor has the following capabilities:
In this threat advisory we will discuss the host and network behavior of the malware using RSA NetWitness Suite.
The malicious macro inside our 'delivery description.xls' delivery document contains heavily obfuscated VBA code as shown by RSA pre-release What's This File service in the screenshots below:
Upon running the VBA code starts cmd.exe in order to run an encoded powershell command to download, save and run an executable on the infected machine:
Although the download activity took place over SSL, NetWitness Packets registered meta for the session to indicate a missing subject organizational name for the SSL certificate in use:
The malware starts to communicate with its command and control (C2) server using a custom protocol over TCP on destination port 30314:
For this session, NetWitness Packets registered the meta value binary handshake under the indicators of compromise key:
The C2 IP address is associated with other NanoBot samples according to VirusTotal results.
Opening the delivery document on a machine with a NetWitness Endpoint agent shows the following chain of events:
Our friend 'powershell.exe' connects to the delivery domain.
The next screenshots show the module IIOC's for the newly created process. In addition, they show how it copies itself to a new location on the infected machine, modifies the registry to gain persistency on the system, and connects to the C2 IP address:
NanoBot delivery document (SHA256):
NanoBot variant (SHA256):
All the IOC will be added to FirstWatch C2 feeds as follows: