A URL can be perfectly valid yet still deceptive. In this blog we present another URL technique that we observed in a recent malicious spam campaign. It is a continuation of an earlier blog that discussed how valid URL formats can be used to evade detection.
The spam in this campaign carries a PowerPoint Add-in attachment that contains a malicious macro. When the PowerPoint file is closed, the macro fetches a URL via the Windows binary mshta.exe, and this leads to several pieces of malware being installed on the system. This routine is not unusual for macro downloaders. However, we found the obfuscation applied to the URL interesting and worth further investigation.
Figure 1: The spam containing a PowerPoint Add-in, and the PowerPoint process tree
Figure 2: The PowerPoint attachment and its macro code, where the initial malicious URL is constructed
The domains associated with this campaign are already known to host malicious files and obfuscated malicious data. To trick the email recipient, and to avoid being flagged by email and AV scanners, the cybercriminals behind this campaign employed a semantic attack on these URLs: the URLs are syntactically valid, but crafted to mislead anyone reading them.
A URI may have an Authority component, whose structure (RFC 3986, section 3.2) is: authority = [ userinfo "@" ] host [ ":" port ]. The Authority is preceded by two slashes, and if the Userinfo subcomponent is present it is followed by an "@" character.
Userinfo is rarely used in practice, and as such can be used to try to fool a casual observer, who tends to read the first thing after the "//" as the domain. In this campaign, dummy userinfo is included in the URLs. The attackers are trying to make the real domains unnoticeable while still conforming to the generic URI syntax.
Figure 3: The URL flow
The initial URL shown in the image above has the domain j[.]mp, a URL-shortening domain operated by Bitly, itself a URL shortener. To keep the URL from being recognised as a short link and ultimately to evade detection signatures, the string "%909123id" is repeated in the userinfo. Since the URL j[.]mp/kassaasdskdd (shortened from Figure 3) does not require any userinfo to access the resource, the userinfo data is simply ignored when the URL is fetched. This first URL, accessed by the PowerPoint attachment, redirects to an obfuscated VBScript hosted on Pastebin.
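As an added example for this post (not Trustwave code and not the campaign's own tooling), the following Python parses the authority component exactly as RFC 3986 defines it, strips the userinfo to recover the host that is actually contacted, and flags the two abuses discussed here: padding such as the repeated "%909123id" in front of j[.]mp and the Pastebin raw URLs, and userinfo that mimics a hostname. The sample URLs are constructed to resemble those in Figure 3 (the exact number of repetitions in the campaign's userinfo is an assumption), the "evil.example" look-alike is hypothetical, and the list of redirector hosts is a placeholder for a real reputation feed.

```python
"""Recover the real host of a URL padded with dummy userinfo (RFC 3986 3.2).

Added example for this post; not Trustwave code and not the campaign's tooling.
    authority = [ userinfo "@" ] host [ ":" port ]
"""
import re
from urllib.parse import unquote, urlsplit

# RFC 3986 Appendix B: the reference regex for splitting a URI into components.
_URI_RE = re.compile(
    r"^(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?$"
)
_HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.I)

# Placeholder list for this example; a gateway would use its own reputation feed.
REDIRECTOR_HOSTS = {"j.mp", "bit.ly", "pastebin.com"}

# Constructed inputs: the first two mimic the Figure 3 URLs (repetition count is
# an assumption), the third is a hypothetical look-alike, the fourth is benign.
SAMPLES = {
    "shortener": "http://%909123id%909123id%909123id@j.mp/kassaasdskdd",
    "paste": "https://%909123id%909123id@pastebin.com/raw/uhMtv3Bk",
    "lookalike": "https://www.microsoft.com@evil.example/login",
    "benign": "https://www.example.com/path?q=1",
}


def split_authority(authority):
    """Split 'userinfo@host:port' into (userinfo, host, port).

    RFC 3986 forbids an unencoded '@' inside userinfo, so the last '@' is the
    delimiter. A bracketed IPv6 literal contains ':' and is handled first.
    """
    userinfo, sep, hostport = authority.rpartition("@")
    if not sep:
        userinfo = None
    if hostport.startswith("["):
        end = hostport.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal: %r" % authority)
        host, rest = hostport[: end + 1], hostport[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("junk after IPv6 literal: %r" % authority)
        port = rest[1:]
    else:
        host, sep, port = hostport.rpartition(":")
        if not sep:
            host, port = port, ""
    if port and not port.isdigit():
        raise ValueError("bad port in authority: %r" % authority)
    return userinfo, host.lower(), port or None


def parse_url(url):
    """Break a URL into RFC 3986 components, with the authority split further."""
    scheme, authority, path, query, fragment = _URI_RE.match(url).groups()
    userinfo = host = port = None
    if authority is not None:
        userinfo, host, port = split_authority(authority)
    return {"scheme": scheme.lower() if scheme else None, "userinfo": userinfo,
            "host": host, "port": port, "path": path, "query": query,
            "fragment": fragment}


def strip_userinfo(url):
    """Canonical form for signature matching: the same URL without userinfo."""
    p = parse_url(url)
    if p["host"] is None:
        return url
    out = ("%s:" % p["scheme"] if p["scheme"] else "") + "//" + p["host"]
    if p["port"]:
        out += ":" + p["port"]
    out += p["path"]
    if p["query"] is not None:
        out += "?" + p["query"]
    if p["fragment"] is not None:
        out += "#" + p["fragment"]
    return out


def _is_repetition(s):
    """True when s is a shorter unit repeated at least twice, e.g. 'abab'."""
    return len(s) > 1 and (s + s).find(s, 1) < len(s)


def triage(url):
    """Return the host actually contacted and why the URL looks deceptive."""
    p = parse_url(url)
    reasons = []
    if p["userinfo"] is not None and p["scheme"] in ("http", "https"):
        reasons.append("userinfo present on a web URL")
        user = unquote(p["userinfo"]).split(":", 1)[0]   # drop any ':password'
        if _HOSTNAME_RE.match(user):
            reasons.append("userinfo mimics a hostname")
        if len(p["userinfo"]) >= 24 or _is_repetition(p["userinfo"]):
            reasons.append("userinfo is padding")
    if p["host"] in REDIRECTOR_HOSTS:
        reasons.append("real host is a redirector or paste site")
    return {"host": p["host"], "canonical": strip_userinfo(url),
            "reasons": reasons, "suspicious": bool(reasons)}


def stdlib_view(url):
    """Cross-check: urllib.parse splits userinfo from host the same way."""
    parts = urlsplit(url)
    return parts.username, parts.hostname


if __name__ == "__main__":
    for name, url in SAMPLES.items():
        verdict = triage(url)
        print("%-9s host=%-14s canonical=%s" % (name, verdict["host"], verdict["canonical"]))
        for reason in verdict["reasons"]:
            print("          - " + reason)
```

The important design point is that the verdict is computed on the host that follows the last "@", never on what a reader sees first, and that the canonical form fed to signatures has the userinfo removed, so the repeated "%909123id" can no longer keep j[.]mp/kassaasdskdd from matching an existing indicator. The cross-check against urllib.parse is there because a gateway that hand-rolls its own splitter must agree with the clients that will ultimately fetch the URL; note that the thresholds for "padding" are illustrative, not tuned values.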
Figure 4: The obfuscated script on Pastebin and its de-obfuscated data
Figure 5: The registry entry created by the VBScript in Figure 4
The VBScript, served from the second URL in Figure 3, is a dropper. It writes a PowerShell downloader into the registry and sets up persistence for it. The PowerShell code downloads and processes the raw data from two more Pastebin URLs, then executes the resulting binaries.
The third and fourth URLs are Pastebin URLs too. Both carry dummy userinfo as well, which Pastebin likewise ignores. The content at the third URL, pastebin[.]com/raw/uhMtv3Bk (shortened from Figure 3), is obfuscated PowerShell code. That PowerShell executes two .NET-compiled DLLs: the first DLL bypasses the Anti-Malware Scan Interface (AMSI) and then loads a DLL injector into memory. The fourth URL, pastebin[.]com/raw/Nz1mPUdT (shortened from Figure 3), contains an obfuscated Lokibot sample. This is injected into a legitimate notepad.exe process by the DLL injector mentioned above.
We found it interesting that the attackers were using URIs in this way, which is essentially an attack on the user's preconceived notion of what a URI should look like. It may also defeat security solutions that expect URIs in a certain format, or that match signatures against the URL string as written rather than against the host and path that are actually contacted.
Trustwave Secure Email Gateway has added protection against this threat for our customers. As my colleague advised in the earlier blog, be wary of URLs received in external emails: inspect links before clicking, and look past any "@" to see which host the link really points to.