[ Fake DnB documents malspam delivers Trickbot banking Trojan ]

I happened to chance upon this alert from Singapore Commercial Credit Bureau as shown in the image below.

I got interested in this since it’s a Singapore company giving this alert. I started looking at the samples from VirusTotal and found this interesting email.
An email with the subject of “FW: Case DNB928929” pretending to come from “Dun & BradStreet” but actually coming from a look-a-like domain “” with either a malicious zip attachment containing a .doc file or a .doc attachment delivering Trickbot banking Trojan.

As the malware authors are using email addresses that is similar to the real “Dun & BradStreet” and subjects that will scare or entice a user to read the email and open the attachment.

The email looks like:

The hash of the malicious doc is: 79344f12ecfbd478a564297e339067180625e83c7266c4cab39b2f68440fcb6b

If we were to analyse the malicious doc, we can see the following VBA within it.

For simplicity sake, i’ve made a simpler version to show the decoded string here: https://dotnetfiddle.net/31w0YF
As we can see from the code snippet below, the VBA in the malicious doc will download the payload from “http://calendarortodox[.]ro/serstalkerskysbox.png

That “serstalkerskysbox.png” is actually Trickbot
The hash of that Trickbot is 3e225d16e486fae7df684d73c6e4531fbaf203b898ea899623cf5150a0f13652

As hasherezade already made an awesome video on unpacking Trickbot. Users can just watch the youtube video and learn from it.

As a gentle reminder to all users.
PLEASE be very CAREFUL with email attachments. All of these emails usually use Social Engineering tricks to persuade you to open the malicious attachments that comes attached with the email.

Have Phun
Jacob Soo

[ TECHNICAL TEARDOWN: DBS MalSpam Attack – Bank Fund Transfer ]

Previously, we have written about MalSpam attack in Japan.

Recently, we have found several emails that are being sent out targeting DBS users.

[ Sample used in the analysis ]
MD5: 0a7150f13a5ad4e496992374082232f8
SHA256: d69e487eb19b229901ab9857d508e9ec8e33bd5c5dbfd53b8caaa2de06f1565f
Sample: DBS.Malspam

[ Part 1 : Getting Started ]
For those who want to follow along.
Please do take note, this is a MALICIOUS file, so please do the analysis in a “safe” environment. The password to the attachment is “infected29A

Opening up the .eml file with VisualStudio Code, we can see that the email contain a malicious DOC file (271-20170627-55147_109.doc).

We can also see the contents of that email.
============================================
Dear Customer,

This attached Advice is sent to you for information only.

This is an automatically generated notification.

Please do not reply to this email. Contact us at our corporate hotline at 1800-222-2200 between
8:30am to 6:15pm, for any service requests.

Yours Sincerely,
DBS Bank Ltd

============================================

However, we are more interested in the malicious DOC file. Let’s Base64code decode that back into a DOC file. After decoding that back to a file, we can see that this malicious DOC file contains VBA as shown in the image below.

As the VBA is quite short, we can extract out the decryption method and make use of dotnetfiddle to have a quick decryption of the strings. I’ve made a simple fiddle to show the deobfuscated strings here:
https://dotnetfiddle.net/uniQB6

As you can see here, the VBA will attempt to download the payload from
http://wallpaperbekasi[.]co[.]id/bankadvise/271-20170627-55164_45PDF.exe

The downloaded payload is developed in VB.net.
A quick analysis on the downloaded payload indicates that it’s most likely a dropper.

So let’s load it up in OllyDbg and set a “BreakPoint” on “WriteProcessMemory
Now let’s do right-click “Go to” -> “Expression” -> Type “WriteProcessMemory” and set up a breakpoint on it using F2.

Now you can step through it and eventually you will reach to this point as shown in the image below.

Now right-click on “Buffer” and click on “Follow in Dump” and you can use HxD or Profiler to carve out the dropped payload.

Now dump out the dropped payload.
We can see that it’s yet another Obfuscated .NET malware.

We can use de4dot to deobfuscate it and we should get back a cleaner version of it as shown below.

As i don’t want to bore everyone. A quick look at the decoded strings, the malware is most likely AgentTesla.

