Yesterday, I found a phishing sample that looked interesting:
From: [email protected][.]com
To: me
Subject: RE: Re: Proforma Invoice INV 075 2018-19 ’08
Reply-To: [email protected][.]com

Dear Respected Sir,

Please find the proforma invoice attached. Kindly check and confirm. Material will be dispatched with 5-7 working days.

Regards,
Armit Thakkar
Head Sales Development
Technovinyl Polymers India Ltd.
Filix 901 -C1, 9th Floor, Opp. Asian Paints, L.B.S.Road, Bhandup (W), Mumbai - 400 078, India
Mob: +91-9322266143
Ph: +91-22-61721888
There was an attached document “INV 075 2018-19.xlsx” (SHA256: abbdd98106284eb83582fa08e3452cf43e22edde9e86ffb8e9386c8e97440624) with a score of 28/60 on VT. When I opened the document, it presented a nice picture asking the victim to disable the default Office security feature:
But I also received an error message from Office about an application that could not be opened. Excel tried to spawn a new process:
Google this and you will discover that the “Equation Editor” is an Office tool that helps to write cool equations:
This tool is very useful for mathematicians or engineers who must add complex equations to their documents, but who installs it in a malware analysis sandbox? This is a nice way to evade automated analysis. Once my sandbox was fixed and the Equation Editor installed, I re-opened the document and, immediately, the Equation Editor was launched. It downloaded and executed the following payload:
(SHA256: 7fe5f06d04390dd22e1065491c43c33dbebd03400826897c814db8d10469a8eb – VT score: 41/69).
Once executed, the malware copies itself into %APPDATA%\Roaming\svhost\svhost.exe
It schedules a task via schtasks.exe:
schtasks.exe /create /sc MINUTE /tn svhost.exe /MO 1 /tr "C:\Users\admin\AppData\Roaming\svhost\svhost.exe"
But it also creates a shortcut in: %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe.url:
The malware is a Razy trojan and it phones home to datalogsbackups[.]hopto[.]org (184.108.40.206) to port 2233.
The vulnerability exploited by this campaign is not new. It abuses CVE-2017-11882 present in eqnedt32.exe.
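The behaviour described above gives defenders two cheap detection points in process-creation telemetry: an Office application spawning the Equation Editor, and a schtasks.exe /create with a minute-level trigger pointing into AppData. The script below is an added example (not from the diary) that applies both checks to constructed sample events; the event field names and file paths are assumptions modelled on Sysmon-style logging.

```python
import re

# Constructed sample process-creation events (not real telemetry), modelled on the
# behaviour seen in the diary: Excel -> EQNEDT32.EXE, then a minute-level scheduled task.
EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"parent": r"C:\Users\admin\AppData\Roaming\svhost\svhost.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc MINUTE /tn svhost.exe /MO 1 /tr "C:\Users\admin\AppData\Roaming\svhost\svhost.exe"'},
    # Benign-looking scheduled task: daily trigger, binary under Program Files
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc DAILY /tn Backup /tr "C:\Program Files\Backup\backup.exe"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}


def basename(path):
    """Lower-cased file name from a Windows path (handles either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of detection tags that apply to one process-creation event."""
    tags = []
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    # 1. An Office application spawning the Equation Editor (CVE-2017-11882 abuse path).
    if parent in OFFICE_APPS and image == "eqnedt32.exe":
        tags.append("office_spawns_eqnedt32")
    # 2. schtasks persistence: /create with a MINUTE trigger running a binary under AppData.
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        minute_trigger = re.search(r"/sc\s+MINUTE\b", cmd, re.I)
        appdata_target = re.search(r"\\AppData\\", cmd, re.I)
        if minute_trigger and appdata_target:
            tags.append("schtasks_minute_appdata")
    return tags


def scan(events):
    """Map event index -> tags for every event that triggered at least one detection."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}
```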
Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.