Leveraging Disk Imaging Tools to Deliver RATs

Authors: Diana Lopera, Joshua Deacon, and Fahim Abbasi

This year we observed a notable uptick in disk image formats (such as .ISO) being used as containers for serving malware via email, with ISO images accounting for 6% of all malware attachment archives seen this year.

A disk image is a software copy of a physical disk. It stores the entire contents of the disk, including the file system structure and every file and folder, in a single file, and so it often serves as a full backup. Common disk image formats include ISO, IMG, VHD, VDI, VMDK and DAA.

In this post we present two recent malspam campaigns that use disk image formats to deliver malware, one through a phishing link and one as an email attachment.

Figure 1: Attack flow. Disk image files such as ISO or DAA are sent as an email attachment or hosted on a site linked from an email, and the executable inside infects the victim with a RAT.


Fake French FedEx Campaign

The first campaign was a fake FedEx shipment notification targeting some of our European customers. The message tricked victims into clicking a link that downloaded an ISO image containing a single executable: the NanoCore RAT.

An ISO file (often called an ISO image) is a sector-by-sector copy of an optical disc such as a CD or DVD. ISOs are commonly used for backing up optical discs or for distributing large sets of files, and malware authors have started abusing them as a delivery container. Windows 8 and later mount an ISO as a virtual drive when it is double-clicked, so the victim needs no extra tool. At the time of writing, files run from a mounted ISO also did not inherit the Mark-of-the-Web zone identifier attached to the downloaded image, so the SmartScreen warning normally shown for an executable downloaded from the internet never appears. Both properties make ISO a hot commodity for scammers.

Figure 2: Screenshot of the email message as displayed to a victim

The email was written in French, so it targeted French speakers. The lure was short and to the point: it claimed a FedEx parcel could not be delivered because of an incorrect address and directed the victim to download the attached FedEx document to update the address.

Figure 3: Google Translate used to translate the message to English

Clicking the link (hxxp://madridbg[.]com/FedEx,pdf.iso) downloaded an ISO image named “FedEx,pdf.iso”; note the comma in place of a dot, which at a glance reads as a .pdf file name. The ISO had relatively low detection on VirusTotal (18/70). It contains a single executable, “fedex,pdf.exe”, whose icon is a PDF logo, as shown in Figure 4.

Figure 4: Executable inside the ISO using a fake PDF logo and PDF extension
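To show how little there is inside such an ISO and how a gateway or triage script can see through the PDF disguise, here is an added example (our own code, not Trustwave's and not from any tool mentioned in this post) that parses the ISO 9660 primary volume descriptor and root directory, then flags every entry whose first bytes are MZ regardless of what the name claims. The sample image is constructed inline with a fedex,pdf.exe-style entry and a harmless text file. It reads the 8.3 identifiers of the primary descriptor and does not parse the Joliet supplementary descriptor that real-world ISOs often carry for long names; the lure-word list and the file-name heuristics are assumptions.

```python
import struct

SECTOR = 2048  # ISO 9660 logical sector size
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe", ".lnk"}
DOC_TOKENS = ("pdf", "doc", "xls", "invoice", "order", "statement")  # assumed lure words


def _dir_record(ident: bytes, lba: int, size: int, is_dir: bool) -> bytes:
    """Encode one ISO 9660 directory record (ECMA-119 section 9.1)."""
    body = (
        b"\x00"                                              # extended attribute record length
        + struct.pack("<I", lba) + struct.pack(">I", lba)    # extent LBA, both-endian
        + struct.pack("<I", size) + struct.pack(">I", size)  # data length, both-endian
        + bytes(7)                                           # recording date/time (zeroed here)
        + (b"\x02" if is_dir else b"\x00")                   # file flags: bit 1 = directory
        + b"\x00\x00"                                        # file unit size, interleave gap
        + struct.pack("<H", 1) + struct.pack(">H", 1)        # volume sequence number
        + bytes([len(ident)]) + ident                        # identifier length + identifier
    )
    if len(ident) % 2 == 0:
        body += b"\x00"                                      # pad so the record length is even
    return bytes([len(body) + 1]) + body                     # length byte counts itself


def build_sample_iso(files: dict) -> bytes:
    """Constructed image: 16 system sectors, PVD at 16, terminator at 17, root dir at 18, data from 19."""
    root_lba, data_lba = 18, 19
    entries = _dir_record(b"\x00", root_lba, SECTOR, True)   # "."
    entries += _dir_record(b"\x01", root_lba, SECTOR, True)  # ".."
    data = b""
    for ident, content in files.items():
        entries += _dir_record(ident, data_lba, len(content), False)
        padded = content + bytes(-len(content) % SECTOR)
        data += padded
        data_lba += len(padded) // SECTOR
    pvd = bytearray(SECTOR)
    pvd[0] = 1                                               # type 1 = primary volume descriptor
    pvd[1:6] = b"CD001"
    pvd[6] = 1
    pvd[128:132] = struct.pack("<H", SECTOR) + struct.pack(">H", SECTOR)  # logical block size
    pvd[156:190] = _dir_record(b"\x00", root_lba, SECTOR, True)           # root directory record
    term = bytearray(SECTOR)
    term[0] = 255                                            # volume descriptor set terminator
    term[1:6] = b"CD001"
    term[6] = 1
    return bytes(16 * SECTOR) + bytes(pvd) + bytes(term) + entries.ljust(SECTOR, b"\x00") + data


def list_root_dir(image: bytes) -> list:
    """Walk the root directory named by the primary volume descriptor at sector 16."""
    pvd = image[16 * SECTOR:17 * SECTOR]
    if pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 primary volume descriptor at sector 16")
    block = struct.unpack_from("<H", pvd, 128)[0]
    root_lba = struct.unpack_from("<I", pvd, 156 + 2)[0]
    root_len = struct.unpack_from("<I", pvd, 156 + 10)[0]
    data = image[root_lba * block:root_lba * block + root_len]
    entries, off = [], 0
    while off < len(data):
        rec_len = data[off]
        if rec_len == 0:                        # records never span sectors: skip sector padding
            off = (off // block + 1) * block
            continue
        rec = data[off:off + rec_len]
        ident = rec[33:33 + rec[32]]
        if ident not in (b"\x00", b"\x01"):    # skip "." and ".."
            entries.append({
                "name": ident.decode("ascii", "replace").split(";")[0],  # drop the ";1" version
                "lba": struct.unpack_from("<I", rec, 2)[0],
                "size": struct.unpack_from("<I", rec, 10)[0],
                "is_dir": bool(rec[25] & 0x02),
            })
        off += rec_len
    return entries


def triage_iso(image: bytes) -> list:
    """Flag root-directory files that are executables, whatever their icon or name suggests."""
    findings = []
    for e in list_root_dir(image):
        if e["is_dir"]:
            continue
        head = image[e["lba"] * SECTOR:e["lba"] * SECTOR + 2]
        name = e["name"].lower()
        stem, ext = (name.rsplit(".", 1) if "." in name else (name, ""))
        ext = "." + ext if ext else ""
        reasons = []
        if head == b"MZ":
            reasons.append("MZ header: PE executable regardless of name")
        if ext in EXEC_EXT:
            reasons.append(f"executable extension {ext}")
        if any(t in stem for t in DOC_TOKENS) and ("," in stem or ext in EXEC_EXT):
            reasons.append("document-lookalike name")
        findings.append({"name": e["name"], "size": e["size"],
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    sample = build_sample_iso({b"FEDEX,PDF.EXE;1": b"MZ" + bytes(300), b"README.TXT;1": b"just text"})
    for f in triage_iso(sample):
        print(f["name"], f["size"], f["reasons"])
```

The MZ check is the one that matters at a gateway: the extension and lure-word checks catch this campaign's naming trick, but an attacker can rename the file freely, while the payload must still start with a valid PE header to run.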

Payload Analysis

The Downloaded ISO

Opening the ISO presents a single executable, “fedex,pdf.exe”. Analyzing it with DiE (Detect It Easy) suggests the file is packed: it has unusual imports and almost no strings.

Figure 5: Detect It Easy tool assessment on the executable “fedex,pdf.exe”

When “fedex,pdf.exe” runs, it spawns a new instance of RegAsm.exe (the .NET Framework Assembly Registration Tool, a signed Microsoft binary) and injects the malicious payload into it. The injected code then communicates with the C2 boki0419[.]duckdns[.]org on port 9900, so the network activity appears to originate from a legitimate Microsoft process.

Figure 6: The network activity of RegAsm process via Process Hacker tool

Looking at the assembly around the call to CreateProcessInternalW, we can see the string “PE” at “[ebp-4]”. That “PE\0\0” signature marks the NT headers of a PE file, so the allocated region that “[ebp-4]” points into can be expected to hold a whole PE image. Following “[ebp-4]” in the dump view and scrolling to the start of the region reveals the familiar MZ signature and DOS stub. The PE file is a .NET executable obfuscated with Eazfuscator.NET.

Figure 7: x64dbg disassembly view around the CreateProcessInternalW call, and dump view of the PE file in the memory region
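The manual check above (find MZ, follow e_lfanew to PE, confirm the image is .NET) can be automated over a dumped memory region. Below is an added example (our own code, not the post's) that scans a buffer for MZ candidates, validates the DOS and NT headers, reads SizeOfImage and inspects data directory 14 (the CLR runtime header) to decide whether the image is a .NET assembly, which is what tells you the dump belongs in dnSpy rather than a native disassembler. The PE bytes it scans are a constructed, non-runnable PE32 stub with a CLR directory, embedded so the example runs offline; the e_lfanew sanity bound is an assumption.

```python
import struct
from typing import Optional


def parse_pe(buf: bytes, base: int) -> Optional[dict]:
    """Validate a PE image starting at buf[base] and summarise it; None if the bytes are not a PE."""
    if buf[base:base + 2] != b"MZ" or len(buf) < base + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", buf, base + 0x3C)[0]
    pe = base + e_lfanew
    if e_lfanew > 0x400 or len(buf) < pe + 24 or buf[pe:pe + 4] != b"PE\x00\x00":
        return None
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, pe + 4)  # COFF header
    opt = pe + 24                                   # optional header follows the 20-byte COFF header
    if opt_size < 96 or len(buf) < opt + opt_size:
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x10B:
        kind, dd = "PE32", 96                       # data directories begin at +96 in PE32
    elif magic == 0x20B:
        kind, dd = "PE32+", 112                     # and at +112 in PE32+
    else:
        return None
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]
    n_dirs = struct.unpack_from("<I", buf, opt + dd - 4)[0]   # NumberOfRvaAndSizes
    clr_rva = clr_size = 0
    if n_dirs > 14 and opt_size >= dd + 15 * 8:
        # Directory 14 is IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-zero means a .NET assembly
        clr_rva, clr_size = struct.unpack_from("<II", buf, opt + dd + 14 * 8)
    return {"kind": kind, "machine": machine, "sections": nsect,
            "size_of_image": size_of_image, "is_dotnet": clr_rva != 0 and clr_size != 0}


def carve_pe_images(buf: bytes) -> list:
    """Return (offset, summary) for every offset in a memory dump that parses as a PE image."""
    hits, pos = [], buf.find(b"MZ")
    while pos != -1:
        info = parse_pe(buf, pos)
        if info:
            hits.append((pos, info))
        pos = buf.find(b"MZ", pos + 1)
    return hits


def carve(buf: bytes, base: int) -> bytes:
    """Slice the image out of the dump. A region dumped from a live process is in memory layout
    (sections at their RVAs), so SizeOfImage bounds it; tools expecting file layout need the
    section raw pointers realigned afterwards."""
    info = parse_pe(buf, base)
    return buf[base:base + info["size_of_image"]] if info else b""


def build_sample_dotnet_pe() -> bytes:
    """Constructed minimal PE32 with one section and a CLR header directory; not a runnable program."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew: NT headers follow the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, PE32 optional size
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                      # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                       # FileAlignment
    struct.pack_into("<I", opt, 56, 0x3000)                      # SizeOfImage
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)      # CLR runtime header RVA / size
    section = b".text\x00\x00\x00" + struct.pack("<IIIIIIHHI", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + section


if __name__ == "__main__":
    # Constructed "dump": junk, a decoy MZ with no valid headers, the sample PE, more junk
    dump = bytes(0x1FF) + b"MZ" + bytes(20) + build_sample_dotnet_pe() + b"MZ" + bytes(30)
    for off, info in carve_pe_images(dump):
        print(hex(off), info)
```

Running this against a region dumped from the hollowed RegAsm.exe would report the embedded payload as a PE32 with a non-empty CLR directory, exactly what Figure 8 shows by hand.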


Figure 8: Detect It Easy identifies the dumped PE as obfuscated with Eazfuscator.NET

After removing the Eazfuscator.NET obfuscation with de4dot and decompiling the result, the project name and various other strings confirm that the payload carried by “fedex,pdf.exe” is the NanoCore RAT client.


Figure 9: The deobfuscated copy of the dumped PE file in dnSpy

Many in-depth analyses of the NanoCore client are available online, so we will not repeat them here. At a high level, the client offers:

File Execution

Mouse Control

Shutdown/Restart

Keylogging

Password Recovery

Video/Audio Capture

Lock a System with Custom Encryption

Reverse Proxy

Open CD Tray

Open Webpages

File Browsing

View Running Processes

Registry Editor

Reverse Shell

The executable “fedex,pdf.exe” contained in the downloaded ISO is NanoCore version 1.2.2.0, for which cracked builds are available online.

Figure 10: Memory dump of the RegAsm process where the NanoCore code was injected

fedex,pdf.exe IOCs:

Files:
  C:\Users\<username>\AppData\Roaming\tygh\iuhje.exe.exe
  C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iuhje.exe.vbs

Persistence:
  C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iuhje.exe.vbs

C2:
  boki0419[.]duckdns[.]org, port 9900
  Abokijob[.]hopto[.]org, port 9900

This is the VBS Script used to execute the malware at each system startup (iuhje.exe.vbs):

Figure 11: Screenshot of the Nanocore VBS execution script

The script simply runs the executable at the malware's drop path. Because the script sits in the user's Startup folder, Windows runs it every time that user logs on, which is how the RAT survives a reboot.

Malware Invoices with DAA

After analyzing the ISO case above, we hunted for similar campaigns that use other disk image formats and found a recent one. This campaign spammed fake invoices as email attachments, this time in the DAA disk image format.

The sender domains in the emails were spoofed from real businesses, but we noticed that the display name in the From header often did not match the name or local part of the address (e.g. From: “John Doe” <bruce.wayne@wayneenterprises.com>), which suggests the scammers' scripts pick these values at random. Likewise, the content of the email body (company email templates, physical and postal addresses, contact numbers and employee names) appears to be randomly selected details of legitimate businesses. The text in the body directs the recipient to open the DAA attachment.

Figure 12: Invoice spam containing DAA attachment

DAA (Direct Access Archive) is the proprietary compressed disk image format of PowerISO. Unlike ISO files, DAA files are not recognized by Windows, so double-clicking one does not mount it; only machines with a disk image application such as PowerISO, UltraISO or WinArchiver installed can open it, which also limits the pool of victims who can reach the payload.

Figure 13: PowerISO software used to open the DAA attachment and extract the executable

Each DAA attachment observed in this campaign contains a single executable whose name matches the parent DAA, with a .com or .exe extension. The executables are Remcos RAT v2.5.0 Pro, the latest version at the time of writing.

Invoice 0947523.daa -> Invoice 0947523.com

Purchase Order 7854-02536.daa -> Purchase Order 7854-02536.exe

Remcos is one of the more popular remote access tools today, largely because it is easy to obtain, and it is updated frequently. Around three months ago we saw a campaign delivering the then-latest Remcos RAT v2.4.7 Pro; now v2.5.0 Pro is being spammed.

Figure 14: Memory dump of “Purchase Order 7854-02536.exe” showing that the sample is Remcos v2.5.0 Pro

Both Remcos executables from the DAA attachments connect to the free dynamic DNS host Johnsonmullaly[.]ddns[.]net on port 8486. The RAT logs the user's activity to %appdata%\remcos\logs.dat.


Figure 15: Registry and log file creation of the Remcos RATs

Remcos v2.5.0 Pro adds a new feature: clearing the browsers' saved logins and cookies. Since RATs are used to take control of the compromised system, we believe this could be used to wipe traces of the attacker's activity from the web browsers.

Figure 16: Memory dump of “Purchase Order 7854-02536.exe” showing the strings related to the Remcos v2.5.0 Pro

Conclusion

We observed a significant shift in malicious spam this year: cybercriminals are experimenting more with disk image formats like .ISO and .DAA to package their malware attachments, in an attempt to evade detection by email scanning gateways.

Most email gateways block attachments containing executables outright, so cybercriminals keep finding new ways to conceal executables inside containers the gateway does not unpack. Looking back at the spam with disk image attachments we received this year, the majority of the malware inside was RATs such as Remcos and NanoCore, with info-stealers such as Lokibot making up the rest.

Comparatively, ISO is a far more popular disk image format than DAA and is supported by several archiving tools, including the latest 7-Zip (19.00) and WinRAR (5.80). DAA archives, on the other hand, can only be opened with proprietary software such as PowerISO, UltraISO and WinArchiver. We believe this broader unpacking support has made ISO the more popular container for cybercriminals, well suited to spray-and-pray operations, while DAA archives are more likely to appear in targeted attacks. Malicious archives that are easy to unpack also tend to have higher AV detection rates than formats like DAA, where unpacking itself is a hurdle for scanners.

Although the two campaigns share some traits, based on the information we have it is difficult to say whether they are the work of a single threat actor or of different groups. The similarities:

Both campaigns use business-themed email lures (a FedEx delivery notice, invoices and purchase orders) built on the templates and addresses of legitimate companies.

Both campaigns use a disk image container holding a single packed executable.

Both campaigns use free dynamic DNS providers for C&C (duckdns.org, hopto.org and ddns.net).
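As an added example (our own code, not Trustwave's and not a SEG rule), the following detection logic runs over a few constructed Sysmon-style events and flags the three behaviours described in this post: a connection to one of the named C2 hosts, any connection into a free dynamic DNS zone, and RegAsm.exe either being launched from a user-writable path or making its own outbound connection. The event format, the zone list and the user-path heuristic are assumptions for illustration.

```python
# Free dynamic DNS zones used by the campaigns in this post; not an exhaustive list
DYNDNS_ZONES = ("duckdns.org", "hopto.org", "ddns.net")
# C2 host/port pairs named in this post
KNOWN_C2 = {
    ("boki0419.duckdns.org", 9900): "NanoCore",
    ("abokijob.hopto.org", 9900): "NanoCore",
    ("johnsonmullaly.ddns.net", 8486): "Remcos",
}
# Signed .NET utility abused as the injection target in the NanoCore sample
INJECTION_HOSTS = {"regasm.exe"}

# Constructed Sysmon-style events (EventID 1 = process create, EventID 3 = network connection)
SAMPLE_LOG = [
    "EventID=1;Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe;"
    "ParentImage=C:\\Users\\victim\\Downloads\\fedex,pdf.exe",
    "EventID=3;Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe;"
    "DestinationHostname=boki0419.duckdns.org;DestinationPort=9900",
    "EventID=3;Image=C:\\Users\\victim\\Desktop\\Purchase Order 7854-02536.exe;"
    "DestinationHostname=johnsonmullaly.ddns.net;DestinationPort=8486",
    "EventID=3;Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe;"
    "DestinationHostname=www.example.com;DestinationPort=443",
]


def parse_event(line: str) -> dict:
    """Split a 'key=value;key=value' line into a dict (values may contain '=' but not ';')."""
    return dict(field.split("=", 1) for field in line.split(";"))


def refang(host: str) -> str:
    """Accept defanged IOCs pasted from a report ('ddns [.] net') as well as raw log values."""
    return host.replace("[.]", ".").replace("(.)", ".").replace(" ", "").lower()


def is_dyndns(host: str) -> bool:
    return any(host == z or host.endswith("." + z) for z in DYNDNS_ZONES)


def check_event(ev: dict) -> list:
    """Return the reasons one event looks like RAT C2, or the injection step that precedes it."""
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    reasons = []
    if ev.get("EventID") == "1":
        parent = ev.get("ParentImage", "").lower()
        # Assumption: RegAsm started by a binary in a user profile is not a developer workflow
        if image in INJECTION_HOSTS and "\\users\\" in parent:
            reasons.append(f"{image} launched from user-writable path by {parent}")
    elif ev.get("EventID") == "3":
        host = refang(ev.get("DestinationHostname", ""))
        port = int(ev.get("DestinationPort", 0))
        if (host, port) in KNOWN_C2:
            reasons.append(f"known {KNOWN_C2[(host, port)]} C2 {host}:{port}")
        if is_dyndns(host):
            reasons.append(f"free dynamic DNS destination {host}")
        if image in INJECTION_HOSTS:
            reasons.append(f"{image} initiating its own network connection (injected code)")
    return reasons


def scan(lines: list) -> list:
    """Return (line index, reasons) for every flagged event."""
    hits = []
    for i, line in enumerate(lines):
        reasons = check_event(parse_event(line))
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_LOG):
        print(f"line {i}: " + "; ".join(reasons))
```

The dynamic DNS rule will fire on legitimate hobbyist traffic in some environments, so treat it as a hunting lead; the RegAsm rules and the exact host/port matches are high confidence on their own.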

Finally, for customers of our Trustwave Secure Email Gateway (SEG), we’ll add that the SEG effectively detects these sorts of threats bundled inside disk imaging containers using a combination of its unpacking engine and its multi-layered threat detection technology.

Hashes and IOCs

Archive SHA1 | Filename observed | Content SHA1 | Content filename | Source | Malware
f24de4ec7dd16c798edf6a4c6d48d5979be5443c | FedEx,pdf.iso | f24de4ec7dd16c798edf6a4c6d48d5979be5443c | fedex,pdf.exe | SEG | Nanocore
39322eebe0458365ba19e826065eba5092d987fb | Purchase Order 7854-02536.daa | 4941cdfd714af56204dce96a67e143929d95c0dc | Purchase Order 7854-02536.exe | SEG | Remcos
e62b862e4f4c9c22e84d453a312abe2cf66fa784 | Invoice 0947523.daa | fbb9aa7648e7a560100d97fa4f0fac63b7997474 | Invoice 0947523.com | SEG | Remcos
8350e157e9ba43457c19b3d3d799987ff2399430 | signed contract invoice.daa | ddfe5f6e1fa91feda71aa1dd60982f1efa1a8c36 | payment.exe | SEG | Remcos
1e6a3f92c95f5cb0f4dc2d9260f0e99ed647fc23 | describtion.daa | 6038400aca813fd64fb9835572f7f743f995c54a | DECSRIBTION.exe | SEG | Lokibot
05b9d8ab616855c4459dc9fb1934e3d4754a239e | outstanding statement - may'2019.daa | 2ede56a7e12e508a40c0a5dced3a2983a370a96a | Outstanding Statement - May'2019.exe | SEG | Lokibot
84a04b5740366506867b6b74481581d69a256fb3 | HKHASE9F07831-T01.daa | 70dfd7db185817620b8c559d767e3adec02a964d | HKHASE9F07831-T01.exe | SEG | Lokibot
04f3bedc70d73a992f90d156142b978e3827bbf4 | Payment confirmation.daa | 911c8e5f0dac3c10498daf4d6834b1d6ddf1a9d8 | Payment confirmation.exe | VT | Remcos
fa34c8dddad18e4dbe17640b841c1a037606ab7b | DHL SHIPPING PARCEL NOTIFICATION TRACKING_INVOICE.daa | 51f125dda9d56df5eb2b0f89ed1de15b62b66c0a | DHL SHIPPING PARCEL NOTIFICATION TRACKING INVOICE.exe | VT | Nanocore
54557bceb9a30c0832a8c2997f0efc3df2222b6c | QUOTATION REQUEST PQ19-08511.daa | 9ea410989e4a421521be92063420ec1d05bd2c26 | QUOTATION REQUEST PQ19-08511.exe | VT | Lokibot
e9cef4b5fb39347efe53ab969d8a66e545fcc0f8 | IMG_45473822.daa | 70dd7b36acbe592321facbfae2595b1114afac38 | IMG_45473822.exe | VT | Remcos