Bah HumBug and Die Hard

Much of the world’s population observes and celebrates Christmas every December to connect with friends and family and reflect on the year.  Malware operators also observe the holiday, perennially attempting to compromise the systems of users who have let their guard down during the festivities.

Affected Platforms: Windows
Impacted Users: Windows users
Impact: Malware opens a backdoor and exfiltrates information from compromised machines
Severity Level: High

FortiGuard Labs has come across two holiday-themed phishing examples that exploit people’s interests in the holidays, leading to malware infection and further exploitation.[1]

Giving the Gift of AgentTesla for Christmas: FortiGuard Labs found that an AgentTesla affiliate started Christmas activities early this year.  Their email is disguised to look like it came from a jewelry shop in Dubai.  It was sent to a company that specializes in water treatment in Chile.  The email requests that the recipient provide quotes for the price and availability of jewelry for Christmas.  An obvious red flag is that “Dubai” is spelled wrong (besides asking a company specializing in water treatment for jewelry pricing.)

Figure 1. Screenshot of the email

The email has two attachments: “new designs.gz” contains “new designs.exe,” and “Inquiry lists.gz” contains “Inquiry lists.exe.” Although the embedded files have different names, they share the same file hash (SHA2: c94eac21e05336aa64ccbc1726d0a2961880627973dae4c5483aaed33150eec5).

“new designs.exe” inside “new designs.gz”

“Inquiry lists.exe” inside “Inquiry lists.gz”

When executed, c94eac21e05336aa64ccbc1726d0a2961880627973dae4c5483aaed33150eec5 drops fkkvzetzm.exe, jfwxswcu.au3, igqyivch.prc, and kywyozha.x into the %usertemp% directory.  It then calls an AutoIt script (jfwxswcu.au3) by launching fkkvzetzm.exe (a legitimate copy of AutoIt3) with jfwxswcu.au3 as an argument.

The file jfwxswcu.au3 is an obfuscated AutoIt script designed to read and deobfuscate igqyivch.prc, which contains shellcode.  The shellcode is then loaded into memory via VirtualAlloc.  The shellcode, in turn, loads kywyozha.x into memory.  Once loaded, kywyozha.x performs several tasks, including launching a copy of the running process and checking to see if it’s running inside a 64-bit process.

To avoid being detected by system monitors such as AV and EDR, it copies ntdll.dll into memory so it can use that copy instead of the one on disk.  It then checks to see if specific APIs in ntdll.dll have been modified or hooked with trampolines.  Finally, it injects kywyozha.x into the copy of the running process.
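The chain above leaves two process-level signals that do not depend on the random file names: an interpreter running out of the user’s temp directory is handed a .au3 script, and a process in the temp directory spawns another process in the temp directory. The Python below is an added example (not code from the FortiGuard write-up or from this post) that runs those two rules over constructed process-creation records; the record layout, the user name “bob” and the paths are assumptions, and only the dropped file names come from the analysis above.

```python
import re

# Constructed sample process-creation events (not real telemetry). The fields
# mimic a minimal Sysmon Event ID 1 / EDR export: parent image, child image,
# child command line. The user name and directory layout are invented; the
# dropped file names (fkkvzetzm.exe, jfwxswcu.au3) come from the analysis.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\bob\AppData\Local\Temp\new designs.exe",
     "cmdline": r'"C:\Users\bob\AppData\Local\Temp\new designs.exe"'},
    {"parent": r"C:\Users\bob\AppData\Local\Temp\new designs.exe",
     "image": r"C:\Users\bob\AppData\Local\Temp\fkkvzetzm.exe",
     "cmdline": r'"C:\Users\bob\AppData\Local\Temp\fkkvzetzm.exe" C:\Users\bob\AppData\Local\Temp\jfwxswcu.au3'},
    # A developer running the real interpreter from its install location on a
    # script in their own folder: this must NOT be flagged.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
     "cmdline": r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" C:\Users\bob\scripts\build.au3'},
]

# User-writable temp locations; the sample drops everything into %TEMP%.
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
# A .au3 script passed as an argument (end of token: whitespace, quote or end).
AU3_ARGUMENT = re.compile(r'\.au3(?=\s|"|$)', re.IGNORECASE)


def evaluate(event):
    """Return the list of rule names this event trips (empty list = benign)."""
    hits = []
    parent, image, cmdline = event["parent"], event["image"], event["cmdline"]
    # Rule 1: an interpreter living in %TEMP% is handed an AutoIt script.
    # The interpreter's file name is useless here (AutoIt3.exe was dropped
    # under a random name), so key on its location plus the script argument.
    if TEMP_PATH.search(image) and AU3_ARGUMENT.search(cmdline):
        hits.append("autoit-script-from-temp")
    # Rule 2: a process in %TEMP% spawning another process in %TEMP%, i.e. the
    # dropper launching what it just wrote.
    if TEMP_PATH.search(parent) and TEMP_PATH.search(image):
        hits.append("temp-to-temp-spawn")
    return hits


def scan(events):
    """Map event index -> rule hits for every event that trips at least one rule."""
    return {i: hits for i, ev in enumerate(events) if (hits := evaluate(ev))}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["image"], hits)
```

Only the second record trips both rules; the first (the dropper itself, launched from Explorer) and the third (a legitimate AutoIt3 install running a script from a user folder) pass, which is the point of keying on location and argument rather than on the executable’s name.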

The file kywyozha.x is an executable file.  It calls itself 8845e90c-374f-4f68-a7a8-4bc7bad7be20.exe (SHA2: 0FCAE5DB73D10B022E86F7E0799073623FA5063A29054807E1F93A4016D8FC99).

8845e90c-374f-4f68-a7a8-4bc7bad7be20.exe is a variant of the AgentTesla infostealer Trojan that uses Telegram (hxxps://api.telegram[.]org/bot5018340186:AAFKw8ktzY7O_6e1fhgEWq27H2aE-rsBGjA/) for its Command-and-Control (C2) server.  The malware can download and delete files, steal credentials from browsers and FTP and email applications, and perform keylogging.

Fortunately, the company that received the email is not in the jewelry business and is unlikely to have opened and executed AgentTesla.  Whew….

“Welcome to the party, pal!”

We also recently came across a strange email with a theme familiar to Christmas movie viewers.  The email was crafted to appear as being sent from Klaus Hans Gruber to John McClane - fictional characters from the original Die Hard movie.  The email has a heartfelt message requesting to settle their long-time feud and asks the recipient (in this case John McClane) to open the attachment, “good_time.zip.”

Figure 2. Die Hard spoof email

The archive file contains a series of what appear to be JPEG image files. However, a closer look revealed that “image6” is not actually a JPEG file.

Figure 3. List of images in the “Die Hard” archive

Rather than a photo, “image6” is a batch file that displays “image7.jpg.jpg” (Figure 4) and also loads and executes PowerShell code from hxxps://pastebin[.]com/raw/PeJLUFC4. While these PowerShell commands claim to be for “educational purposes,” they create a reverse shell backdoor to the email sender.

This backdoor allows for the execution of arbitrary PowerShell commands. The obvious tactic used by the attacker is to get the recipient to go through a set of amusing images attached to the email and inadvertently run the malicious batch file.

Figure 4. Screenshot of image7.jpg.jpg

While the email is crafted as a joke, the attachment can still cause real harm to users by opening a backdoor on compromised machines.
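The trick only works because the recipient judges the attachment by its icon and visible name. Inspecting each member’s name and content before anyone opens the archive catches it. The Python below is an added example, not code from the original post or from FortiGuard: it opens a zip in memory, flags executable and double extensions, checks that a file claiming to be a JPEG/PNG/GIF/PDF actually starts with that format’s magic bytes, and compares SHA-256 hashes against the File IOC list in this post. The archive it builds is constructed for the demonstration (a harmless do-nothing batch file stands in for image6.jpg.bat), so its hashes are not expected to match the IOCs; the finding labels are this example’s own.

```python
import hashlib
import io
import zipfile

# SHA-256 values copied from the File IOC list in this post (lower-cased so
# they compare equal to hashlib's hexdigest output).
KNOWN_BAD_SHA256 = {
    "c94eac21e05336aa64ccbc1726d0a2961880627973dae4c5483aaed33150eec5",  # new designs.exe / Inquiry lists.exe
    "0fcae5db73d10b022e86f7e0799073623fa5063a29054807e1f93a4016d8fc99",  # 8845e90c-374f-4f68-a7a8-4bc7bad7be20.exe
    "1f4118f5e843334e23e325784b5c4a8249315da7211c7c69d94d7a5a60d00d84",  # image6.jpg.bat
    "543d26c5081bdcda693c8dc3586a874319413e8e8ab762b8ad99341f37c4b3fa",  # good_times.zip
}

# Leading bytes a file must start with to really be the type its extension claims.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}
# Extensions Windows will execute when double-clicked.
EXECUTABLE_EXT = {".bat", ".cmd", ".exe", ".vbs", ".js", ".ps1", ".scr", ".lnk"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate anything larger (zip-bomb guard)


def inspect_member(name, data):
    """Return the list of findings for one archive member (empty = looks fine)."""
    findings = []
    base = name.lower().rsplit("/", 1)[-1]          # drop any directory prefix
    exts = ["." + part for part in base.split(".")[1:]]  # every extension, in order
    # 1. The final extension is something Windows would run.
    if exts and exts[-1] in EXECUTABLE_EXT:
        findings.append("executable-extension")
    # 2. An image/document extension sits directly before the executable one
    #    ("image6.jpg.bat"): the classic hidden-extension disguise.
    if len(exts) >= 2 and exts[-2] in MAGIC and exts[-1] in EXECUTABLE_EXT:
        findings.append("double-extension")
    # 3. The file claims to be an image/document but its bytes say otherwise.
    if exts and exts[-1] in MAGIC and not data.startswith(MAGIC[exts[-1]]):
        findings.append("magic-mismatch")
    # 4. Exact match against the published hashes.
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        findings.append("known-ioc-hash")
    return findings


def inspect_archive(zip_bytes):
    """Map member name -> findings for every member with at least one finding."""
    report = {}
    if hashlib.sha256(zip_bytes).hexdigest() in KNOWN_BAD_SHA256:
        report["<archive>"] = ["known-ioc-hash"]
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                report[info.filename] = ["oversized-not-inspected"]
                continue
            findings = inspect_member(info.filename, zf.read(info))
            if findings:
                report[info.filename] = findings
    return report


def build_sample_archive():
    """Constructed test archive mirroring the layout described in the post."""
    jpeg_header = b"\xff\xd8\xff\xe0" + b"\x00" * 16   # genuine JPEG start, no real picture
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("image1.jpg", jpeg_header)                       # ordinary image
        zf.writestr("image6.jpg.bat", b"@echo off\r\nrem constructed stand-in, does nothing\r\n")
        zf.writestr("image7.jpg.jpg", jpeg_header)                   # odd name, but a real JPEG
        zf.writestr("image8.jpg", b"this is not an image at all")    # wrong content for .jpg
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in inspect_archive(build_sample_archive()).items():
        print(f"{member}: {', '.join(findings)}")
```

The double-extension and magic-byte checks are independent on purpose: Explorer hides the last extension by default, so “image6.jpg.bat” displays as “image6.jpg”, and a renamed executable with a single wrong extension would slip past a name check alone. Hash matching is the weakest of the four, since a single byte change in the batch file defeats it; it is included because the post publishes the hashes.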

Conclusion - While the attacks covered in this blog are not new by any means, such attacks are repeated every year because threat actors believe that “if you take enough shots, you will eventually make a basket.”  That’s especially true when attacks exploit things like holidays and major events, like Christmas or the World Cup.  Taking advantage of distracted recipients continues to be a successful strategy, and users are cautioned to remain vigilant during the holiday season.

To that end, the Cybersecurity and Infrastructure Security Agency (CISA) has created several tips to help users with online safety and handling email attachments.

The Fortinet Antivirus engine detects all binaries discussed in this blog using the following AV signatures:

  • MSIL/AgentTesla.919C!tr
  • AutoIt/Agent.WKO!tr
  • PowerShell/Agent.0D84!tr
  • PowerShell/Agent.36F7!tr

File IOCs

  • c94eac21e05336aa64ccbc1726d0a2961880627973dae4c5483aaed33150eec5 (Inquiry lists.exe)
  • 0FCAE5DB73D10B022E86F7E0799073623FA5063A29054807E1F93A4016D8FC99 (8845e90c-374f-4f68-a7a8-4bc7bad7be20.exe)
  • 1f4118f5e843334e23e325784b5c4a8249315da7211c7c69d94d7a5a60d00d84 (image6.jpg.bat)
  • 5e715ff174547e66f9566232bc7edccebd93ae7f99e5cd3818040c13acec36f7 (malicious PowerShell scripts hosted on pastebin[.]com/raw/PeJLUFC4)
  • 543d26c5081bdcda693c8dc3586a874319413e8e8ab762b8ad99341f37c4b3fa (good_times.zip)

Network IOCs

  • api.telegram[.]org/bot5018340186:AAFKw8ktzY7O_6e1fhgEWq27H2aE-rsBGjA/
  • pastebin[.]com/raw/PeJLUFC4

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com      

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

[1] https://www.fortinet.com/blog/threat-research/trying-to-steal-christmas-again/