The stolen credentials are sent back via email to:
username: tou013@efx.net.nz
password: etou01315

Here is the decoded strings
https://dotnetfiddle.net/PIJjBt

Thanks & Regards
Jacob Soo

SHA-256:
========
Emails containing malicious Doc
d69e487eb19b229901ab9857d508e9ec8e33bd5c5dbfd53b8caaa2de06f1565f
d38359359c5e7abc0b5118f2a7d2afa387b43ccdc52cf18d0e5fefc2f34bec0d
17224da53b266c1a7e487d95b57ad47c21dec82ca42056a785dd816555d46967
a988dd743fc359fc42d2c511f820c758dfc2c5c8301ced4bcfe5ac72672b1cdc

SHA-256:
========
Malicious Doc
db4703a6cea9b700cc17b527e7d0a4e228bdd41659bece18c65f0877724c87a4

SHA-256:
========
Downloaded Payload – 702a17b7accceaa6ffb817a3adf37323a34944d643cbb4524c4e6b7c0900c5e5
Dropped Obfuscated TeslaAgent – 4B6164F16309F6E8426FB89F4AF810929FE574B2EBB724F5CB2237863736E316
Deobfuscated TeslaAgent – 6EAD076346EC568160821BB47F49D463689656F102EDAA06DBA907FDAE3FD5AE

[ n00b Post ] How to check if you have the MS-017-010 Windows Security Update installed

There are so many blogs out there that encourage users to update their Windows OS in particular MS17-010 to protect them from falling victims to WannaCrypt.

But as a normal home user, how do they know whether their machine already have the latest security update and protected from this?

I’ll write in details on how normal home users can check whether they systems are updated or not.

  1. The number in the security update file is usually tied up with the KB (Knowledge Base) number. We can find the official Security Bulletin here: “Microsoft Security Bulletin MS17-010 – Criticalhttps://technet.microsoft.com/library/security/MS17-010 


    Figure 1:
     Screenshot of KB numbers
     

  2. The numbers in the brackets are the KB numbers. Now that we know the security update file that we should install.  Let’s check for the security updates that we have installed on our Windows machines.  We can use one of the built-in tool by Microsoft to do just that.
    Figure 2:  systeminfo command

    Once we do that, you should see something like the image below:

    Figure 3: Screenshot of returned output from systeminfo

  3. As you can see, my VM didn’t have the latest Security Update.  Windows 7 require “4012212” or “4012215” depending your Windows 7 version.
  4. By clicking on the earlier mentioned link, https://technet.microsoft.com/library/security/MS17-010We can click on the relevant Security Update file that we should install.
  5. In my case, the link that I should click on is : http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4012212I should see the following image:

    Figure 4: Downloading of Security Update file

I hope this is a simple to understand guide for home users.
I promised that i would write technical blog posts again. 😀

Best Regards
Jacob Soo

[ Technical Teardown : “Your 2016 Tax Report From IRAS”. In Word 2003 XML Document (.xml)? ]

Several days ago, i saw this “Old Technique” being used again. But i wasn’t interested with it until today when i saw that it’s trying to spoof as Inland Revenue Authority of Singapore (IRAS)

So what is this “Old Technique” that i’m talking about.  It’s basically using the good old “Word 2003 XML Document” trick.  But i’ll walk you through the entire process

[ Sample used in the analysis ]
MD5: 25abc03eb402c1b6b99543cca626c78d
SHA256: 143c59cf481a921b99061557684194041d8462cd31f75ff806b9f1b22940a35d

[ Part 1 : Getting Started ]
For those who want to follow along, this is a linkg to the email file 143c59cf481a921b99061557684194041d8462cd31f75ff806b9f1b22940a35d

Do note, this is a MALICIOUS file, so please do the analysis in a “safe” environment. The password to the attachment is “infected29A

Now, let’s start getting our hands dirty…and open the suspicious email with Visual Studio Code.

As we can see from the above image, the attacker seems to be  sending this spoofed email as  if they are from IRAS and we can find out several things from the email headers

EMAIL HEADERS:

  • Date: Wed, 26 Apr 2017 06:51:42 +0800
  • From (possibly spoofed): “Inland Revenue Authority of Singapore “<tax_no_reply-no@iras.gov.sg>
  • Subject: [IRAS: IMMEDIATE ATTENTION] Your 2016 Tax Report!!!
  • Message-ID: <77724133945041300816867@WIN-2TAK14O2BL3>

However, if we analyse it properly, we know that the attacker probably sent this from this IP address : 62.210.139.92.

Received: from 62-210-139-92.rev.poneytelecom.eu
(62-210-139-92.rev.poneytelecom.eu [62.210.139.92])

Based on the above image, we can see the contents of that email message that it’s trying to do social engineering on the victims and asking the victims to open the “doc” file

EMAIL MESSAGE:

 

[ Part 2 : Email attachment ]

Now let’s try to look at the attachment and we can see this.  No worries, let’s Base64 decode it.

What is interesting after Base64 decoding it, i don’t see a .doc file.  Rather, what we could see is an XML file as shown here.

