Juniper Threat Labs analyzes email traffic to reveal how malicious files propagate via attachments, macros, and exploits, based on a random sample of one million files from 2022. The findings show that most malicious files are first-stage downloaders, often delivered through Excel macros exploiting old Office vulnerabilities, and that they are detected and blocked by Juniper ATP and SRX with inline protection.
#Remcos #CVE-2017-11882
Keypoints
- One million email-file samples from 2022 show PDFs dominate (82.66%), followed by Office Documents (16%), with small shares of Compressed Archives, Executables, and Others.
- 14.61% of files were flagged suspicious; 3.87% were malicious; ~86% of malicious files were confirmed via sandbox technology; ML detected 8.26% that heuristics/AV missed; only 0.01% were known attacks.
- Among malicious files, Executables (77.84%) were the largest known-bad category, with Office Documents (0.84%) and PDFs (5.10%) also involved; macros in Office Documents were common as downloader components.
- 55% of malicious macros acted as first-stage downloaders; 43% of infected documents leveraged exploits targeting older Office versions, including CVE-2017-11882 and CVE-2018-0798.
- Example: a malicious Excel attachment carrying a CVE-2017-11882 exploit downloads Remcos RAT; MD5/SHA hashes and SSDEEP values are provided for the malicious file and the Remcos payload.
- The Remcos configuration reveals C2 details using gotdns (a dynamic DNS provider) with host and domain indicators, and a download/communication path via HTTP to an IP address; Juniper SecIntel blocks such outbound traffic.
- Juniper ATP’s email file scanning allows configuration of quarantine, warning headers, or permit actions; default scanning with inline file inspection is recommended due to evasion tactics like macro modifications.
MITRE Techniques
- [T1566.001] Phishing – ‘phishing is one of the most popular attack vectors. Attackers use deceptive attachments or links in phishing emails that are designed to trick recipients and compromise their systems.’
- [T1203] Exploitation for Client Execution – ‘Attached to the email was a Microsoft Excel document with an embedded exploit for CVE-2017-11882.’
- [T1204.002] User Execution: Malicious File – ‘55% of the macros were first-stage downloaders that fetched malicious code’ (Office macros in documents used to drop payloads).
- [T1105] Ingress Tool Transfer – ‘The exploit downloads a Remcos instance from the following IP address by issuing a direct HTTP request: 208.136[.]4:80’
- [T1071.001] Web Protocols – ‘The Remcos instance communicates with a C2 domain using HTTP; the domain helposti resolves via dynamic DNS (gotdns) provider’ (C2 over web protocols).
- [T1547.001] Registry Run Keys/Startup Folder – ‘the sample persists after reboots by creating an autostart registry key.’
- [T1056.001] Input Capture – ‘the malware creates keyboard hooks to capture user keystrokes and store them in logs.dat.’
- [T1113] Screen Capture – ‘the malware takes screenshots’
- [T1123] Audio Capture – ‘and records audio’
- [T1041] Exfiltration Over C2 Channel – ‘what type of information to log and exfiltrate’ and the configured C2 path.
- [T1071.004] DNS – ‘gotdns’ dynamic DNS provider used for C2 resolution (domain gdyhjjdhbvxgsfe.gotdns.ch and related infrastructure).
Indicators of Compromise
- [IP Address] Direct download of Remcos from a remote host – 208.136[.]4:80, and a related C2 IP 37.139.129.71
- [Domain] C2 domain – gdyhjjdhbvxgsfe.gotdns.ch
- [Domain] Dynamic DNS provider domain referenced for C2 – gotdns
- [MD5] Malicious Excel file MD5 – 0ec406570be4baa94ba2c70356819014
- [SHA-1] Malicious Excel file SHA-1 – 9f14a7b8ae8eaf4dc2f2df9efa15ebe261b3c0c4
- [SHA-256] Malicious Excel file SHA-256 – ef7cfc7d88ef776f589c3d6cf0c0c38bf258a70d77e601cea39c8dbc5c5d3552
- [Imphash] Remcos sample imphash – f34d5f2d4577ed6d9ceec516c1f5a744
- [MD5] Remcos payload MD5 – d4737ba9edce7dae4e80d9c6b8dd7931
- [SHA-1] Remcos payload SHA-1 – 6733b801c76003b32fa5f3548515148ec17b99db
- [SHA-256] Remcos payload SHA-256 – abdbc9b2fc56b9dd451fffae65630dc6ef64a6d30b73e4a46c4e4efb0180c92d
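The indicators above are only useful once they are matched against telemetry. The following Python script is an added example, not code from Juniper or from the blog post: it loads the hashes, C2 IP and C2 domain listed on this page, treats the dynamic DNS suffix (gotdns.ch) as a weaker signal, and runs the match over a few constructed key=value log lines (file-scan, DNS and proxy events). The direct-download IP is given on the page only in defanged, truncated form (208.136[.]4:80), so it is deliberately not included rather than guessed.

```python
"""Match the Remcos / CVE-2017-11882 indicators from this page against log lines.

Added example: the log lines are constructed, and the key=value log format and
the severity labels are assumptions, not any vendor's product logic.
"""

# Indicators copied verbatim from the page. The truncated download IP
# (208.136[.]4) is left out on purpose; do not complete it by guessing.
IOC_HASHES = {
    "0ec406570be4baa94ba2c70356819014": "malicious Excel (MD5)",
    "9f14a7b8ae8eaf4dc2f2df9efa15ebe261b3c0c4": "malicious Excel (SHA-1)",
    "ef7cfc7d88ef776f589c3d6cf0c0c38bf258a70d77e601cea39c8dbc5c5d3552": "malicious Excel (SHA-256)",
    "d4737ba9edce7dae4e80d9c6b8dd7931": "Remcos payload (MD5)",
    "6733b801c76003b32fa5f3548515148ec17b99db": "Remcos payload (SHA-1)",
    "abdbc9b2fc56b9dd451fffae65630dc6ef64a6d30b73e4a46c4e4efb0180c92d": "Remcos payload (SHA-256)",
}
IOC_IPS = {"37.139.129.71": "Remcos C2 IP"}
IOC_DOMAINS = {"gdyhjjdhbvxgsfe.gotdns.ch": "Remcos C2 domain"}
# Weaker signal: the dynamic DNS provider the page names for C2 resolution.
DYNDNS_SUFFIXES = (".gotdns.ch",)

# Fields whose values are hosts/IPs or file hashes (assumed log schema).
HOST_FIELDS = ("dst", "qname")
HASH_FIELDS = ("md5", "sha1", "sha256")


def refang(value):
    """Turn defanged indicators (37[.]139..., hxxp) back into matchable form."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def match_host(host):
    """Return (severity, reason) for a host or IP, or None if it is clean."""
    host = refang(host).strip().lower().rstrip(".")
    if host in IOC_IPS:
        return ("high", IOC_IPS[host])
    if host in IOC_DOMAINS:
        return ("high", IOC_DOMAINS[host])
    if host.endswith(DYNDNS_SUFFIXES):
        return ("medium", "dynamic DNS provider seen in Remcos C2 (gotdns)")
    return None


def match_hash(digest):
    """Return (severity, reason) for a file hash, case-insensitively."""
    label = IOC_HASHES.get(digest.strip().lower())
    return ("high", label) if label else None


def parse_kv(line):
    """Parse 'key=value key=value ...' into a dict (values may not contain spaces)."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)


def scan_log(lines):
    """Scan log lines; return one finding per line that hits an indicator."""
    findings = []
    for idx, line in enumerate(lines):
        fields = parse_kv(line)
        hit = None
        for name in HASH_FIELDS:
            if name in fields:
                hit = hit or match_hash(fields[name])
        for name in HOST_FIELDS:
            if name in fields:
                hit = hit or match_host(fields[name])
        if hit:
            findings.append({"line": idx, "severity": hit[0], "reason": hit[1],
                             "event": fields.get("event", "?")})
    return findings


# Constructed sample telemetry (not real captures): an attachment scan, the
# C2 resolution and beacon, an unrelated gotdns lookup, and benign traffic.
LOG_LINES = [
    "ts=2022-05-04T10:01:12Z event=file client=mailgw sha256="
    "ef7cfc7d88ef776f589c3d6cf0c0c38bf258a70d77e601cea39c8dbc5c5d3552 name=invoice.xls",
    "ts=2022-05-04T10:01:40Z event=dns client=pc-17 qname=gdyhjjdhbvxgsfe.gotdns.ch rcode=NOERROR",
    "ts=2022-05-04T10:01:41Z event=proxy client=pc-17 dst=37.139.129.71 dport=80 method=POST",
    "ts=2022-05-04T10:02:05Z event=dns client=pc-22 qname=some-other-name.gotdns.ch rcode=NOERROR",
    "ts=2022-05-04T10:03:00Z event=proxy client=pc-22 dst=www.example.com dport=443 method=GET",
]

if __name__ == "__main__":
    for finding in scan_log(LOG_LINES):
        print(f"line {finding['line']} [{finding['severity']}] {finding['event']}: {finding['reason']}")
```

Running it flags the attachment hash, the C2 domain lookup and the beacon to the C2 IP as high-confidence hits, and the unrelated gotdns.ch lookup only at medium, which is the right split: a dynamic DNS suffix alone is a lead to triage, not a block decision, whereas the exact hashes, domain and IP from the report can go straight to blocking.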
Read more: https://blogs.juniper.net/en-us/threat-research/uncovering-the-dark-side-of-email-traffic