14/05/2020

Spam campaign: Netwire RAT via paste.ee and MS Excel to German users

Netwire RAT via paste.ee and MS Excel to German users Malware

DeepRay alarm: attacks on German customers

At noon on 13. April 2020 our monitoring system created an alert because DeepRay reported more hits than usual for one particular detection on PowerShell downloaders. The alarm system is there to see early if something goes wrong. However, this alarm went off because of a spam campaign hitting our German customers. The detections were all legitimately preventing the malware downloader from doing it's job.

We investigated the threat and also found BEAST-related entries which showed that the culprit were Excel documents delivered by email. While we do not receive the Excel or email documents themselves, we do see infection chains reported by BEAST for those customers that agreed to the Malware Information Initiative (Mii).

Infection vector: Delivery email with Excel attachment

The malicious email claims to be from DHL, a courier, parcel and express mail service in Germany. It says that the delivery address of a recent order cannot be found and that the recepient should add information to an attached document. A screenshot of an email is shown in this German article that warns about malicious Macros, which we found to be describing the same threat because of the IOCs.

A lot of people are currently getting deliveries due to Corona related lockdowns of shops, which is probably why the threat actors chose this way to deceive the user.

The document has the name Dokumentation.xls[1]. After searching for threats via Google, we found a sample on Virustotal that fits to the ongoing campaign. If opened it shows an image that requests the user to activate Macros in order to show the contents.

After enabling Macros, the Excel document activates a PowerShell command which downloads two files from paste.ee and performs character replacements on them in oder to decode the files.

One of those text files[4] is seen on the left hand side below. Here the characters '@@' will be replaced by '44' and '!' by '78'.

After character replacement and converting the integers to bytes, a second obfuscation layer[5] becomes visible (image on the right side). This layer only has 'N' prepended to all byte values. Decoding it reveals the last layer, which is a .NET DLL called Hackitup[2].

Hagga delivers NetWire RAT

The other file downloaded from paste.ee is an obfuscated but non-packed NetWire[3] sample. Netwire is a wide-spread remote access malware.

The aforementioned .NET DLL Hackitup[2] performs process injection for a given file. The PowerShell command calls this DLL to inject NetWire[3] into MSBuild.exe.

This kind of PowerShell downloader is typical for Hagga aka Aggah campaigns as described in this Azorult article.

Takedown of paste.ee pastes stopped the campaign

After I had tweeted about the ongoing campaign, researcher @JayTHL requested the paste.ee sites and reported them. They were taken down a few minutes later, effectively stopping payload delivery.

Indicators of Compromise

DescriptionFilenameSHA256Detection

[1] Excel attachment
Similar to the ones used in campaign but older

Dokumentation.xls67fd76d01ab06d4e9890b8a18625436fa92a6d0779a3fe111ca13fcd1fe68cb2Trojan.Agent.EQQI
[2] .NET Injection DLLHackitup

bb37f30311a0ade4a807a5de7f078efd6b3af815aa4305a4bcc17f6d4b5ee9e6

MSIL.Trojan.Injector.OX

MSIL.Trojan.Injector.OY

[3] NetWireMSBuild.exe

cdd2e26792bd7ee81a6297d13dd514836778620c9bd96e79ae6ee26239c546b1

e8edf64d02ed7f0456b8f1601026ce37f9120d3a1d1e9ba7fdc8d9bc8bf10d10

Win32.Trojan.Netwire.C
[4] Obfuscated Hackitup Layer 1
(raw paste.ee download)
 f3764f7cd5b1f27e1d921b4f7eb229482652a317a27193824207da051943a2c8 

[5] Obfuscated Hackitup Layer 2
(first unpacking stage)

 f92db2c4401d5da1e1f68a4ec1fb159c34fc7f020e4fbacca3e4682db0a5bbe2 
URLs
paste .ee/r/e49u0
paste .ee/r/dlOMz
paste .ee/r/gTYWf
paste .ee/r/rHoL5