 

When you open a Microsoft Office Word 2010 XML document, Microsoft Office Word 2007 XML document, or a Microsoft Office Word 2003 XML document, your Microsoft Internet Explorer will not display the document by using the default Internet Explorer. Instead, if you had Microsoft Office installed.  Microsoft Word will open the XML document instead.  Why is this so?

Let’s take a look at the image above.  Starting from Word 2003, Word documents are built using XML in what Microsoft calls the WordprocessingML. Basically Windows will detect this XML (because of the mso-application declaration) and will launch Word if you double-click it.  Microsoft got a good Overview of WordProcessingML here.

But let’s inspect this XML file first.

 

First thing that caught my eye is this.

It’s seems like it’s asking victims to “Enable Content to view” Smells like Macros again.

If we were to look further down, we can see the reference to “/word/vbaProject.bin” as shown in the image below.

Ok, more Base64 decoding to do. Once we decoded, we can spot the familiar “D0CF11E0A1B11AE1

Ok, now let’s save this Base64 decoded file and use Profiler to parse it again and we should be able to see this.

Ok, let’s deobfuscate this Macro and we should get back something like the following:

So basically it’s just downloading the payload from http://travelbag[.]ca/lk/lk/kdabz.exe

The hash of this malware is “305B32DDC8786A56FABDA1114F6BF549AEB1B283FB3915D6076D49A7E5265FCB

Since that malware is developed in .NET, i shall leave the reversing of the malware as an exercise to the readers.

[ Part 3 : Side Note ]

I know some of you are wondering did attackers made this by hand?  I highly doubt so.  I don’t want to encourage script kiddies in replicating this but it’s really simple 🙁

Thanks & Regards
Jacob Soo

 

 

[ Technical Teardown: Analysing MalSpam Attack – 標的型攻撃メール ]

Yesterday afternoon, there is an alert about MalSpam attack happening in Japan.
https://www.cc.uec.ac.jp/blogs/news/2017/04/20170425malwaremail.html

Malware authors have been sending malware via zipped attachments in spam emails for a long long time but many people are still puzzled at why/how it works. I will try to fill in the required information about where to look out for information and how decode some of the information.

Firstly, we are going to learn how are a bit about the .msg file format and how is it used to store a message object in a .msg file, which then can be shared between clients or message stores that use the file system.

In order to analyze the .msg file without Outlook, we can read more about the file format from:

The purpose of this post is to give a better technical understanding of how attackers makes use spam emails to spread malware.

[ Sample used in the analysis ]
MD5: 3370c5c8d0f42a33a652de0cc2f923ed
SHA256: 8613d560b4ab064bb6380fd999b65ef1a436b1f16161ef8789137691e8844587
Sample:

[ Part 1 : Getting Started ]
For those who want to follow along, this is a linkg to the .msg file 8613d560b4ab064bb6380fd999b65ef1a436b1f16161ef8789137691e8844587

Do note, this is a MALICIOUS file, so please do the analysis in a “safe” environment. The password to the attachment is “infected29A

Now, let’s start getting our hands dirty…and open the suspicious .msg file using Profiler.

 

Each “__substg” contains valuable pieces of information. The first four of the eight digits at the end tells you what kind of information it is (Property). The last four digits tells you the type (binary, ascii, Unicode, etc)

  • 0x007d: Message header
  • 0x0C1A: Sender name
  • 0x0C1F: Sender email
  • 0x0E1D: Subject (normalized)
  • 0x1000: Message body

Since this is a forwarded email (SOC-Mail00135 【注意:標的型攻撃メール?】FW 固定床炉処理日報),  we can see that it’s most probably a spoof email from a Japanese Institution.

 

[ Part 2 : Email attachment ]
Since we can’t do proper email investigation, let’s look at the attachments.  Let’s look at “Root Entry/__attach_version1.0_#00000000” and refer to the specifications again.

  • //Attachments (37xx):
  • 0x3701: Attachment data
  • 0x3703: Attach extension
  • 0x3704: Attach filename
  • 0x3707: Attach long filenm
  • 0x370E: Attach mime tag

If we were to look at “__substg1.0_3704001F”, we will see that the filename of the attachment is called “M58A33~1.zip” and the display name “__substg1.0_3001001F” of the attachment is called “M58A33530641949.zip”.

 

Now let’s look at the actual data located within “__substg1.0_37010102” as shown below.

We can see that the zip file contained a .docx file, “vhlwspyw.docx

Now, let’s press “Ctrl+A” to select the entire contents. Then copy it into a new file as shown in the image below

 

We can now analyse the .docx but let’s use Profiler instead since it can already parse this entire Outlook file and identify what is inside the attachment.

As we can see from the image below, the docx contained an embedded OLE object which is actually a Javascript file.

The extracted Javascript looks like this.