Volume License Trojan Chanitor targets enterprises

Cisco experts discovered a phishing campaign that is spreading fake Volume License Trojan Chanitor to corporate users and is able to evade sandboxes.

A few weeks ago, multiple Cisco Managed Threat Defense (MTD) customers received an email that appeared as sent by the Microsoft Volume Licensing Service Center (VLSC), which contains a link to login to the Volume Licensing Service Center.

The Microsoft Volume Licensing Service Center is the services used by the company customers to get their licenses for Microsoft products, usually as activation code.

The malicious mails are tailored for each customer and inform Microsoft customers they have been assigned new licenses for free, its recipient seems to be a Microsoft account, but a keen eye just hovering the mouse over the link is able to discover that the mail was sent by one of these domains:

• livihome[.]pl
• tirillycompagnie[.]com
• redwoodrecycling[.]com
• gdc[.]travel

The researcher from Cisco discovered that threat actors hosted the malicious pages on compromised WordPress instances.

“Hackers added extra pages to the legitimate ones at a location like: http://tirillycompagnie[.]com/wp-content/tinymce-advanced/mc/searchreplace/1.php”  states the blog post form Cisco.

The attack aims to compromise corporate users, when victims click on the link included in the email they are redirected to the Microsoft Volume Licensing Service Center (VLSC) login page.

In reality the malicious link triggered the execution of a Javascript function that displays users the real Microsoft Volume License Center login page and starts a download of the fake volume license, which is an instance of the Chanitor trojan in the format of a .zip file.

Also in this case, by looking closely in the download window for the .Zip file, it is possible to note that the source of the download is http://tirillycompagnie[.]com, unfortunately for the majority of users this is an insignificant detail.

Threat actors are trying to serve Chanitor malware on corporate networks, the evasion technique adopted by crooks, appears very effective, Cisco researchers confirmed that initially, the detection rate was very low, just  9 out of 57 antivirus programs.

The analysis confirmed that the Sandbox Evaluation of the malware use in the malicious campaign failed, initially, the detection by antivirus software was a low 9 out of 57 antivirus programs.

“MTD investigators turned to sandbox analysis for the file. Detonating the malware on three commercial and one open source sandbox solution yielded no success.  The malware seemed to know it was being analyzed and exited after 20 seconds without doing anything.  The name given by antivirus programs was Chanitor which is used to download other malware.  This downloader has been used in many attacks such as fake fax, fake voicemail, fake invoice and fake purchase order email attacks.” continues the post. “[It] sleeps to wait out automatic sandbox analysis before starting to communicate on the internet.”

The researchers used debugger in a real environment for the analysis of the Chanitor agent component and determine its command and control infrastructure.

They discovered that the malware was exploiting Tor network to communicate with its C&C server. The analysis revealed that Chanitor trojan uses the anonymize network in case a series of IP address in the surface web is not available as visible by looking at DNS queries and IP used at the time of analysis:

• api[.]ipify[.]org – 50.16.221.126, 54.225.211.214, 54.235.186.52
• o3qz25zwu4or5mak[.]tor2web[.]org – 194.150.168.70, 38.229.70.4
• o3qz25zwu4or5mak[.]tor2web[.]ru – 166.78.144.80

The attacks detected by Cisco demonstrate that criminal gangs are improving phishing techniques to compromise the corporate networks, in the specific case the experts consider valuable the sandbox evasion implemented for the Chanitor malware that evidently requested a considerable skill of the malware authors.

(Security Affairs –  Chanitor malware, phishing)