Seasons Greetings? Not When That’s Malware In Your e-Card


January 29, 2018 Category: Threats By: Adrian Taylor Comments: 0


  • Over Christmas, one of our customers was hit by a Trojan and they asked us to take a look at the threat.
  • Sixteen of their users were fooled into opening a Word document.
  • Fortunately, they had Bromium, so it safely ran inside a micro-VM and was unable to affect their host or their intranet.

Seasons greetings? Indeed. How did the bad actors fool so many users into opening the document? Well, they took advantage of the festive season and disguised it as an e-card full of Christmas greetings.

Document titles were along the lines of “Your eGift Card.doc”, “Gift Card for You.doc”, “Christmas Gift Card.doc”, “Your eCard.doc” (note the reasonably convincing polymorphism of the title). These arrived as e-mail links that took the user to their browser to download the file. Then the file was opened, and bang – malicious software was installed on the PC.


Again, in our case, the malicious software was instead installed in the virtual computer which we make for each untrusted document. In fact, I have it running right now… happily hiding as a “systemwmi.exe” process designed to fool me into thinking it’s part of Windows. It’s sitting there, having made lots of external network connections, waiting for instructions from its nefarious masters.

Seasons greetings.

Fortunately, unbeknownst to them, it’s trapped in a micro-VM where it can’t do anything bad.

Apart from the festive seasonality, there’s nothing particularly novel about this malware – but it shows off a new feature that we’ve added to our Bromium Secure Platform 4.0.3 release. The sample does the usual Word -> cmd -> powershell -> native sorts of transitions:

[Screenshot: Bromium analysis view of the sample’s process transitions, Word -> cmd -> powershell -> native]

But as of Bromium Platform 4.0 Update 3, we’ll give you a little more analysis detail here. You may notice “HTTP GET” for the first time – we now describe exactly which HTTP fetches the malware performs.

[Screenshot: the same analysis in Bromium Platform 4.0 Update 3, now listing the malware’s HTTP GET requests]

Just a little bit more information that we offer in Bromium Platform 4.0 Update 3 and later, as an early Christmas gift from us.
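One way to turn the Word -> cmd -> powershell -> native chain shown above into a detection, as an added example that is not Bromium’s code: it walks constructed process-creation events (pid, parent pid, image path; every path here is an assumption, only the chain and the “systemwmi.exe” name come from this post), flags any native binary whose ancestry is exactly Word -> cmd -> powershell, and then applies a simple masquerade heuristic (also an assumption) to the payload’s name and location.

```python
from pathlib import PureWindowsPath
# Constructed process-creation events: (pid, ppid, image path). Paths are
# assumptions; only the chain and the name "systemwmi.exe" come from the post.
EVENTS = [
    (100, 1,   r"C:\Windows\explorer.exe"),
    (200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    (300, 200, r"C:\Windows\System32\cmd.exe"),
    (400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (500, 400, r"C:\Users\victim\AppData\Roaming\systemwmi.exe"),
    (600, 100, r"C:\Windows\System32\cmd.exe"),  # benign: shell opened from Explorer
]
# Expected image name per stage, root first; None matches any native binary.
CHAIN = [{"winword.exe"}, {"cmd.exe"}, {"powershell.exe", "pwsh.exe"}, None]

def image_name(path):
    return PureWindowsPath(path).name.lower()

def find_chains(events, chain=CHAIN):
    """Return every pid lineage (root first) that matches the chain exactly."""
    by_pid = {pid: (ppid, path) for pid, ppid, path in events}
    hits = []
    for leaf in by_pid:
        lineage, cur = [], leaf
        for stage in reversed(chain):  # walk up from the candidate leaf
            if cur not in by_pid:
                break
            if stage is not None and image_name(by_pid[cur][1]) not in stage:
                break
            lineage.append(cur)
            cur = by_pid[cur][0]
        else:  # every stage matched
            hits.append(lineage[::-1])
    return hits

def masquerade_reasons(path):
    """Heuristic (an assumption, not from the post): Windows-sounding name
    outside the Windows directory, or a binary run from a user-writable path."""
    p = PureWindowsPath(path)
    under_windows = len(p.parts) > 1 and p.parts[1].lower() == "windows"
    reasons = []
    if p.name.lower().startswith(("system", "win", "wmi", "svc")) and not under_windows:
        reasons.append("Windows-like name outside %SystemRoot%")
    if any(part.lower() in ("appdata", "temp") for part in p.parts):
        reasons.append("runs from a user-writable directory")
    return reasons

def report(events):
    """Map each flagged native payload pid to its chain and masquerade reasons."""
    by_pid = {pid: path for pid, _, path in events}
    return {lin[-1]: {"chain": [image_name(by_pid[p]) for p in lin],
                      "reasons": masquerade_reasons(by_pid[lin[-1]])}
            for lin in find_chains(events)}
```

Only the lineage ending in systemwmi.exe is reported; the shell launched directly from Explorer is left alone because its ancestry never passes through Word.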

Speaking of which… It turns out that malware authors tend to be late for Christmas. None of the e-Cards were opened until 26th December, and most of them didn’t get opened until January 3rd.

Oops.

It appears even malware authors need to be more organized for Christmas.

About the Author

Adrian Taylor
CTO, Protected Apps at Bromium
