SOCcare May 2025 Malpeek: Analysis of a "copyright infringement" malware

This time a really interesting sample, delivered by a very widespread phishing campaign, landed in my hands and was well worth analyzing. A big thanks goes to my co-worker Justas Kaminskas, who helped a lot with reverse engineering the obfuscated code. Now let's get to it and see what's inside.

Delivery: email

Like much malware, this sample is delivered by e-mail. The victim receives a phishing email about an alleged copyright infringement. The emails are sent from compromised mail accounts and impersonate a law firm.

Inside that e-mail there is a link to the "actual PDF document" about the copyright infringement:

Let's download the "PDF"

When the victim clicks the link, it redirects through the tinyurl shortener service: tinyurl[.]com/45nwy23z

A ZIP archive is downloaded to the computer, with a file name related to the copyright infringement claim. (Very scary) 🙂

The archive is large enough that automated antivirus sandboxes do not scan it and its contents, and at the time its hash was unknown to the antivirus engines (no detections):

The catch: abusing a native Windows archiver feature

Inside the ZIP archive there are many malicious files, but the user does not see them. How?

If we double-click the ZIP archive, or extract it with the built-in Windows archiver, we see only one file with a PDF icon and assume it is a PDF document.

Even if we change the Explorer settings to show hidden files, we still see only the "PDF" when looking in Explorer.

But if we list the folder from the command line (dir /a shows every entry, including hidden ones), we see two DLL files and a folder named _.

This is what happens when files carrying the hidden attribute are zipped and later extracted with the native Windows archiver: the attribute travels inside the ZIP and is restored on extraction, so the files are invisible to the user. Even with "show hidden files" enabled they stay hidden. Nice feature, Microsoft… (A practical check: Explorer additionally keeps files flagged both Hidden and System out of view until "Hide protected operating system files" is also unchecked, which is a separate setting; attrib on the command line prints the attribute letters regardless of what Explorer shows.)
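The attribute bits that drive this trick live in the ZIP central directory, in the low byte of each member's "external attributes" field, so a defender can see them before ever extracting the archive. The script below is an added example (not code from the post or from the malware) that decodes those DOS attribute bits with Python's standard zipfile module and lists every member Explorer would keep out of sight. The archive it inspects is constructed in the script to mimic the layout described above; the member names (helper1.dll, helper2.dll, Copyright_Claim.pdf.exe) and contents are made up for the demonstration.

```python
import io
import zipfile

# DOS attribute bits kept in the low byte of ZipInfo.external_attr; this is
# the same set the Windows `attrib` command displays (H, S, D, A, ...).
DOS_HIDDEN = 0x02
DOS_SYSTEM = 0x04
DOS_DIRECTORY = 0x10
DOS_ARCHIVE = 0x20


def dos_attributes(info):
    """Decode the DOS attribute bits of one archive member."""
    bits = info.external_attr & 0xFF
    return {
        "hidden": bool(bits & DOS_HIDDEN),
        "system": bool(bits & DOS_SYSTEM),
        "directory": bool(bits & DOS_DIRECTORY) or info.is_dir(),
    }


def hidden_members(zip_bytes):
    """List members that Explorer will keep out of sight after extraction.

    Returns (name, system) tuples for every member carrying the Hidden bit;
    `system` is True when the member is also flagged System, which Explorer
    treats as a protected operating-system file and hides even when
    "show hidden files" is switched on.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            attrs = dos_attributes(info)
            if attrs["hidden"]:
                findings.append((info.filename, attrs["system"]))
    return findings


def _add_member(zf, name, data, attr_bits):
    """Write one member with explicit DOS attribute bits (low byte)."""
    info = zipfile.ZipInfo(name)
    info.external_attr = attr_bits
    info.compress_type = zipfile.ZIP_STORED if name.endswith("/") else zipfile.ZIP_DEFLATED
    zf.writestr(info, data)


def build_sample_archive():
    """Constructed sample reproducing the layout the post describes:
    one visible lure 'PDF', two hidden DLLs and a hidden '_' folder.
    Every name and every byte of content here is made up for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        _add_member(zf, "Copyright_Claim.pdf.exe", b"MZ-dummy-lure", DOS_ARCHIVE)
        _add_member(zf, "helper1.dll", b"MZ-dummy-dll", DOS_ARCHIVE | DOS_HIDDEN)
        _add_member(zf, "helper2.dll", b"MZ-dummy-dll", DOS_ARCHIVE | DOS_HIDDEN)
        protected = DOS_ARCHIVE | DOS_HIDDEN | DOS_SYSTEM
        _add_member(zf, "_/", b"", DOS_DIRECTORY | DOS_HIDDEN | DOS_SYSTEM)
        _add_member(zf, "_/Document.pdf", b"dummy-installer", protected)
        _add_member(zf, "_/Evidence.docx", b"@echo off", protected)
        _add_member(zf, "_/images.png", b"dummy-stager", protected)
    return buf.getvalue()


if __name__ == "__main__":
    for name, system in hidden_members(build_sample_archive()):
        print(f"{name:24s} hidden{' +system' if system else ''}")
```

Running it on a real attachment instead of the constructed sample is a one-line change (read the file into `hidden_members`). A ZIP whose only visible member is an executable with a document icon while every other member carries the Hidden bit is a strong mail-gateway signal on its own, before any sandbox runs.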

Now what are these hidden files?

  1. The "PDF" is not a PDF at all but an executable: a validly signed copy of the Haihaisoft PDF Reader software: https://www.virustotal.com/gui/file/08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2
  2. The two DLL files are loaded by this Haihaisoft PDF Reader when it runs.
  3. The folder named "_" contains three more files (essential for the attack). At first glance they look like a PDF, a DOCX and a PNG, but they are not. (We'll see in a minute what purpose they serve.)

Document.pdf is actually a legitimate Python installer!

Evidence.docx is actually a batch file full of commands waiting to be executed:

At the time of analysis it was almost clean on VirusTotal!

Last but not least, images.png is actually the main obfuscated malware code: the stager for the rest of the attack chain. At the time of analysis it was also almost clean on VirusTotal.

Malware execution

Let's open the "PDF":

So we have a bunch of files, but only one (the one that looks like a PDF) is visible to the victim.

The user thinks they are opening a PDF. In fact they execute the Haihaisoft PDF Reader, which tries to open the fake Document.pdf (so that the user sees some document being opened). The document never opens, because it is not a PDF, but in the background the reader loads the malicious DLL placed beside it (classic DLL side-loading), which makes the Haihaisoft PDF Reader run the commands hidden inside the Evidence.docx file.

These commands install Python, run scripts silently, hide themselves, set up persistence through the Windows Registry, and delete the batch file afterwards. Worst of all, the freshly installed Python is then used to execute the malicious payload from images.png.

The malware also checks whether it is running inside a sandbox; if it detects a VM or sandbox environment it quits and the attack stops, so a hardened analysis VM (or bare metal) is needed to watch the full chain.

What's inside images.png

To understand where this attack leads, we need to decompile the code stored inside the PNG file.

Inside that file we find a very long script:

As we can see there is plenty of useless code that does nothing; it is only there to take up space and make the file bigger.

The malicious, obfuscated code sits right in the middle of the file and looks like this:

At this point kudos to Justas Kaminskas for reverse engineering the code and spending those late night hours together with me while analyzing this malware.

In short, this is marshalled Python bytecode. Decompiled, it yields another payload that looks just like the first images.png, and after a few repeated rounds of decompilation we finally see that we are dealing with infostealer malware and with data exfiltration to a Telegram channel.
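Each of those rounds is the same operation: the outer script calls exec(marshal.loads(b'...')), and the bytes literal, once unmarshalled, is a code object whose own constants contain the next blob. The following added example (written for this post, not taken from the sample or from any tool the authors used) peels such layers statically: it pulls the bytes literal out of the source with ast, deserialises it with marshal.loads (which only builds a code object and never runs it), then walks co_consts for the next blob, and finally greps the innermost stage's string constants for URLs and Telegram bot tokens. The stager it analyses is constructed inside the script; the t.me URL and the token in it are dummies, not this campaign's indicators. One caveat to keep in mind: marshal is specific to the interpreter's major.minor version, so a real blob has to be loaded with the same Python version the dropper installs.

```python
import ast
import marshal
import re
import types

# Indicator patterns applied to the innermost stage's string constants.
# Telegram bot tokens look like <8-10 digits>:<35 token characters>.
BOT_TOKEN_RE = re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def build_sample_stager(depth=3):
    """Constructed sample: an innermost script wrapped in `depth` layers of
    exec(marshal.loads(b'...')), the shape the post describes. The URL and
    bot token below are dummies, not the campaign's real indicators."""
    src = (
        "import sys\n"
        "url = 'https://t.me/' + sys.argv[1]\n"
        "token = %r\n" % ("1234567890:" + "A" * 35)
    )
    for _ in range(depth):
        code = compile(src, "<stage>", "exec")
        src = "import marshal\nexec(marshal.loads(%r))\n" % marshal.dumps(code)
    return src


def _marshal_arg(source):
    """Find the bytes literal passed to marshal.loads(...) in the source."""
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "loads"
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "marshal"
                and node.args
                and isinstance(node.args[0], ast.Constant)
                and isinstance(node.args[0].value, bytes)):
            return node.args[0].value
    return None


def _constants(code, kind):
    """Yield constants of type `kind` from a code object, recursing into
    nested code objects (functions, lambdas, comprehensions)."""
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from _constants(const, kind)
        elif isinstance(const, kind):
            yield const


def _next_blob(code):
    """Return the first bytes constant that unmarshals to a code object."""
    for blob in _constants(code, bytes):
        try:
            if isinstance(marshal.loads(blob), types.CodeType):
                return blob
        except Exception:  # not marshal data at all
            continue
    return None


def peel_layers(source, max_layers=32):
    """Unwrap nested exec(marshal.loads(...)) stages without executing any
    of them; marshal.loads only deserialises. Returns the code objects,
    outermost first."""
    layers = []
    blob = _marshal_arg(source)
    while blob is not None and len(layers) < max_layers:
        code = marshal.loads(blob)
        if not isinstance(code, types.CodeType):
            break
        layers.append(code)
        blob = _next_blob(code)
    return layers


def extract_indicators(source):
    """Peel the stager and pull URLs and Telegram bot tokens out of the
    innermost stage's string constants."""
    layers = peel_layers(source)
    if not layers:
        return {"layers": 0, "urls": [], "bot_tokens": []}
    text = "\n".join(_constants(layers[-1], str))
    return {
        "layers": len(layers),
        "urls": URL_RE.findall(text),
        "bot_tokens": BOT_TOKEN_RE.findall(text),
    }


if __name__ == "__main__":
    print(extract_indicators(build_sample_stager(3)))
```

When the innermost stage is what you want to read in full, `dis.dis(layers[-1])` prints its bytecode, and a decompiler can be pointed at the same code object; the point of the static peel is that no stage is ever executed along the way, so the sandbox checks described above never get a chance to run.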

How does it work?

The first-stage code takes a command-line argument (sys.argv[1]) and requests a Telegram URL built from hxxps://t[.]me/ plus the argument passed on that first execution:

t[.]me/MEXX6toHNBot

A regex then extracts the content of the og:description meta tag from that Telegram page.

With that meta-tag value it builds another URL on the is[.]gd shortener service, hxxps://is[.]gd/ followed by the value, and requests it:

is[.]gd/5brwbddt

This in turn redirects to the paste[.]rs service, where the next bytecode stage is waiting to be decompiled:

hxxps[://]paste[.]rs/2Lw7P

After several more rounds of decompilation we finally see what happens at the final stage.

We are dealing with infostealer malware that harvests user data from every browser that might be present on the victim's machine.

It steals passwords, session tokens, cookies, and even saved credit cards!

It then exfiltrates the data to a Telegram channel; the bot token and chat IDs are hard-coded in the script.

And after all these nasty things, it does not leave the victim alone without doing even more damage…

Another bytecode blob is downloaded from hxxps[://]0x0[.]st/8fVG[.]txt, and after decompiling it we found that it runs some kind of shellcode.

This time we did not go further and reverse engineer the shellcode, but this is enough to understand how far and how deep such malware can sometimes go.

End of story:

Stay safe, be cautious and always suspicious!

 

Research into such trends is carried out as part of the SOCcare project, within wider investigations into trending threats and their prevalence in Lithuania. Additionally, in sharing the results of the investigation with our project partners, University of Polytechnics Bucharest and RevelSI, we were surprised to find that not a single Romanian institution was targeted by the group.

The SOCcare project is co-funded by the European Union, alongside our collaborators, NRD Cyber Security and RevelSI, and supported by the European Cybersecurity Competence Centre (ECCC) under Grant Agreement No. 101145843. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Cybersecurity Competence Centre. Neither the European Union nor the European Cybersecurity Competence Centre can be held responsible for them.

 

 

 
