Naughty Little Email – Pseudo-Analysis (WiP)

Last week I got an email to an address that I don’t typically use much. The email is so blatantly not on the up-and-up I thought I’d go through it and see what it was about and it’s a lot more involved than I was expecting. It wants to take control of all the things.

I’m including the VirusTotal result links as well as links to all the source code I’ve found.

From:
Report

Subject:
Copy of:Your New REPORT #R55242100822 is Ready!

Body:
Confirmation letter enclosed,

Please view your protected attachment file through this link https://www . ssa . gov/forms/ssa4075652123_reports.zip.

*NOTE: The Password For your Protected File is : ssa88655

Thank you for using the Social Security Administration’s services.
Please do not reply to this email, as we are unable to respond to messages sent to this address.
———————————————–
ID:# (Removed in case it’s unique, though I doubt it)

—————————————

The link in the email actually directs you to https://drive . google . com/u/1/uc?id=1cXgO07L6NriAzkMHmNu0qHIghfdJjUA8&export=download and downloads SSAReport-2023-7-31_1557716.zip

This actually is password-protected and the supplied password is used.

This extracts SSAReport-2023-7-31_1557716.vbs https://www.virustotal.com/gui/file/a530527430ce3bbedcd2b631f315ce68a3391b708f8b73a523ec6c8d04a4839e/detection – Source code: https://controlc . com/be9a939d

This VBS file has obvious and trivial obfuscation. (When referring to the obfuscation used throughout, I mean like

$HBxx = ("{1}{0}" -f'LQXPPBMCQXRQMNWGMTBBWRyLQXPPBMCQXRQMNWGMTBBWRpLQXPPBMCQXRQMNWGMTBBWReLQXPPBMCQXRQMNWGMTBBWR'.Replace("LQXPPBMCQXRQMNWGMTBBWR","") 

etc. as an example. They do this with variables and payloads alike)

—————————————

Running this retrieves the first payload file .forcpVOxm0gJB0kE8QpU.txt. https://www.virustotal.com/gui/file/9ce2a4f4223bd544ebaef2bc672063b8a2ba74353de3304096d4deb0344dd044/detection – Source code: https://controlc . com/77315772
which is actually a Powershell script). The contents of the payload script are read into memory in a byte array rather than saved to disk to elude discovery. The payload is then executed.

This PowerShell script has obvious and trivial obfuscation. Running this downloads one of three payloads, seemingly dependent on whether you have installed McAfee, Norton, or neither and then renames it to ChromeRobot69.ps1, opens a shell, and then executes the PowerShell file.

The McAfee file is https://www.virustotal.com/gui/file/000f0001c24f7ba5d85610e3beb4230bef1e85241df33c730dc2ac4d1361e1fd/detection – Source code: https://controlc . com/0fecccd4

The Norton file is https://www.virustotal.com/gui/file/9dfc49efa0a5d98c346ce2a10d495ab65c93c4913eca07fb7a90d6b3bfcc2205/detection – Source code: https://controlc . com/d222b31c)

The default file is https://www.virustotal.com/gui/file/89078ce756d59de0e9dac9343618187053a107bd7720566d0d08e29a814695d9/detection – Source code: https://controlc . com/5cbbd638)

—————————————

The McAfee ChromeRobot69.ps1 again uses obfuscation and has two shellcode payloads; an executable and a .dll.

The first payload https://www.virustotal.com/gui/file/d391692283a5dee65d00f4e3163e736da942ad2562136094da8613ac106fd5f0/detection

The second https://www.virustotal.com/gui/file/3e7f5f5353c6721f98499f3036ac90b2528378df2906db14531ccf0d2444a738/detection

The Norton ChromeRobot69.ps1 also has two shellcode payloads; an executable and a .dll. (This drops a RAT)

The first payload https://www.virustotal.com/gui/file/1161883d40a79bc4339a69d68b2297dbfa5c48d71fa916041aca764c0a46a810/detection

The second https://www.virustotal.com/gui/file/f29dea448fe69ae5d7b874be225db808abca82a878ddcd69b6a0e4fd134d31a4/detection

The default ChromeRobot69.ps1 uses the most obfuscation but still trivial. It also has two shellcode payloads; an executable and a .dll.

The first payload https://www.virustotal.com/gui/file/d391692283a5dee65d00f4e3163e736da942ad2562136094da8613ac106fd5f0/detection

The second https://www.virustotal.com/gui/file/92c19d73d55bfd852d39a81ed471f48f6fb0fb4619022ab2e6853ebaecd85b8e/detection

I haven’t had an opportunity to go through the different shellcode myself and I’m very curious how much deeper this thing goes if someone has the time and inclination to take a stab at it.

submitted by /u/Sybarit
[link] [comments]

August 8, 2023
Read More >>