The group behind Sanny malware attacks has made significant changes to the way it delivers their payload. According to new research by FireEye, the attackers have upgraded their delivery techniques when it comes to planting malware on systems via document attachments sent as part of spam and phishing campaigns.
“The attack is now carried out in multiple stages, with each stage being downloaded from the attacker’s server. Command line evasion techniques, the capability to infect systems running Windows 10, and use of recent User Account Control bypass techniques have also been added,” according to a FireEye report, which said the changes were first observed earlier this month.
The attackers, believed to be based in Korea, have targeted English and Russian-language diplomatic victims around the world since 2012. According FireEye’s report, written by researchers Sudeep Singh and Yijie Sui, the attacks are using both rigged Cyrillic and English-language Word files. The malicious file contains an embedded macro that, when enabled, triggers an infection chain that ultimately delivers to the Sanny malware payload.
“This campaign was low in volume but nevertheless, highly targeted,” said Singh in an email response to Threatpost’s questions. “The earlier malware delivery method used to spread Sanny malware was not multi stage. All the components were dropped directly on the disk and executed by the macro based document in the previous variants.”
Malicious document names include “РГНФ 2018-2019.doc” and “Copy of communication from Security Council Committee (1718).doc”. While the Cyrillic based document discusses “Eurasian geopolitics as they relate to China, as well as Russia’s security,” the English-language document covers “sanctions on humanitarian operations in the Democratic People’s Republic of Korea (DPRK).”
An analysis of the macro revealed that a Text Box found in the Word document – when activated – runs a hidden malicious command. “This TextBox property is first accessed by the macro to execute the command on the system and is then overwritten to delete evidence of the command line,” researchers wrote.
Next, stage one includes: “The macro leverages the legitimate Microsoft Windows certutil.exe utility to download an encoded Windows Batch (BAT) file from the following URL: http://more.1apps[.]com/1.txt. The macro then decodes the encoded file and drops it in the %temp% directory with the name: 1.bat.”
Stage two, according to FireEye, includes: “The BAT file will download the CAB file based on the architecture of the underlying operating system. The rest of the malicious activities are performed by the downloaded CAB file.”
A CAB file is short for Windows Cabinet file. CAB files store data related to various Windows installations including device drivers or system files. In the case of Sanny, the CAB file contained several malicious functions including delivering “ipnet.dlle” (the Sanny malware) and “ipnet.ini” (a configuration file used by the malware).
Another CAB component includes “update.dll,” which is used to perform a Windows 10 User Account Control (UAC) bypass. “This component from the CAB file is used to perform UAC bypass on Windows 10… if the underlying operating system is Windows 10, then it uses update.dll to begin the execution of code instead of invoking the install.bat file directly,” FireEye explains.
The BAT file also checks for the presence of specific antivirus software solutions on targeted systems. “If found, CAB installation is changed accordingly in an attempt to bypass detection,” researchers said.
Singh told Threatpost the capability to infect Windows 10 is new with these latest attacks: “It performs a specific check to detect Windows 10 OS and executes the code accordingly.”
Beyond the delivery method, the final payload (ipnet.dll/Sanny) has not changed since the previously observed variants, Singh said.
Once finally in, the malware harvests everything from Microsoft Outlook accounts and browser data that includes stored username and passwords. Sanny uses FTP as its means to exfiltrate data from the targeted system to the attacker’s command-and-control server.
“Sanny malware uses an interesting mechanism for compressing the contents of data collected from the system and encoding it before exfiltration. Instead of using an archiving utility, the malware leverages Shell.Application COM object and calls the CopyHere method of the IShellDispatch interface to perform compression,” FireEye wrote.
“This activity shows us that the threat actors using Sanny malware are evolving their malware delivery methods, notably by incorporating UAC bypasses and endpoint evasion techniques. By using a multi-stage attack with a modular architecture, the malware authors increase the difficulty of reverse engineering and potentially evade security solutions,” researchers wrote.