During a normal monitoring activity, one of the detection tools hits a suspicious email coming from the validtree.com domain. The domain was protected by a Panama company to hide its real registrant and this condition rang a warning bell on the suspected email so that it required a manual analysis in order to investigate its attachment. Digging into this malicious artifact opened up to a possible raising interest of the infamous TA505 in System Integrator Companies (companies in which have been found that threat).
During the past few weeks suspicious emails coming from the validtree.com domain was detected: they were addressing System Integration Companies. The domain validtree.com is registered through namecheap.com on 2017-12-07T15:55:27Z but recently renewed on 2019-10-16T05:35:18Z. The registrant is protected by a Panama company named WhoisGuard which hides the original registrant name. Currently the domain points to 95.211.151.230 which is an IP address assigned to LeaseWeb a VPS hosting provider located in Netherland, Europe. Attached to the email a suspicious word document was waiting to be opened from the victim.
| Hash | 7ebd1d6fa8c21b0d0c015475ab8c7225f949c13a33d0a39b8c069072a4281392 |
| Threat | Macro Dropper |
| Brief Description | Document Dropper |
| Ssdeep | 384:nFZ5ZtDGGkLmTUrioRPATRn633Dmej0SnJzbmiVywP0jKk:n1oqwT2J633DVgiVy25 |
By opening the word document the victim displays the following text (Image1). The document tempts the victim in enabling the macro functionality in order to re-encode the document with readable charsets by translating the current encoding charset to the local readable one.
A transparent Microsoft-word-shape placed on top of the encoded text avoids the victim to interact with the unreadable text. That document holds two VBA-Macro functions which were identified as a romantic AutoOpen and an additional one named HeadrFooterProperty. Interesting to note that the document had no evidences on VT (during the analysis time), so it could be a revamped threat or a totally new one! The two Macros decoded a Javascript payload acting as a drop and execute by using a well-known strategy as described in: “Frequent VBA Macros used in Office Malware”. The following image shows the decoding process. A first round of obfuscation technique was adopted by the attacker in order to make harder the analyst’s decoding process. That stage implements an obfuscated Javascript embedded code which decodes, by using a XOR with key=11, a third Javascript stage acting as drop and execute on 66.133.129.5 resource. That IP is assigned to Frontier Communications Solutions: a NY based company.
It was nice to read the obfuscated code since the variable names where actually thematically chosen per function. For example the theseus function is obfuscated with “divine terms”, one of my favorite was actually the following conditional branch: If pastorale / quetzalcoatl < 57 Then …, which actually was always true ! 😀 (quetzalcoatl is “feathered serpent” a aztech god, while pastorale is an evocative composition often used for cite or pray to gods). Another fun fact was in the variable name the attacker attributed to the string “JavaScript”: emotionless. In particular the attacker refers to JavaScript through the object “emotionless.Language”. Funny isn’t it?
The final javascript downloader aims to drop a file from http://66[.133[.129[.5/~chuckgilbert/09u8h76f/65fg67n placing it into the system temporary directory and naming it nanagrams.exe. Finally it runs that windows PE file on the victim machine. During the analysis-time the dropping URL was not working, indeed the dropping URL contains a surprise.php. Actually, a misconfiguration of the dropping website allowed us to visualize its source code. As shown in the following image (Image3) the page tracks the visitors through an iframe pointing to: http[://tehnofaq[.work and through a random loop redirects the downloader script to a different dropping URL.
Building a re-directors or proxy chains is quite useful for attackers in order to evade Intrusion Prevention Systems and/or protections infrastructures based upon IPs or DNS blocks. In such a case the redirection script pushes to one of the following domains by introducing the HTML meta “refresh” tag, pointing the browser URL to a random choice between 4 different entries belonging to the following two domains:
The used infrastructure, by analyzing the dropping urls, looks like an old infrastructure used for propagating Ransomware. Indeed it’s possible to observe many analogies with the following dropping urls belonging to a previously utilized Ransomware threat:
The infrastructure used in the attacks suggests the involvement of the cybercrime group TA505. The TA505 group, that is known to have operated both the Dridex and Locky malware families, continues to make small changes to its operations. TA505 hacking group has been active since 2014 focusing on Retail and banking sectors.
Recently security experts at Proofpoint observed the notorious TA505 cybercrime group that has been using a new RAT dubbed SDBbot, it is a backdoor that is delivered via a new downloader dubbed Get2 that was written in C++. The dropper was also used to distribute other payloads, including FlawedGrace, FlawedAmmyy, and Snatch. The used URLs in the attack have the same pattern associated with the notorious crime gang, the researchers also pointed out that the IP addresses (i.e. 66.133.129.5) observed in the attacks were involved in previous campaigns delivering Locky and Dridex malware.
Unfortunately, I was not able to analyse the final payload of the attack chain that was still not available at the time of the analysis. The final stage malware analysis is essential to attempt to attribute the attack to a specific threat actor. The evidence and artifacts collected in this analysis suggest two possible scenarios:
An interesting Maldoc acting as drop-and-execute was identified and spotted in the wild targeting System Integrator based in Europe . From the described analysis we attempted to identify the attacker by observing he was exploiting an old infrastructure behind 66.133.129.5 as a dropping websites.
During the analysis time the attack-path was still incomplete and the attacker didn’t weaponize the dropping websites yet, but the spread document is able to grab content from specific URLs and to run directly on the victim machine.
The used strings for obfuscating the dropper were actually fun and “thematic”. For example strings like “madrillus”, “vulcano”, “pastorale”, “quetzalcoatl” remind an ancient culture (mandrillus, vulcano and quetzalcoatl) while objects like “emotionless” assigned to a specific programming language reminds a witty attacker.
Since no final stage was obtained so far, attribution is quite hard, but TTPs suggest a TA-505 attacker, due to the collected artifacts and to the analyzed URLs.
Additional information, including indicators of compromise (IoCs) are reported in the original post is available on Marco Ramilli’s blog:
About the author: Marco Ramilli, Founder of Yoroi
I am a computer security scientist with an intensive hacking background. I do have a MD in computer engineering and a PhD on computer security from University of Bologna. During my PhD program I worked for US Government (@ National Institute of Standards and Technology, Security Division) where I did intensive researches in Malware evasion techniques and penetration testing of electronic voting systems.
I do have experience on security testing since I have been performing penetration testing on several US electronic voting systems. I’ve also been encharged of testing uVote voting system from the Italian Minister of homeland security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cyber security experiences by diving into SCADA security issues with some of the most biggest industrial aglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cyber security defence center I’ve ever experienced ! Now I technically lead Yoroi defending our customers strongly believing in: Defence Belongs To Humans
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – TA505, cybercrime)
[adrotate banner=”5″]
[adrotate banner=”13″]
U.S. CISA added the Windows Print Spooler flaw CVE-2022-38028 to its Known Exploited Vulnerabilities catalog.…
The U.S. Department of Justice (DoJ) announced the arrest of two co-founders of a cryptocurrency mixer…
Google addressed a critical Chrome vulnerability, tracked as CVE-2024-4058, that resides in the ANGLE graphics…
Nation-state actor UAT4356 has been exploiting two zero-days in ASA and FTD firewalls since November…
A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute…
The Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned four Iranian nationals for their…
This website uses cookies.
