Unraveling the Shinigami's prank hidden in spam emails


Introduction

ITOCHU Cyber & Intelligence Inc. (ICI) routinely observes a large volume of spam emails to identify new attack tactics and the early stages of mass-attack campaigns targeting Japan. We pay particular attention to emails with attachments in unusual file formats or message bodies written in Japanese, as these could indicate targeted attacks.

This blog post analyzes a recent Japanese-language spam email with a multi-stage infection process. The sample combined several traditional attack tactics, including obfuscated VBScript and PowerShell scripts, malicious code embedded in images (steganography), and the abuse of free image-uploading and text-sharing websites as payload retrieval infrastructure.

What is Steganography?

The art of concealing data within another medium.


Infection flow

The purpose of this sample was to deliver the AgentTesla malware to victims and infect them.

What is AgentTesla?

AgentTesla is an information stealer written in .NET Framework that has been observed since 2014.

It can steal a variety of information from victims, including keystrokes, clipboard contents, screenshots, and authentication credentials for installed software. The stolen data may be exfiltrated to other attackers. https://attack.mitre.org/software/S0331/

The infection flow is as follows:

Figure 1. The infection flow

As you can see, several steps are involved in the process, from the receipt of the email to the final malware infection. Let's break down this process.

Malicious email

We have observed the following malicious email.

Figure 2. The observed malicious email sample

This email contained "payment-related" information, which is a common subject in email-based attacks. The sender's email address was a compromised email account belonging to a medical service company in Vietnam. Although the stated sender was the Bank of Japan, a file named "韓国銀行の領収書" (in English, "Receipt from Bank of Korea") was attached. This inconsistency raised suspicions.

The domain mentioned in the closing paragraph did not match the official Bank of Japan domain. Additionally, the service center contact information was also presumed to be from a Thai bank, further contradicting the claim of being a financial institution’s email.

The attached file, 韓国銀行の領収書.tar.lz (md5: b73f8d56d31da6673025be38a4beb336), contained a VBScript file named 韓国銀行の領収書.vbs (md5: 6665a0f0f0b1d55cb8a85f115a8a1d07). Executing this VBScript file would ultimately lead to malware infection.

The .vbs extension is not visible by default in Windows settings, so it appears to users as a file named 韓国銀行の領収書.

Analysis results

Let’s analyze the VBScript file.

Figure 3. The code of “韓国銀行の領収書.vbs”

The script in the VBScript file first retrieves string data from a free text-sharing website called paste[.]ee. This technique of obtaining data from free text-sharing websites to stage subsequent attacks has been observed before.

References

New Panda Stealer Targets Cryptocurrency Wallets

Furthermore, the error messages are written in Portuguese. Is the developer of this VBScript fluent in Portuguese?

Figure 4. The strings identified in paste[.]ee at 2024/4/10

The VBScript concatenates the string data retrieved from paste[.]ee and applies string replacements to it. The result is a PowerShell script, which is then executed.

This PowerShell script, as shown in the top part of Figure 5, replaces the string DgTre with the character A in the obfuscated string stored in the variable codigo (highlighted in green) and then decodes the string using base64 to execute the PowerShell script shown in the bottom part of Figure 5.

Figure 5. Obfuscated PowerShell script executed from VBScript

It is believed that the purpose of replacing specific strings and converting data into different formats is to evade detection by security products.

This PowerShell script fetches the image file new_image_vbs.jpg from a free image-uploading website "uploaddeimagens[.]com[.]br" and extracts and utilizes malicious code embedded within the image data. An example of the image file is shown in Figure 6 (The actual image has been masked to protect copyright).

The PowerShell script contained two URLs, and while the images at both URLs had the same design, malicious code was only embedded in one of them.

Figure 6. The image of "new_image_vbs.jpg" and embedded code

This method, where data is obtained from free image-uploading websites and malicious code is extracted from image data, has been widely used by many malware families in the past.

References

Battle Against Ursnif Malspam Campaign targeting Japan

We suspect that the attackers may use these detection-evasion techniques to fetch payloads:

  • Retrieving data from image-uploading websites: Restricting access to these websites is challenging since they are not inherently malicious.
  • Fetching data via HTTPS: Identifying the accessed path is difficult in environments that don't decrypt SSL traffic and maintain logs.

The PowerShell script retrieves the image new_image_vbs.jpg from two URLs stored within the script. It then combines these images and extracts the string enclosed by the tags <<BASE64_START>> and <<BASE64_END>> embedded in the data. This extracted string is decoded using Base64 and loaded as a .NET file. This .NET file is also a loader-type malware, hereafter referred to as the ".NET Loader".
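The extraction step described above can be reproduced statically during triage, without running the script. The Python below is an added example, not code from the sample or from ICI; the image bytes and the stand-in payload are constructed, and the function names are hypothetical.

```python
import base64
import binascii
import re

START, END = b"<<BASE64_START>>", b"<<BASE64_END>>"  # tags named in the post


def carve_tagged_payload(blob: bytes):
    """Return the decoded bytes between the tags, or None without a full pair."""
    start = blob.find(START)
    if start == -1:
        return None
    end = blob.find(END, start + len(START))
    if end == -1:
        return None
    encoded = re.sub(rb"\s+", b"", blob[start + len(START):end])
    # Strict decoding: stray non-Base64 bytes raise instead of being skipped.
    return base64.b64decode(encoded, validate=True)


def triage_images(images: dict) -> dict:
    """Map each image name to (verdict, decoded payload size)."""
    report = {}
    for name, blob in images.items():
        try:
            payload = carve_tagged_payload(blob)
        except binascii.Error:
            report[name] = ("tags present, invalid Base64", 0)
            continue
        if payload is None:
            report[name] = ("no tagged payload", 0)
        elif payload[:2] == b"MZ":
            report[name] = ("embedded PE (MZ header)", len(payload))
        else:
            report[name] = ("embedded non-PE data", len(payload))
    return report


# Constructed inputs: a JPEG-like stub and a 32-byte stand-in for a PE file.
JPEG_STUB = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
FAKE_PE = b"MZ" + b"\x90" * 30
SAMPLES = {
    "image_a.jpg": JPEG_STUB,  # same design, nothing embedded
    "image_b.jpg": JPEG_STUB + START + base64.b64encode(FAKE_PE) + END,
    "image_c.jpg": JPEG_STUB + START + b"not*base64" + END,
}

if __name__ == "__main__":
    for name, verdict in triage_images(SAMPLES).items():
        print(name, verdict)
```

Checking each image separately, as here, also shows which of the two downloads actually carries the embedded data.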

Following this, execution moves to the VAI method of the Home class within PROJETOAUTOMACAO.VB provided by the .NET Loader. Several arguments are passed, including the reversed URL txt.ude/ba/moc[.]o<redacted>m//:spxxh. These arguments will be discussed later. Note: <redacted> is a placeholder for the domain of the compromised website.

Figure 7. The code within the VAI method

The VAI method first calls the start method of the Class6 class within the project. This method checks for the existence of a file named Name_File.vbs in the C:\ProgramData\ directory. If the file is not found, it executes the following command to copy the VBScript file named 韓国銀行の領収書.vbs, which is located in the current directory, to C:\ProgramData.

C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Name_File.vbs

To ensure persistence, the VAI method also registers C:\ProgramData\Name_File.vbs under the current user's registry Run key (SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run).

Figure 8. File check and persistence for the “start” method

The VAI method then resumes control and sets the _applicationName variable to C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBUILD.exe, as shown in Figure 9. This is a preparation for a code injection technique known as Process Hollowing, which will be discussed later.

Figure 9. Designated legitimate process

Next, as shown in Figure 10, the reversed URL string is restored to its original state, and the final malware payload is retrieved.

Figure 10. Reverse Process

In this sample, the string txt.ude/ba/moc[.]o<redacted>m//:spxxh was restored to the URL hxxps://m<redacted>o[.]com/ab/edu[.]txt and data was retrieved from this URL.

The nature of the retrieved data suggested that it was encoded in Base64 and then reversed. Reversing and decoding it using CyberChef revealed that it was a PE file.

Figure 11. Retrieve a PE file by reversing the data and performing Base64 decoding
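The restore-and-decode steps from Figures 10 and 11 as an added Python example (not the loader's code or ICI's tooling). The URL, the download and the minimal PE header are constructed samples, and the trailing-"VT" heuristic is an assumption based on how Base64 encodes the MZ signature.

```python
import base64
import struct


def restore_reversed(text: str) -> str:
    """Undo the character reversal applied to the URL argument."""
    return text[::-1]


def decode_reversed_base64(data: bytes) -> bytes:
    """Reverse the downloaded text, then Base64-decode it strictly."""
    cleaned = b"".join(data.split())  # tolerate line breaks in the download
    return base64.b64decode(cleaned[::-1], validate=True)


def ends_like_reversed_pe(data: bytes) -> bool:
    """Heuristic (assumption): Base64 of 'MZ...' starts 'TV', so reversed text ends 'VT'."""
    return data.rstrip()[-2:] == b"VT"


def pe_machine(image: bytes):
    """Return the COFF Machine value if DOS and NT signatures check out, else None."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if len(image) < e_lfanew + 6 or image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return struct.unpack_from("<H", image, e_lfanew + 4)[0]


# Constructed samples: a placeholder URL and a 64-byte DOS stub plus NT signature.
SAMPLE_REVERSED_URL = "https://example.com/ab/final.txt"[::-1]
_DOS = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
SAMPLE_PE = _DOS + b"PE\x00\x00" + struct.pack("<H", 0x014C) + b"\x00" * 18
SAMPLE_DOWNLOAD = base64.b64encode(SAMPLE_PE)[::-1] + b"\r\n"

if __name__ == "__main__":
    print(restore_reversed(SAMPLE_REVERSED_URL))
    stage = decode_reversed_base64(SAMPLE_DOWNLOAD)
    print(ends_like_reversed_pe(SAMPLE_DOWNLOAD), hex(pe_machine(stage)))
```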

Finally, as shown in Figure 12, the malware launches the process specified in _applicationName, which is C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBUILD.exe, and injects the decoded PE file into the memory of that process. This is a process injection technique called Process Hollowing, which is implemented to evade detection by security products.

References

Process Hollowing

Figure 12. Process Hollowing

Further analysis of the PE file extracted using CyberChef revealed that it is AgentTesla, a .NET-based malware.
AgentTesla is capable of exfiltrating stolen information via email. The email exfiltration destination was identified as mail[.]privateemail[.]com (port: 587, protocol: smtp). Figure 13 illustrates the malware configuration of AgentTesla.

Figure 13. Malware configuration of AgentTesla

Discussion

We've observed attacks using similar infection techniques to deliver multiple malware types, including Remcos and XLoader (formerly Formbook). Analysis of related samples reveals that the attackers actively change file formats, using XLA and RTF, indicating an adaptive approach.

The day before the Japanese version of this post was published (April 15, 2024), PT Security released a blog post on the SteganoAmor campaign. The samples described in this post were similar to those we were analyzing at the time.

Reference:

SteganoAmor campaign: TA558 mass-attacking companies and public institutions all around the world

We consider this tactic to be one that warrants continued attention, as it is likely to see further implementation in the future to evade detection and anti-analysis. This could include more complex infection flows using multi-stage access, obfuscation of scripts, and the adoption of new techniques.

Countermeasures

We have implemented the following countermeasures to defend against malicious emails containing malware:

  • Utilize spam filters to quarantine emails with attached VBS files or other malicious files with unusual extensions.
    • We deploy specialized tools to detect them within compressed files such as ZIP archives.
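One way to express this attachment check, as an added Python example rather than ICI's tooling. The extension list, the depth and size limits and the message are assumptions constructed for illustration, and only ZIP containers are opened, so a .tar.lz attachment like the one in this sample would need a separate lzip-capable unpacker.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1")  # assumed policy
MAX_DEPTH = 2                  # assumed limit on nested archives
MAX_MEMBER_BYTES = 10_000_000  # assumed cap, avoids inflating huge members


def risky_names(filename: str, data: bytes, depth: int = 0):
    """Yield script-like names, descending into ZIP members up to MAX_DEPTH."""
    if filename.lower().endswith(SCRIPT_EXTS):
        yield filename
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            # Member names are readable even when the content is encrypted.
            skip = info.is_dir() or info.flag_bits & 0x1 or info.file_size > MAX_MEMBER_BYTES
            inner = b"" if skip else archive.read(info)
            for name in risky_names(info.filename, inner, depth + 1):
                yield f"{filename}!{name}"


def scan_message(raw: bytes) -> list:
    """Return the risky attachment paths found in one RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        hits.extend(risky_names(part.get_filename() or "", part.get_payload(decode=True) or b""))
    return hits


def build_sample_message() -> bytes:
    """Constructed message: a ZIP holding a ZIP holding a harmless .vbs file."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("receipt.vbs", "WScript.Echo 1")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("inner.zip", inner.getvalue())
        z.writestr("readme.txt", "hello")
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip", filename="receipt.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample_message()))
```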

IoCs



Destinations
hxxps://paste[.]ee/d/1gYLt
hxxps://uploaddeimagens[.]com[.]br/images/004/766/979/original/new_image_vbs[.]jpg?1712588500
hxxps://uploaddeimagens[.]com[.]br/images/004/766/978/full/new_image_vbs[.]jpg?1712588469
hxxps://m<redacted>o[.]com/ab/edu[.]txt
mail[.]privateemail[.]com (Port:587, protocol:smtp)