A large-scale spam campaign bent on spreading info-stealing malware is applying advanced obfuscation techniques to get around security scanning and maximize infection rates.
According to Lastline researchers, a large botnet is distributing malicious rich text format (RTF) documents that act as downloaders for well-known info-stealers, such as Agent Tesla or LokiBot. These malware variants steal a wide range of credentials – including FTP credentials, stored email passwords and passwords saved in the browser, among many others. The effort is linked to another recent spam campaign identified by Cisco Talos, Lastline said.
The firm found that many of the targeted entities are within the education sector in the Asia-Pacific region; however, the campaign also seems to be using a second, “spray-and-pray” approach on other potential victims.
“Some email subjects were quite generic, which implies that attackers used the spam campaign to target the generic public,” according to an analysis, published Thursday. In other cases, “email subjects were customized to specific targets or events, aiming to maximize its infection rate.”
The researchers found that the campaign uses common attack techniques, such as data obfuscation and VBA scripting, but that it also goes to great lengths to hide its infection processes.
Under the Hood
The campaign features malicious attachments in the form of decoy RTF documents. When the user opens the attachment, multiple pop-ups repeatedly prompt them to enable macros for an embedded Excel spreadsheet.
Further inspection showed that the same OLE object – in this case, the Excel file – is embedded multiple times into the RTF file, which “implies that each embedded OLE object may be related to each popup.” The intent is to wear the user down, enticing them to click “enable” in order to get the pop-ups to go away.
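One defensive check this pattern suggests, written as an added example and not part of Lastline's analysis: parse the RTF, decode every `\objdata` blob, and count how often the same OLE object recurs. The sample RTF and its hex payloads below are constructed placeholders, not a real OLE1 stream.

```python
import hashlib
import re
from collections import Counter

# Constructed sample RTF: the same Excel OLE object embedded three times,
# plus one unrelated object. The \objdata hex is a short placeholder only.
SAMPLE_RTF = (
    r"{\rtf1\ansi Quarterly report attached." + "\n"
    + (r"{\object\objemb{\*\objclass Excel.Sheet.12}"
       r"{\*\objdata 01050000020000000b000000}}" + "\n") * 3
    + r"{\object\objemb{\*\objclass Word.Document.12}"
    + r"{\*\objdata 0105000002000000aabbccdd}}}"
)

OBJ_START_RE = re.compile(r"\{\\object\b")
OBJ_CLASS_RE = re.compile(r"\\objclass\s+([^}\\]+)")
OBJ_DATA_RE = re.compile(r"\\objdata\s*([0-9a-fA-F\s]+)")


def extract_ole_objects(rtf):
    """Return [(objclass, decoded OLE bytes)] for each \\object group.

    Assumes \\object groups are not nested in one another, so each group
    runs from its '{\\object' up to the next one (or the end of the file)."""
    starts = [m.start() for m in OBJ_START_RE.finditer(rtf)]
    objects = []
    for begin, end in zip(starts, starts[1:] + [len(rtf)]):
        group = rtf[begin:end]
        cls = OBJ_CLASS_RE.search(group)
        data = OBJ_DATA_RE.search(group)
        if not data:
            continue
        hex_blob = re.sub(r"\s+", "", data.group(1))
        hex_blob = hex_blob[: len(hex_blob) & ~1]  # drop a dangling nibble
        objects.append((cls.group(1).strip() if cls else "", bytes.fromhex(hex_blob)))
    return objects


def assess_rtf(rtf):
    """Summarise embedded objects; flag an identical Excel object embedded repeatedly."""
    objs = extract_ole_objects(rtf)
    digests = Counter(hashlib.sha256(blob).hexdigest() for _, blob in objs)
    classes = Counter(cls for cls, _ in objs)
    max_repeat = max(digests.values(), default=0)
    return {
        "total_objects": len(objs),
        "distinct_objects": len(digests),
        "max_repeat": max_repeat,
        "classes": dict(classes),
        # Each copy of the same Excel object raises its own macro prompt.
        "suspicious": any(c.startswith("Excel.") for c in classes) and max_repeat >= 2,
    }
```

Calling `assess_rtf(SAMPLE_RTF)` reports four embedded objects, two distinct payloads, and a maximum repeat count of three, which trips the `suspicious` flag.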
That Excel spreadsheet is a “typical weaponized document with an embedded malicious VBA macro.” The macro itself is hidden via encoding with uncommon Unicode characters.
The macro, once enabled, reads hex-encoded content from one of the spreadsheet’s cells. That content, when decrypted, turns out to be a PowerShell script that is then executed using Windows Management Instrumentation (WMI).
The PowerShell script then invokes the C# compiler (csc.exe) from within PowerShell itself – which is another evasion technique.
“What caught our attention are the csc.exe subjects spawned by the PowerShell processes,” according to the analysis. “csc.exe is the C# command-line compiler in the Microsoft .NET Framework, which can be called via [the Add-Type -TypeDefinition] cmdlet within the Windows PowerShell environment.”
Once the PowerShell process spawns csc.exe, it applies a known bypass method for the Antimalware Scan Interface (AMSI) to sneak past security defenses. Changing the underlying implementation from PowerShell to C# makes the activity less obvious to both humans and detection engines. In particular, it helps hide the AMSI bypass trick and any indicators of compromise (IoCs).
“The usage of the Add-Type cmdlet in PowerShell payloads, which allows one to compile C# programs…provided the attackers with great flexibility to bypass AMSI-related detection and carry out further malicious downloads,” according to the analysis. “Given its effectiveness, we expect this technique to become more popular in weaponized PowerShell payloads.”
Incidentally, the botnet’s usage of this specific AMSI-bypass technique is what links it to the spam campaign recently uncovered by Cisco Talos, according to Lastline. That campaign was being operated by the SWEED threat actor.
Once established on the victim machine, the code fetches a dropper payload from a remote host, which in turn downloads the last-stage info-stealing malware. These end stages are heavily obfuscated as well, researchers said.
“The download routine is straightforward and is executed right after the AMSI bypass has been set up: it downloads a remote payload into the AppData folder, and executes it,” according to the Lastline research. “There is a dedicated effort to hide the final payload URL by adding several obfuscation layers, a technique known to impair automated tools and parsers.”