A generic trojan (Trojan.GenericKD.31288648) has been distributed via email inside a compressed .rar file attached to a message sent to the victim. These files follow the pattern “faktura_****_****.rar”. When the archive is extracted, a file with the same name but with the .vbs extension is available to be executed by the victim. It is a trojan built in Visual Basic.

At the time of publication, the trojan files listed below were known (all have the same signature: 15f570598cdcd25d7d90039286775696).

• faktura_161018_108750087.rar > faktura_161018_108750087.vbs
• faktura_161018_108750081.rar > faktura_161018_108750081.vbs
• faktura_161018_108750084.rar > faktura_161018_108750084.vbs
• faktura_161018_1087500810.rar > faktura_161018_1087500810.vbs
• faktura_161018_108750083.rar > faktura_161018_108750083.vbs
• faktura_161018_108750085.rar > faktura_161018_108750085.vbs
• faktura_161018_108750088.rar > faktura_161018_108750088.vbs

 

This malware has been distributed via e-mail from compromised servers in Central and Eastern European countries such as Russia, Poland, and the Czech Republic.

According to the data obtained by SI-LAB, the first occurrence of this trojan horse was on October 16, 2018.

In the email body attackers are sending the following message:

Witaj,=20
W zalaczeniu zestawienie do rozliczenia kosztow.=20
Pozdrawiam,=20
Tomasz Wozniak=20

 

Translated into English, it reads:

Hello,
Attached is the statement for cost settlement.
Regards,
Tomasz Wozniak

 

The subject of the email is “Faktura“.

As indicators of compromise, this malware communicates with the following hosts: (i) www.ti.com, (ii) macmall.fun and (iii) 192.3.207.126. A file called general[1].htm is also dropped during the trojan's execution. This file has the following content: “Fax id: 00147241534”; however, it is not used during the malware's operation.

Finally, a shell is executed on the victim’s machine that could receive connections from criminals, allowing them to access the machine and steal sensitive content, install new malware, or even implant a persistent threat on the infrastructure.

Recommendation: Be cautious when downloading and executing suspicious files from your email inbox.

 

Deep Analysis

The malicious email was extracted from a POP3 communication between two machines in a corporate network (see Figure 1 below).


Figure 1: TCP Follow – malicious email.

 

By analyzing the e-mail header, it is possible to identify that the attackers used a compromised service geolocated in Poland. The attackers used this service to send fraudulent campaigns through third-party servers, attaching specially crafted malware to compromise victims’ computers.

 

Malware Static Analysis

Since this threat was produced and distributed in VBS, we analyzed the source-code as it is fully readable.

Trojan details
MD5: 15f570598cdcd25d7d90039286775696
SHA-1: 53b414f69ce294433a42394b7d1bb3f49b1bd709
Magic: ASCII text
File Size: 3.18 KB

 


Figure 2: Part of the trojan source-code.

 

Filenames with the same signature:

• faktura_161018_108750087.vbs
• faktura_161018_108750081.vbs
• faktura_161018_108750084.vbs
• faktura_161018_1087500810.vbs
• faktura_161018_108750083.vbs
• faktura_161018_108750085.vbs
• faktura_161018_108750088.vbs

 

The IOCs are held in the list named “iocs”, shown in the pseudo-code below.

iocs = {
[0] = "macmal.fun",
[1] = "www.ti.com",
[2] = "192.3.207.126"
}

 

During its execution, the trojan attempts to access these URLs in order to obtain some information (probably from a C2) and to inform the trojan author that a new machine is available to be exploited in the wild.

The trojan executes every 7.1 seconds, and randomly requests the IOCs — as you can see from the pseudo-code below.

Next, a Windows shell is started on the infected machine. If the shell is executed successfully, the skey value is read from the Windows registry under “HKEY_CURRENT_USER\”, and if it has the value “saa”, the command with the argument 2341 is executed.

This value is part of the “malicious_intructions” list defined by the malware author.

 

Pseudo-code

Figure 3: Trojan – pseudo-code.

 

We reproduced the trojan's behavior, and the file general[1].htm was dropped when the following request was performed.

GET http://www.ti.com/general.php?fix=227626&&opt=147241534&see

 

This file contains the following content:

Fax id: 00147241534

 

We were unable to identify the purpose or importance of this file during malware execution.

 

IOCs
23.60.24.192
192.64.119.37
192.3.207.126
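
The indicators above can be turned into a simple triage check for mail-gateway attachments and proxy-log URLs. The following is an added example, not code from the original analysis or from the malware; the function names, the regular expression generalised from the listed filenames, and the sample inputs are assumptions made for illustration.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from the report above.
KNOWN_MD5 = "15f570598cdcd25d7d90039286775696"
KNOWN_SHA1 = "53b414f69ce294433a42394b7d1bb3f49b1bd709"
# The report spells the domain both ways, so both spellings are listed.
BAD_HOSTS = {"macmall.fun", "macmal.fun", "192.3.207.126",
             "23.60.24.192", "192.64.119.37"}
# Generalised from the listed names: faktura_<6 digits>_<digits>.rar|.vbs
NAME_RE = re.compile(r"^faktura_\d{6}_\d+\.(rar|vbs)$", re.IGNORECASE)


def check_attachment(filename, data):
    """Return the list of reasons an attachment matches the campaign."""
    reasons = []
    if NAME_RE.match(filename):
        reasons.append("filename-pattern")
    if hashlib.md5(data).hexdigest() == KNOWN_MD5:
        reasons.append("md5")
    if hashlib.sha1(data).hexdigest() == KNOWN_SHA1:
        reasons.append("sha1")
    return reasons


def check_url(url):
    """Return a reason string if a proxy-log URL matches, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in BAD_HOSTS:
        return "ioc-host"
    # Assumption: www.ti.com alone is too broad to alert on, so it is
    # matched only together with the general.php path seen in the report.
    if host == "www.ti.com" and parts.path == "/general.php":
        return "ti.com-general.php"
    return None


# Constructed sample input (not captured traffic), except the first URL,
# which is the request quoted in the report.
SAMPLE_URLS = ["http://www.ti.com/general.php?fix=227626&&opt=147241534&see",
               "http://www.ti.com/index.html",
               "http://192.3.207.126/x",
               "http://example.org/"]

if __name__ == "__main__":
    print(check_attachment("faktura_161018_108750087.vbs", b"constructed"))
    for url in SAMPLE_URLS:
        print(url, check_url(url))
```

A filename-only match is a weak signal on its own, since “faktura” is a common word in invoice attachments; a hash match or a network hit alongside it is what makes the finding worth escalating.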