- Over Christmas, one of our customers was hit by a Trojan and they asked us to take a look at the threat.
- Sixteen of their users were fooled into opening a Word document.
- Fortunately, they had Bromium, so it safely ran inside a micro-VM and was unable to affect their host or their intranet.
Season's greetings? Indeed. How did the bad actors fool so many users into opening the document? They took advantage of the festive season and disguised it as an e-card full of Christmas greetings.
Document titles were along the lines of “Your eGift Card.doc”, “Gift Card for You.doc”, “Christmas Gift Card.doc” and “Your eCard.doc” (note the reasonably convincing variation in the title, which also defeats any filter keyed on a single filename). The documents arrived as links in e-mail; the link took the user to their browser, the browser downloaded the file, the user opened it, and bang – malicious software was installed on the PC.
Again, in our case the malicious software was instead installed in the micro-VM we create for each untrusted document. In fact, I have it running right now… happily hiding as a “systemwmi.exe” process, a name chosen to make it look like part of Windows. It’s sitting there, having made lots of outbound network connections, waiting for instructions from its nefarious masters.
Fortunately, unbeknownst to them, it’s trapped in a micro-VM where it can’t do anything bad.
Apart from the festive seasonality, there’s nothing particularly novel about this malware – but it does show off a new feature we’ve added in the Bromium Secure Platform 4.0.3 release. The sample does the usual Word -> cmd -> powershell -> native-binary sequence of process transitions:
As of Bromium Platform 4.0 Update 3, we give you a little more analysis detail here. You may notice “HTTP GET” in the trace for the first time: we now record exactly which HTTP fetches the malware makes, so you can see where the dropper went to collect its payload.
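The behaviour described above (an Office document spawning cmd and PowerShell, a dropper fetching a payload over HTTP, and a native binary with a Windows-sounding name) is exactly what an endpoint detection rule should key on. The following is an added example, not Bromium's code: a small Python detector run over a constructed list of process-creation and network events shaped like this sample. All paths, PIDs, the URL and the command lines are constructed for the example; the post does not give the real sample's paths or URLs.

```python
"""Toy detection over constructed endpoint telemetry (added example, not
Bromium's code). Models the Word -> cmd -> powershell -> native chain and
the HTTP GET described in the post, and flags them from a list of events.
Every event below is constructed; real paths/URLs are not in the post."""

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "mshta.exe"}
# Names that imitate Windows components; legitimate copies live under these dirs.
LOOKALIKE_PREFIXES = ("system", "svchost", "wmi", "lsass", "csrss", "services")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed events: (kind, pid, ppid, image path or net kind, detail)
EVENTS = [
    ("proc", 100, 1,   r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "Your eGift Card.doc"),
    ("proc", 200, 100, r"C:\Windows\System32\cmd.exe", "/c powershell -w hidden -enc ..."),
    ("proc", 300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "-w hidden -enc ..."),
    ("net",  300, None, "HTTP GET", "http://example.invalid/card/dl.php"),   # constructed URL
    ("proc", 400, 300, r"C:\Users\alice\AppData\Local\Temp\systemwmi.exe", ""),  # constructed path
    ("net",  400, None, "TCP connect", "203.0.113.10:443"),                 # documentation range
    ("proc", 500, 1,   r"C:\Windows\System32\svchost.exe", "-k netsvcs"),     # benign control
]


def basename(path):
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """pid -> (ppid, image) for every process-creation event."""
    return {pid: (ppid, image) for kind, pid, ppid, image, _ in events if kind == "proc"}


def ancestry(procs, pid, limit=32):
    """Image names from the process up through its known ancestors (child first).
    'limit' guards against a malformed tree with a parent cycle."""
    chain = []
    while pid in procs and len(chain) < limit:
        ppid, image = procs[pid]
        chain.append(basename(image))
        pid = ppid
    return chain


def office_spawned_shell(procs, pid):
    """True if this process is a script/shell host with an Office app above it."""
    chain = ancestry(procs, pid)
    return bool(chain) and chain[0] in SHELLS and any(a in OFFICE for a in chain[1:])


def masquerades_as_system(image):
    """True if the name imitates a Windows component but runs outside the Windows dirs."""
    name = basename(image)
    looks_system = name.startswith(LOOKALIKE_PREFIXES)
    in_system_dir = image.lower().startswith(SYSTEM_DIRS)
    return looks_system and not in_system_dir


def detect(events):
    """Return (pid, rule, evidence) alerts for the three behaviours in the post."""
    procs = build_tree(events)
    alerts = []
    for kind, pid, ppid, image, detail in events:
        if kind == "proc":
            if office_spawned_shell(procs, pid):
                alerts.append((pid, "office-spawned shell", " <- ".join(ancestry(procs, pid))))
            if masquerades_as_system(image):
                alerts.append((pid, "system-lookalike outside Windows dir", image))
        elif kind == "net" and any(a in OFFICE for a in ancestry(procs, pid)):
            # The HTTP GET (payload fetch) and later C2 connects both come from
            # processes descended from the Office document.
            alerts.append((pid, "network from Office descendant", f"{image} {detail}"))
    return alerts


if __name__ == "__main__":
    for pid, rule, evidence in detect(EVENTS):
        print(f"pid {pid}: {rule}: {evidence}")
```

The process-tree check is the one that generalises: the cmd and powershell stages change between campaigns, but an Office application with a shell host anywhere in its descendants is rarely legitimate. The name-lookalike check is deliberately narrow to avoid flagging ordinary software (WINWORD.EXE itself sits outside the Windows directories).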
Just a little more information that we offer in Bromium Platform 4.0 Update 3 and later, as an early Christmas gift from us.
Speaking of which… it turns out that malware authors tend to be late for Christmas. None of the e-cards were opened until 26th December, and most of them weren’t opened until 3rd January.
It appears that even malware authors need to be better organised for Christmas.