Rechnung Financial Malspam

Posted on 2021-09-29 by Dmitry Melikov

Protecting an organization from today's cyber threats is not a simple but rather extensive task. The threat landscape is constantly changing, requiring a flexible approach to defense. The threats, techniques, and vulnerabilities that cybercriminals exploit may be unknown to organizations that provide protection to their users. This is a prime example of the exploitation of a critical vulnerability. An exploit that was found in the wild.

Since phishing or targeted distribution of documents is often the first step of attackers, interception of such malicious files using machine learning or collected infection indicators is an important approach in ensuring the security of an organization or user.

A few days ago we found a sample that seemed interesting to us. Therefore, we decided to delve deeper into his research and also publish this research.

Image 1: The lure for this document is in German.
File TypeOffice OpenXML Document 
Sha256 184e849d1bca74fa21864da49882f4465b30f1abc21c48821aae6de48e54582e 

This document showed very shallow detection on VirusTotal.

Image 2: Analysis of this sample on the service VirusTotal.

Despite the fact that the detection of this sample across other sources is low, our lab has marked it as malicious.

Let's dive deeper into his research and see what we find. And also what indicators and interesting functions may be present.

The document connects to the server and downloads an executable file, which it later launches.

hxxp://52.57.83.240/update365_0831042[.]exe

File Type.NET Executable
Sha-2565b3823331f0a9c7afa37ec0c5a8e6f2142a7856f189e3acfed04d1b4d1ec1e63 

The executable file contains some pieces of data that are encoded in Base64.

Image 4: Strings in Base64
Image 5: Decoded Line
Image 6:Encoded Payload

In the illustration, we see a large data block encoded in Base64. After decoding, it appears to be a PowerShell script which then executes.

FileTypePowerShell 
sha256f629ee8faba1ff297f4ff389c8ccbc82198c23e443e5c23cc518f77d9d58d64d
Image 7: Payload

The main payload one, which is encoded in Base64, looks like this. This script decodes the dnscat2 tool from its body. And it launches it in order to build DNS tunneling by connecting to a remote server, o365updates[.]net. The program establishes a connection and waits for further commands from the remote server. 

Such attacks are carried out thousands of times each day and threat actors are constantly developing new methods. Contact Us to find out how InQuest's Deep File Inspection platform can detect these malicious documents.

IOCs

XML Document184e849d1bca74fa21864da49882f4465b30f1abc21c48821aae6de48e54582e
XML Documentcbdb4dc896c1d5dfaaef10f8da3de9ec7b263d747d186297bff1a01c837a7c73
.NET EXEed8419e1f3d373b1128987dcaff9a938307167f05b7493c2108db02b610ac379
.NET EXEdbc6a80620aac42ddd2c9f2c51c52f9a4c636c786ee71d61d113462cfa9dffee
.NET EXE5b3823331f0a9c7afa37ec0c5a8e6f2142a7856f189e3acfed04d1b4d1ec1e63
PowerShell Scriptf629ee8faba1ff297f4ff389c8ccbc82198c23e443e5c23cc518f77d9d58d64d
URLhxxp://52.57.83.240/update365_0831042[.]exe
Domaino365updates[.]net
Tags
in-the-wild threat-hunting labs