Spam campaign: Netwire RAT via paste.ee and MS Excel to German users
Quote:

G DATA discovered an email spam campaign in Germany that delivers NetWire RAT via PowerShell in Excel documents. The emails mimic the German courier, parcel and express mail service DHL.

DeepRay alarm: attacks on German customers

At noon on 13 April 2020 our monitoring system created an alert because DeepRay reported more hits than usual for one particular detection on PowerShell downloaders. The alarm system is there to see early if something goes wrong. However, this alarm went off because of a spam campaign hitting our German customers. The detections were all legitimately preventing the malware downloader from doing its job.

We investigated the threat and also found BEAST-related entries which showed that the culprits were Excel documents delivered by email. While we do not receive the Excel or email documents themselves, we do see infection chains reported by BEAST for those customers that agreed to the Malware Information Initiative (Mii).

Infection vector: Delivery email with Excel attachment

The malicious email claims to be from DHL, a courier, parcel and express mail service in Germany. It says that the delivery address of a recent order cannot be found and that the recipient should add information to an attached document. A screenshot of an email is shown in this German article that warns about malicious Macros, which we found to be describing the same threat because of the IOCs.

A lot of people are currently getting deliveries due to Corona related lockdowns of shops, which is probably why the threat actors chose this way to deceive the user.

The document has the name Dokumentation.xls. After searching for threats via Google, we found a sample on Virustotal that fits the ongoing campaign. If opened it shows an image that requests the user to activate Macros in order to show the contents.

After enabling Macros, the Excel document activates a PowerShell command which downloads two files from paste.ee and performs character replacements on them in order to decode the files.

One of those text files is seen on the left hand side below. Here the characters '@@' will be replaced by '44' and '!' by '78'.

After character replacement and converting the integers to bytes, a second obfuscation layer becomes visible (image on the right side). This layer only has 'N' prepended to all byte values. Decoding it reveals the last layer, which is a .NET DLL called Hackitup.
...
[-] The following 1 user says Thank You to harlan4096 for this post:
  • Toligo
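An added Python decoder for the two obfuscation layers the quoted article describes (this is not code from the post, from G DATA, or from the malware). It assumes the first-layer text is a comma-separated list of decimal byte values in which "44" was rewritten as "@@" and "78" as "!", and that the second layer is one decimal byte value per item with a leading "N"; both sample inputs below are constructed.

```python
from typing import Dict

# Substitutions the article describes for the first layer (token -> digits).
LAYER1_SUBSTITUTIONS: Dict[str, str] = {"@@": "44", "!": "78"}

# Constructed sample of a first-layer text: decodes to the ASCII string
# "N77N90N144N0", i.e. the second layer wrapping the bytes 4D 5A 90 00 ("MZ" header).
LAYER1_SAMPLE = "!,55,55,!,57,48,!,49,52,52,!,48"


def decode_layer1(text: str) -> bytes:
    """Undo the character substitutions, then turn the decimal integers into bytes.
    The comma delimiter is an assumption; the article shows only the replacements."""
    for token, digits in LAYER1_SUBSTITUTIONS.items():
        text = text.replace(token, digits)
    values = [int(v) for v in text.replace("\n", "").split(",") if v.strip()]
    if any(not 0 <= v <= 255 for v in values):
        # A value outside 0..255 means the format assumption is wrong; fail loudly
        # rather than silently producing a garbage blob.
        raise ValueError("value outside byte range; check the delimiter assumption")
    return bytes(values)


def decode_layer2(text: str) -> bytes:
    """Second layer: every byte value carries a leading 'N'. Strip it and convert."""
    parts = [p for p in text.split("N") if p]
    return bytes(int(p) for p in parts)


def unwrap(layer1_text: str) -> bytes:
    """Run both layers: layer 1 yields ASCII text that is the layer-2 encoding."""
    inner = decode_layer1(layer1_text).decode("ascii")
    return decode_layer2(inner)


def looks_like_pe(blob: bytes) -> bool:
    """Quick triage check: a .NET DLL, like any PE file, starts with 'MZ'."""
    return blob[:2] == b"MZ"


if __name__ == "__main__":
    payload = unwrap(LAYER1_SAMPLE)
    print(payload.hex(), "PE header" if looks_like_pe(payload) else "not PE")
```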