- Phishing attacks are nothing new, but we are noticing a new trend for polymorphism.
- Bad guys are wrapping both the document and the dropped executable.
- In samples that are literally minutes old, we see the control server is re-obfuscating and updating the malware faster than anti-virus programs are updating their awareness.
The changes made to this phishing expedition are more than trivial substitution. As a result, there’s nothing in your perimeter or endpoint AV that’s preventing the malicious document from reaching end users and infecting them. It is only possible to detect this kind of fresh malware after you’ve become infected.
Here’s one example we saw earlier today. It’s a fairly standard phishing template and, using data stolen by the Trojan from other infected machines, pretends to be from a friend or acquaintance of the recipient. The email encourages the potential victim to click a link to download an alleged invoice.
Upon clicking the link, a document will download. This is what the email led the user to expect, so they will click on it. Here is the malicious document running inside a micro-VM, opened in front of the user who clicked on the phishing link:
Again, this is fairly standard; and as we see so often, the malware scarily detonates without any user interaction at all. As is often the case, there’s some social engineering to trick users into turning macros on if they have been disabled.
Using Bromium Secure Platform, this document has been isolated in a lightweight micro-VM. This is transparent to the user, but our hardware-based isolation allows us to safely continue execution of the malicious code, giving us a unique insight into what it is doing. This analysis is instantly fed back to our customer’s security team.
Here is a view of our analysis of this sample, instantly available via our on-premise console:
A full drill-down into the behavior is immediately available, and in this case we can see the malware migrating processes (each swim lane is a new process). Along the way, a freshly repacked executable is dropped and executed – again this pattern of drop-and-execute is very typical with malware, but in this case the executable has been repacked and is unknown by the majority of anti-virus products because it’s so fresh.
Ultimately this malware installs a Windows service called “sysservice.exe” which contains the Emotet banking Trojan.
Here is what the major AV engines thought of the downloaded document, as reported by Virus Total at the time it was served. Of course, over time this particular document will be known to more AV tools. But by then, the control server will be serving fresh new versions that are undetected.
Similarly, the dropped executable was largely undetected when we saw it – 50 of 66 engines failed to see bad. This is an interesting development as polymorphic documents have been seen extensively, but we generally see them drop binaries that were already known from previous campaigns. So this frequent repacking is an interesting trend.
Ultimately as malware matures, users will be served samples that have been automatically made specifically for them and are totally unknown in the wild – they won’t be stopped at the perimeter or found on the endpoint by legacy tools.
The re-obfuscation is interesting too. The authors have not made simple substitutions (which is all that would be required to defeat a solution relying on signatures) but are making random structural changes in a full re-obfuscation.
This can be seen in the observed PowerShell invocation, which is part of the early process migration:
Compared with a sample delivered from the same URL a few minutes later:
Bromium users are protected from this campaign, and other Zero-day outbreaks, by our unique hardware-based isolation. Our behavioral analysis also allows the malicious activity to be detected even when freshly repacked and re-obfuscated. We provide full forensic information immediately, and because we are able to wait until the malware has actually done something provably bad before creating an alert, we don’t annoy customers with false alarms. Users dependent on legacy AV or signature-based detection may fall victim to this and similar campaigns.
If you want to learn about Bromium Secure Platform, contact us to request a demo.