NanoCore Variant Delivered Through UUE Files

Over the past few weeks, our Phishing Defense Center has observed several emails with malicious PDF attachments that prompt the user to download a .UUE file from Dropbox. UUE files (Unix-to-Unix Encoding) are files encoded with uuencode, a program that converts binary files to a text format for easy transfer; the result can still be opened with WinZip or similar un-archiving applications. When Windows is configured not to display file extensions, the downloaded file looks like any other compressed archive (as shown in Figure 1), which makes it harder to spot that it is malicious.

Figure 1 – Ordy Compressed File Icon

All emails contain the same message body shown in Figure 2, asking users to confirm the payment and customer details as outlined in the attached copy of the Swift advice.

Figure 2 – Email body

The messages had a PDF attachment named “MensajeSWIFTMT103.pdf” (MD5: 8b9a5e36cd1e1ec7dfd7801bfa5afa86, SHA256: 743c9ffe67a80ac84385efc8dc78c84f7b38805285dda49ac6459d17008daa17). The PDF contains only one page, which is characteristic of malicious PDF documents, and carries no text other than a “View File” link (as shown in Figure 3).

Figure 3 – PDF Document – View File

The link takes the user to the Dropbox site hxxps://www[.][.]uue?dl=1 to download Ordy.uue (MD5: 673d3a374900a23ecec3acc092fe8dba, SHA256: d476a35f392a1c616f045418ce9c3c6645ac6886a6195ef1ec578e6bbe15a48b). Once downloaded, the file appears to be an ordinary compressed archive, as discussed above. Unpacking it extracts the executable Ordy.exe (MD5: 1A9E533E870C4B0B5D6126A3E7609601, SHA256: F76A8BED84ED4177626A4B7B3ECED4AEABE93BE8CB500A1B2D5F3A662539C98D), which carries an Acrobat PDF icon (as shown in Figure 4) and so tricks the user into thinking that it is a genuine PDF file.
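As an added illustration (not code from the original post), the following Python decodes a uuencoded container the way WinZip would and then inspects the payload's magic bytes, so a .uue attachment whose content is really an MZ/PE executable can be flagged regardless of the icon or name it was given. The sample container is constructed here and is not the campaign's Ordy.uue.

```python
import binascii
import re


def make_sample() -> str:
    """Constructed .uue text (not the real Ordy.uue): the decoded payload
    starts with the 'MZ' DOS header of a Windows executable."""
    payload = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff" + b"\x00" * 50
    body = "".join(
        binascii.b2a_uu(payload[i:i + 45]).decode("ascii")
        for i in range(0, len(payload), 45)
    )
    return "begin 644 Ordy.exe\n" + body + "`\nend\n"


def uudecode(text: str) -> tuple[str, int, bytes]:
    """Decode a uuencoded block; return (declared filename, mode, payload).

    Format: a 'begin <octal mode> <name>' header, then lines whose first
    character encodes the byte count (chr(32 + n)) followed by 4-character
    groups carrying 3 bytes each, then a zero-length line and 'end'.
    """
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if l.startswith("begin ")), None)
    if start is None:
        raise ValueError("no uuencode 'begin' header")
    m = re.match(r"begin\s+([0-7]{3,4})\s+(\S.*)$", lines[start])
    if m is None:
        raise ValueError("malformed 'begin' header")
    mode, name = int(m.group(1), 8), m.group(2).strip()
    out = bytearray()
    for line in lines[start + 1:]:
        if line.rstrip() == "end":
            break
        if not line.strip():
            continue
        out += binascii.a2b_uu(line)  # decodes one line and validates its length
    return name, mode, bytes(out)


# Magic bytes that reveal what the decoded payload really is.
MAGIC = [
    (b"MZ", "Windows executable (MZ/PE)"),
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP archive"),
]


def scan_uue(text: str) -> dict:
    """Decode a .uue attachment and flag it when it carries an executable."""
    name, _mode, payload = uudecode(text)
    kind = next((label for magic, label in MAGIC if payload.startswith(magic)), "unknown")
    return {"name": name, "size": len(payload), "type": kind,
            "suspicious": kind.startswith("Windows executable")}
```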

After executing Ordy.exe, it creates a copy of itself as \AppData\Roaming\taskprocess.exe, hides the original Ordy.exe, and adds taskprocess.exe to the scheduled tasks (as shown in Figure 5).

Figure 5 – Scheduled Tasks

Additionally, it creates a Registry entry to start itself automatically when Windows starts (as shown in Figure 6).

Figure 6 – Registry Key Entry

The malware reads the machine GUID and creates a directory in \AppData\Roaming named after that GUID, with two subfolders: \DPI Subsystem and \Logs. The \DPI Subsystem directory contains a copy of Ordy.exe called dpiss.exe, which is executed after reboot.

The \Logs directory contains a .dat file that follows the naming convention KB_XXXXXXX.dat. Opening the .dat file reveals a series of hexadecimal values (as shown in Figure 7).

Figure 7 – Hex contents in .dat file

After converting the hexadecimal values from the .dat file to ASCII, it becomes apparent that the malware captures keystrokes and stores them in the .dat file (as shown in Figure 8).

Figure 8 – ASCII-decoded hex from .dat file

Analysing the malicious network traffic reveals active communication with a remote IP address over TCP port 6777 (as shown in Figure 9). After the three-way handshake completes, the host and server exchange a PSH, ACK, ACK sequence a few times per second. Keylogger and remote access trojan malware often communicate using HTTP requests sent to a web server; this raw TCP channel indicates a different, and perhaps harder to block, means of exfiltration.

Figure 9 – Wireshark Capture

Figure 10 – TCPView Outbound Connection to malicious IP
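An added example, not part of the original analysis: detection logic that scans TCP packet metadata for the beacon pattern described above, small PSH,ACK pushes several times per second to a single non-web port. The packet records, the 10.0.0.5 host and the 203.0.113.10 and 198.51.100.7 addresses are constructed placeholders, not the captured traffic.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float      # capture timestamp in seconds
    src: str       # source address
    dst: str       # destination address
    dport: int     # destination TCP port
    flags: str     # TCP flags as Wireshark prints them, e.g. "PSH,ACK"
    payload: int   # TCP payload length in bytes


def find_beacons(packets, min_rate=1.0, max_payload=512, min_pushes=10,
                 web_ports=(80, 443)):
    """Flag (src, dst, dport) flows that push small segments at a steady,
    high rate to a non-web port, as seen on TCP/6777 in the analysis.

    Returns one record per flagged flow with its push count and pushes/sec.
    """
    pushes = defaultdict(list)
    for p in packets:
        if "PSH" in p.flags.split(",") and p.payload <= max_payload:
            pushes[(p.src, p.dst, p.dport)].append(p.ts)
    hits = []
    for (src, dst, dport), times in pushes.items():
        if len(times) < min_pushes or dport in web_ports:
            continue
        times.sort()
        span = times[-1] - times[0]
        rate = len(times) / span if span > 0 else float("inf")
        if rate >= min_rate:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "pushes": len(times), "rate": round(rate, 2)})
    return hits


def sample_capture():
    """Constructed packets (not the analysed pcap): four PSH,ACK pushes per
    second to 203.0.113.10:6777 for about 5 s, bare ACKs, and ordinary HTTPS."""
    pkts = [Packet(0.25 * i, "10.0.0.5", "203.0.113.10", 6777, "PSH,ACK", 48)
            for i in range(20)]
    pkts += [Packet(0.5 * i, "10.0.0.5", "203.0.113.10", 6777, "ACK", 0)
             for i in range(10)]
    pkts += [Packet(1.0 * i, "10.0.0.5", "198.51.100.7", 443, "PSH,ACK", 300)
             for i in range(12)]
    return pkts


if __name__ == "__main__":
    for hit in find_beacons(sample_capture()):
        print(hit)
```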

After reboot, dpiss.exe is executed instead of Ordy.exe and a new .dat file is created in \AppData\Roaming\{machineID}\Logs.

The malware also exhibits analysis and sandbox evasion behaviour: it verifies that it has a working Internet connection and makes no outbound connection attempts when run in a sandbox with restricted Internet access. It still copies itself, adds its registry and scheduled-task persistence, and captures keystrokes, but it only attempts to contact the server once a valid Internet connection is available.

This malware contains a keylogger that actively captures keystrokes and transfers them to the server in the hope of harvesting login credentials and other valuable information. Delivery via .UUE files has been around for a while but is not commonly used at this point, and to end users these files appear to be genuine compressed archives. Most firewalls and endpoint security solutions only alert on or block the .zip or .rar extensions and ignore .UUE, making it easier for attackers to bypass them.

During analysis, we have observed this malware behaving like NanoCore. NanoCore is a remote access trojan (RAT) that is used to steal sensitive information such as passwords from victim computers.

However, Ordy.exe does not contain any hardcoded “NanoCore” strings, which is why the current NanoCore YARA rules will not detect this variant of NanoCore. Figure 11 shows the strings typically found in NanoCore samples, while Figure 12 shows the ones found in Ordy.exe.

Figure 11 – Identifiable NanoCore strings

Figure 12 – Ordy.exe strings

NanoCore first appeared in 2013 and has since gained popularity due to its modularity, which allows attackers to expand its functionality and performance. Several cracked versions of NanoCore exist in the wild, allowing attackers to use and modify the core functions to create new variants, and Ordy.exe is no exception. As our research suggests, Ordy closely resembles NanoCore, but delivery through .UUE files is still very rare and can be seen as an attempt to bypass malware defences. Attackers will continue to create new malware and modify existing malware to pass through security perimeters, so always err on the side of caution and only open links and attachments you trust.


Threat Actor Employs Hawkeye Malware with Multiple Infection Vectors

On July 13, 2017, the Phishing Defense Center reviewed a phishing campaign delivering Hawkeye, a stealthy keylogger, disguised as a quote from the Pakistani government’s employee housing society. Although it is actually a portable executable file [1], once downloaded it masquerades as a PDF by means of its icon.

Threat Actors Leverage CVE 2017-0199 to Deliver Zeus Panda via Smoke Loader

Our Phishing Defense Center identified and responded to attacks leveraging a relatively new Microsoft Office vulnerability during the past few weeks. Last week, the PDC observed threat actors exploiting CVE 2017-0199 to deliver the Smoke Loader malware downloader, which in turn was used to deliver the Zeus Panda botnet malware. These emails claim to deliver an invoice for an “outstanding balance” and trick the recipient into opening the attached file. In one instance, we have also seen the malicious attachment being delivered via URL.

SMILE – New PayPal Phish Has Victims Sending Them a Selfie

Phishing scams masquerading as PayPal are unfortunately commonplace. Most recently, the PhishMe Triage™ Managed Phishing Defense Center noticed a handful of campaigns using a new tactic for advanced PayPal credential phishing. The phishing website looks very authentic compared to off-the-shelf crimeware phishing kits, but also levels up by asking for a photo of the victim holding their ID and credit card, presumably to create cryptocurrency accounts to launder money stolen from victims.

New Phishing Emails Deliver Malicious .ISO Files to Evade Detection

On May 22, 2017, PhishMe® received several emails with .ISO images as attachments via the Phishing Defense Center. ISO images are typically used as an archive format for the content of an optical disk and are often utilized as installers for operating systems. In this case, however, a threat actor leveraged this archive format as a means to deliver malware to the recipients of their phishing email. Analysis of the attachments showed that the archive format was abused to deliver malicious AutoIT scripts hidden within a PE file that appears to be a Microsoft Office document; the scripts create a process called MSBuild.exe and cause it to act as a Remote Access Trojan. AutoIT is a BASIC-like scripting language designed for automating Windows GUI tasks and general scripting. Like any scripting or programming language, it can be used for malicious purposes.

FBI Announces That BEC Scam Losses Continue to Skyrocket, as Losses Exceed $3.1B

Financial losses from business email compromise (BEC) scams skyrocketed by 2,370% between January 2015 and December 2016, according to an FBI public service announcement released Thursday. The alarming statistic represents a sharp increase from the agency’s previous announcement, serving as a warning to users to stay vigilant in recognizing the threat.

Tales from the Trenches: DocuSign® DELoader Phishing Attack

Over the past several days, the Phishing Defense Center identified and responded to several messages related to an ongoing phishing email campaign spoofing DocuSign to carry out an attack. These messages appear to be official DocuSign emails including links to review the document. Upon clicking the link, various malicious files are downloaded to the victim’s computer including the DELoader financial crimes malware.

Google Doc Phishing Attack Hits Fast and Hard

Google Doc Campaign Makes a Mark

In the process of managing phishing threats for our customers, our Phishing Defense Center and PhishMe Intelligence teams saw a flood of suspicious emails with subject lines stating that someone “has shared a document on Google Docs with you”, which contained a link to “Open in Docs”. The “Open in Docs” link goes to one of several URLs all within the website.

April Sees Spikes in Geodo Botnet Trojan

Throughout April, our Phishing Defense Team observed an increase in malicious URLs that deliver the financial crimes and botnet trojan known as Geodo. These emails take a simple approach to social engineering, using just a sentence or two prompting the victim to click on a link to see a report or invoice that has been sent to them.

An example of a typical phishing email used in these attacks is shown below:

Following the malicious links will lead the victim to download a hostile JavaScript application or PDF document tasked with obtaining and executing Geodo malware. One common attribute of these messages is the use of the words “invoice” or “order” as a common substring in the subject lines.

Below are some examples of subject lines we have observed:

Emails containing malicious links providing the PDF documents used to deliver this malware have also been found to contain the word “attachment” somewhere within the subject line.

When the victim executes the JavaScript application or opens the PDF document, scripting content is used to download and execute the Geodo malware sample. The list below contains a representative sampling of payload locations used to deliver Geodo:

Once the Geodo payload is in place on the victim’s computer, it will connect to the Geodo command and control infrastructure allowing the attacker to collect sensitive information from the infected machine.

Listed below are command and control hosts that have been observed during our analysis:

The core functionality of the Geodo trojan lies in its ability to collect sensitive information from infected machines and their users. Sophisticated browser-based information stealing functionality provided by Geodo includes form grabs and HTTPS man-in-the-middle attacks. Geodo also sports the ability to produce new sets of phishing emails, delivering itself to new potential victims.

Full List of Geodo IOCs collected by the Phishing Defense Center

Infection URLs (Where the malware was originally downloaded from):

Command and Control hosts:

PhishMe cautions its customers to be wary of emails containing suspicious links or attachments. Specific to this sample, we recommend that customers be observant for unexpected emails that contain subject lines referring to invoices or attachments, and email bodies that ask you to visit a link to see an invoice or report. PhishMe Simulator customers may consider launching simulations that follow this style of attack to further train their users to detect and report suspicious emails.
