Search This Blog

Showing posts with label Microsoft Word. Show all posts

A Module-Based Malware Spread by Word Document

As a module-based malware, Trickbot a malware family previously captured by FortiGuard Labs and afterward analyzed in 2016. It can broaden its functionalities by downloading new modules from its C&C server and executing them on its victim's device. 

While it was at first recognized as banking Trojan, it has progressively extended out its functionalities to gather credentials from its victims' email accounts, browsers, installed network applications and so on. It is likewise able to send spam to its victim's email contacts, just as deliver other malware to the victim's device, like Emotet. As of late, FortiGuard Labs captured an MS Office Word sample in the wild that is spreading another variation of TrickBot. 

This is how by which it chips away at the victim's machine. At the point when the malevolent Word document is opened with MS Office Word, it requests input, by requesting that the victim click the "Enable Content" button to empower the document's Macro feature. When this is done, its malicious Macro (VBA code) is executed. By going to the Menu "Developer"- > "Visual Basic" we can look at the Macro's VBA modules and code. 

The Macro project is password-protected, so one can't see any of the detailed data until the right password is provided. Luckily, there is an approach to sidestep this protection by changing its binary file. On the form, there is a Label control containing the malignant JS code, sketched out with a red rectangle. One of the VBA modules has an autorun() function which is called consequently when the Word doc opens. The VBA code at that point separates two files onto the victim's framework. 

 One document is "C:\AprilReport\LogsTsg\LogsTsg7\LogsTsg8\List1.bat", with content "cscript/nologo C:\AprilReport\List1.jse", and the other is "C:\AprilReport\List1.jse", with JavaScript code from the label control, which is a tremendously jumbled JavaScript code. At that point, it begins the first extricated file "List1.bat", which calls "script" running the huge JavaScript document "List1.jse". The JavaScript code is heavily muddled. This secures the API function calls and consistent strings from being distinguished. They additionally utilize tons of unknown functions also.

At the point when the code starts, it first waits around for a minute to sidestep any auto-analysis devices by appearing to be dormant. After waiting, it then proceeds with the command "Select * from Win32_Process" to acquire every running procedure. It at that point puts the entirety of the names of these acquired procedures together and verifies whether its length is less than 3100. 

Provided that this is true, it will raise an exception and close. For the most part, on a real computer, this length is bigger than 3100. As of now, it’s better ready to sidestep numerous auto-analysis systems, including Sandboxes and Virtual Machines. 

For the solution for this issue, Fortinet customers are already said to have been shielded from this TrickBot variation by FortiGuard's web filtering, Antivirus, and IPS benefits as follows: The downloading URL is appraised as "Malicious Websites" by the FortiGuard Web Filtering service. The Word doc and downloaded Dll record are distinguished as "VBA/TrickBot.MRVB!tr" and
"W32/TrickBot.EFDC!tr" and further blocked by the FortiGuard AntiVirus administration. 

The IP locations of the C&C server are identified and then blocked by the FortiGuard IPS signature "Trojan.TrickBot".

Hackers Utilize Hosting Infrastructure in the United States and Host 10 Malware Families

Hackers host10 malware families and distribute them through mass phishing campaigns via utilizing the hosting infrastructure method in the US.

The cybercriminals have been said to reuse similar servers so as to easily host diverse malware that demonstrate the coordination of a common entity between the malware operators.

The said hosted malware families incorporate five banking Trojans, two ransomware and three information stealer malware families. The malware incorporates the easily recognizable ones, like the Dridex, GandCrab, Neutrino, IcedID, and others.

Bromium, a venture capital–backed startup working with virtualization technology subsequent to tracking the operations for just about a year says that, “Multiple malware families were staged on the same web servers and subsequently distributed through mass phishing campaigns.”

The malware families hosted in the server have separation with the C2 servers, which shows that one threat actor is in charge of email and 'hosting' and another for the malware tasks.

The malware facilitated servers run the default establishments of CentOS and Apache HTTP, and the payloads are ordered and hosted in less than 24 hours. All the malware are disseminated with phishing messages that convey macro implanted pernicious word documents that consist of links indicating the malware hosted servers.

Bromium said, “63% of the campaigns delivered a weaponized Word document that was password protected, with a simple password in the message body of the email, such as ‘1234’ or ‘321’.”

Albeit strict measures are being taken to predict any further troubles similar to this one however an ongoing report from IBM, states that the major cybercrime groups associated together in 'explicit collaboration' and keeps on exchanging their contents, strategies, and systems to sidestep the security and to dodge from the law  enforcement agencies with ease.