Martijn Lammerts
My own digital place with a little of everything

Spam Campaign Abusing SettingContent-ms Found Dropping Same FlawedAmmyy RAT Distributed by Necurs

31 July 2018

By Anita Hsieh, Rubio Wu, and Kawabata Kohei

Trend Micro detected a spam campaign that drops the same FlawedAmmyy RAT (remote access Trojan) used by a Necurs module to install its final payload on bots under bank- and POS-related user domains. The spam campaign was also found abusing SettingContent-ms – an XML format shortcut file that opens Microsoft’s Windows Settings panel. Malicious SettingContent-ms files were found embedded in a PDF document that drops the aforementioned RAT.


Figure 1. The volume of spam emails on July 12 and 13

From our research and analysis of spam emails sent on July 12 and 13, more than 50 percent of the email accounts that received this spam belonged to banks located in countries like Malaysia, Indonesia, Kenya, Romania, Poland, and Austria.

Infection chain

Figure 2. Infection chain of the spam campaign

The spam emails used subjects such as “invoice” or strings like “important announcement,” “copy,” “Scanned image,” “security bulletin,” and “whats this” to trick recipients. The PDF attached to these emails contained embedded JavaScript code and a “downl.SettingContent-ms” file, similar to what Proofpoint has reported. Once the user opens the PDF, the JavaScript code triggers the SettingContent-ms file.

Once the “downl.SettingContent-ms” file is opened, Windows will run the PowerShell command inside the <DeepLink> tag, which will download the FlawedAmmyy RAT from hxxp://169[.]239[.]129[.]117/cal before executing it. This FlawedAmmyy RAT variant is the same one installed by a Necurs module on bots under bank- and POS-related user domains.
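As an added example (not code from the Trend Micro post), the following Python script does what a defender would want to do with an attachment like this: it parses a .SettingContent-ms file, pulls out the <DeepLink> element that Windows executes when the shortcut is opened, and flags values that do not look like a Settings target. The XML layout (PCSettings/SearchableContent/ApplicationInformation/DeepLink) follows the publicly documented format; the expected benign target `%windir%\system32\control.exe`, the interpreter list, and both sample files are assumptions constructed for the demonstration, and the malicious-shaped sample carries only a harmless placeholder command.

```python
"""Triage a .SettingContent-ms file by inspecting its <DeepLink> element.

Added example, not code from the Trend Micro post.  A SettingContent-ms file is
an XML shortcut; Windows launches whatever the <DeepLink> element names when
the file is opened, which is how the sample in the post ran PowerShell.  The
element layout follows the publicly documented format; the expected benign
target, the interpreter list and the two sample files are assumptions.
"""
import re
import xml.etree.ElementTree as ET

# Interpreters and living-off-the-land binaries that a Settings shortcut never needs.
SUSPICIOUS_BINARIES = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin)(\.exe)?\b",
    re.IGNORECASE,
)
# A URL inside the launch string is a second, independent red flag.
URL_PATTERN = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
# What a benign file is expected to launch (assumption: the Control Panel binary).
EXPECTED_TARGET = re.compile(r"^%windir%\\system32\\control\.exe\b", re.IGNORECASE)

# Constructed sample resembling a legitimate Settings shortcut.
BENIGN_SAMPLE = r"""<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\system32\control.exe</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
    <SettingInformation>
      <Description>@shell32.dll,-4161</Description>
      <Keywords>@shell32.dll,-4161</Keywords>
    </SettingInformation>
  </SearchableContent>
</PCSettings>"""

# Constructed sample in the shape of the abused file: DeepLink launches an
# interpreter with a harmless placeholder command instead of a download.
MALICIOUS_SAMPLE = r"""<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>powershell.exe -NoProfile -Command "Write-Output http://placeholder.invalid/"</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
    <SettingInformation>
      <Description>@shell32.dll,-4161</Description>
      <Keywords>@shell32.dll,-4161</Keywords>
    </SettingInformation>
  </SearchableContent>
</PCSettings>"""


def _local(tag):
    """Strip an XML namespace prefix so the parser works with or without it."""
    return tag.rsplit("}", 1)[-1]


def extract_deeplinks(xml_text):
    """Return every <DeepLink> text value found in the document, in order."""
    root = ET.fromstring(xml_text)
    return [(el.text or "").strip() for el in root.iter() if _local(el.tag) == "DeepLink"]


def assess_deeplink(deeplink):
    """Return a list of findings for one DeepLink value (empty means nothing odd)."""
    findings = []
    if not EXPECTED_TARGET.match(deeplink):
        findings.append("deeplink does not point at %windir%\\system32\\control.exe")
    m = SUSPICIOUS_BINARIES.search(deeplink)
    if m:
        findings.append(f"launches interpreter/LOLBin: {m.group(1).lower()}")
    if URL_PATTERN.search(deeplink):
        findings.append("launch string contains a URL")
    return findings


def triage(xml_text):
    """Parse a SettingContent-ms document and return (verdict, findings)."""
    links = extract_deeplinks(xml_text)
    if not links:
        return ("no-deeplink", ["no <DeepLink> element present"])
    findings = []
    for link in links:
        findings.extend(assess_deeplink(link))
    return ("suspicious" if findings else "benign", findings)


if __name__ == "__main__":
    print("benign sample   :", triage(BENIGN_SAMPLE))
    print("malicious sample:", triage(MALICIOUS_SAMPLE))
```

The same extraction logic can be pointed at files carved out of a PDF's embedded-file streams; the verdict only looks at the launch string, so a DeepLink that names an interpreter or a URL is flagged even if the rest of the file is copied verbatim from a legitimate shortcut.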


Figure 3. Spam mail sample showing a PDF attachment with JavaScript code and SettingContent-ms


Figure 4. The embedded JavaScript code that will be automatically triggered once the PDF is opened


Figure 5. The embedded “downl.SettingContent-ms” file that the JavaScript code opens


Figure 6. The JavaScript code used to open the “downl.SettingContent-ms” file


Figure 7. The “downl.SettingContent-ms” file that the JavaScript code opens after it opens the PDF


Figure 8. The content of the “downl.SettingContent-ms” file that contains the PowerShell command for downloading the FlawedAmmyy RAT

FlawedAmmyy RAT – the spam campaign’s connection to Necurs

Recently, Necurs has been showing interest in bots with specific characteristics. On July 12, Necurs pushed a module – a downloader of the FlawedAmmyy RAT – to its bots. The module checks whether the bot’s user domain name contains any of the following keywords: bank, banc, aloha, aldelo, and postilion (as seen in Figure 10). Aloha is a restaurant POS system, Aldelo is an iPad POS system, and Postilion is a solution for acquiring payments or transactions across all channels, from ATM and POS to e-commerce and mobile. If the bot’s user domain matches Necurs’ criteria, the module downloads and executes the final payload from hxxp://169[.]239[.]129[.]117/Yjdfel765Hs.


Figure 9. The module obtained the bot’s user domain via the cmd command echo %%USERDOMAIN%%


Figure 10. The module checks if the user domain contains any of the highlighted keywords

Trend Micro Solutions

To defend against spam and threats like Necurs, businesses can take advantage of Trend Micro™ endpoint solutions such as Trend Micro Smart Protection Suites and Worry-Free™ Business Security. Both solutions can protect users and businesses from threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs. Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs.

Trend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions.

Trend Micro™ OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware.

Indicators of compromise (IoCs)

IoC | IoC Type | Description
5181ede149a8cd560e9e0958be51ec069b486c8714efc02509ab12eee08183a8 | SHA256 | Necurs module that checks if the bot is potentially bank- or POS-related
576a373ccb9b62c3c934abfe1573a87759a2bfe266477155e0e59f336cc28ab4 | SHA256 | PDF used in the spamming campaign on July 12 and 13
42ded82ef563db3b35aa797b7befd1a19ec925952f78f076db809aa8558b2e57 | SHA256 | FlawedAmmyy RAT dropped by the Necurs module and the spam campaign on July 12
185[.]99[.]132[.]119:443 | IP + Port | C&C of the FlawedAmmyy RAT
hxxp://169[.]239[.]129[.]117/Yjdfel765Hs | URL | URL used to download the FlawedAmmyy RAT in the Necurs module
hxxp://169[.]239[.]129[.]117/cal | URL | URL used to download the FlawedAmmyy RAT in the SettingContent-ms file embedded in the PDF
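Also added here, and not part of the original post: a small Python helper that refangs the defanged network indicators above (hxxp:// and [.] must be undone before they can be matched) and sweeps log lines for them. Exact hits on the full URL or IP:port are reported separately from hits on the shared host, so a confirmed payload fetch can be told apart from other traffic to the same server. The indicator values are the ones in the table; the log lines and their format are constructed for the demonstration.

```python
"""Refang the post's defanged IoCs and sweep log lines for them.

Added example, not part of the Trend Micro post.  Indicator values are the ones
published in the IoC table; the log lines and their format are constructed.
Exact matches (full URL or IP:port) are reported separately from hits on the
shared host, so an analyst can tell a confirmed payload fetch from traffic to
the same infrastructure on another path.
"""
import re

# Indicators as published: hxxp:// and [.] must be undone before matching.
DEFANGED_IOCS = {
    "hxxp://169[.]239[.]129[.]117/cal": "FlawedAmmyy download URL (SettingContent-ms inside the PDF)",
    "hxxp://169[.]239[.]129[.]117/Yjdfel765Hs": "FlawedAmmyy download URL (Necurs module)",
    "185[.]99[.]132[.]119:443": "FlawedAmmyy C&C",
}

# Constructed proxy/firewall log lines for the demonstration.
LOG_LINES = [
    "2018-07-12T08:41:03Z proxy src=10.0.5.21 GET http://169.239.129.117/cal status=200",
    "2018-07-12T08:41:09Z fw src=10.0.5.21 dst=185.99.132.119:443 action=allow",
    "2018-07-12T08:43:57Z proxy src=10.0.5.30 GET http://169.239.129.117/favicon.ico status=404",
    "2018-07-12T09:02:11Z proxy src=10.0.5.44 GET http://www.example.com/invoice.pdf status=200",
]


def refang(value):
    """Turn a defanged indicator back into its matchable form."""
    value = re.sub(r"(?i)^hxxp", "http", value)
    return value.replace("[.]", ".")


def host_of(indicator):
    """Extract the bare host from a refanged URL or host:port indicator."""
    without_scheme = re.sub(r"^[a-z]+://", "", indicator, flags=re.IGNORECASE)
    return without_scheme.split("/")[0].split(":")[0]


def contains(needle, line):
    """Whole-token match so 1185.99.132.119 or /calendar do not count as hits."""
    return re.search(r"(?<![\w.])" + re.escape(needle) + r"(?![\w.])", line) is not None


def build_matchers():
    """Return (refanged_value, description, host) for every published IoC."""
    return [(refang(d), desc, host_of(refang(d))) for d, desc in DEFANGED_IOCS.items()]


def sweep(log_lines):
    """Return (line_no, matched_value, description, match_kind) for each hit."""
    hits = []
    matchers = build_matchers()
    for n, line in enumerate(log_lines, 1):
        seen_hosts = set()
        # Pass 1: exact indicator matches.
        for clean, desc, host in matchers:
            if contains(clean, line):
                hits.append((n, clean, desc, "exact"))
                seen_hosts.add(host)
        # Pass 2: same host, different path or port; reported once per host.
        for _, _, host in matchers:
            if host in seen_hosts or not contains(host, line):
                continue
            seen_hosts.add(host)
            hits.append((n, host, "known infrastructure, different path or port", "host-only"))
    return hits


if __name__ == "__main__":
    for hit in sweep(LOG_LINES):
        print(hit)
```

The file hashes in the table are left out of the sweep because they belong in an endpoint or mail-gateway hash lookup rather than a network log search; the same `refang` step applies to any other defanged indicator before it is loaded into a blocklist or SIEM rule.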

 
