
RSA NetWitness Platform

43 Posts authored by: Ahmed Sonbol Employee

Malspam activity was observed on February 11th delivering a Keybase variant. The keylogger was first reported by security researchers at Palo Alto Networks in 2015. FirstWatch previously blogged about how to detect it using RSA NetWitness.


The delivery document is crafted to exploit CVE-2017-8759 through Microsoft Office. CVE-2017-8759 is a code injection vulnerability in the .NET Framework's SOAP WSDL parser. FirstWatch dug deeper into that vulnerability in a previous threat advisory.


Upon opening the RTF document with an unpatched Microsoft Word, the user is presented with an empty page:



In the background there is an HTTP request over SSL to a[.]pomfe[.]co :





Next comes the request to retrieve an HTA script from bahyt-krim[.]ru :




Then an executable, ziraat_bobby.exe, a Keybase variant, is downloaded from the same domain:





Once the download is complete, the binary executes and it starts to exfiltrate data in the query strings of successive HTTP GET requests to ziraat-helpdesk[.]com:





Post infection HTTP sessions were tagged with keybase malware in NetWitness Packets:



Here is the analysis report from


It is worth mentioning that the delivery domain bahyt-krim[.]ru has been active over the past couple of days:



Delivery document (SHA256):

  • 4487cb74d5524d57eb0859bdda34fd9ba7f426fd0867e8826ac2e8c787052848


ziraat_bobby.exe (SHA256):

  • df48d1ef1d11b4b5bbc92f52de489935ffb9e36ff226b9ac0a7f5c899b9f1db1


Malspam activity was observed on February 13th delivering a variant of ISR password stealer. ISR was reportedly used in spear phishing attacks against food and machine industries. In this blog post we will discuss the network activity using RSA NetWitness Packets.


The delivery document Payment receipt.doc is crafted to exploit CVE-2017-11882. You can learn more about the vulnerability in this FirstWatch threat advisory.



Opening the malicious document with an unpatched Microsoft Word application led to the following network activity:





Once 99v.exe executes on the victim machine, it starts to communicate with what looks to be a compromised WordPress website, transeagleperu[.]com:



Since the User-Agent string used in this session is common to ISR variants, the session was tagged with the value "known bad ua credentialleak" under the Indicators of Compromise meta key:



It is worth mentioning that the delivery domain menorasarainc[.]info has been active over the past week:



Payment receipt.doc (SHA256):

  • 383521ecc7aa09050e82498e10c756c866b0ce47702d77c6a5a4a7da98517146


99v.exe (SHA256):

  • 29eb49ad843aa992abff873d9b611a62248b2b8b4fbfa900bb7712f6aa6cda65


All the IOC from those HTTP sessions were added to RSA FirstWatch Command and Control Domains on Live with the following meta:

  • threat.source = ‘rsa-firstwatch’
  • threat.category = ‘malspam’
  • threat.description = ‘delivery-domain’


Malspam was observed on February 7th 2018 delivering GandCrab ransomware. GandCrab is a new ransomware family that was first reported in late January 2018. This is the first time it has been seen distributed via a malspam campaign [1].


This screenshot shows an example of the e-mails used in the campaign [2]. They come with PDF attachments and a little bit of social engineering. If the user opens the attachment, it downloads a Word document; opening the Word document in turn downloads the ransomware payload.



A similar infection chain has been used lately to deliver the Dridex banking trojan. RSA FirstWatch previously blogged on the resurgence of Dridex.


Scan-image001_070218.jpg is an example of one of those downloaded Word documents:



Submitting it to RSA pre-release What's This File service gives more information about its maliciousness:




The embedded code suggests that the actors are only targeting 64-bit Windows machines.


Upon opening the document with Microsoft Word on a 64-bit machine, an HTTP GET request is issued to sorinnohoun[.]com to retrieve a script:





It is a well-documented and publicly available script. It can reflectively load a DLL/EXE into a PowerShell process, or reflectively load a DLL into a remote process. In this case, sct5 is being used to load the GandCrab ransomware into the PowerShell process:




Next, the malware connects to its C2 domain nomoreransom[.]coin to get the victim machine IP address:




This is followed by POST requests to the same domain with encoded/encrypted data:





On the host side, you can start seeing the files being encrypted. The ransomware appends the .gdcb extension to each encrypted file:



It drops a note in each directory with the instructions on how to pay the ransom and recover the files:




As of this writing, the actors are asking for 2.6 Dash coins to buy GandCrab decryptor in order to recover the files on this particular victim machine. If not paid in time, the ransom they are asking for simply doubles. 



Here is a recap of the network activity:



All the IOC from those HTTP sessions were added to RSA FirstWatch Command and Control Domains on Live with the following meta:

  • threat.source = ‘rsa-firstwatch’
  • threat.category = ‘malspam’
  • threat.description = ‘delivery-domain’


Feb-9523713.pdf (SHA256):

  • 3aabca6aa74d4499e07d8828be981e65d421603895dd8450a15b49f1113517ff


Scan-image001_070218.jpg (SHA256):

  • 8f9e12851b92fcc74f9c9ab6181aa3fd49eabcf789608f9986cb136141033213


sct (SHA256):

  • 6960a00da0069a5b1aa7e213962a65abe3b148ddb7ac508cda0f8f8492ef7eaf



  1.  GandCrab Ransomware: Now Coming From Malspam - SANS Internet Storm Center 


A New Hancitor Campaign

Posted by Ahmed Sonbol Employee Jan 25, 2018

This week RSA FirstWatch observed a new malspam campaign delivering Hancitor malware.  Hancitor is a downloader that was used by adversaries to deliver various malware families such as Pony and Zeus Panda Banker.  Contrary to previous malspam campaigns that used VBA macros to deliver Hancitor, this one is exploiting CVE-2017-11882 in malicious RTF documents.


Invoice_304550.doc and fax_645751.doc are two examples of the RTF documents used in this campaign. Opening them with an unpatched instance of Microsoft Word leaves the user with a blank page. However, a lot of activity is happening in the background.



First, a suspicious HTTP GET request retrieves "1", a script containing the Hancitor payload as a Base64-encoded blob along with the commands needed to decode it and start it as a new process.



Looking at the HTTP GET, many of the headers a browser would normally send are absent.



NetWitness Packets flags suspicious meta data (e.g., the file.analysis and service.analysis tags shown below).



Next, there is a request to a service to identify the IP address of the victim machine:



Then, it checks-in with a C2 domain (undronride[.]ru) sending the host information via an HTTP POST request.  The directory and filename used in the request reflect the telltale 'ls5/forum.php' characteristics of Hancitor.



It is worth noting that the C2 domain, undronride[.]ru, was registered just seven days ago and lacks a surprising amount of registration information.



A second C2 callback to the CNOBIN-registered littarhapone[.]com was also generated by the malware. 



The following screenshot shows the meta populated by NetWitness Packets for these C2 check-in sessions:



In both cases, there were no binaries downloaded after the check-in. However, this SANS blog post discusses some of the additional payloads delivered by this Hancitor campaign.



All the IOC from those HTTP sessions were added to RSA FirstWatch Command and Control Domains on Live with the following meta:

  • threat.source = ‘rsa-firstwatch’
  • threat.category = ‘malspam’
  • threat.description = ‘delivery-domain’


Delivery documents (SHA256):

  • b489ca02dcea8dc7d5420908ad5d58f99a6fef160721dcecfd512095f2163f7a
  • 6dcbf652b96a7aea16d0c2e72186173d9345f722c9592e62820bcfe477b2b297

Malspam was observed on January 12th 2018 delivering Ursnif (AKA Gozi). Ursnif is a Banking Trojan that was discovered in 2007. Originally it was targeting banking wire systems in English speaking countries. In the past decade, its list of target countries expanded and its capabilities evolved. In addition to stealing banking credentials, Ursnif can now collect user credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites [1]. 


In October 2017, security researchers took notice of a new Ursnif spam campaign [2]. The actors behind this campaign developed their macros to run when the document is closed. Sandbox technologies might miss this behavior and it could prove to be a simple yet effective evasion technique.
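To make the evasion concrete, here is an added example (my own code, not from the original post or from RSA) that scans extracted VBA source for Office's auto-execute entry points and separates the open-time triggers an open-and-wait detonation sandbox will fire from the close-time triggers it may never reach. The VBA snippet is constructed to resemble the layout described here; it is not the real macro.

```python
import re

# Office auto-execute entry points (names Office itself honours). A detonation
# sandbox that opens the document and waits fires the OPEN set; the CLOSE set
# only runs if the document is actually closed, which many sandboxes never do.
OPEN_TRIGGERS = {"AutoExec", "AutoOpen", "Auto_Open", "Document_Open", "Workbook_Open"}
CLOSE_TRIGGERS = {"AutoClose", "AutoExit", "Auto_Close", "Document_Close", "Workbook_BeforeClose"}

# Matches "Sub Name(" / "Function Name(" with an optional Public/Private prefix.
_PROC_RE = re.compile(
    r"^[ \t]*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)\s*\(",
    re.IGNORECASE | re.MULTILINE,
)


def find_autoexec_triggers(vba_src):
    """Return {'open': [...], 'close': [...]} listing auto-exec procedures found in VBA source."""
    open_names = {n.lower(): n for n in OPEN_TRIGGERS}
    close_names = {n.lower(): n for n in CLOSE_TRIGGERS}
    found = {"open": [], "close": []}
    for match in _PROC_RE.finditer(vba_src):
        name = match.group(1).lower()
        if name in open_names:
            found["open"].append(open_names[name])
        elif name in close_names:
            found["close"].append(close_names[name])
    return found


def sandbox_verdict(triggers):
    """Would an open-and-wait detonation have executed this macro?"""
    if triggers["open"]:
        return "runs on open"
    if triggers["close"]:
        return "runs only on close: an open-and-wait sandbox may never see it execute"
    return "no auto-exec entry point"


# Constructed VBA modelled on the layout described above; not the real macro.
SAMPLE_VBA = """\
Attribute VB_Name = "ThisDocument"
Private Sub AutoClose()
    Dim cmd As String
    cmd = "powershell -w hidden -c ..."
    Shell cmd, vbHide
End Sub

Public Function Helper(x As String) As String
    Helper = x
End Function
"""

if __name__ == "__main__":
    triggers = find_autoexec_triggers(SAMPLE_VBA)
    print(triggers, "->", sandbox_verdict(triggers))
```

For real documents, olevba from the oletools project performs the same AutoExec keyword scan on the extracted macro streams; the point of the split above is that a sandbox verdict of "no activity observed" is not evidence of a benign document when the only entry point is in the close set.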


Let's take this delivery document as an example. Submitting it to RSA pre-release What's This File service shows the embedded VBA code including its AutoClose function:





On NetWitness Packets, first there is a DNS request to what looks like a DGA delivery domain. Notice the large number of answers in the DNS response:



Next, an HTTP GET request to retrieve a script from the domain:




Here is a better look at the downloaded script:



The script reaches out to the same domain in order to download an executable. Notice the usage of PFX file extension and the absence of many headers in the HTTP GET request:





VirusTotal scan results indicate that the binary is an Ursnif variant.


Once the download is complete and the malware is executed, it checks in with the same domain:




Here is a recap of the network activity:



More information about the recent Ursnif variants can be found in this Malware Breakdown blog post.


Delivery document (SHA256):

  • a0a946868e2a067fc2144f19faa161b586c85fe57413633525e8e8bd5e2f48d6


Ursnif binary (SHA256):

  • eee6bd38c0e6498fadc466d5a1b635271b63c4235a3b271a9e15d5896c5a045a


All the IOC from those HTTP sessions were added to RSA FirstWatch Command and Control Domains on Live with the following meta:

  • threat.source = ‘rsa-firstwatch’
  • threat.category = ‘malspam’
  • threat.description = ‘delivery-domain’




Malspam activity was observed on January 7th 2018 delivering a new variant of BITTER Remote Access Tool (RAT), which has been previously reported by Forcepoint in nation-state campaigns against Pakistani targets.  In this blog post, FirstWatch discusses observed malicious activity from the perspective of the RSA NetWitness suite.


The delivery document (NamesOfMaldiviansReturning-1.doc) tries to exploit CVE-2017-11882 in order to deliver the BITTER RAT to a victim machine. CVE-2017-11882 is a vulnerability in the Microsoft Office suite that was disclosed in November 2017; Microsoft has released a patch for the affected products. You can read more about this vulnerability in a past FirstWatch threat advisory.


Upon opening the malicious document with an unpatched Microsoft Word application, an HTTP GET request was observed downloading an executable from the delivery domain hartraders[.]com, which is hosted on a Namecheap server at 104.219.248[.]10.




VirusTotal scan results and a Hybrid-Analysis report of the payload, 'wp-sig.exe', are available, but also observe below the suspicious scoring of this file as evaluated during execution by NetWitness Endpoint (NWE).  



Upon execution, the malware also spawns a second process, 'ctfmers.exe', which is responsible for checking in with a C2 server.  This process is also flagged as potentially malicious by NWE.





Similar network behavior was previously observed in a November 2017 BITTER campaign with the execution of another delivery document (yyyyyyy.doc). While that earlier malspam document was crafted to exploit the older CVE-2012-0158, it attempted to download its payload from zmwardrobe[.]com, which is hosted on the same Namecheap server as the current campaign, 104.219.248[.]10.



The payload from the November 2017 campaign was an earlier BITTER variant, 'ctf.exe' as shown below.



Post infection, we also observed similar C2 callbacks from this earlier BITTER variant.



That is not the only C2 similarity across historical BITTER campaigns, though: the new variant's C2 communication also shares characteristics with much older variants. For example, the following screenshot shows the C2 check-in for a binary first submitted to VirusTotal in January 2016:



More information about older BITTER variants can be found in this blog post from RSA FirstWatch.


Delivery documents (SHA256):

  • 9292764ce4a84b29f2ca4598def80239dfd079451c113a45f2569d9ea220fac3
  • d128bdcedecee0fbc8ec440a3edd3fe624cfd9a6c0ed298fe7c26f0c86f21618


BITTER binaries (SHA256):

  • ffe1528eea078bde8336ab96a574a5401ff2c0403bbefda96a34e5cce4ae6385
  • 131c53a3612c933e747897573a5f79db9f61895b404f69efea8c1c87262da4fe


All the IOC from those HTTP sessions were added to RSA FirstWatch APT Threat Domains on Live with the following meta:

  • threat.source = ‘rsa-firstwatch’
  • threat.category = ‘apt’
  • threat.description = ‘bitter’


Thanks go to Kent Backman and Kevin Stear for contributing to this threat advisory.



  1. BITTER: A Targeted Attack Against Pakistan | Forcepoint 


Malspam activity was observed on January 8th 2018 delivering FormBook malware. FormBook is a data stealer and form grabber available on various hacking forums since early 2016. Its capabilities include clipboard monitoring, keyboard logging, taking screenshots, grabbing form data and collecting passwords from browsers and email clients. More information about the malware can be found in this blog post by FireEye security researchers.


The delivery document Tax Reform.doc uses macros to deliver the payload to a victim machine.



The following screenshots show the results of scanning the document using RSA pre-release What's This File service including signs of an auto launch script.




Upon enabling the macro, the code runs and a binary is downloaded to the victim machine. Notice the absence of typical fields in the HTTP GET request and the usage of a unique User-Agent string.






VirusTotal scan results can be found here. Analysis report from suggests it is a FormBook variant.


Upon execution of the binary, it checks in with a list of C2 servers. 





After checking in, the malware posts data to the server in an encoded/encrypted format.




Delivery document Tax Reform.doc (SHA256):

  • 9441d7811e869d50e7c340c622a57c14004682573ff6d5d43fca4d0be6aca102


FormBook binary bin.exe (SHA256):

  • 391971ca3923a45997633275249dcd5bedf2b11f165646671e4359afa3fec4b4


Last month, security researchers at Embedi disclosed a new vulnerability in the Microsoft Office suite. CVE-2017-11882 resides in the Microsoft Equation Editor, a tool that lets users insert and edit mathematical equations inside Office documents [1]. If exploited, the vulnerability allows the attacker to run arbitrary code in the context of the current user. Microsoft issued a patch to address the vulnerability in the affected products [2][3]. It did not take long for malspam campaigns to start leveraging CVE-2017-11882 to deliver their final payload, as discussed in this blog post by Fortinet.


One of those delivery documents is PI-5460-DPC.doc. In this threat advisory we will go over the host and network behavior using NetWitness Packets and NetWitness Endpoint.


Upon opening the document with a vulnerable Microsoft Word, the vulnerability is exploited and an instance of the vulnerable Equation Editor (eqnedt32.exe) is created. Note that its parent is svchost.exe rather than winword.exe, because the Equation Editor is started as an out-of-process COM server; a process-tree rule that keys on Word as the parent will miss this chain:



That is followed by an HTTP GET request to retrieve a script:



eqnedt32.exe calls mshta.exe to execute the downloaded script:



When mshta.exe runs, it calls cmd.exe to write a script (A6p.vbs) to the infected machine. wscript.exe runs the newly created script which has the instructions to download the final payload:





The downloaded binary is executed and it starts to communicate with its command and control server:
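The host chain above (svchost.exe > eqnedt32.exe > mshta.exe > cmd.exe > wscript.exe > payload) is the kind of ancestry a process-create rule should catch. As an added example, not code from the original advisory or from RSA, here is a Python rule that walks Sysmon-style process records and flags script hosts and user-writable-path executables that descend from an Office root. Because the Equation Editor is launched by svchost.exe and never has winword.exe above it, eqnedt32.exe is treated as a root in its own right. The records, pids and paths are constructed; the lists of roots, script hosts and drop locations are my own and should be tuned per environment.

```python
import ntpath

# Process images whose presence as an ancestor makes a descendant interesting.
# eqnedt32.exe is a root in its own right: it is started via COM by svchost.exe,
# so winword.exe is NOT in its ancestry (see the process tree above).
OFFICE_ROOTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
# Script hosts and living-off-the-land binaries that Office has no business spawning.
SCRIPT_HOSTS = {"mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "javaw.exe"}
# Lower-case path fragments marking user-writable drop locations (my own list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def _image_name(path):
    return ntpath.basename(path).lower()


def ancestry(event, by_pid):
    """Image names from the oldest known ancestor down to `event`, e.g.
    ['svchost.exe', 'eqnedt32.exe', 'mshta.exe']. Stops at unknown or looping pids."""
    chain, seen = [], set()
    while event is not None and event["pid"] not in seen:
        seen.add(event["pid"])
        chain.append(_image_name(event["path"]))
        event = by_pid.get(event["ppid"])
    return list(reversed(chain))


def office_spawn_hits(events):
    """Flag processes that descend from an Office root and are either a script host
    or an executable launched from a user-writable path.
    Returns [(pid, image, reason, 'ancestor > ... > image')] in event order."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        chain = ancestry(e, by_pid)
        image, ancestors = chain[-1], set(chain[:-1])
        if not ancestors & OFFICE_ROOTS:
            continue
        if image in SCRIPT_HOSTS:
            reason = "script host spawned under Office/Equation Editor"
        elif any(marker in e["path"].lower() for marker in USER_WRITABLE):
            reason = "binary from user-writable path under Office/Equation Editor"
        else:
            continue
        hits.append((e["pid"], image, reason, " > ".join(chain)))
    return hits


# Constructed process-create records modelled on the chain described above
# (pids and paths are made up; the image names follow the advisory).
SAMPLE_EVENTS = [
    {"pid": 700,  "ppid": 4,    "path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 2900, "ppid": 1,    "path": r"C:\Windows\explorer.exe"},
    {"pid": 3000, "ppid": 2900, "path": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"},
    {"pid": 4100, "ppid": 700,  "path": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"pid": 4120, "ppid": 4100, "path": r"C:\Windows\System32\mshta.exe"},
    {"pid": 4130, "ppid": 4120, "path": r"C:\Windows\System32\cmd.exe"},
    {"pid": 4140, "ppid": 4130, "path": r"C:\Windows\System32\wscript.exe"},
    {"pid": 4150, "ppid": 4140, "path": r"C:\Users\victim\AppData\Roaming\fafa.exe"},
    {"pid": 5100, "ppid": 2900, "path": r"C:\Windows\System32\cmd.exe"},  # user-launched, benign
]

if __name__ == "__main__":
    for pid, image, reason, chain in office_spawn_hits(SAMPLE_EVENTS):
        print(f"{pid:>5} {image:<12} {reason}: {chain}")
```

The benign cmd.exe launched from explorer.exe is left alone, while every process under eqnedt32.exe is reported, including the final payload, which is not a script host but runs from AppData.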






The post infection traffic is characteristic of dyzap malware (also known as Lokibot). RSA FirstWatch blogged twice about its activity here and here.


Here is a recap of the network activity:



And here is a recap of the host activity:



Thanks to Kent Backman and Justin Lamarre for contributing to this threat advisory.


PI-5460-DPC.doc (SHA256):

  • 3917474eb4b2dd52aad96b76228304b692031180a55f59346808e797ea332305


fafa.exe (SHA256):

  • 1c71868cf97ee2f713d1a445f650d7a829c80e49c529be5bffb3091a3059ff23





Malspam activity was observed on November 28th delivering a variant of the Slingup backdoor. In this blog post, we will go over the network activity in RSA NetWitness Packets.


Submitting the delivery document (purchase order.doc) to RSA pre-release What's This File service scores the maximum threat score:



The embedded obfuscated VBA code launches upon opening the document:




The VBA code launches PowerShell to download an executable from a delivery domain:






According to VirusTotal scan results, the downloaded binary is a Slingup backdoor variant. Microsoft Windows Defender Security Intelligence has more information on the malware here.


When the malware runs on the infected system, it looks to be reaching out to the delivery domain to download more plugins. While the filename varies from one GET request to another, the directory remains the same /Panel/plugins/:



The server responds with obfuscated payloads as shown below:






  • purchase order.doc (SHA256):

  • loader.exe (SHA256):


All the IOC from those HTTP sessions were added to RSA FirstWatch Command and Control Domains on Live with the following meta:

  • threat.source = ‘rsa-firstwatch’
  • threat.category = ‘malspam’
  • threat.description = ‘delivery-domain’


For years, threat actors have relied on DLL side-loading to load their malicious code into the address space of legitimate applications. PlugX is probably the most prominent example, but other malware families use it too [1]. Windows follows a defined search order to locate a DLL required by an application [2]: the directory the application was loaded from is searched first, and if SafeDllSearchMode is disabled, the current directory is searched next, before the System and Windows directories. By dropping a malicious DLL that carries the name of an expected library into the same directory as a trusted, signed application, malware authors get their code loaded by that application and have a chance to blend in and evade analysis.
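The search order is easy to get wrong from memory, so here is an added example (my own code, not from the original post or from RSA) that models it in Python: search_order reproduces the documented order with and without SafeDllSearchMode, resolve_dll shows which copy of a DLL the loader would pick against a constructed in-memory filesystem, and find_sideload_candidates is the hunting check that follows from the paragraph above, listing DLLs that sit next to an executable while shadowing a DLL of the same name in System32. The filesystem map is constructed to mirror the TeamSpy drop discussed later on this page; the 16-bit system directory is left out of the order for brevity.

```python
import ntpath

SYSTEM32 = r"C:\Windows\System32"
WINDOWS = r"C:\Windows"


def search_order(app_dir, cwd, path_dirs, safe_dll_search_mode=True):
    """Directories the Windows loader consults, in order, for a DLL that is neither
    already loaded nor a KnownDLL. The 16-bit system directory is omitted (assumption)."""
    order = [app_dir]                      # application directory is always first
    if not safe_dll_search_mode:
        order.append(cwd)                  # legacy mode: current dir before system dirs
    order += [SYSTEM32, WINDOWS]
    if safe_dll_search_mode:
        order.append(cwd)                  # default since XP SP2: current dir after them
    order += list(path_dirs)
    return order


def resolve_dll(dll, app_dir, cwd, path_dirs, fs, safe_dll_search_mode=True):
    """Full path the loader would pick for `dll`, or None.
    `fs` is a constructed stand-in for the filesystem: {directory: {file names}}."""
    for directory in search_order(app_dir, cwd, path_dirs, safe_dll_search_mode):
        names = {f.lower() for f in fs.get(directory, ())}
        if dll.lower() in names:
            return ntpath.join(directory, dll)
    return None


def find_sideload_candidates(fs, system_dll_names):
    """Hunting check: DLLs sitting next to an .exe that shadow a DLL shipped in System32.
    Returns sorted [(directory, dll)]; system directories themselves are skipped."""
    sys_names = {n.lower() for n in system_dll_names}
    hits = []
    for directory, files in fs.items():
        if directory.lower() in (SYSTEM32.lower(), WINDOWS.lower()):
            continue
        if not any(f.lower().endswith(".exe") for f in files):
            continue
        for f in files:
            if f.lower().endswith(".dll") and f.lower() in sys_names:
                hits.append((directory, f))
    return sorted(hits)


# Constructed layout: the TeamSpy drop in C:\ plus a clean app and a user directory.
FS = {
    "C:\\": {"TV.exe", "TeamViewer_Desktop.exe", "avicap32.dll", "tvr.cfg"},
    r"C:\Program Files\App": {"app.exe"},
    r"C:\Users\victim": {"version.dll"},
    SYSTEM32: {"avicap32.dll", "version.dll", "kernel32.dll"},
    WINDOWS: set(),
}

if __name__ == "__main__":
    print(resolve_dll("avicap32.dll", "C:\\", r"C:\Users\victim", [], FS))
    print(resolve_dll("version.dll", r"C:\Program Files\App", r"C:\Users\victim", [], FS, True))
    print(resolve_dll("version.dll", r"C:\Program Files\App", r"C:\Users\victim", [], FS, False))
    print(find_sideload_candidates(FS, FS[SYSTEM32]))
```

Two things fall out of running it: the planted avicap32.dll wins regardless of SafeDllSearchMode because the application directory is always searched first, and version.dll in the user's current directory only beats the System32 copy when the safe mode is switched off, which is why that registry value is worth checking during an investigation.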


TeamSpy leverages the DLL side-loading technique to load its malicious payload into the memory space of TeamViewer, a popular remote desktop application [3]. Avast has a detailed explanation of TeamSpy and its capabilities [4]. In this blog post, we will go over a recent malspam activity delivering TeamSpy to victim machines and will discuss how the activity looks in NetWitness Packets.


Submitting the delivery document NEW_price.xlsm to RSA pre-release What's This File service scores the maximum threat score:



The malicious spreadsheet has an auto-launch script to download a payload from a delivery domain:



When the victim enables the embedded macro, the download activity begins:




Here is the meta registered by NetWitness Packets for the download session:



Here is a list of files downloaded to the victim machine (all downloaded to the C:\ directory):


  • tv_64.dll (MD5 dcd8cda46bb20ff09c8c8be8be2f3098): Helper library for TeamViewer performance optimization and QuickConnect (64 bit)
  • tv_64.exe (MD5 e0331b54a56e7aa48f97b4956bcef769): Helper process for TeamViewer performance optimization and QuickConnect (64 bit)
  • tvr.cfg (MD5 71488723b5b71651ab164989535bceed): Obfuscated configuration file for TeamSpy spyware
  • TV.exe (MD5 75c738b78021eec28f7a9eeaade02cfe): TeamViewer Remote Control Application
  • avicap32.dll (MD5 be03a49d09f85bc7b977574bcef5a4f1): Malicious DLL
  • TeamViewer_Desktop.exe (MD5 301d4c233bb1297d600ceb05a0ebbc33): TeamViewer Remote Control Application
  • TeamViewer_Resource_en.dll (MD5 1ead0b5a632b2d60414b5a1daa4905f3): TeamViewer resources
  • tv_32.dll (MD5 d1cae98656bc6703e21f4580b8830dfc): Helper library for TeamViewer performance optimization and QuickConnect
  • tv_32.exe (MD5 7d90bdf0f9c2d9224d8b4d5d2f195506): Helper process for TeamViewer performance optimization and QuickConnect


By dropping the malicious DLL in the same directory as the legitimate application, TeamSpy has a chance to load successfully and to run its payload. It uses a password to de-obfuscate the configuration file at run time in order to start communicating with its C2 server, which in this case is the same as the delivery domain:


Avast has a full list of the parameters seen in the query strings above [4]; the main ones are:

  • id: ID of the infected machine
  • tout: timeout
  • osbt: 32bit/64bit
  • osv: OS version
  • osbd: OS build version
  • uname: user name
  • cname: computer name
  • tvrv: teamviewer version


Here is the meta registered by NetWitness Packets for the C2 communication:



Delivery document (SHA256):

  • 00048ea8873518a5a17ddea0cfee0f1103bf56c07b89b287c6aa60e082d75f99


All the IOC from those HTTP sessions were added to RSA FirstWatch Command and Control Domains on Live with the following meta:

  • threat.source = ‘rsa-firstwatch’
  • threat.category = ‘malspam’
  • threat.description = ‘delivery-domain’



  1. DLL Side-Loading - enterprise 
  2. Dynamic-Link Library Search Order (Windows) 
  4. A deeper look into malware abusing TeamViewer 

Yesterday news emerged about a new ransomware outbreak dubbed Bad Rabbit. The new ransomware has some similarities to the Petya/NotPetya ransomware attack that took the world by storm last summer; both families encrypt the entire disk. As of now, most reported victims are in Eastern Europe, with some reports suggesting that victims were also detected in the United States. While the US-CERT issued a notice that it is aware of the attacks, it has no specific information on US victims.


Bad Rabbit binary is currently being delivered to the victim as a fake Adobe Flash update (SHA256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da) through compromised websites, and one particular delivery domain, 1dnscontrol[.]com, has been identified in numerous Industry reports.  Researchers at Cisco Talos demonstrated how BadRabbit victims were redirected to this delivery domain via compromised websites.


First, there was a POST request to 185.149.120[.]3/scholargoogle to collect some information such as user agent, referring site, cookie and domain name of the session.  Next, the ransomware dropper was delivered via two paths:

  • 1dnscontrol[.]com/index.php
  • 1dnscontrol[.]com/flash_install.php


At this time, it appears that the delivery domain is no longer active; however, both the IP and domain have been placed into FirstWatch C2 feeds available in RSA Live with the following meta tags:

  • threat.category = "ransomware"
  • threat.desc = "badrabbit"


Executing the malware on a 32-bit Windows machine dropped the following files on the system (names of the dropped files might vary from one system to another):

  • C:\Windows\cscc.dat (DiskCryptor driver), SHA256: 682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806
  • C:\Windows\dispci.exe (DiskCryptor client), SHA256: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93


Executing the malware on a 64-bit Windows machine dropped the following files:

  • C:\Windows\cscc.dat (DiskCryptor driver), SHA256: 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6
  • DiskCryptor client (same binary as on 32-bit), SHA256: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93


Here is a process tree after running the dropper:



The malware creates two scheduled tasks to perform the following:

  • A scheduled task to run the open source utility DiskCryptor to encrypt the entire disk.
  • A scheduled task to reboot the system at a certain time.

Strings embedded in the unpacked DLL suggest that the malware also targets a certain list of file extensions for encryption:

  • Note: It remains unclear why the malware carries a list of target file extensions when its behavior encrypts the whole disk.


The malware also drops mimikatz-like binaries to harvest credentials.  Communication between those binaries and the malware is done through a named pipe as shown in the process tree above. 


In addition to the stealers, the malware comes embedded with a list of default usernames and passwords. These credentials are used by the malware to try to log in to other systems over SMB and infect them. It should be noted that Bad Rabbit does not currently use the EternalBlue exploit for lateral movement; instead it performs basic scanning and login attempts against the following shares and named pipes (the pipes are reached through the IPC$ share):

  • admin
  • atsvc
  • browser
  • eventlog
  • lsarpc
  • netlogon
  • ntsvcs
  • spoolss
  • samr
  • srvsvc
  • scerpc
  • svcctl
  • wkssvc

If a login attempt is successful, 'infpub.dat' is dropped into the Windows directory and executed via the Service Control Manager and rundll32.exe.


In its final stages, Bad Rabbit executes a system reboot, after which the victim is presented with a ransom note:



The helpful message on caforssztxqzf2nm[.]onion notifies victims of 0.05 Bitcoin ransom with a message suggesting that the price will go up after some 10+ hours.



Microsoft recently released a threat bulletin on Bad Rabbit [6]. It gives the following steps to stop the system from rebooting (and thus from encrypting the disk):

  • Check the event logs for event IDs 1102 and 106.
  • Event 1102 indicates that the audit log has been cleared, so previous activities can't be seen.
  • Event 106 indicates that the scheduled tasks "drogon" and "Rhaegel" have been registered (these are the ransomware's wiper tasks).
  • If events 1102 and 106 are present, issue shutdown -a to abort the pending reboot.


Halim Abouzeid has a detailed post on how the post infection activity looks in both NetWitness Packets and NetWitness Endpoint.




Sage Ransomware Campaign

Posted by Ahmed Sonbol Employee Oct 20, 2017

During the week of October 16th 2017, RSA FirstWatch observed a new malspam campaign delivering Sage 2.2 ransomware. The delivery documents come embedded with malicious macros that download the ransomware upon execution. 


31119.doc is one example. It uses the usual social engineering tricks to convince the user to run the embedded macro:



Submitting the delivery document to RSA pre-release What's This File service reveals more information about it including the obfuscated VBA code:




The VBA code runs a PowerShell command that downloads a binary to the victim machine and executes it:



NetWitness Packets shows the following information for the download session:



Analysis results indicate that the downloaded binary is a Sage ransomware variant. The following post infection screenshots are from



If you zoom out a little bit, you can notice a pattern:




Here is a list of delivery documents (SHA256):



And below is a list of Sage ransomware variants (SHA256):



All the IOC from those HTTP sessions were added to RSA FirstWatch Command and Control Domains on Live with the following meta:

  • threat.source = ‘rsa-firstwatch’
  • threat.category = ‘malspam’
  • threat.description = ‘delivery-domain’


A new malspam campaign was observed on October 6th 2017 spreading DoublePulsar (via the EternalBlue exploit) and Hidden Tear ransomware. Based on the delivery documents and ransom notes, the campaign looks to be targeting German-speaking users.


EternalBlue exploits a vulnerability in the way the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests, giving the attacker an opportunity to execute code on the target server [1]. Microsoft issued a patch for the vulnerability (MS17-010) back in March 2017, but the exploit was still used as part of the WannaCry ransomware attack in May 2017 and the NotPetya attack in June 2017. DoublePulsar is a backdoor implant that was used alongside EternalBlue. Hidden Tear is an open source ransomware family; malware authors have built different variants on top of its code base that differ in payment methods, encryption techniques and which files are considered for encryption [2].


The delivery document (PRELIMINARY_KAPSCH_SECURITY_NIGHT_2017_WORD_DROPPER.doc) uses a macro to drop the malicious payload to the victim machine:



Submitting the delivery document to RSA pre-release What's This File service shows the following malicious characteristics including the auto-launch script to download a payload from a domain over SSL: 





The powershell script (launcher.ps1.txt) has the capability of mapping the victim network:



It can also download a zipped file '' and extract it on the victim machine:



The request to download '' was observed in NetWitness Packets:





Finally, the script proceeds to deliver:



First, it tries to run a PowerShell script (Execute-EB-Launcher.ps1) to infect machines on the network that may be vulnerable to the EternalBlue exploit, implanting DoublePulsar where the attempt succeeds:



In this scenario, no neighboring machines were compromised. The malicious PowerShell script (launcher.ps1.txt) finally downloads and launches a Hidden Tear variant:





Upon execution, the malware encrypts the victim files and presents the following ransom note:



Post-infection traffic is over SSL:



The payment websites were down at the time of this writing.


Delivery documents (SHA256):

  • 8ad3c6df4a96b97279e50a39fe4c2662d8da7699c54cb2582a5c0ae7ae358334
  • 4592803dfdd47c4bfffad037695d3be4566c38ad46132e55c5679c7eb6f029da

(SHA256):

  • 22a3a1c609b678b5eed59b48eed47513996998ab99841773d5b0f316fc9e7528

Hidden Tear ransomware (SHA256):

  • bf9d54c7b894065d6f3ac59da093241ee0c0c545a323c9d8ae8c8f8a9b14d591



  2. Ransomware Recap: The Ongoing Development of Hidden Tear Variants - Security News - Trend Micro USA


Malspam activity was noted on September 23rd 2017 delivering a Jacksbot variant to infected machines. Jacksbot is a backdoor family that can run on any platform that supports Java Runtime Environment [1]. In this blog post we will discuss the delivery mechanism and the behavior on the infected machine.


Submitting the delivery document to RSA pre-release What's This File service shows the maximum threat score.




The VBA code writes data to a local VBS file (J4n.vbs). Here is the activity in NetWitness Endpoint:



Next wscript.exe is called to execute the newly created J4n.vbs. A JAR file is downloaded and saved to a temp directory as HELP202.JAR. After a timeout, javaw.exe is called to execute the JAR:



Here is the download session in NetWitness Packets:




The following meta values were registered for the download session including watchlist file extension, tld not com net org, http not good mozilla, http no referer, http long user-agent and http get no post. For more information about those meta values, please check the hunting guide [2]:
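The meta values above are the same heuristics that flagged the Hancitor, Ursnif and FormBook download requests earlier on this page (headers a browser would send are missing, no Referer, an odd User-Agent, a payload file extension). As an added example, not code from the original post or from RSA, here is a small Python scorer that derives comparable tags from raw HTTP request text. The tag names mirror the hunting guide's, but the definitions and thresholds (the LONG_UA cutoff, the engine-token test behind "not good mozilla", the watchlist extensions) are my own approximations, and both sessions are constructed rather than captures from the page.

```python
import ipaddress
import posixpath
from urllib.parse import urlsplit

# Lists and thresholds below are my own assumptions, named after the hunting
# guide's meta values; they are not NetWitness' parser definitions.
WATCHLIST_EXT = {".exe", ".jar", ".hta", ".pfx", ".sct", ".vbs", ".ps1", ".dll"}
COMMON_TLDS = {"com", "net", "org"}
BROWSER_HEADERS = ("accept", "accept-language", "accept-encoding")
ENGINE_TOKENS = ("Gecko", "AppleWebKit", "Trident", "Chrome", "Firefox", "Safari", "Edge", "MSIE")
LONG_UA = 120  # characters


def parse_request(raw):
    """Minimal HTTP/1.x request parser: request line plus headers (lower-cased names)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method.upper(), "target": target, "headers": headers}


def _is_ip_literal(hostname):
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def request_meta(req):
    """Per-request tags in the spirit of the hunting guide's HTTP meta."""
    h, tags = req["headers"], []
    ua = h.get("user-agent", "")
    hostname = h.get("host", "").split(":")[0]
    if "referer" not in h:
        tags.append("http no referer")
    if any(name not in h for name in BROWSER_HEADERS):
        tags.append("http missing browser headers")
    if not ua:
        tags.append("http no user-agent")
    elif ua.startswith("Mozilla/") and not any(tok in ua for tok in ENGINE_TOKENS):
        tags.append("http not good mozilla")  # claims to be a browser, carries no engine token
    if len(ua) > LONG_UA:
        tags.append("http long user-agent")
    if _is_ip_literal(hostname):
        tags.append("http direct to ip")
    elif hostname.rsplit(".", 1)[-1].lower() not in COMMON_TLDS:
        tags.append("tld not com net org")
    ext = posixpath.splitext(urlsplit(req["target"]).path)[1].lower()
    if ext in WATCHLIST_EXT:
        tags.append("watchlist file extension")
    return tags


def session_meta(raw_requests):
    """Tags for one client-to-server session: union of per-request tags plus 'http get no post'."""
    reqs = [parse_request(r) for r in raw_requests]
    tags = set()
    for r in reqs:
        tags.update(request_meta(r))
    methods = {r["method"] for r in reqs}
    if "GET" in methods and "POST" not in methods:
        tags.add("http get no post")
    return sorted(tags)


# Constructed sample sessions (not captures from the original page).
DOWNLOADER_SESSION = [
    "GET /HELP202.JAR HTTP/1.1\r\n"
    "Host: a.pomf.cat\r\n"
    "User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\n"
    "Connection: Keep-Alive\r\n\r\n",
]
BROWSER_SESSION = [
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0 Safari/537.36\r\n"
    "Accept: text/html\r\nAccept-Language: en-US\r\nAccept-Encoding: gzip, deflate\r\n"
    "Referer: https://www.example.com/\r\n\r\n",
    "POST /login HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0 Safari/537.36\r\n"
    "Accept: text/html\r\nAccept-Language: en-US\r\nAccept-Encoding: gzip, deflate\r\n"
    "Referer: https://www.example.com/index.html\r\n"
    "Content-Length: 0\r\n\r\n",
]

if __name__ == "__main__":
    print("downloader:", session_meta(DOWNLOADER_SESSION))
    print("browser:   ", session_meta(BROWSER_SESSION))
```

None of these tags is conclusive on its own; the value, as in the screenshots above, is in how many of them stack up on a single download session compared with the near-empty tag list a real browser session produces.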



According to VirusTotal scan results, the payload is a Jacksbot variant. However, it looks like it failed to run on a victim machine:



The delivery domain a[.]pomf[.]cat has been active delivering all kinds of payloads to infected machines not only over HTTP but also over SSL:




Here is another look at the process tree:



Delivery document (SHA256):

  • 1459ec6788f4ecd1dd8d2b55dd931c245304c3fd0cae410d2c0df93170c13ee8

Jacksbot variant (SHA256):

  • 090c02c428cc42b55772055e8c26232e2fd8f51c9c28e6041d503abcd82cb695



  1. JACKSBOT Has Some Dirty Tricks up Its Sleeves - TrendLabs Security Intelligence Blog 
  2. RSA NetWitness Hunting Guide 

Malspam activity was noted on September 19th 2017 delivering a Cobalt Strike payload. The malicious RTF document leverages the newly disclosed CVE-2017-8759 [1]. Microsoft already released a patch to address the vulnerability in the affected products [2]. RSA FirstWatch blogged last week about it [3][4]. However, we noticed a different network behavior that was worth sharing with the community.


The malicious document is spreading as 'resume.rtf'. Upon opening the document in Microsoft Word, the infected system communicated with an external server over FTP to retrieve a file (readme.txt):



RSA NetWitness Packets shows the file transfer taking place in a separate session (service=0):



As part of the exploit, an HTTP request was made to the same server to get 'favicon.ico', which is actually an HTA script:




Following the execution of the downloaded script, an SSL session was established to download an executable:



RSA NetWitness Packets indicates that the SSL session uses a self-signed certificate. In fact most of the fields were left blank and that's why you don't see values for SSL CA and an SSL subject in the screenshot below:



The final payload is a DLL that looks to be part of the Cobalt Strike offensive framework. You can find its VirusTotal scan results here.


RTF document (SHA256):

  • cdf6e2e928a89cbb857e688055a25e37a8d8b8b90530bd52c8548fb544f66f1f


Final payload (SHA256):

  • 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362



  1. FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY « Threat Research Blog | FireEye Inc 
  3. Malspam and CVE-2017-8759
  4. Malspam delivers MoonWind 9-20-2017 
