Research by: Yohann Sillam and Daniel Alima
Introduction and Context
Check Point researchers are following an evolving, ongoing malspam campaign that is targeting more than 80 Turkish companies. The malware uses different evasive methods to bypass security solutions.
The initial attack vector starts with a phishing email that includes an Office file attachment. The file is in a 20-year-old BIFF format, which common Office parser tools cannot parse. In the next stage, a malicious JAR file is downloaded. This file is heavily obfuscated and carries several evasion techniques to avoid detection by security products. The JAR file then drops Adwind RAT, a multiplatform malware, which is configured to steal sensitive information and send it to the attacker's Command and Control (C&C) server while giving the attacker remote access to the victim's machine.
All of these files have a very low detection rate on VirusTotal, most likely due to the heavy obfuscation.
- The attacker sends a malicious email to the victim.
- The victim triggers the malicious content.
- A malicious RAT is downloaded from a GitHub repository.
- The malware establishes a connection with its C&C server.
Figure 1: Infection Chain
Downloading the malicious JAR file
Subject: Hello. Yearly life insurance documents
Body: Attached is the document that is forwarded by Mrs. Asena, the responsible…
Waiting for your response …
I wish you success in your work.
The initial malicious documents are either XLS or CSV files. The XLS files contain an External Reference record, designed to trigger the download of a malicious JAR file:
Figure 2: Malicious External Reference record (RecordType highlighted) from an XLS malicious file.
The command `cmd /c powershell -executionpolicy bypass -W Hidden -command` aims at downloading a JAR file called zpmqwjs.docx.
Externsheet injection is a rare technique, which explains why the file was detected by only a small number of security vendors, as shown in Figure 3 below:
Figure 3: VirusTotal verdict of the previous XLS file.
Moreover, the attackers added many junk and special characters to the cell content and used a 20-year-old BIFF version (BIFF5), so that detection tools fail to parse the file. This is the error returned by the BiffView analysis tool:
Figure 4: BiffView trying to process the XLS file.
The CSV file is used to download the same JAR via the formula injection technique.
Both of these vectors require user interaction to download the malicious JAR executable.
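As an added example (not code from the original research), this is the record-level check a defender can run over a raw BIFF workbook stream to flag external-link records that carry a shell command, as in the Externsheet injection above. It assumes the workbook stream has already been extracted from the OLE2 container, uses the standard BIFF record ids, and the sample stream and its command string are constructed here.

```python
import struct

# BIFF record ids relevant to the Externsheet injection described above
BOF, EOF = 0x0809, 0x000A
EXTERNSHEET, EXTERNNAME = 0x0017, 0x0023
LINK_RECORDS = {EXTERNSHEET: "EXTERNSHEET", EXTERNNAME: "EXTERNNAME"}

# Substrings that do not belong in a legitimate external-link record
SUSPICIOUS = (b"cmd", b"powershell", b"-w hidden", b"executionpolicy")


def iter_biff_records(stream: bytes):
    """Walk a raw BIFF workbook stream: each record is <type u16><len u16><data>."""
    pos = 0
    while pos + 4 <= len(stream):
        rec_type, rec_len = struct.unpack_from("<HH", stream, pos)
        data = stream[pos + 4:pos + 4 + rec_len]
        if len(data) < rec_len:  # truncated stream: stop instead of crashing
            break
        yield rec_type, data
        pos += 4 + rec_len


def biff_version(stream: bytes):
    """Return the 'vers' field of the leading BOF record (0x0500 = BIFF5), or None."""
    for rec_type, data in iter_biff_records(stream):
        if rec_type == BOF and len(data) >= 2:
            return struct.unpack_from("<H", data, 0)[0]
        break
    return None


def scan_external_links(stream: bytes):
    """Return (record_name, payload) for link records whose payload looks like a shell command."""
    hits = []
    for rec_type, data in iter_biff_records(stream):
        if rec_type in LINK_RECORDS and any(s in data.lower() for s in SUSPICIOUS):
            hits.append((LINK_RECORDS[rec_type], data))
    return hits


def biff_record(rec_type: int, data: bytes) -> bytes:
    """Build one BIFF record (used only to construct the sample below)."""
    return struct.pack("<HH", rec_type, len(data)) + data


# Constructed sample stream (not the real sample): BIFF5 BOF, an EXTERNSHEET record whose
# BIFF5 body is <cch u8><string> carrying a command modelled on the one quoted above, then EOF.
SAMPLE_CMD = b"cmd /c powershell -executionpolicy bypass -W Hidden -command (elided)"
SAMPLE_STREAM = (biff_record(BOF, struct.pack("<HHHH", 0x0500, 0x0005, 0, 0))
                 + biff_record(EXTERNSHEET, bytes([len(SAMPLE_CMD)]) + SAMPLE_CMD)
                 + biff_record(EOF, b""))
```

Because the scan works on raw records rather than on a parsed cell model, it still produces a verdict on files that make full BIFF parsers bail out, which is the failure mode the BiffView error above illustrates.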
GitHub Pages, hosted under pages.github.com, is a static site hosting service by GitHub. It lets webmasters serve web content directly from their GitHub repositories. The attacker responsible for this campaign created a website with the GitHub Pages service to distribute the malware samples hosted in their repositories.
Figure 5: Board of the attacker's GitHub account.
One user associated with the GitHub repositories is named “5308682.” This account is associated with 18 different repositories. The current repository used for this campaign is “ofxamz19.”
Most of the files hosted by the attacker were variants of the same malicious JAR file under different filenames: "wucgy3jecwgpv.svg", "6da7uj4b4oi2a.pdf", "zpmqwjs.docx" and more.
Evolution of the Campaign
Talos and Sophos reported earlier stages of the campaign. We noticed an evolution of this campaign, showing that the attackers are constantly improving their technique to maintain a low detection rate.
Figure 6: Campaign Evolution
The dropper and the payload
The dropper and payload files were obfuscated and detected by only a few security vendors. None of the decompilers we tried (JD-GUI, Fernflower, CFR, Procyon, ...) was able to decompile them entirely; see Figure 7 for an example.
Figure 7: CafeBabe failing to decompile the dropper
Figure 8: Malicious JAR file detected by almost no security vendors.
Figure 9: Obfuscated main function of the dropper (Fernflower decompiler).
Figure 9 shows the decompiled code of the dropper. Every function call is wrapped in a decryption function (Gv), and comparisons are performed between encrypted values.
Given the decompiler failures shown in Figure 7, we concluded that the best way to analyze this JAR file was to debug it at the bytecode level. The arguments of all static functions called at runtime (including the decryption function) were encrypted, and so were their outputs. All interesting function calls went through dynamic invocation.
The relationship between the `Gv` function and Java's `findStatic` and `findDynamic` lookups helped identify `Gv` as the main decryption function.
Figure 10: Breakpoint on the Gv function showing an encrypted dynamic call
Compared to previous versions of the campaign, the malware performs several new evasion techniques to fool generic emulation sandboxes:
- Check if the default locale of the JVM is set to Turkish.
- Check if the language of the machine is Turkish.
- Check if the country configured on the computer is Turkey.
Then, the malware connects to checkip.amazonaws.com to retrieve the public IP address and queries ipinfo.io/public_ip/country to check whether the country associated with that IP is Turkey.
If any of these conditions is not met, the malware does not reveal its true behavior.
Then, the payload enumerates installed antivirus products via WMIC.exe and sends this information to the C&C server:
`WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List`
The Windows utility attrib.exe is then used to mark the payload as a hidden file.
The malware author put some effort into finding an attractive icon and a name (Uninstall) that would not raise suspicion. The malware is associated with a Windows object: double-clicking the malware icon opens the Control Panel board shown in Figure 11 in order to mislead the victim. Indeed, double-clicking the icon does not start any malicious behavior; only running the file with the Java program starts the information stealing.
Older versions of the malware were associated with the Trash folder instead.
Figure 11: Board and icon
Figure 12: Registry key under HKCU for persistence.
The registry key written at `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run` ensures that the malware persists across machine restarts.
After running through all the evasion mechanisms presented in the previous section, the malware tries to connect to 21736.xyz on TCP port 1505:
Figure 13: Extract of the malware's memory
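As an added example (not code from the original research), these are the host-side detection rules a defender could derive from the behaviour described above: the locale and public-IP checks, the WMIC antivirus enumeration, the attrib hiding of the payload and the outbound connection on port 1505. The Sysmon-style events, the javaw.exe path as the RAT's process and the victim's file path are all constructed or assumed here.

```python
import re

# Constructed Sysmon-style events, not real telemetry from the campaign. The javaw.exe
# path and the victim's file path are assumptions made for this sample only.
SAMPLE_EVENTS = [
    {"type": "process", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "CommandLine": r"WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"},
    {"type": "process", "Image": r"C:\Windows\System32\attrib.exe",
     "ParentImage": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "CommandLine": r"attrib +h C:\Users\victim\AppData\Roaming\Uninstall.jar"},
    {"type": "network", "Image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "DestinationHostname": "ipinfo.io", "DestinationPort": 443},
    {"type": "network", "Image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "DestinationHostname": "21736.xyz", "DestinationPort": 1505},
    {"type": "process", "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
]

JAVA_IMAGES = ("java.exe", "javaw.exe")
GEOIP_HOSTS = ("checkip.amazonaws.com", "ipinfo.io")


def is_java(path):
    return path.lower().endswith(JAVA_IMAGES)


# (rule name, predicate over one event); each rule encodes one behaviour described above
RULES = [
    ("wmic_av_enumeration", lambda e: e["type"] == "process"
     and e["Image"].lower().endswith("wmic.exe")
     and re.search(r"securitycenter2.*antivirusproduct", e["CommandLine"], re.I) is not None),
    ("java_hides_file_with_attrib", lambda e: e["type"] == "process"
     and e["Image"].lower().endswith("attrib.exe") and is_java(e["ParentImage"])
     and re.search(r"\s\+h\b", e["CommandLine"], re.I) is not None),
    ("java_public_ip_lookup", lambda e: e["type"] == "network"
     and is_java(e["Image"]) and e["DestinationHostname"] in GEOIP_HOSTS),
    ("java_connects_to_port_1505", lambda e: e["type"] == "network"
     and is_java(e["Image"]) and e["DestinationPort"] == 1505),
]


def evaluate(events):
    """Return (rule_name, event) pairs that fired, in event order."""
    return [(name, e) for e in events for name, pred in RULES if pred(e)]


def fired_rules(events):
    return [name for name, _ in evaluate(events)]
```

Each rule on its own is noisy (many legitimate installers call attrib, and many programs look up their public IP); the signal here is a Java process producing several of them in sequence, so in practice these would be correlated per process rather than alerted on individually.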
Figure 14: Generic Adwind v3.0 attacker dashboard
The picture above shows the dashboard of the standard version of Adwind 3.0. This board gives the attacker the following abilities:
- Taking screenshots.
- Taking pictures and recording videos or sounds from the PC.
- Stealing files, cached passwords and web data.
- Collecting keystrokes.
- Collecting VPN certificates.
- Controlling the SMS system of Android devices.
- Moving laterally in the network.
Check Point protections:
As part of the Check Point SandBlast Zero-Day Protection solution, SandBlast Network prevents these attacks. This innovative zero-day threat sandboxing capability within the SandBlast solution delivers the best possible catch rate for these threats.
SandBlast Network Protections:
- Anti-Virus blade includes hash signatures for the RAT.
- Anti-Bot blade includes network signatures for the RAT’s behavior, as well as C&C domains.
IPS protections:
- Communication with the CnC.
We would like to thank our colleague Itay Cohen for his valuable contribution to this research.