BLOG

TA505 Disguises Malware for Halloween

Executive Summary

TA505 is a financially-focused cybercrime group that has been in existence since 2014. The group recently launched a seasonal spear-phishing campaign which leverages impersonating domains of the file-sharing service Sync in order to host malicious Microsoft Excel files, which act as droppers for additional malware which can then be potentially used to expand TA505-controlled botnets. ZeroFOX Alpha Team has been coordinating with customers and threat-sharing groups who are affected by TA505. Through this coordination, the team has recently observed a change in the group’s spear-phishing techniques as well as their malware obfuscation and packing techniques. TA505 is clearly knowledgeable of Western pop culture – demonstrated most recently by a new campaign focused on Halloween. Specifically, the campaign leverages Halloween as a call to action to get victims to download and run their malware.

Infection Vector

On October 28, 2019, ZeroFOX Alpha Team obtained a malicious XLS file, believed to be a TA505-associated dropper. The dropper was hosted on a website that encouraged users to download the file with a call-to-action referencing today’s holiday, Halloween. Given that this campaign went live on October 27, 2019, when the command and control domain was registered, this appears to have been done deliberately to capitalize on the upcoming holiday. This is similar to previous TA505 campaigns, which have hosted droppers on Dropbox-themed websites. In this case, however, a Dropbox competitor, Sync, is being spoofed. This demonstrates frequent adaptation of delivery methods and utilization of similar products in order to increase chances of a download. The spoofed domain used for this campaign, d1.syncdownloading[.]com, features a landing page very similar in appearance to the legitimate Sync download page, increasing the likelihood that a user will download the file. While refreshing this page, multiple filenames were observed – “Haloween_invitation.XLS” and “IVO292980002.XLS”. Both files were obtained, and the functionality was determined to be the same. The “Haloween_invitation.XLS” file name indicates a level of familiarity with Western pop-culture, capitalized upon to create a level of trust and urgency with their victims.


Figure 1. Sync download link of Halloween-themed malicious XLS file.

XLS Dropper and Obfuscation Method

When downloaded and opened in Excel, the file appears benign and displays a loading image. This image is static and the loading bar does not change no matter the length of time the document is opened.


Figure 2.  XLS file as opened in Microsoft Excel. 

When a user who has macros enabled opens the dropper file, a series of macros are run to install the dropper, unpack a module to access the C2 server, and make the corresponding C2 call. During our analysis of this file, ZeroFOX Alpha Team did not observe any kind of notification to the user that macros were being run, making it more difficult for a victim to realize they have been infected. Although the command and control server was live at the time Alpha Team began this analysis, no payload was obtained from the C2, preventing further analysis.

The XLS file contains an OLE stream. Embedded within this stream is a Windows INF file. INF files are associated with driver and device installation. This appears to be a legitimate Epson printer driver INF for Windows 7 installation. However, in this case, this INF is used to obfuscate two binaries that have been sandwiched into the driver file. Both of these binaries are Windows DLLs. 


Figure 3. Legitimate Windows printer driver config, used to disguise embedded DLLs. 

Dropper Functionality and DLL Loading

The macros within the XLS file are used to extract and load these DLLs from the OLE stream within the XLS file. There are two DLLs, as one is intended to be loaded on Windows x32 systems, and the other on Windows x64 systems. Both DLL varieties are encrypted. The DLL extraction function is called DonHuan, potentially a reference to the legendary Spanish libertine who seduced his way through Seville. This function is used to move to a specific offset within the XLS file, which varies by Windows version and therefore DLL version to be extracted, and to verify that the first bytes at this offset are consistent with the Windows executable file header before extracting the DLL. 


Figure 4. DonHuan function used to extract DLLs from dropper.

The DonHuan extraction function is called within a second function, called StartRecovery, shown below.


Figure 5. StartRecovery function, calling DonHuan for DLL extraction, DLL loading and ZooDcom exposed function call.

Within this function, the DonHuan function is called to locate and extract the appropriate DLL from the dropper. The file path used to save the DLL to memory is built and saved to a variable called “nm.” This is consistent with other macros seen used by TA505, although the obfuscation methods in this case do differ from previously seen methods. The name of the extracted DLLs is also visible here – “MPCMD1.dll” or “MPCMD2.dll” depending on the version. The path where the extracted DLL will be saved, along with the name of the OLE stream, and the CNPK variable containing the offset of the DLL to be extracted, are passed to the DonHuan function. Finally, a function called ZooDcom is called. This is an exposed function within the DLL, likely used to download additional payloads. 

