SWIFT E-mail Leads To Evasive Gootkit
We follow the trail of another spam e-mail. It’s delivering a malware downloader that’s 0/63 on Virustotal, not unheard of these days. The e-mail had a PDF attachment SWIFT-MT103.pdf which itself was innocuous and simply displayed a fuzzy scan image, purportedly a SWIFT request that linked to a file hosted on Box.com.
Tactics of the downloader/dropper:
Contains functionality for read data from the clipboard
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Detected TCP or UDP traffic on non-standard ports
Sample file is different than original file name gathered from version info
Internet Provider seen in connection with other malware
Icon mismatch, PE includes an icon from a different legit application
Reads the hosts file
…and many other warning signs shown by the software in deeper debugging in included in the report.
Received: from vps39646.inmotionhosting.com (vps39646.inmotionhosting.com
(envelope-from <[email protected]>)
Reply-To: <[email protected]>
Date: Tue, 12 Jun 2018 01:42:52 +0000
A copy of the original e-mail received to a honeypot spam account:
Download the attached PDF, and examine it finding a link:
Download the file from a box.com link, and unzip the contents:
Analysis on the dropper downloaded from this link:
or directly from Joe Sandbox if you don’t trust my PDF.