By Homer Pacag, Security Researcher at Trustwave
Using malware infected spam (or malspam for short) to attack targets is one of the oldest tricks in the cybercriminal book, but attackers frequently use old techniques with new twists to catch victims out.
In August, our threat detection team uncovered an unusual, new approach to malspam in a campaign that appeared to be exclusively targeting banks.
We first spotted the campaign in mid-August, and it reappeared later in the month. The attack used the ever-popular technique of sending a malware-infected fake invoice to targets to trick them into opening the file and executing hidden malware. However, this came with a new development we hadn’t seen before.
Rather than the usual infected Word or PDF documents, the attackers instead used Microsoft Publisher, a program generally reserved for editing a document’s layout rather than composing and editing a simple file like an invoice. Seeing a .pub document with a filename like “Payment Advice” was unusual enough to prompt a more in-depth investigation from our team.
The hidden malware
Opening the attached .pub will prompt the user to “Enable Macros”, which may appear as “Enable Editing” or “Enable Content” in some older versions of Microsoft Publisher. Accepting the command will activate a hidden download link for a self-extracting archive containing a backdoor tool known as the FlawedAmmyy RAT (Remote Access Trojan).
FlawedAmmyy has been used in attack campaigns since 2016, usually targeting specific companies in industries such as the automotive sector. A large attack was detected in July 2018, this time using PDF documents.
Based on the leaked source code of a remote access admin tool, the malware has several abilities including a remote desktop tool and a file system manager. Once a machine has been infected with FlawedAmmyy, the attacker is able to remotely take control and perform a number of malicious actions. They can begin exfiltrating data or installing further malware with other capabilities and can use the compromised machine to email other users at the organisation under the guise of the commandeered email address.
What makes this attack different?
The use of .pub files rather than normal .doc or PDF files makes this campaign rather unusual. We can’t be certain of the attacker’s motivation for the switch, but it appears to come as part of a prolonged campaign using different techniques. With further investigation, it quickly became apparent that this group has been repeatedly experimenting with its attack method in recent months.
A week after the initial discovery, we found the campaign had re-emerged, this time with the Microsoft Publisher files embedded within a PDF. Hiding executable items inside a PDF is a popular tactic with this group, and the same technique was used for most of the previous FlawedAmmyy attacks.
After some further digging, we were able to identify several different cases likely stemming from the same attackers. They all used the FlawedAmmyy malware embedded in documents and were exclusively targeting banks, but frequently changed other elements, such as using different subject lines and other file types like Excel IQY.
It also appears that the campaign originates from the notorious Necurs botnet, which has been responsible for several very large-scale malware distribution campaigns over the last couple of years, for example WannaCry which hit the NHS in May 2017. However, this most recent example is notable for being of a much smaller scale and only targeting domains belonging to banks.
Should banks be worried?
The amount of evidence we have uncovered so far indicates that this group is very persistent in their goal of infecting a banking organisation with the FlawedAmmyy malware. This is unsurprising as compromising an endpoint device within a bank with the remote access trojan is something of a holy grail for a cybercrime group. A successful infection would potentially allow for further attacks, including stealing large amounts of confidential data, transferring funds, or even accessing the banking system itself.
After the recent spree of different attack patterns, we can anticipate that the attackers will continue to experiment with different combinations of file types and text until they are finally able to successfully infect a bank with malware.
Banks around the world should be on their guard for the appearance of this attack. As with past malspam attacks, this latest campaign relies on poor user awareness to succeed. Banks should consider strengthening their security training so that all users are aware of the threat posed by unknown files in their inbox. There should be a clear policy in place for handling and reporting suspicious emails.
Taking it a step further, banks should also ensure they have the ability to closely inspect inbound document files at the email gateway. This will enable them to detect hidden files and macros that have been embedded within apparently benign files. It may also be advisable to block files like Excel IQY at the email gateway as they are increasingly being used to evade security measures and execute malware downloads.
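The kind of gateway-side attachment triage described above, as an added example that is not a Trustwave tool or part of the original article: it flags .pub and IQY attachments by extension, a VBA project inside an OLE file (the .pub container format), a PDF carrying an embedded file or an active action, and an IQY file pointing at a remote URL. The OLE check is a byte-level marker search rather than a full compound-file parser, and all sample blobs are constructed.

```python
import re

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# OLE directory entries store storage names as UTF-16LE; a macro-bearing
# Office/Publisher file carries a "_VBA_PROJECT" storage.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
RISKY_EXTENSIONS = {".pub", ".iqy"}


def inspect_attachment(filename, data):
    """Return a list of findings for one attachment; empty means nothing flagged."""
    findings = []
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in RISKY_EXTENSIONS:
        findings.append("risky extension " + ext)
    # .pub files are OLE compound documents; macros live in a VBA storage.
    if data.startswith(OLE_MAGIC) and VBA_MARKER in data:
        findings.append("OLE file contains a VBA project (macros)")
    if data.startswith(b"%PDF"):
        if b"/EmbeddedFile" in data:
            findings.append("PDF carries an embedded file")
            # Report the declared name of any embedded .pub, e.g. "Payment Advice.pub".
            for name in re.findall(rb"/F\s*\(([^)]+)\)", data):
                if name.lower().endswith(b".pub"):
                    findings.append("embedded file named " + name.decode(errors="replace"))
        if b"/Launch" in data or b"/JavaScript" in data:
            findings.append("PDF contains a Launch or JavaScript action")
    # IQY files are plain text beginning with "WEB"; Excel fetches the listed URL.
    if data[:3] == b"WEB" and b"http" in data[:200]:
        findings.append("Excel web query (IQY) fetching a remote URL")
    return findings


def should_quarantine(filename, data):
    return bool(inspect_attachment(filename, data))


# Constructed sample attachments (not real malware), one per detection path.
SAMPLE_PUB = OLE_MAGIC + b"\x00" * 64 + VBA_MARKER + b"\x00" * 16
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Filespec /F (Payment Advice.pub) "
              b"/EF << /F 2 0 R >> >> endobj\n2 0 obj << /Type /EmbeddedFile >> endobj\n")
SAMPLE_IQY = b"WEB\r\n1\r\nhttp://example.invalid/payment\r\n"
SAMPLE_DOCX = b"PK\x03\x04" + b"\x00" * 32  # benign OOXML-style zip header

if __name__ == "__main__":
    for name, blob in [("Payment Advice.pub", SAMPLE_PUB), ("invoice.pdf", SAMPLE_PDF),
                       ("query.iqy", SAMPLE_IQY), ("report.docx", SAMPLE_DOCX)]:
        print(name, inspect_attachment(name, blob))
```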
Research also contributed by Phil Hay, Research Manager, Trustwave