SWIFT E-mail Leads To Evasive Gootkit
We follow the trail of another spam e-mail. It’s delivering a malware downloader that scores 0/63 on VirusTotal, not unheard of these days. The e-mail carried a PDF attachment, SWIFT-MT103.pdf, which was itself innocuous: it simply displayed a fuzzy scan image, purportedly a SWIFT request, that linked to a file hosted on Box.com.
Tactics of the downloader/dropper:
Contains functionality to read data from the clipboard
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Detected TCP or UDP traffic on non-standard ports
Sample file is different than original file name gathered from version info
Internet Provider seen in connection with other malware
Icon mismatch, PE includes an icon from a different legit application
Reads the hosts file
…and many other warning signs surfaced by the sandbox during deeper analysis are included in the report.
A copy of the original e-mail received to a honeypot spam account:
Received: from vps39646.inmotionhosting.com (vps39646.inmotionhosting.com
(envelope-from <[email protected]>)
Reply-To: <[email protected]>
Date: Tue, 12 Jun 2018 01:42:52 +0000
Download the attached PDF and examine it to find the link:
Download the file from the box.com link and unzip the contents:
hxxps://cambridgecommodities.box.com/shared/static/4yr4v2uaa43835jqi0lawo204oydj2d0.zip
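As an added example (not code from the original post), this is a raw-byte scanner for /URI link actions in a PDF attachment, the kind of link this post found in SWIFT-MT103.pdf. It uses a constructed minimal PDF in place of the real attachment; the flagged file-sharing hostnames and archive suffixes are my assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed minimal PDF with one /URI link annotation (placeholder URL, not the post's attachment).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 100]
  /A << /S /URI /URI (https://example-tenant.box.com/shared/static/PLACEHOLDER.zip) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Literal-string form /URI (...) with backslash escapes, or hex-string form /URI <...>.
URI_RE = re.compile(rb"/URI\s*\((?P<lit>(?:\\.|[^\\)])*)\)|/URI\s*<(?P<hex>[0-9A-Fa-f\s]*)>", re.DOTALL)

def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI target visible in the raw bytes. Links inside compressed object
    streams or encrypted files are not visible this way and need a real PDF parser."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        if m.group("hex") is not None:
            h = re.sub(rb"\s", b"", m.group("hex")).decode()
            raw = bytes.fromhex(h + "0" * (len(h) % 2))  # PDF pads an odd trailing nibble with 0
        else:
            raw = re.sub(rb"\\([()\\])", rb"\1", m.group("lit"))  # unescape \( \) \\ only
        uris.append(raw.decode("latin-1"))
    return uris

FILE_SHARE_HOSTS = ("box.com", "dropbox.com", "drive.google.com", "onedrive.live.com")  # assumed
ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z", ".iso", ".img")  # assumed

def triage(pdf_bytes: bytes) -> list[dict]:
    """Flag each link that matches the pattern in this post: file-sharing host serving an archive."""
    findings = []
    for uri in extract_uris(pdf_bytes):
        parsed = urlparse(uri)
        host = (parsed.hostname or "").lower()
        findings.append({
            "uri": uri,
            "file_share_host": any(host == h or host.endswith("." + h) for h in FILE_SHARE_HOSTS),
            "archive_payload": parsed.path.lower().endswith(ARCHIVE_SUFFIXES),
        })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_PDF):
        print(f)
```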
Analysis of the dropper downloaded from this link:
SWIFT MT103 Joe Sandbox Report
or directly from Joe Sandbox if you don’t trust my PDF.