Phishing emails are one of the most common delivery mechanisms for malware authors, and the attachments in those emails carry a variety of payloads. Well-known delivery methods include exploiting vulnerabilities in the program that parses the document (e.g., doc, xls, rtf files), using macros, or embedding user-clickable objects that drop payloads. Of all these methods, embedding objects in the document is considered a “gray area” because both IT professionals and malware authors use this technique.
Don’ts
Don’t let your employees get into the habit of blindly double-clicking on embedded objects in Word documents, Excel spreadsheets, or PowerPoint presentations. While this is useful for IT professionals, it is also the perfect social engineering tactic for installing malware. Figure 1 is an example of a clean PowerPoint presentation containing install instructions with an embedded executable.
Figure 1. Legitimate Embedded Object Scenario
Phishing Document In the Wild
Figure 2 shows the typical anatomy of a phishing document attack. First, the user is tricked into double-clicking the embedded object in the document, which activates the payload execution. Second, the object is written to the filesystem. Lastly, the object extracts the backdoor or infostealer and carries out its final objective.
Figure 2. Typical Phishing Document Anatomy
Let’s explore some phishing samples found in the wild.
The following two documents use the Microsoft Office Object Packager tool to embed an executable into a Word document. With this tool, the author can configure the appearance of the packaged file and insert a file to trick the user into double-clicking.[1] This is a simple method for getting the user to install a payload, but it can also evade some automated sandboxes and AV solutions because it requires user interaction.
Fake YouTube Player
The first document is not as sophisticated as most phishing documents, but its simplicity still fulfills the attacker’s objective. This document tricks the user into thinking that the YouTube player is a link when it is actually just a screenshot of a YouTube player. When the user double-clicks the image, that action launches an executable that installs the payload. The user then sees a program called AdobeUpdater.exe start up; this is actually the remote desktop client TeamViewer.
Figure 3. Screenshot of the Fake YouTube Player
The Microsoft Object Packager module allows a user to insert files into a Microsoft Office document. Microsoft Office lets you view the configuration menu for the embedded object. Figure 4 shows how the object appears in the document as well as the content embedded in it.
Figure 4. Object Packager Configuration Menu
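Because Object Packager stores the packaged file raw inside the document, the executable leaves recognisable traces that a mail gateway or triage script can look for. The following Python script is an added example, not code from the original post: it scans a .docx attachment for an Object Packager style embedded executable. It assumes the OOXML package layout (an oleObject relationship in word/_rels/document.xml.rels pointing at a word/embeddings/*.bin part) and uses byte-level heuristics rather than a full Compound File parser; the sample document, the file name invoice_viewer.scr and the fake PE bytes are constructed for the demonstration.

```python
"""Flag Word (.docx) attachments that carry an Object Packager style embedded executable.

Added example, not code from the original post. It assumes the OOXML package layout
(word/embeddings/*.bin parts referenced by an oleObject relationship) and uses
byte-level heuristics instead of a full CFB parser.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # Compound File Binary header
OLE10NATIVE = "Ole10Native".encode("utf-16-le")          # stream name used for packaged files
DOS_STUB = b"This program cannot be run in DOS mode"     # present in practically every PE
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Heuristic: a NUL-terminated file name with an executable extension inside the part.
EXEC_NAME_RE = re.compile(
    rb"([A-Za-z0-9_ .\-]{1,64}\.(?:exe|scr|com|pif|bat|cmd|vbs|js|ps1|jar))\x00", re.IGNORECASE)


def ole_object_parts(zf):
    """Yield package part names that document.xml references as OLE objects."""
    rels_name = "word/_rels/document.xml.rels"
    if rels_name not in zf.namelist():
        return
    root = ET.fromstring(zf.read(rels_name))
    for rel in root.iter(REL_NS + "Relationship"):
        if rel.get("Type", "").endswith("/oleObject"):
            yield "word/" + rel.get("Target", "")


def scan_docx(docx_bytes):
    """Return one finding dict per embedded OLE part, with the indicators that fired."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in ole_object_parts(zf):
            if part not in zf.namelist():
                continue
            data = zf.read(part)
            names = [m.group(1).decode("ascii", "replace") for m in EXEC_NAME_RE.finditer(data)]
            findings.append({
                "part": part,
                "is_cfb": data.startswith(CFB_MAGIC),
                "packaged_file": OLE10NATIVE in data,
                "pe_payload": b"MZ" in data and DOS_STUB in data,
                "executable_names": names,
            })
    return findings


def is_suspicious(docx_bytes):
    """True when any embedded object looks like a packaged executable."""
    return any(f["pe_payload"] or f["executable_names"] for f in scan_docx(docx_bytes))


def build_sample_docx(packaged_name=None, payload=b""):
    """Build a minimal constructed .docx in memory (not a real phishing sample).

    The embedded part only mimics the bytes a real Object Packager object exposes:
    CFB magic, the Ole10Native stream name, the NUL-terminated file name and the raw payload.
    """
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if packaged_name is not None:
            rels.append('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                        'officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/>')
            ole_part = (CFB_MAGIC + b"\x00" * 8 + OLE10NATIVE + b"\x00\x00"
                        + b"\x02\x00" + packaged_name.encode() + b"\x00" + payload)
            zf.writestr("word/embeddings/oleObject1.bin", ole_part)
        rels.append("</Relationships>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b"."   # constructed stand-in for a PE
    bad = build_sample_docx("invoice_viewer.scr", fake_pe)       # constructed name and payload
    for finding in scan_docx(bad):
        print(finding)
    print("suspicious:", is_suspicious(bad), "| clean doc:", is_suspicious(build_sample_docx()))
```

The relationship check is what ties the heuristics to something a user can actually double-click; a stray MZ string elsewhere in the archive is not enough on its own. For the legacy binary .doc format the same indicators exist, but the container is a single Compound File rather than a zip, so a CFB parser would replace the zipfile step.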
Nesting Doll Attachment
This nesting or layered approach to social engineering malware has been common in several email campaigns over the last several months, dating back to August 2014.
Figure 5. Screenshot of the Original Document
Below are the steps the embedded object takes to steal the target’s data:
Figure 6. Attack Flow
1. The embedded object, TT PAYMENT COPY.exe, is a self-extracting RAR archive (RAR SFX) that extracts and hides the AutoIt[2] executable called uyifile.exe along with its supporting payload files.
2. The AutoIt executable then RC2-decrypts the supporting payload file iwnLAowlFJ.JPC. As it turns out, this is the InfoStealer kit called Predator Pain v14. See the Appendix for the AutoIt decryption script.
3. The AutoIt script injects the InfoStealer code into one of the following hard-coded process names:
a. RegSvcs.exe
b. RegAsm.exe
c. AppLaunch.exe
d. newdev.exe
e. twunk_32.exe
f. ndadmin.exe
4. The injected process in turn injects into vbc.exe, which harvests the information and collects it into the following files:
a. %TEMP%/holdermail.txt
b. %TEMP%/holderwb.txt
5. The injected InfoStealer then exfiltrates the following types of data:
- Network information
- OS information
- Bitcoin wallet
- Passwords
- Firefox
- Google Chrome/Talk
- Internet Explorer
- Safari
- Opera
- Outlook
- AIM
- Minecraft
6. The InfoStealer sends this information back to the email server in the following format:
Predator Logger Details:
Server Name:
Keylogger Enabled:
Clipboard-Logger Enabled:
Time Logs will be delivered: Every % minutes
Enabled:
Time Log will be delivered: Average 2 to 4 minutes
Local Date and Time:
Installed Language:
Operating System:
Internal IP Address:
External IP Address:
Installed Anti-Virus:
Installed Firewall:
Do’s
- If you must send someone an installation executable or even a form helper program, compress the executable in a password-protected ZIP file whose password is not easily guessable. Using a standardized strong password limits access to the users or employees who need the program.
- Educate your employees not to click on objects in documents without first confirming the source email address.
- Enforce content filtering on web and email to prevent employees from receiving executable files from the internet.
- Remove admin/local admin privileges to prevent employees from installing new and unknown software onto devices.
- Consider Advanced Threat Prevention technologies that can examine emails for sophisticated multi-stage droppers that evade detection by the email security gateways available today.
Appendix
Fake YouTube Player Hashes
MD5 | File
4db3a51ed2b34177ef85afe04a81e6aa | Office Document
c5c05c0f4b9e3b6ac2ad51dc15ef8f43 | youtube_player.scr
28c4c35aed7949277a9c68a04a113114 | AdobeUpdater.exe (Teamviewer)
Nesting Doll Attachment Hashes
MD5 | File
1ed0608e7172fd63300119cf2c85c8fc | Email Document
b00347a63aad17bcd5863d3e5a526ae9 | %TEMP%\TT PAYMENT COPY.exe
92729c143c9057725c8ab422aef00b9c | uyifile.exe (AutoIt)
AutoIt Decryption Script
; AutoIt loader recovered from uyifile.exe. It reads a key from an INI-style file,
; derives an RC2 key from it with CryptoAPI (CryptDeriveKey over an MD5 hash) and
; decrypts the packaged payload iwnLAowlFJ.JPC in memory.
$uniscriptdir = FileGetShortName(@ScriptDir)

; CryptoAPI constants
Global Const $prov_rsa_full = 1
Global Const $prov_rsa_aes = 24
Global Const $crypt_verifycontext = -268435456   ; CRYPT_VERIFYCONTEXT (0xF0000000) as a signed 32-bit value
Global Const $crypt_exportable = 1
Global Const $crypt_userdata = 1
Global Const $calg_md5 = 32771                   ; CALG_MD5 (0x8003)
Global Const $calg_rc2 = 26114                   ; CALG_RC2 (0x6602)
Global Const $calg_userkey = 0
Global $__g_acryptinternaldata[3]                ; [0] refcount, [1] Advapi32 handle, [2] provider context

; Decrypt $vdata with algorithm $ialg_id using a key derived from the password $vcryptkey.
Func _crypt_decryptdata($vdata, $vcryptkey, $ialg_id, $ffinal = True)
    Local $hbuff
    Local $ierror
    Local $vreturn
    Local $htempstruct
    Local $iplaintextsize
    Local $aret
    _crypt_startup()
    Do
        If $ialg_id <> $calg_userkey Then
            $vcryptkey = _crypt_derivekey($vcryptkey, $ialg_id)
            If @error Then
                $ierror = 1
                $vreturn = -1
                ExitLoop
            EndIf
        EndIf
        ; Copy the ciphertext into a buffer with slack space and decrypt it in place.
        $hbuff = DllStructCreate("byte[" & BinaryLen($vdata) + 1000 & "]")
        DllStructSetData($hbuff, 1, $vdata)
        $aret = DllCall(__crypt_dllhandle(), "bool", "CryptDecrypt", "handle", $vcryptkey, "handle", 0, "bool", $ffinal, "dword", 0, "struct*", $hbuff, "dword*", BinaryLen($vdata))
        If @error OR NOT $aret[0] Then
            $ierror = 2
            $vreturn = -1
            ExitLoop
        EndIf
        $iplaintextsize = $aret[6]   ; CryptDecrypt returns the plaintext length through pdwDataLen
        $htempstruct = DllStructCreate("byte[" & $iplaintextsize & "]", DllStructGetPTR($hbuff))
        $ierror = 0
        $vreturn = DllStructGetData($htempstruct, 1)
    Until True
    Return $vreturn
EndFunc

; Open Advapi32 and acquire a CSP context on first use; later calls only bump the refcount.
Func _crypt_startup()
    If __crypt_refcount() = 0 Then
        Local $hadvapi32 = DllOpen("Advapi32.dll")
        If @error Then Return SetError(1, 0, False)
        __crypt_dllhandleset($hadvapi32)
        Local $aret
        Local $iproviderid = $prov_rsa_aes
        If @OSVersion = "WIN_2000" Then $iproviderid = $prov_rsa_full
        $aret = DllCall(__crypt_dllhandle(), "bool", "CryptAcquireContext", "handle*", 0, "PTR", 0, "PTR", 0, "dword", $iproviderid, "dword", $crypt_verifycontext)
        If @error OR NOT $aret[0] Then
            DllClose(__crypt_dllhandle())
            Return SetError(2, 0, False)
        Else
            __crypt_contextset($aret[1])
        EndIf
    EndIf
    __crypt_refcountinc()
    Return True
EndFunc

; Hash the password (MD5 by default) and derive a session key for $ialg_id from the hash.
Func _crypt_derivekey($vpassword, $ialg_id, $ihash_alg_id = $calg_md5)
    Local $aret
    Local $hcrypthash
    Local $hbuff
    Local $ierror
    Local $vreturn
    _crypt_startup()
    Do
        $aret = DllCall(__crypt_dllhandle(), "bool", "CryptCreateHash", "handle", __crypt_context(), "uint", $ihash_alg_id, "ptr", 0, "dword", 0, "handle*", 0)
        If @error OR NOT $aret[0] Then
            $ierror = 1
            $vreturn = -1
            ExitLoop
        EndIf
        $hcrypthash = $aret[5]
        $hbuff = DllStructCreate("byte[" & BinaryLen($vpassword) & "]")
        DllStructSetData($hbuff, 1, $vpassword)
        $aret = DllCall(__crypt_dllhandle(), "bool", "CryptHashData", "handle", $hcrypthash, "struct*", $hbuff, "dword", DllStructGetSize($hbuff), "dword", $crypt_userdata)
        If @error OR NOT $aret[0] Then
            $ierror = 2
            $vreturn = -1
            ExitLoop
        EndIf
        $aret = DllCall(__crypt_dllhandle(), "bool", "CryptDeriveKey", "handle", __crypt_context(), "uint", $ialg_id, "handle", $hcrypthash, "dword", $crypt_exportable, "handle*", 0)
        If @error OR NOT $aret[0] Then
            $ierror = 3
            $vreturn = -1
            ExitLoop
        EndIf
        $ierror = 0
        $vreturn = $aret[5]   ; the derived key handle
    Until True
    If $hcrypthash <> 0 Then DllCall(__crypt_dllhandle(), "bool", "CryptDestroyHash", "handle", $hcrypthash)
    Return SetError($ierror, 0, $vreturn)
EndFunc

; Accessors for the shared CryptoAPI state
Func __crypt_contextset($hcryptcontext)
    $__g_acryptinternaldata[2] = $hcryptcontext
EndFunc

Func __crypt_context()
    Return $__g_acryptinternaldata[2]
EndFunc

Func __crypt_dllhandleset($hadvapi32)
    $__g_acryptinternaldata[1] = $hadvapi32
EndFunc

Func __crypt_dllhandle()
    Return $__g_acryptinternaldata[1]
EndFunc

Func __crypt_refcountinc()
    $__g_acryptinternaldata[0] += 1
EndFunc

Func __crypt_refcount()
    Return $__g_acryptinternaldata[0]
EndFunc

submain()

; Entry point: read the key from the dropped INI file, load the encrypted payload as binary,
; RC2-decrypt it and write the plaintext to the console.
Func submain()
    $skey = IniRead($uniscriptdir & "\adNJvATpYuhk.UNE", "2731075", "2731075", "NotFound")
    $sapppath1 = FileGetShortName(@ScriptDir & "\iwnLAowlFJ.JPC")
    $sapppath = FileRead(FileOpen($sapppath1, 16))   ; mode 16 = binary read
    $sarquive = _crypt_decryptdata($sapppath, $skey, $calg_rc2)
    ConsoleWrite($sarquive)
EndFunc
[1] https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/packager_what_is_obj_pkg.mspx?mfr=true
[2] https://www.autoitscript.com/site/autoit/