By Anita Hsieh, Rubio Wu, and Kawabata Kohei
Trend Micro detected a spam campaign that drops the same FlawedAmmyy RAT (remote access Trojan) used by a Necurs module to install its final payload on bots under bank- and POS-related user domains. The spam campaign was also found abusing SettingContent-ms – an XML format shortcut file that opens Microsoft’s Windows Settings panel. Malicious SettingContent-ms files were found embedded in a PDF document that drops the aforementioned RAT.
Figure 1. The volume of spam emails in July 12 and 13
From our research and analysis of spam emails sent on July 12 and 13, more than 50 percent of the email accounts that received this spam belonged to banks located in countries like Malaysia, Indonesia, Kenya, Romania, Poland, and Austria.
Infection chain
Figure 2. Infection chain of the spam campaign
The spam emails used subjects such as “invoice” or strings like “important announcement,” “copy,” “Scanned image,” “security bulletin,” and “whats this” to trick recipients. The PDF attached in the said emails contained embedded JavaScript code and a “downl.SettingContent-ms” file, similar to what ProofPoint has reported. Once the PDF file is opened by the user, the JavaScript code will trigger the SettingContent-ms file.
Once the “downl.SettingContent-ms” file is opened, Windows will run the PowerShell command inside the <DeepLink> tag, which will download the FlawedAmmyy RAT from hxxp://169[.]239[.]129[.]117/cal before executing it. This FlawedAmmyy RAT variant is the same one installed by a Necurs module on bots under bank- and POS-related user domains.
Figure 3. Spam mail sample showing a PDF attachment with JavaScript code and SettingContent-ms
Figure 4. The embedded JavaScript code that will be automatically triggered once the PDF is opened
Figure 5. The embedded “downl.SettingContent-ms” file that the JavaScript code opens
Figure 6. The JavaScript code used to open “downl.SettingContent-ms”file
Figure 7. The “downl.SettingContent-ms” file that the JavaScript code opens after it opens the PDF
Figure 8. The content of the “downl.SettingContent-ms file that contains the PowerShell command for downloading the FlawedAmmyy RAT
FlawedAmmyy RAT – the spam campaign’s connection to Necurs
Recently, Necurs has been showing interest in bots with specific characteristics. On July 12, Necurs pushed a module – a downloader of the FlawedAmmyy RAT – to its bots. The module checked if the domain name contained any of the following keywords: bank, banc, aloha, aldelo, and postilion (as seen in Figure 10). Aloha is a restaurant POS system, Aldelo is an iPad POS system, while Postilion is a solution for acquiring payments or transactions across all channels, from ATM and POS to ecommerce and mobile. It downloads and executes the final payload from hxxp://169[.]239[.]129[.]117/Yjdfel765Hs if the bot’s user domain matches Necurs’ criteria.
Figure 9. The module obtained the bot’s user domain via the cmd command echo %%USERDOMAIN%%
Figure 10. The module checks if the user domain contains any of the highlighted keywords
Trend Micro Solutions
To defend against spam and threats like Necurs, businesses can take advantage of Trend Micro™ endpoint solutions such as Trend Micro Smart Protection Suites and Worry-Free™ Business Security. Both solutions can protect users and businesses from threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs. Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachment and URLs.
Trend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions.
Trend Micro™ OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware.
Indicators of compromise (IoCs)
| IoC | IoC Type | Description |
| 5181ede149a8cd560e9e0958be51ec069b486c87 14efc02509ab12eee08183a8 |
SHA256 | Necurs module that checks if the bot is potentially bank- or POS-related |
| 576a373ccb9b62c3c934abfe1573a87759a2bfe26 6477155e0e59f336cc28ab4 |
SHA256 | PDF used in the spamming campaign on July 12 and 13 |
| 42ded82ef563db3b35aa797b7befd1a19ec92595 2f78f076db809aa8558b2e57 |
SHA256 | FlawedAmmyy RAT dropped by the Necurs module and the spam campaign on July 12 |
| 185[.]99[.]132[.]119:443 | IP + Port | C&C of the FlawedAmmyy RAT |
| hxxp://169[.]239[.]129[.]117/Yjdfel765Hs | URL | URL used to download the FlawedAmmyy RAT in the Necurs module |
| hxxp://169[.]239[.]129[.]117/cal | URL | URL used to download the FlawedAmmyy RAT in the SettingContent-ms file embedded in the PDF |
