Martijn Lammerts
My own digital place with a little of everything

IQY and PowerShell Abused by Spam Campaign to Infect Users in Japan with BEBLOH and URSNIF

By Junestherry Salvador 

Trend Micro recently saw increased abuse of the internet query file IQY, similar to the activity detected in June from a Necurs-distributed spam wave that delivered the FlawedAmmyy RAT. It appears cybercriminals are taking advantage of the simple structure of IQY files because they can be used to evade structure-based detection methods.

Our latest observation found the Cutwail botnet distributing spam mails abusing IQY files. The spam campaign specifically targets users in Japan, delivering either the BEBLOH (detected by Trend Micro as TSPY_BEBLOH.YMNPV) or URSNIF (TSPY_URSNIF.TIBAIDO) malware. The spam mails attempt to trick users into clicking the attachment using conventional social engineering baits such as “payment,” “photos sent,” “photos attached,” and “please confirm,” among others. The campaign’s activity was detected on August 6, 2018, and has managed to distribute approximately 500,000 spam mails. The spam distribution has since died down on August 9.

Figure 1. Volume of spam mails detected from August 6-10, 2018

Infection chain

Figure 2. Infection of the spam campaign

Based on our analysis of the first wave of spam mails detected on August 6, if the user opens the attached IQY file, it queries to the URL indicated in its code. The web query file pulls data, which contains a script that can abuse Excel’s Dynamic Data Exchange (DDE) feature, from the targeted URL into an Excel file. This enables the execution of a PowerShell process, which checks if the infected machine’s IP address is located in Japan. A Japan IP address triggers the final payload of BEBLOH or URSNIF, but it won’t download the final payload if it detects an IP address from another country.

Figure 3. Sample spam mail from the first wave of distribution that started on August 6. Translated In English, the subject reads “Photo attached,” while the message body reads “Always thank you for your help. I will send it in XLS version. Please check attached file, thank you. Thanking you in advance.”

In the second wave of spam mails detected on August 8, the PowerShell scripts used to download the final payload were obfuscated — a common scheme used to make it difficult for security solutions to analyze the scripts. We also observed that URSNIF has become the lone malware in the payload. Apart from these changes, the campaign’s infection chain remains similar to the first wave of spam mails.

Figure 4. Spam mail sample from the second wave that started on August 8. Translated In English, the subject says “Photo,” while the message body says “Thank you for your help. I will send a picture.”

Figure 5. Code snippet of the PowerShell script

Figure 6. Code snippet of the obfuscated PowerShell script


BEBLOH and URSNIF were notably active in Japan in 2016. BEBLOH is a banking trojan designed to steal money from victims’ bank accounts without them even noticing. Meanwhile, URSNIF is known for being a data-stealing malware armed with behaviors that include hooking executable files for browser monitoring and using simple checks to evade sandbox detections, among others.

Our analysis of TSPY_BEBLOH.YMNPV (the BEBLOH variant involved in this campaign) found that it modifies the infected system by adding registry entries to enable its automatic execution on every system startup.  The following data will be collected:

  • Explorer File Information
  • Keyboard Layout
  • Machine Name
  • Network Configuration (IP address, Socket, Ports)
  • OS Information (Version, Product ID, Name, Install Date)
  • Volume Serial Number

TSPY_URSNIF.TIBAIDO, apart from the usual system modifications, collects the following data:

  • Captured Screenshot
  • Clipboard Logs
  • Computer Name
  • Cookies
  • Digital Certificates
  • Email Credentials
  • Installed device drivers
  • Installed Programs
  • IP Address
  • Keyboard Logs
  • Running processes and services
  • System Information

This variant of URSNIF saves stolen information in a file and then uploads it, monitors internet browsing activities, hooks APIs of target processes, disables protocols in Mozilla Firefox, and terminates itself if it runs under a virtual machine or sandbox.

Protect Your Network from Spammed Threats

To protect against spam and threats like BEBLOH and URSNIF, enterprises can take advantage of Trend Micro™ endpoint solutions such as Trend Micro Smart Protection Suites and Worry-Free™ Business Security. Both solutions protect users and businesses from threats by detecting malicious files and spammed messages, and blocks all related malicious URLs. Trend Micro Deep Discovery™ has a layer for email inspection that can protect enterprises by detecting malicious attachment and URLs. Deep Discovery can detect the remote scripts even if it is not being downloaded in the physical endpoint.

Trend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions. Trend Micro™ Email Reputation Services™ detects the spam mail used by this threat upon arrival.

Trend Micro™ OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware.

Indicators of Compromise (IoCs)

 First wave (August 6):

Detection Names SHA256s Description
TROJ_MALIQY.E e9202586bd09cf9457025de2db62622b8d231de0f1ecc5d64ee71909c4c9c3a2 .IQY File attachment which will query the targeted URL hxxp://jiglid[.]com/sc4?
TROJ_DLOADR.AUSUMV fe89c50f242f54c09a4a8de3f3c3fd813e6dc41af59cf21ab669b05efedfd0c8 Queried command line script to execute PowerShell in order to download another file from hxxp://jiglid[.]com/sc4-2.dat
TROJ_DLOADR.AUSUMV c5d706f09a79bde59257fab77c5406fba89d10efdb9e4941a8b3c1677da1c878 PowerShell script to check if infected machine’s IP address is from Japan, then proceeds to downloading payload from hxxp://jiglid[.]com/ms.xlsx
TSPY_BEBLOH.YMNPV 5533187aeae5b20d0628496f2ee671704bc806b16f4ce8b92468e9db3343957b Final payload: BEBLOH
TSPY_URSNIF.TIBAIDO 9e6535f7cda29e64af7711347271776cbe1242f33c745c61b5320c84eda5bc7e Final payload: URSNIF

Second wave (August 8):

Detection Names SHA256s Description
TROJ_MALIQY.F b52bf37f47e7991f26b3ecc679d9fc78037f950cbd63ac220ab06b5d5cf5dcfd .IQY File attachment which will query the targeted URL hxxp://jiglid[.]com/exel
TROJ_POWLOAD.TIAOEIG 70f3bda067b9c3519c909da0b0fda85fcd45f84093f416520972d5b1387c5894 Queried command line script to execute PowerShell in order to download another file from hxxp://jiglid[.]com/version
TROJ_POWLOAD.TIAOEIG 8e7e90ca9812222ed762e6f6db677361aa0db526eca54b2a09fb1cfa41eed63f Non-obfuscated PowerShell script to check if infected machine’s IP address is from Japan, then proceed to downloading payload from hxxp://jiglid[.]com/JP
TROJ_POWLOAD.THHOIAH 0323da8293f583e42fd14ad7e997bb3ecc0a508fef9d486314f4d1a1d5c65f58 Obfuscated PowerShell script to check if infected machine’s IP address is from Japan, then proceed to downloading payload from hxxp://jiglid[.]com/JP
TSPY_URSNIF.TIBAIDO 87f0e03c2bb71d7fd620f5693700fca08eefe8f42803051a9d1c4f90e0c5fd57 Final Payload: URSNIF


The post IQY and PowerShell Abused by Spam Campaign to Infect Users in Japan with BEBLOH and URSNIF appeared first on .