
Foreign criminal gangs have also resumed work and launched phishing attacks against relevant domestic units

Recently, during routine sample monitoring, the Qi'anxin Virus Response Center found that an overseas hacker group had sent phishing emails to relevant units in the name of a domestic bank, luring recipients into opening the attachment and thereby running a malicious program, which led to the theft of unit information and confidential files.
The sample uses a currently popular obfuscator, performs several in-memory loads during execution, and finally runs the NanoCore remote control, which connects to a remote server and uploads sensitive data.
Monitoring on the Qi'anxin big data platform shows that relevant domestic units have already been compromised. To prevent the threat from spreading further, the Virus Response Center is responsibly disclosing and analyzing the relevant samples.
Mail Analysis

The sender closely imitates the mail system of AVIC Ships (@avicships.com); AVIC Ships' real email domain is @avicship.com. The only difference is a single "s", which is very easy to miss.

The attachment content is as follows:

From the attachment name, it can be judged that the hacker group does not seem to understand Chinese.
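The lookalike-domain trick above (avicships.com vs. the genuine avicship.com, and the avicships.net variant mentioned later in this report) is the kind of thing a mail gateway can flag mechanically. The following is an added example, not code from the report or from Qi'anxin; the From: header values are constructed, and the protected-domain list is an assumption.

```python
"""Flag sender domains that imitate a protected domain by one edit.
Added example, not part of the Qi'anxin report. The real domain avicship.com
and the spoofs avicships.com / avicships.net come from the report; the From:
header values below are constructed.
"""

PROTECTED_DOMAINS = {"avicship.com"}  # domains the mail gateway protects (assumed)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute) by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: value such as 'Name <user@host>'."""
    addr = from_header.rsplit("<", 1)[-1].rstrip(">").strip()
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str, protected=PROTECTED_DOMAINS) -> "str | None":
    """Return the protected domain that `domain` imitates, or None.
    Only the label left of the TLD is compared, so avicships.net (extra letter
    plus TLD swap) is caught, as is a pure TLD swap such as avicship.net.
    """
    if domain in protected:
        return None
    label = domain.rsplit(".", 1)[0]
    for legit in protected:
        if edit_distance(label, legit.rsplit(".", 1)[0]) <= 1:
            return legit
    return None


def triage(from_headers: list) -> list:
    """Return (sender_domain, imitated_domain) for every suspicious header."""
    hits = []
    for header in from_headers:
        domain = sender_domain(header)
        if legit := lookalike_of(domain):
            hits.append((domain, legit))
    return hits


SAMPLE_FROM_HEADERS = [  # constructed
    "AVIC Ships Finance <finance@avicships.com>",  # the spoof in this report
    "procurement@avicships.net",                   # the variant seen later
    "Colleague <someone@avicship.com>",            # genuine domain
    "Vendor <noreply@example.com>",                # unrelated sender
]
```

Run `triage(SAMPLE_FROM_HEADERS)` to see only the two spoofed senders flagged; widening `PROTECTED_DOMAINS` to every partner domain a unit does business with is what makes the check useful in practice.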
Sample analysis
File name: CIBC payment instruction.exe
MD5: 8aecbcff2863ca8fb5f6eb352f95d608
Packer/compiler: Asprotect
Type: PE file
After unpacking, the obfuscator, written in Delphi, copies itself to the %appdata%/Microsoft directory as microsoft.exe during execution and starts that copy. It then self-decrypts a block of code:

It drops microsoft.vbs in the Startup directory for persistence:

It creates a new instance of itself for process replacement:

The PE substituted into the process is written in VC and reads data from its resource section, acting as a loader:

Finally, the payload is loaded in memory: the NanoCore remote control, written in .NET, with an Eazfuscator layer added on the outside:

NanoCore's C2 domain names: btcexchamge.duckdns.org, storexchange.duckdns.org
Association analysis
During daily sample monitoring we found that the Delphi-written obfuscator used by the gang is also used by ransomware. The latest variant of the Hakbit ransomware (.ravack) also uses the Delphi-written obfuscator, but its execution flow differs slightly: no persistence operation is performed; instead it checks for the presence of a virtual machine, then allocates a block of memory and calls into shellcode.

The shellcode's function is still process replacement. The substituted PE is the same as in the analysis above, a loader written in VC, which finally loads the Hakbit ransomware into memory.
From the differences in the behavior of the outer Delphi layer, we can conclude that the obfuscator is quite mature and likely offers many options for its users. A large amount of malware is expected to use this obfuscator in the future.
By correlation on Qi'anxin's multi-dimensional big data platform, we found that the group also impersonates Deutsche Bank to conduct similar attacks on German-related companies.

File name: Deutsche Bank AG Instruction.exe
MD5: 452fe9d3b013a98568355342b79e9b6a
Packer/compiler: Autoit
Type: PE file
The AutoIt script injects NanoCore into the RegSvcs.exe process:

The C2 is the same as above.
The group also forges DHL mail:

File name: Parcel information.exe
MD5: 744d77a3c5859d9acf5dd7b13ce7fab4
Packer/compiler: VB
Type: PE file
The VB code injects NanoCore into the RegAsm.exe process. C2: doublegrace.ddns.net
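The execution chain described above (self-copy to %appdata%/Microsoft, a .vbs dropped in the Startup folder, NanoCore injected into RegSvcs.exe or RegAsm.exe, and beaconing to the dynamic-DNS C2 domains) gives a defender several host- and network-level signals. The following is an added example, not code from the report or any Qi'anxin product: simple detection rules run over constructed Sysmon-style JSON events; the event schema and the user-writable-parent heuristic are assumptions.

```python
"""Detection logic for the NanoCore delivery chain described in this report.
Added example, not part of the Qi'anxin report or any product. The events are
constructed Sysmon-style JSON lines; the paths, process names and C2 domains
in them come from the report; the event schema is an assumption.
"""
import json
import re

C2_DOMAINS = {"btcexchamge.duckdns.org", "storexchange.duckdns.org", "doublegrace.ddns.net"}
INJECT_TARGETS = {"regsvcs.exe", "regasm.exe"}  # hosts NanoCore after injection
STARTUP_VBS = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.vbs$", re.I)
APPDATA_COPY = re.compile(r"\\appdata\\roaming\\microsoft\\microsoft\.exe$", re.I)
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads)\\", re.I)


def check_event(ev: dict) -> list:
    """Return the names of the rules this event triggers (empty when benign)."""
    hits, kind = [], ev.get("event")
    if kind == "file_create":
        path = ev.get("path", "")
        if STARTUP_VBS.search(path):
            hits.append("vbs_dropped_in_startup")  # persistence step
        if APPDATA_COPY.search(path):
            hits.append("self_copy_appdata_microsoft_exe")
    elif kind == "process_create":
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        # RegSvcs/RegAsm are .NET tools; a parent in a user-writable folder is the injection pattern.
        if image in INJECT_TARGETS and USER_WRITABLE.search(ev.get("parent_image", "")):
            hits.append("dotnet_utility_spawned_from_user_dir")
    elif kind == "dns_query":
        if ev.get("query", "").lower().rstrip(".") in C2_DOMAINS:
            hits.append("known_nanocore_c2_domain")
    return hits


def scan(log_lines: list) -> list:
    """Run check_event over JSON lines and return (rule, host) pairs."""
    alerts = []
    for line in log_lines:
        ev = json.loads(line)
        alerts.extend((rule, ev.get("host", "?")) for rule in check_event(ev))
    return alerts


SAMPLE_EVENTS = [  # constructed telemetry; ws3 is a benign build host
    {"event": "file_create", "host": "ws1", "path": r"C:\Users\u\AppData\Roaming\Microsoft\microsoft.exe"},
    {"event": "file_create", "host": "ws1", "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.vbs"},
    {"event": "process_create", "host": "ws2", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", "parent_image": r"C:\Users\u\AppData\Local\Temp\Deutsche Bank AG Instruction.exe"},
    {"event": "process_create", "host": "ws3", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", "parent_image": r"C:\Program Files\MSBuild\msbuild.exe"},
    {"event": "dns_query", "host": "ws2", "query": "storexchange.duckdns.org"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]
```

`scan(SAMPLE_LOG)` raises four alerts on ws1 and ws2 and none on ws3, whose RegSvcs.exe was started by a build tool; the C2 domain match is the only rule that depends on this campaign's indicators, the other three describe the technique and survive a change of domains.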
Over the past two years, the Virus Response Center has detected more and more business emails that spoof AVIC Ships as the sender. If the recipient is not paying attention, it is hard to tell them from the genuine article, and the result is execution of malicious code and theft of company data.
For example, with the sender @avicships.net:

File name: New Project – Marine Altantic.doc
MD5: 3bb5deb9ca20a1fe586b2a8a68ccc68f
Packer/compiler: Rtf
Type: Word document
The document exploits the 11882 vulnerability to download a payload from a remote server (hxxp://dubem.top/ nwama/nwama.exe); the domain is no longer reachable.

Summary
At present, more and more overseas hacker groups are sending carefully forged phishing emails. Because the email content is in Chinese, the forgery is very realistic, and the relevant personnel have low security awareness, companies have ultimately suffered large financial losses. The Qi'anxin Virus Response Center therefore reminds users working remotely from home during the epidemic not to open emails or executable files from unknown sources, and to improve their personal security awareness so as to prevent the theft of private information. The Qi'anxin Virus Response Center will continue to investigate and track domestic cybercrime groups.
At the same time, the full product line based on threat intelligence data from the Qi'anxin Threat Intelligence Center, including the Qi'anxin Threat Intelligence Platform (TIP), Tianqing, the Tianyan Advanced Threat Detection System and Qi'anxin NGSOC, already supports accurate detection of this family.
IOC
File Hash:
8aecbcff2863ca8fb5f6eb352f95d608
452fe9d3b013a98568355342b79e9b6a
744d77a3c5859d9acf5dd7b13ce7fab4
Domain:
btcexchamge.duckdns.org
storexchange.duckdns.org

Republished by www.internetweblist.com (the views are the original author's, not the site's): http://www.internetweblist.com/News/21852.html
