On the 4th of August one of our customers reported an infection attempt on one of their machines. In their deployment ReaQta-core is used to augment their signature-based enterprise endpoint protection system, so an infection attempt detected by our solution is a sign that the AV missed the threat. Usually this means either that the attack is targeted or that the malware is brand new. Let's walk through the results of our investigation.
The malware is delivered via email, packaged inside a .docm file. This is a screenshot of the original message:
The content is written in decent Italian, which is unusual for fake emails, and it concerns the shipment of a Volkswagen (or rather, a "Wolkswagen") car. The spoofed message arrived from an IP address registered in Hyderabad, India: 188.8.131.52. Curiously, the anti-spam system didn't trap it.
This is the internal structure of the document attached to the message:
Clearly the interesting part is the macro contained inside word/vbaProject.bin:
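As an added example (not ReaQta's tooling and not the script from the attachment), the following stdlib-only triage opens a .docm as the OOXML zip package it is and looks for the three indicators that the attachment above carries: the word/vbaProject.bin part (an OLE compound file), the macro-enabled content type of the main document part, and the vbaProject relationship. The sample packages it builds in memory are constructed placeholders, not the real attachment; extracting the macro source itself from vbaProject.bin requires an OLE parser such as oletools' olevba.

```python
"""Added example: triage an OOXML (.docm/.docx) package for VBA indicators.

Not code from the post. The sample packages built by build_sample() are
constructed placeholders; only the structure mirrors a real attachment.
"""
import io
import re
import zipfile

VBA_PART = "word/vbaProject.bin"
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file header of a real vbaProject.bin


def triage_docm(data):
    """Inspect the package for VBA indicators and return them with a verdict.

    This does not decompress the macro source; it only tells you whether the
    document carries a macro project and whether the package metadata agrees.
    """
    result = {"has_vba_part": False, "vba_part_is_ole": False,
              "macro_enabled_main_part": False, "vba_relationship": False,
              "inconsistent": False, "parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        result["parts"] = names
        if VBA_PART in names:
            result["has_vba_part"] = True
            result["vba_part_is_ole"] = z.read(VBA_PART)[:8] == OLE_MAGIC
        if "[Content_Types].xml" in names:
            ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_enabled_main_part"] = MACRO_MAIN_CT in ct
        rels_name = "word/_rels/document.xml.rels"
        if rels_name in names:
            rels = z.read(rels_name).decode("utf-8", "replace")
            result["vba_relationship"] = bool(re.search(r'Type="[^"]*/vbaProject"', rels))
    # A macro part without the matching content type / relationship (or the
    # reverse) is worth a second look: something was edited by hand.
    indicators = (result["has_vba_part"], result["macro_enabled_main_part"],
                  result["vba_relationship"])
    result["inconsistent"] = any(indicators) and not all(indicators)
    result["verdict"] = "macro-enabled" if any(indicators) else "no macro indicators"
    return result


def build_sample(with_macro):
    """Construct a minimal package in memory (placeholder content, not the real file)."""
    main_ct = MACRO_MAIN_CT if with_macro else \
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    rels = ""
    if with_macro:
        overrides += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
        rels = ('<Relationship Id="rId1" Target="vbaProject.bin" '
                'Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   + overrides + "</Types>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                   + rels + "</Relationships>")
        if with_macro:
            # A real vbaProject.bin is a full OLE file; only the header is mimicked here.
            z.writestr(VBA_PART, OLE_MAGIC + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(True)
    for k, v in triage_docm(data).items():
        print(f"{k}: {v}")
```

Run it against a real attachment with `python triage.py suspicious.docm`; with no argument it triages the constructed macro-bearing sample.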
We have uploaded the script carved from the document to this pastebin. There are two functions of particular interest:
- usZ5pw3gU8: downloads the payload
- KLJLGBk: writes the payload to disk and executes it (shown below)
The deobfuscated version of the download function looks like this:
And this is the deobfuscated version of the write&exec function:
They're pretty straightforward, so we can move on to the payload. Its version information resource reads as follows (the values are obviously bogus):
CompanyName: Phoenix Labs
FileVersion: 200, 67, 214, 161
LegalCopyright: Copyright © 1156
ProductName: Plantain Motherland
At the time of discovery the payload was detected by only one antivirus engine, which generically flagged it as a packed executable.
Once run, the malware makes several attempts to bypass UAC and elevate its own privileges. The flow of this privilege escalation is already known and works like this:
- Dridex creates an .sdb file (an application-compatibility database), copies itself and drops a .bat file (shown below)
- sdbinst is invoked to install the compatibility database
- iscsicli is launched; the installed compatibility database shims it and redirects execution to the .bat file
- the .bat file runs Dridex with administrative privileges, bypassing UAC. Both sdbinst and iscsicli are Microsoft-signed binaries whose manifests request auto-elevation, which is why no UAC prompt is shown to the user
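Detecting this chain on an endpoint comes down to correlating three process-creation events for the same user inside a short window: sdbinst installing an .sdb from a user-writable location, an iscsicli launch, and a cmd.exe running a .bat shortly after. The following is an added example (not ReaQta-core's detection logic) that runs that correlation over constructed, Sysmon-style process-creation records; the field names, the five-minute window and the process-tree shape in the sample are assumptions made for illustration, and the retry behaviour mirrors the "several attempts" noted above by reporting each attempt separately.

```python
"""Added example: correlate sdbinst -> iscsicli -> .bat process creations.

Not ReaQta's code. SAMPLE_EVENTS are constructed Sysmon-style records; the
field names, timings and parent/child shape are assumptions.
"""
from datetime import datetime, timedelta
import ntpath
import re

# Assumption: one bypass attempt (sdbinst -> iscsicli -> .bat) completes within this window.
WINDOW = timedelta(minutes=5)


def _base(path):
    return ntpath.basename(path).lower()


def _sdb_arg(cmdline):
    """Extract the .sdb path passed to sdbinst, quoted or not; None if absent."""
    m = re.search(r'"([^"]+\.sdb)"|(\S+\.sdb)', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def _user_writable(path):
    """Shim databases registered by legitimate installers normally live under
    %ProgramData% or %SystemRoot%; a profile or temp directory is a strong hint
    that an unprivileged process wrote the file."""
    p = path.lower()
    return "\\users\\" in p or "\\appdata\\" in p or "\\temp\\" in p


def detect_shim_uac_bypass(events):
    """Return one finding per sdbinst(.sdb in user path) -> iscsicli -> cmd *.bat
    chain observed for the same user inside WINDOW."""
    evs = sorted(events, key=lambda e: e["UtcTime"])
    findings = []
    for i, sdbinst in enumerate(evs):
        if _base(sdbinst["Image"]) != "sdbinst.exe":
            continue
        sdb = _sdb_arg(sdbinst["CommandLine"])
        if sdb is None or not _user_writable(sdb):
            continue  # vendor shim installed from a system location: ignore
        deadline = sdbinst["UtcTime"] + WINDOW
        saw_iscsicli = False
        for later in evs[i + 1:]:
            if later["UtcTime"] > deadline:
                break
            if later["User"].lower() != sdbinst["User"].lower():
                continue
            img = _base(later["Image"])
            if img == "iscsicli.exe":
                saw_iscsicli = True
            elif saw_iscsicli and img == "cmd.exe" and ".bat" in later["CommandLine"].lower():
                findings.append({"user": sdbinst["User"], "sdb": sdb,
                                 "installed_at": sdbinst["UtcTime"],
                                 "bat_cmdline": later["CommandLine"]})
                break  # one finding per attempt; a retry produces its own
    return findings


T0 = datetime(2015, 8, 4, 10, 0, 0)


def _ev(offset_s, image, cmdline, parent, user="WS01\\alice"):
    return {"UtcTime": T0 + timedelta(seconds=offset_s), "Image": image,
            "CommandLine": cmdline, "ParentImage": parent, "User": user}


TMP = r"C:\Users\alice\AppData\Local\Temp"
SYS32 = r"C:\Windows\System32"
# Constructed sample: one benign vendor shim, two malware attempts, one unrelated script.
SAMPLE_EVENTS = [
    _ev(0, SYS32 + r"\sdbinst.exe", r'sdbinst.exe -q "C:\ProgramData\Vendor\fix.sdb"',
        r"C:\ProgramData\Vendor\setup.exe"),
    _ev(60, SYS32 + r"\sdbinst.exe", f'sdbinst.exe -q "{TMP}\\1.sdb"', TMP + r"\dropper.exe"),
    _ev(62, SYS32 + r"\iscsicli.exe", "iscsicli.exe", TMP + r"\dropper.exe"),
    _ev(63, SYS32 + r"\cmd.exe", f'{SYS32}\\cmd.exe /c "{TMP}\\1.bat"', SYS32 + r"\iscsicli.exe"),
    _ev(120, SYS32 + r"\cmd.exe", r"cmd.exe /c C:\Scripts\backup.bat", SYS32 + r"\svchost.exe",
        user="NT AUTHORITY\\SYSTEM"),
    _ev(300, SYS32 + r"\sdbinst.exe", f'sdbinst.exe -q "{TMP}\\2.sdb"', TMP + r"\dropper.exe"),
    _ev(302, SYS32 + r"\iscsicli.exe", "iscsicli.exe", TMP + r"\dropper.exe"),
    _ev(303, SYS32 + r"\cmd.exe", f'{SYS32}\\cmd.exe /c "{TMP}\\2.bat"', SYS32 + r"\iscsicli.exe"),
]


if __name__ == "__main__":
    for f in detect_shim_uac_bypass(SAMPLE_EVENTS):
        print(f"{f['installed_at']:%H:%M:%S} {f['user']}: {f['sdb']} -> {f['bat_cmdline']}")
```

The vendor shim from %ProgramData% and the SYSTEM-owned backup script are ignored; the two attempts from the Temp directory each produce a finding. On a real host the same three events can also be cross-checked against the registry key where installed shim databases are recorded (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB), which is where the .sdb persists after sdbinst has run.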
This privilege escalation attempt is correctly identified and reported:
After elevation the malware copies itself to %localappdata%\<RANDOM>\<RANDOM2>.exe and starts its life cycle by injecting a thread into explorer.exe.
Dropper SHA-256: 6457e0b72cc587eb8555086518760cfae4715488e9c82016588e112623d3c294
Dropped .bat SHA-256: 447fd346600351cce82f29068368fa90ddae656ffb5399ffcdf72332c2111072
Dropped .sdb SHA-256: a6e827fbb574a774d4e7a517bd33e34d0c15c5b3914c0e2d87ccbe4223519db2
C&C IP address: 184.108.40.206
Payload address: http://cvaglobal.com (220.127.116.11)
Sender address: 18.104.22.168