Background

During the last week Yoroi CERT’s analysts uncovered several attacks targeting the italian naval and defence industry. The attacker used email as known propagation vector in order to infect victims by sending a special crafted xls file. The identified attack properties triggered internal defcon escalation in order to assess the threat magnitude and eventually special malware analyses according to the threat.

The suspicious emails have been intercepted between 9th and 15th October during our common CSDC (Cyber Security Defence Center) operations in two different champains, each one characterized by one or more attempts and slightly different social engineering tricks.

Malicious Emails

The first intercepted malicious email had “markvanschaick.nl @qixnig .com” as a sender address. The specific name has been likely chosen by the attacker to try to exploit the Dutch marine service company reputation “Mark Van Schaick”, but sender’s domain and ip address shown no direct relationship to that organisation.

Figure 1. SMTP header details of wave 1

The message has been sent from a Roundcube webmail server hosted on lord. vivawebhost .com (173.237.190.12 COLO4-BLK7 US) and apparently unrelated to the sender’s domain. Moreover, “qixnig .com” (sender domain name) resolves to a different IP address reachable at 66.45.243.148 (INTERSERVER US). It’s interesting to figure out the crafted redirection applied to any visiting users: a HTTP 301 code redirecting to the Dan Marine Group’s official web portal.

Figure 2. Redirection to the Dan Marine web portal

The second email campaign was slightly different respect to the first one. It was originated by another Roundcube webmail service hosted at mail.dbweb .se (52.58.78.16 AT-88-Z US):

Figure 3. SMTP header details of wave 2

In this case the fake communication process mimics the interaction between “Naviera Ulises Ltd <[email protected]>” and "Evripidis Mareskas (Mr) <supplies.ulisnav @ kiramko .com>”. The extracted domain r happens to be “kiramko .com” and it resolved to the same remote ip address discovered in the first campaign wave (“qixnig .com”, 66.45.243.148 INTERSERVER US). Those campaigns could be considered as closely correlated. The “ulisnav .gr” appears to be unregistered at time of writing.

The intercepted emails come up with a carefully prepared phishing scheme, definitely targeting the italian naval sector. The observed chunks of headers and the network context shown the attacker tried to impersonate known vendors of marine parts and naval services in order to lure victims to open up the attached documents.

For example the first two detected attempts tried to mimic inquiries from the Chinese Dan Marine Group, pretending to validate the sender’s domain “qixnig .com” as legibly owned by the group. It then tried to redirect visitors to the Dan Marine official website. Another intercepted email inserted the victim as BCC into a fake communication between the tech support of the greek Naviera Ulises Ltd and one of its employer (data publicly available on linkedin).

No one of these communications appear to be real and legitim, indeed the intercepted data does not suggest the attacker has any kind of access to real assets.

Attachments

The intercepted email messages have more than one attached documents: on the first email campaign we observed two copies of the same Excel file (5c947b48e737648118288cb04d2abd7b) wrapping CDFV2 encrypted data and scoring relatively low in the VT’s AV coverage test (9/59 at time of writing).

This document is able to download an executable payload (66b239615333c3eefb8d4bfb9999291e) from a compromised web portal:

Figure 4. Malware download HTTP request intercepted

Further details regarding the evasion techniques, especially related to the “VelvetSweatshop” trick and the Equation Editor’s exploit used to drop the malware, are available here (link).

Figure 5. Malicious excel document

The second attack had as attachment a copy of Excel file and one more PDF document named “Company profile.pdf” (6d2fc17061c942a6fa5b43c285332251), this file appears to have been generated in the same time-period of the phishing attempts: nearly 30 minutes before the dispatch of the malicious message, from a MS Word 2013 document.

Figure 6. “Company Profile.pdf” metadata

The embedded attachments have been delivered in the middle of October using multiple names, most of them related to the naval industry and containing references to quotations, inquiry or orders of mechanical parts.

Figure 7. Submission time and names of the samples

Having said that, we can now explain the internal choice of the "MartyMcFly" code-name for this campaign: the name comes from the "First Seen in The Wild" value reported by the VT platform and the meta-data found in the artifacts, which are a quite interesting topic to be discussed.

Payload

The executable payload has been downloaded from a potentially compromised website legitimately owned by a turkish company selling mechanical spare parts, indicating the attacker had carefully taken care of the thematization of the malware distribution infrastructure.

The PE32 file 66b239615333c3eefb8d4bfb9999291e contains executable binary code compiled from Delphi source code (BobSoft Mini Delphi).

The first stage of execution shows several anti-analysis patterns and tricks, for instance at 0x0045e304 the malware checks if the year of the local time configured in the OS is after 2017 (rif. Figure 8) moreover at 0x045e393 it slows down the execution invoking the SleepEx library function (rif. Figure 9).

Figure 8. Current Local Time check

Figure 9. Code slow down via SleepEx

The bypass of all the debug checks and evasion tricks inside the malicious code leads to the dynamic loading of a .NET module in a RWX code-segment mapped at the 0x012e0000 location.

Figure 10. Executable module unpacked in memory

Yara signatures claim the extracted PE32 module is attributable to a weaponized version of “QuasarRAT”: an open-source remote administration tool freely available on github.

Figure 11. Yara signature match on the dumped .NET Modules

The manual verification reported in Figure 12 confirms the extracted payload is compatible with QuasarRAT modules published on the github repository. Moreover, the IoC section below reports the C2 server locations found in the malware configurations.

Figure 11. Example of module names and messages used by the QuasarRAT

At the moment no attribution to known group is possible, many threat actor choose to use or customize open-source tools to try to make the attribution harder, such as the chinese “Stone Panda” group (APT-10) known for espionage operations against defence and government, having the QuasarRAT in their arsenal, or also the “Gorgon Group”, the ambiguous mercenary group responsible of both cyber-crime attacks and targeted espionage campaigns against governments.

Indicator of Compromise

Here the list of indicator of compromise collected during the analysis: