Covid-19 Variant Malware Evades Multiple SEGs
By: Kian Mahdavi & Adam Martin, Cofense Phishing Defense Center
The Cofense Phishing Defense Center (PDC) has recently identified a stealthy malware campaign that we believe shares many attributes with the malware-as-a-service Buer Loader. The authors have taken the unusual step of rewriting their malicious downloader in Rust, a language still rarely seen in malware. We can only assume this decision was made to slow down forensic analysis, avoid signature-based detection and, most importantly, slip past as many secure email gateways (SEGs) as possible.
The threat actors behind the attack have upped their game by wrapping the lure in a well-written Covid-19 communication theme. The email informs the reader that there is “urgent information on the latest research from Centers for Disease Control and Prevention (CDC) and Food and Drug Administration (FDA) in the field of vaccines against the COVID-19.” With so much public discussion about the health and safety of the vaccination program, such a message naturally reels in inquisitive readers.
Let’s explore more:
Figure 1: Email Body
Delivery
The subject line reads: “Covid-19 Vaccination Information.” This is the first thing the reader sees in their inbox, and it is an email users could plausibly be expecting given the vaccination rollouts under way globally. Nothing unusual so far.
The email comes from a cleverly crafted but newly registered domain that was only a few weeks old at the time of writing. The domain sits under the generic .com top-level domain (TLD); it is the second-level label that carries the all-important Covid-19 reference, followed by what we assume is an abbreviation of “information”:
@cov19inf[.]com
Furthermore, the email does not open with a greeting such as “Good Morning” or “Dear …”, which suggests a mass mailing sent to many individuals rather than a targeted one. The threat actors understand the power of social engineering: not only how to outwit users, but how to frighten and manipulate them. Mentioning severe life-long post-vaccine complications is enough to send a chill down anyone's spine. Worse still, federal agencies such as the CDC and FDA are cited in the email body, and multiple Covid-19 vaccines are named, widening the scope of the lure and encouraging users to engage.
Lastly, there is this: “You were assigned personal access to the attached, your passcode: ***”. The passcode is what opens the password-protected attachment, and therefore what starts the infection chain on the victim's computer. It also serves the attacker in a second way: a gateway that cannot decrypt the document cannot inspect its macro. The personal touch may persuade users who were not yet convinced to take the message seriously.
Figure 2: Password Protected – Document.xlsm – Generic Naming
Infection Chain
The threat actor baits the victim into clicking the “Enable Editing” button (and then the “Enable Content” prompt, which is what actually allows the embedded macro to run) to launch the macro inside the Microsoft Excel document. The macro drops a dynamic link library (DLL) into C:\ProgramData\ and runs it. Once executed, the malicious DLL downloads a file with an .XLS extension that is in fact a renamed executable, also placed in C:\ProgramData\. The file name is a randomly generated string that differs for each infection, as shown in Figure 6 below.
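The chain above (Office process writes a DLL into ProgramData, then something launched under Office runs it) is a pattern an endpoint detection rule can correlate. The following is an added example, not code or telemetry from the article or from Cofense. It uses constructed Sysmon-style events (ProcessCreate, EventID 1, and FileCreate, EventID 11); the rundll32 invocation in the sample is an assumption about how the macro might "run" the DLL, since the article does not state the exact mechanism.

```python
from datetime import datetime, timedelta

# Constructed sample events for illustration only; not real telemetry from the
# campaign. Field names follow Sysmon ProcessCreate (1) and FileCreate (11).
# The rundll32 command line is an assumed execution method (not from the article).
SAMPLE_EVENTS = [
    {"ts": "2021-03-01T09:00:00", "EventID": 1, "ProcessId": 4120,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"EXCEL.EXE" C:\Users\victim\Downloads\document.xlsm'},
    {"ts": "2021-03-01T09:00:07", "EventID": 11, "ProcessId": 4120,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetFilename": r"C:\ProgramData\test.dll"},
    {"ts": "2021-03-01T09:00:08", "EventID": 1, "ProcessId": 4210,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"rundll32.exe C:\ProgramData\test.dll,Start"},
    # Benign noise: a non-Office updater writing a DLL under ProgramData.
    {"ts": "2021-03-01T09:05:00", "EventID": 11, "ProcessId": 900,
     "Image": r"C:\Program Files\Vendor\updater.exe",
     "TargetFilename": r"C:\ProgramData\Vendor\helper.dll"},
]

OFFICE_IMAGES = ("excel.exe", "winword.exe", "powerpnt.exe")
DROP_DIR = "c:\\programdata\\"


def _is_office(image):
    """True when the image file name is an Office application."""
    return image.lower().rsplit("\\", 1)[-1] in OFFICE_IMAGES


def _ts(s):
    return datetime.fromisoformat(s)


def detect_office_dll_drop_and_run(events, window=timedelta(minutes=5)):
    """Alert when an Office process writes a .dll under C:\\ProgramData and,
    within `window`, a process whose parent is Office is started with that DLL
    path on its command line. Events are processed in timestamp order."""
    dropped = {}   # lowercase dll path -> (write time, writer pid)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["EventID"] == 11 and _is_office(ev["Image"]):
            path = ev["TargetFilename"].lower()
            if path.startswith(DROP_DIR) and path.endswith(".dll"):
                dropped[path] = (_ts(ev["ts"]), ev["ProcessId"])
        elif ev["EventID"] == 1 and _is_office(ev.get("ParentImage", "")):
            cmd = ev["CommandLine"].lower()
            for path, (t_drop, writer) in dropped.items():
                if path in cmd and _ts(ev["ts"]) - t_drop <= window:
                    alerts.append({
                        "rule": "office_macro_dll_drop_and_run",
                        "dll": path,
                        "dropped_by_pid": writer,
                        "executed_by_pid": ev["ProcessId"],
                        "command_line": ev["CommandLine"],
                    })
    return alerts


if __name__ == "__main__":
    for alert in detect_office_dll_drop_and_run(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the combination (Office writer, ProgramData destination, .dll extension, Office parent on the executing process) rather than on any single file name, so it still fires when the DLL name changes between campaigns; the benign updater event in the sample is ignored because Office did not write that file.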
Figure 3: Security branded images are used to showcase “trusted” status.
Initial Stage Malicious Files
File Name: document.xlsm
MD5: 0884e793587dc061b8ae69fc086ece83
SHA256: bd477b8eabe8baa2042f42b04d6afed2390afc1f3b5f7270538130f96b27e039
Size: 91136 bytes (89K)
File Name: test.dll
MD5: 2539dbed170613f776445dab9b62fac0
SHA256: dc8c2d326143ff4334a7bdbafcb821ee9a525eb3248e676e4940baab8d0626a9
Size: 6144 bytes (6.00K)
Second Stage Malicious Files
File Name: SignerLib.xls
MD5: 796b3e4674b68b33c906ce32c3275d83
SHA256: afb5cbe324865253c7a9dcadbe66c66746ea360f0cd184a2f4e1bbf104533ccd
File Size: 7115776 bytes (6M)
Second Stage Payload
Figure 4: XLS Download – Second Stage Payload
Payload URL Location: hXXps://hgastation[.]com/reg/new_user
IP Address: 172[.]104[.]240[.]67
Figure 5: Analysis from PE Studio
When inspected in PE Studio, the .XLS file is revealed to be a PE executable: as seen above, the first bytes of the file are 4D 5A (“MZ”), the DOS header signature that every PE file starts with. The file also carries an import table referencing several functions commonly used for anti-analysis.
Second Stage Payload Icon
Figure 6: Executable File – Randomized Name
The malicious payload imports API calls that are intended to help it evade sandbox checks and detection by security vendors. Among them are IsDebuggerPresent, which tells the process whether a debugger is attached, and GetTickCount, commonly used for timing checks that reveal a sandbox or single-stepping; both map to the debugger and sandbox evasion techniques catalogued in MITRE ATT&CK, as illustrated below:
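The two checks an analyst performs here, confirming the real file type from its magic bytes regardless of the .XLS extension and walking the import table for anti-analysis APIs, can be automated for triage. The following is an added example, not code from the article or from Cofense: a small Python script that identifies the container by magic bytes, matches the SHA256 against the IOCs listed in this article, and parses the PE import table directly (PE32 and PE32+, by-name imports) without third-party libraries. Because the real payload is not reproduced here, build_sample_pe() constructs a minimal PE32 that imports IsDebuggerPresent and GetTickCount from KERNEL32.dll; that synthetic file, and the extra API names beyond the two the article cites, are assumptions made for the example.

```python
import hashlib
import struct

# SHA256 IOCs listed in this article, keyed to the reported file names.
KNOWN_SHA256 = {
    "bd477b8eabe8baa2042f42b04d6afed2390afc1f3b5f7270538130f96b27e039": "document.xlsm",
    "dc8c2d326143ff4334a7bdbafcb821ee9a525eb3248e676e4940baab8d0626a9": "test.dll",
    "afb5cbe324865253c7a9dcadbe66c66746ea360f0cd184a2f4e1bbf104533ccd": "SignerLib.xls",
}
# The two imports the article calls out, plus other common anti-analysis APIs (assumed list).
ANTI_ANALYSIS_APIS = {"IsDebuggerPresent", "GetTickCount", "GetTickCount64",
                      "CheckRemoteDebuggerPresent", "NtQueryInformationProcess",
                      "QueryPerformanceCounter", "OutputDebugStringA"}


def real_type(data):
    """Identify the container by magic bytes instead of trusting the extension."""
    if data[:2] == b"MZ":
        return "pe"          # 4D 5A: Windows executable or DLL
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "ole"         # legacy binary .xls/.doc (OLE2 compound file)
    if data[:4] == b"PK\x03\x04":
        return "zip"         # OOXML .xlsx/.xlsm/.docm
    return "unknown"


def pe_imports(data):
    """Minimal import-table walker: returns {dll_name: [imported function names]}."""
    nt = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect, = struct.unpack_from("<H", data, nt + 6)
    opt_size, = struct.unpack_from("<H", data, nt + 20)
    opt = nt + 24
    magic, = struct.unpack_from("<H", data, opt)
    plus = magic == 0x20B                                     # PE32+ has a wider optional header
    imp_rva, = struct.unpack_from("<I", data, opt + (112 if plus else 96) + 8)  # data dir [1]
    # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
                for i in range(nsect)]

    def off(rva):  # RVA -> file offset via the section table
        for vsize, vaddr, rsize, raw in sections:
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return raw + (rva - vaddr)
        raise ValueError("RVA %#x not in any section" % rva)

    def cstr(o):
        return data[o:data.index(b"\0", o)].decode("ascii", "replace")

    thunk_fmt, thunk_len = ("<Q", 8) if plus else ("<I", 4)
    ordinal_flag = 1 << (thunk_len * 8 - 1)
    imports, desc = {}, off(imp_rva)
    while True:                                               # IMAGE_IMPORT_DESCRIPTOR array
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break
        names, t = [], off(oft or ft)
        while True:                                           # thunk array, NULL-terminated
            entry, = struct.unpack_from(thunk_fmt, data, t)
            if entry == 0:
                break
            if not entry & ordinal_flag:                      # by-name import: hint + name
                names.append(cstr(off(entry) + 2))
            t += thunk_len
        imports[cstr(off(name_rva))] = names
        desc += 20
    return imports


def triage(data, claimed_ext):
    """Summarise what a file really is versus what its extension claims."""
    kind = real_type(data)
    sha256 = hashlib.sha256(data).hexdigest()
    report = {"claimed_ext": claimed_ext, "real_type": kind, "sha256": sha256,
              "known_ioc": KNOWN_SHA256.get(sha256),
              "extension_mismatch": kind == "pe" and claimed_ext.lower() in
                                    {".xls", ".xlsx", ".xlsm", ".doc", ".docm", ".pdf"},
              "anti_analysis_imports": []}
    if kind == "pe":
        report["anti_analysis_imports"] = sorted(
            n for names in pe_imports(data).values() for n in names if n in ANTI_ANALYSIS_APIS)
    return report


def build_sample_pe():
    """Constructed minimal PE32 (one .idata section at RVA 0x1000) importing two
    APIs from KERNEL32.dll; stands in for the renamed .xls payload so this runs offline."""
    sec = bytearray(0x200)
    struct.pack_into("<IIIII", sec, 0x00, 0x1028, 0, 0, 0x1040, 0x1028)   # import descriptor
    struct.pack_into("<III", sec, 0x28, 0x1050, 0x1064, 0)                # thunks + terminator
    sec[0x40:0x4D] = b"KERNEL32.dll\0"
    sec[0x50:0x64] = b"\0\0IsDebuggerPresent\0"                          # hint + name
    sec[0x64:0x73] = b"\0\0GetTickCount\0"
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                               # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x2102)  # COFF header
    struct.pack_into("<H", hdr, 0x58, 0x10B)                              # PE32 magic
    struct.pack_into("<II", hdr, 0x58 + 96 + 8, 0x1000, 0x28)             # import directory
    struct.pack_into("<8sIIII", hdr, 0x58 + 224, b".idata", 0x200, 0x1000, 0x200, 0x200)
    return bytes(hdr + sec)


if __name__ == "__main__":
    print(triage(build_sample_pe(), ".xls"))
```

Run against a real sample, triage(open(path, "rb").read(), ".xls") flags the extension mismatch the article describes and lists whichever of the watched APIs the import table names; the hash lookup is only a convenience for the three files listed here, since the final-stage file name is randomised per infection.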
Figure 7: IsDebuggerPresent and GetTickCount