Command and Control Traffic

The dropper analyzed in this research makes an HTTPS request to the domain office-en-service[.]com. A quick whois search on this domain yields an interesting pivot point: the domain registrant has not removed their email address from the whois record. An additional reverse whois for the registered email address returns 20 total domains registered to this email, including googledrive-download[.]com, which was also seen used as a command and control server by related samples. Several of the other domains registered by this email address were also hosting live content, however, a cursory analysis did not indicate malicious activity. The spoofed hosting site of this dropper, syncdownloading[.]com, was not registered to this email, however, and no registrant information was included for this domain. At the time of this posting, none of the related domains are live.

Potential Links to TA505

There are some similarities between the dropper functionality utilized by this sample, and past droppers seen used by TA505. TA505 has been previously observed using droppers containing embedded DLLs, and calling exposed functions from the dropper macros in order to download additional payloads. This pattern is congruent with what ZeroFOX has observed in this campaign. Historically, TA505 also tends to leverage cloud hosting services for dropper distribution. As is the case in this campaign, the group often attempts to spoof legitimate services like Microsoft Office and Google Drive with the command and control domains. TA505 very often modifies both the malware they use, as well as phishing and dropper strategies, however, the similarities between this campaign and past campaigns lead us to believe that this activity can be attributed to TA505.

Conclusion

Attackers change their obfuscation methods often to avoid detection. The obfuscation method seen utilized in this campaign is novel and utilizes an uncommon file format in an attempt to disguise embedded malicious binaries. This campaign also demonstrates a level of awareness of Western pop culture and capitalizes upon a major holiday in an attempt to increase the success rate of the campaign. Although the obfuscation method here is new, similarities between previous TA505 techniques and the technique used in this campaign lead us to believe this activity can be attributed to TA505.

References

[1] https://attack.mitre.org/groups/G0092/

Indicators of Compromise

Malicious Office Documents

fa08f42cc45b6b82dc2f750bcd73ed952e45e8b8e45110d42d2e7a6bb7320332

376bf023723de86e1060596c762cd95c0bf35bc73f448ef5f353b76bf0eca06a

3cf9e4073d1c67a57f1e00f00f416af7cd2f2cbca6e5f3ef6035d41a794905ca

77ab30e099df582576068f38fb4addab31cbde45cf0cc0e781be13e869ffc3c5

ad3d4cc8836b6938a3885cda99728ec9d0211b1bc6bc1074fc8d6cf3ac6d7335

0901d2dc4ef3960827ffd24ba30f2bc388fe20d4ea995524455a251d419094cb

13a75cec7f70250f8f17975b6da7b90f0f03353099a77c27ec093e01acf7d207

45f20f70e00a908a4c6a13e41169973772e37576662a27d71a3b6ff460edbc8d

168f9da2fc50dc58f2975ef12195eea25b465cd8aa84ca4adce4811a14a2372e

26d04d6b98f7556b80a22242f5f867fbf2fbd5c7f31e5b2d4c56d5c6db0b8a59

513d77240a5026385eddc7a0e4c3a896dad45e1da1829f63252090cf50ba5d17

11458b1f464c0d946eca898fb3bf012ee48e37c9be1e40d2155e9e307e762238

fe7c72930907df9ce720c70807615c6f94ecde456d8ebe9e09bbd6fb80013ecc

dc500a4ce70aa31fb4b14a8e9ab76c20a4c7c41ad84c0bb00db0a036599207bf

3be49e4db9e8b82bccbc13448d35456d7afd9370bcf706f80e4317323484b69a

ac25caf7b80e5c7569ab3a736b5bc18658ea1dfb5f5f923a53ce573512632e57

5dfc61698958c0dda9dd0a24b4972614aec731a6df4961ad8e756392415d7205

5d3a1b37eb89789d4296e279b0293ba08f90f491202a5f4db30ce52a35023316

8fea8ee91bdae921e501fce1abd4380292c8a66047e4a8f745c78a84efe02970

9bbfcdca5e7c78e0a2ebc5434ad3ceb43a53adff8a22389a59f5c72b47568b41

6ffc2fbce89e01c594bc9b7bc67172907266d5d4d7434462f1f647994c738d9d

C2 domains

office-en-service[.]com

googledrive-download[.]com

syncdownloading[.]com

IP Addresses

45.142.214[.]119

195.123.245[.]71

File Names

Haloween_invitation.xls

IVO292980002.XLS

MPCMD1.dll

MPCMD2.dll