TA505 is a financially motivated cybercrime group that has been active since 2014. The group recently launched a seasonal spear-phishing campaign that uses domains impersonating the file-sharing service Sync to host malicious Microsoft Excel files. These files act as droppers for additional malware, which could then be used to expand TA505-controlled botnets. ZeroFox Alpha Team has been coordinating with customers and threat-sharing groups affected by TA505. Through this coordination, the team has recently observed a change in the group’s spear-phishing techniques as well as in its malware obfuscation and packing techniques. TA505 is clearly knowledgeable of Western pop culture – demonstrated most recently by a new campaign focused on Halloween. Specifically, the campaign uses Halloween as a call to action to get victims to download and run the malware.
On October 28, 2019, ZeroFox Alpha Team obtained a malicious XLS file, believed to be a TA505-associated dropper. The dropper was hosted on a website that encouraged users to download the file with a call to action referencing today’s holiday, Halloween. Given that this campaign went live on October 27, 2019, when the command and control domain was registered, this appears to have been done deliberately to capitalize on the upcoming holiday. This is similar to previous TA505 campaigns, which have hosted droppers on Dropbox-themed websites. In this case, however, a Dropbox competitor, Sync, is being spoofed. This demonstrates the group’s frequent adaptation of delivery methods and use of similar products to increase the chance of a download. The spoofed domain used for this campaign, d1.syncdownloading[.]com, features a landing page very similar in appearance to the legitimate Sync download page, increasing the likelihood that a user will download the file. While refreshing this page, multiple filenames were observed – “Haloween_invitation.XLS” and “IVO292980002.XLS”. Both files were obtained, and their functionality was determined to be the same. The “Haloween_invitation.XLS” file name indicates a level of familiarity with Western pop culture, capitalized upon to create a sense of trust and urgency with their victims.
XLS Dropper and Obfuscation Method
When downloaded and opened in Excel, the file appears benign and displays a loading image. This image is static and the loading bar does not change no matter the length of time the document is opened.
When a user who has macros enabled opens the dropper file, a series of macros runs to install the dropper, unpack a module that contacts the C2 server, and make the corresponding C2 call. During analysis of this file, ZeroFox Alpha Team did not observe any notification to the user that macros were running, which makes it harder for a victim to realize they have been infected. Although the command and control server was live when Alpha Team began this analysis, no payload was obtained from the C2, preventing further analysis.
The XLS file contains an OLE stream. Embedded within this stream is a Windows INF file. INF files are associated with driver and device installation. This appears to be a legitimate Epson printer driver INF for Windows 7 installation. However, in this case, this INF is used to obfuscate two binaries that have been sandwiched into the driver file. Both of these binaries are Windows DLLs.
Dropper Functionality and DLL Loading
The macros within the XLS file extract and load these DLLs from the OLE stream within the XLS file. There are two DLLs: one intended for 32-bit (x86) Windows systems and the other for 64-bit (x64) Windows systems. Both DLL variants are encrypted. The DLL extraction function is called DonHuan, potentially a reference to the legendary Spanish libertine who seduced his way through Seville. This function seeks to a specific offset within the XLS file, which depends on the Windows architecture and therefore on which DLL is to be extracted, and verifies that the first bytes at this offset are consistent with the Windows executable file header before extracting the DLL.
The DonHuan extraction function is called within a second function, called StartRecovery, shown below.
Within this function, the DonHuan function is called to locate and extract the appropriate DLL from the dropper. The file path used to save the DLL to memory is built and saved to a variable called “nm.” This is consistent with other macros seen used by TA505, although the obfuscation methods in this case do differ from previously seen methods. The name of the extracted DLLs is also visible here – “MPCMD1.dll” or “MPCMD2.dll” depending on the version. The path where the extracted DLL will be saved, along with the name of the OLE stream, and the CNPK variable containing the offset of the DLL to be extracted, are passed to the DonHuan function. Finally, a function called ZooDcom is called. This is an exposed function within the DLL, likely used to download additional payloads.
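The sandwiching and header check described above, seen from the defender's side: an added Python example (not ZeroFox's code and not the dropper's macro) that scans a byte blob, such as the INF text dumped from the XLS's OLE stream, for MZ/PE headers embedded in it and reports the offset and target architecture of each, mirroring the header check the DonHuan macro performs before extraction. The INF text and header stubs are constructed for the example; it assumes the MZ stub and PE signature are in the clear, and flags an MZ whose PE signature does not validate rather than dropping it.

```python
import re

# COFF Machine values for the two architectures the page mentions
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64"}
PE_SIGNATURE = b"PE\x00\x00"


def find_embedded_pe(blob: bytes):
    """Return candidate PE images sandwiched inside an arbitrary byte blob.

    Every 'MZ' is a candidate, mirroring the header check the dropper macro
    performs before extraction. Each hit records whether the PE signature at
    e_lfanew also validates and, if so, the target architecture.
    """
    hits = []
    for match in re.finditer(b"MZ", blob):
        off = match.start()
        if off + 0x40 > len(blob):
            continue  # too short to hold a complete DOS header
        e_lfanew = int.from_bytes(blob[off + 0x3C:off + 0x40], "little")
        pe_off = off + e_lfanew
        hit = {"offset": off, "pe_valid": False, "machine": None}
        # e_lfanew inside the DOS header or past the end of the blob is not a real PE
        if (e_lfanew >= 0x40 and pe_off + 24 <= len(blob)
                and blob[pe_off:pe_off + 4] == PE_SIGNATURE):
            machine = int.from_bytes(blob[pe_off + 4:pe_off + 6], "little")
            hit["pe_valid"] = True
            hit["machine"] = MACHINE_NAMES.get(machine, f"0x{machine:04x}")
        hits.append(hit)
    return hits


def make_pe_stub(machine: int) -> bytes:
    """Constructed minimal MZ/PE header (not a runnable binary) for the sample."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew: PE header follows DOS header
    coff_header = machine.to_bytes(2, "little") + bytes(18)
    return bytes(dos) + PE_SIGNATURE + coff_header


# Constructed stand-in for the driver INF with two headers sandwiched in
# (x86 first, x64 second), as the page describes; not the real sample.
SAMPLE_INF = (
    b'[Version]\r\nSignature="$Windows NT$"\r\nClass=Printer\r\n'
    + make_pe_stub(0x014C)
    + b"\r\n[Manufacturer]\r\n%VENDOR%=VENDOR,NTamd64\r\n"
    + make_pe_stub(0x8664)
    + b'\r\n[Strings]\r\nVENDOR="Vendor"\r\n'
)

if __name__ == "__main__":
    for hit in find_embedded_pe(SAMPLE_INF):
        print(hit)
```

The OLE stream bytes can be pulled with a library such as olefile before running the scan; because it is a plain byte scan, it can also be run over the whole XLS file.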
Command and Control Traffic
The dropper analyzed in this research makes an HTTPS request to the domain office-en-service[.]com. A quick whois search on this domain yields an interesting pivot point: the domain registrant has not removed their email address from the whois record. An additional reverse whois for the registered email address returns 20 total domains registered to this email, including googledrive-download[.]com, which was also seen used as a command and control server by related samples. Several of the other domains registered by this email address were also hosting live content, however, a cursory analysis did not indicate malicious activity. The spoofed hosting site of this dropper, syncdownloading[.]com, was not registered to this email, however, and no registrant information was included for this domain. At the time of this posting, none of the related domains are live.
Potential Links to TA505
There are some similarities between the dropper functionality utilized by this sample and past droppers seen used by TA505. TA505 has previously been observed using droppers containing embedded DLLs and calling exposed functions from the dropper macros in order to download additional payloads. This pattern is congruent with what ZeroFox has observed in this campaign. Historically, TA505 also tends to leverage cloud hosting services for dropper distribution. As is the case in this campaign, the group often attempts to spoof legitimate services like Microsoft Office and Google Drive with the command and control domains. TA505 very often modifies both the malware it uses and its phishing and dropper strategies; however, the similarities between this campaign and past campaigns lead us to believe that this activity can be attributed to TA505.
Attackers change their obfuscation methods often to avoid detection. The obfuscation method seen utilized in this campaign is novel and utilizes an uncommon file format in an attempt to disguise embedded malicious binaries. This campaign also demonstrates a level of awareness of Western pop culture and capitalizes upon a major holiday in an attempt to increase the success rate of the campaign. Although the obfuscation method here is new, similarities between previous TA505 techniques and the technique used in this campaign lead us to believe this activity can be attributed to TA505.
Indicators of Compromise
Malicious Office Documents