Recently, we’ve come across an interesting spam campaign aimed at French users. The campaign itself uses a well-crafted lure that is likely to catch the attention of its would-be victims. In addition, the malware used – the GootKit backdoor – contains several unusual technical characteristics. Both of these highlight how this campaign was quite well thought-out on the part of the attackers.
Spam: Using the French Ministry of Justice
This campaign starts with email in French that uses varying subject lines:
- Copy du jugement (translated to: “Copy of judgment”)
- L’information sur la comptabilité (translated to: “The information on accounting”)
- Paiement (translated to: “Payment”)
The email’s text reads as follows:
Selon la décision du tribunal n° 184, afin de recouvrir les sommes dues auprès du débiteur, et en vertu des procédures d’exécution n° 135-01, la saisie de votre propriété a été prononcée.
Vous pouvez obtenir une copie de cette décision auprès du greffe du tribunal.
Une copie du jugement se trouve dans le fichier ci-joint.
This content can be roughly translated as:
According to the court decision No. 184, to cover the amounts due from the debtor, and under enforcement proceedings No. 135-01, seizure of your property has been pronounced.
You can obtain a copy of the decision to the court registry.
A copy of the judgment is in the attached file.
The email contains a Microsoft Word document (alternately named copy du jugement.doc or paiment.doc) which the user is asked to open. This file has the SHA1 hash of 9b7cf1b6255a7dc26b346fdcccbfc4755db020bf.
Once opened, this document downloads and opens a decoy image from the file hosting site savepic.su (which is displayed below). It also contains a macro which downloads and runs a backdoor.
Figure 1. Decoy image shown when opening the Microsoft Office document
The image is a reproduction of a letter from the French Ministry of Justice. It is a letter typically sent to individuals stating that the Ministry cannot assist with cases that are already before courts. This letter could have been obtained from a compromised system or email inbox, or by an accomplice working on behalf of the attackers. (References to the individual who originally received this letter were already blurred when downloaded.)
It’s worth noting that the text used in the email contained no typos or grammar mistakes. This is unusual, as spammed messaged frequently included such mistakes (whatever language they use). This suggests that a French speaker, or someone well-versed in French was responsible for writing the above text. Combined with the authentic decoy image, it’s not difficult to see how a French user would not instantly realize he had been a victim of spam.
Size and scope of campaign
Over a two-day period in the middle of March, we estimate that the images were downloaded and viewed more than 1,700 times. Based on the email addresses, both corporate and home users were targeted by this threat. We are unaware of any public or private data breaches that contained the list of recipients, which suggests that the addresses were gathered from various online sources.
We also found other spam campaigns that used the same malware families for their malware droppers and payloads. Other countries, such as Italy, are now being targeted as well. For instance, we noted a sample email with an attachment named documente copy.doc, which had the following subject names:
- vi invieremо il doсumentо рer confermаrе il раgamеntо
- case number 647
These malware samples consistently used images uploaded to savepic.su. This made it easy to count the number of times each picture was downloaded. We found that each image was viewed between 1,700 and 10,000 times.
After the user opens the malicious document and executes the embedded macro, it then downloads and executes the dropper (SHA1 hash: f9772fcfbcaac9c4873989a1759a5c654eec440e). First, it first creates an Application Compatibility Database with an .SDB extension containing its own patch code, which is installed via the sdbinst command. Explorer.exe is then started with the command-line parameter issdb. The patch code is then injected by shim and then executed.
The exact method used here is unusual, and was first described in a research paper titled Persist It: Using and Abusing Microsoft’s Fix It Patches published by Jon Erickson at Black Hat Asia 2014. The paper described how developers could create an .SDB file that modifies or changes its behavior during its execution. We have seen how this particular method sideloads .DLLs, but this is the first time it has been used to patch a loader.
Figure 2. SDB overview via sdb-explorer
This patch is about 6 kilobytes in size, and patches memory at 5 different memory locations within kernel32.dll in order to run its patched code on the fly. This technique is used not only to patch explorer.exe, but other processes as well.
The patch code will detect the operating system version in order to get the appropriate version of GootKit (as both 32- and 64-bit versions are available.) They can be downloaded from two distinct URLs:
- hxxps://repvisit[dot]com:80/rbody32 (32-bit version)
- hxxps://repvisit[dot]com:80/rbody64 (64-bit version)
It’s worth noting that the download server uses HTTPS. To do this, it uses a self-signed certificate that identifies the site as My Company Ltd, while the real file names of the downloaded files are node32.dll.rk or node64.dll.rk, respectively.
Figure 3. HTTP headers of download server
Once the .DLL file is downloaded and loaded, the malware is ready to perform its routines and it now communicates to its command-and-control (C&C) server located at hxxps://VersatileGreenwood[dot]net:80/200.
Figure 4. HTTP headers of C&C server
Two things about the C&C server are apparent. While it has a different URL, it has the same IP address as the download server. Also, the HTTP reply leaks some information about the server: the X-Powered-By: Express header indicates it is powered by the Express web framework for the Node.js platform.
Adding a Fake Certificate Authority
One of GootKit’s abilities is to monitor network traffic, even when encrypted. How does it do this? In a similar manner to the recent Superfish incident: it adds a fake root certificate authority to the system. However, it does this in an unusual way.
GootKit essentially takes an existing root certificate on the system and adds a duplicate certificate (of its own creation) with the same name. However, upon closer examination, we noted two key differences: the fake certificate expires in 2020, and its RSA key length is only 1024 bits.
Figure 5. Fake certificate – 1024-bit key on the left, private key on the right
GootKit uses the fake certificate to perform man-in-the-middle (MITM) attacks against any HTTPS traffic. Because the fake certificate uses the same name as a randomly chosen legitimate certificate already present on the system, it is very hard to detect this problem.
Remote Access Capabilities
While the remaining capabilities of GootKit are in line with its known features, it does seem to have added one new feature: the command RunVNC. This suggests it can now make use of the VNC protocol to give an external user (presumably the attacker) direct access to the victim’s machine.
Figure 6. List of available functions
We monitored the dropper to see if it was used to spread threats other than GootKit. We found that the malware also drops and CryptoWall and online banking malware.
This entire campaign was quite well thought out, with one exception. The social engineering used in the email was a cut above most. Gootkit appears to have picked up some fairly interesting and advanced behavior. However, requiring that macros be turned on for the user to be affected is very much the sign of an amateur. The mix is an odd one, to say the least.
Whatever the case, these attacks are still ongoing. We expect these to continue and victimize more users. It is also likely that future attacks will remove the need for macros to be enabled by default.
Users are protected from this threat via Trend Micro™ Security software, which safeguards against malware, phishing, and other Internet threats. Businesses are also protected with Endpoint Security in Trend Micro™ Smart Protection Suite as it offers multiple layers of protection.
Indicators of compromise
|SHA1 hash||Detection Name||Notes||C&C server(s)|