While phishing attacks against banks in Russia are nothing new, the recent attacks carried out against the “certifying bodies” offering maintenance and support for various electronic goods are worth looking at.
Russian service centers were deceived by attackers who launched a phishing email campaign exploiting a 17-year-old vulnerability in MS Office. The vulnerability, tracked as CVE-2017-11882, is a memory consumption issue that affects all versions of Microsoft Office, including the latest version, Office 365, and can be triggered on all versions of the Windows operating system, including Windows 10. The bug can be exploited by cyber criminals to execute malicious code, which is done by tricking victims into opening a specially crafted malicious file.
The first Russian service center attack was observed in March by FortiGuard Labs, when the crooks sent spear phishing emails to a service center for Samsung electronic devices.
The analysis reveals that 50 domains were registered by the crooks on the same day to carry out phishing attacks and to deliver malware.
The contents of the email were in Russian and included an attachment named ‘Symptom_and_repair_code_list.xlsx’.
The distinctive feature of the Russian service center attack is its multi-stage launch. Each email sent included a different XLSX file whose shellcode first locates the LoadLibraryA and GetProcAddress functions; in other words, it obtains the means to load libraries and resolve the addresses of DLL (Dynamic Link Library) functions. DLLs play an important role in code modularization.
URLDownloadToFileW and ExpandEnvironmentStringsW are the two most important functions imported by the shellcode.
The purpose of these functions is to download a file from a URL and store the downloaded payload at a specific location.
To evade detection, the final payload then uses multiple layers of packer protection.
First stage: The first layer of protection involves the popular ConfuserEx packer. ConfuserEx is an open-source protector for .NET applications that adds advanced protection to applications written in VB, C#, F# and other .NET languages.
Second stage: The second layer of protection consists of resources encrypted using DES (Data Encryption Standard); once decrypted, a file named BootstrapCS is executed. BootstrapCS contains multiple anti-analysis checks, and its resources section determines which checks should be performed. These checks are there to avoid executing the code in a virtualized environment.
Third stage: This stage of the payload uses a simple XOR algorithm with the key 0x20 for encryption and is stored as a binary resource named mainfile.
Based on the values in the settings resource, the payload is injected into a process once it is decrypted. The third stage of the payload allows the malicious code to control the victim’s PC, including the webcam.
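As an added analyst-side example (not code from the original article or from FortiGuard), the snippet below recovers a PE payload that has been obfuscated with a single-byte XOR key, the scheme the article describes for the third-stage resource mainfile with key 0x20. It generalizes beyond that one key by trying all 256 single-byte keys and scoring each candidate against well-known PE markers; the sample resource it works on is constructed inline, not a real sample.

```python
# Added example: recover a single-byte-XOR-obfuscated PE resource (the article's
# third stage uses key 0x20). The PE image below is constructed for the demo.
import struct
from typing import Optional

MZ = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Brute-force all 256 keys; return the one that yields a plausible PE."""
    for key in range(256):
        candidate = xor_bytes(blob, key)
        if looks_like_pe(candidate) and DOS_STUB in candidate:
            return key
    return None


def build_fake_pe() -> bytes:
    """Constructed minimal image: DOS header, DOS stub text, PE signature."""
    e_lfanew = 0x80
    dos = bytearray(MZ + b"\0" * 0x3A)
    dos += struct.pack("<I", e_lfanew)          # e_lfanew lives at offset 0x3C
    stub = b"\x0e\x1f\xba\x0e\0\xb4\x09" + DOS_STUB + b".\r\r\n$"
    img = bytes(dos) + stub
    img += b"\0" * (e_lfanew - len(img)) + b"PE\0\0" + b"\x4c\x01"
    return img


if __name__ == "__main__":
    # Emulate how the third stage stores "mainfile": XOR with key 0x20.
    resource = xor_bytes(build_fake_pe(), 0x20)
    key = recover_xor_key(resource)
    print(f"recovered key: {key:#x}" if key is not None else "no PE found")
```

On a real sample you would read the extracted resource bytes from disk instead of building them, and then carve the decoded image out for further static analysis.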