A URL can be completely valid, yet still misleading. In this blog, we will present another technique with URLs that we observed in a recent malicious spam campaign. This is the continuation of an earlier blog that discussed how valid URL formats can be used in evading detection.
The spams in this campaign have a PowerPoint Add-in attachment which contains a malicious macro. When the PowerPoint file is closed, it accesses a URL via the Windows binary mshta.exe, and this leads to different malware being installed into the system. This routine is not unusual for macro downloaders. However, we find the obfuscation used on the URL interesting and worthy of further investigation.
Figure 1: The spam containing a PowerPoint Add-in and the PowerPoint’s process tree
Figure 2: The PowerPoint attachment and its macro code where the initial malicious URL is formulated
The domains associated with this campaign are already known to host malicious files and obfuscated malicious data. To trick the email recipient, and avoid being flagged by email and AV scanners, the cybercriminals behind this campaign employed a semantic attack on these URLs.
A URI may have an Authority component and below is its structure. If the Userinfo subcomponent is present, it is preceded by two slashes and followed by an “@” character.
authority = [userinfo@]host[:port]
Userinfo is rarely used, and as such, can be used to try and fool a casual observer. In this campaign, dummy userinfo is incorporated on the URLs. The bad guys are attempting to make the domains unnoticeable yet still conforming with the generic URI syntax.
Figure 3: The URL flow
The initial URL shown in the image above has the domain j[.]mp – a URL shortening service offered by Bit.ly, a URL shortener too. To avoid being characterized as a short URL and eventually evading detection signatures, the string “%909123id” is repeatedly used in the userinfo. Since the URL j[.]mp/kassaasdskdd (shortened from Figure 3) does not require a userinfo to gain access to any resources, the userinfo data will be ignored when the URL is accessed. The first URL, accessed by the PowerPoint attachment, redirects to an obfuscated VBScript hosted on Pastebin.
Figure 4: The obfuscated script on Pastebin and its de-obfuscated data
Figure 5: The registry entry created by the VBScript on Figure 4
The VBScript, contained in the 2nd URL in Figure 3, is a dropper. It writes a PowerShell downloader into the registry and sets its persistence. The PowerShell downloads and processes the raw data on two more Pastebin URLs, and then executes the output binaries.
The third and the fourth URLs are Pastebin URLs too. Both contain dummy userinfo as well which will be ignored by the Pastebin URLs. The content at the third URL pastebin[.]com/raw/uhMtv3Bk (shortened from Figure 3) contains an obfuscated PowerShell code. The PowerShell executes 2 DotNet compiled DLLs – the first DLL bypasses the Anti-Malware Scan Interface (AMSI) and then loads a DLL injector into the memory. The fourth URL pastebin[.]com/raw/Nz1mPUdT (shortened from Figure 3) contains an obfuscated malware Lokibot sample. This will be injected to a legit process notedpad.exe by the DLL injector mentioned earlier.
Summary
We found it interesting that the attackers were using URIs in this way, which essentially is an attack on the user’s preconceived notion of what a URI should look like. It may also defeat security solutions, which may be expecting URIs in a certain format.
Trustwave Secure Email Gateway has added protection for this threat for our customers. As advised by my colleague in the blog, be cautious with URLs received from external emails – investigate links before clicking.
IOCs
Email Attachment
REQUEST FOR OFFER 08-20-2020.ppt (82944 bytes) SHA1: 01A3399F8A075137CD4F68A2B247C509FCEAB21F
DLL Injectors
WindowsFormsApplication68.dll (49664 bytes) F8E91A3A407235583058DF06C2C2CCDE73194A03
Guwav.dll (20480 bytes) SHA1: 70b45d01eea4156610583c8b3dfcab89eeb6f113
Obfuscated VBScipt from pastebin[.]com/raw/XZxTT7Xy
(3346 bytes) SHA1: FC050B623983B10D60ED4557771609C9D10F3C3A
Obfuscated PowerShell from pastebin[.]com/raw/uhMtv3Bk
(525125 bytes) SHA1: 047D7516EF672AE882B322F1E3E9DF2BDF7F4583
Lokibot deobfuscated from pastebin[.]com/raw/Nz1mPUdT
(104.0KB) SHA1: A988B692581A76A6220A641037F7AA254C1F293F
Lokibot Setting URL
hxxp://195[.]69[.]140[.]147/[.]op/cr[.]php/SczbkxCQZQyVr
Lokibot C&Cs
kbfvzoboss[.]bid/alien/fre[.]php
alphastand[.]trade/alien/fre[.]php
alphastand[.]win/alien/fre[.]php
alphastand[.]top/alien/fre[.]php
