by RSS Joie Salvio and Rommel Joven  |  Oct 12, 2017  |  Filed in: Security Research

Malware developers use a variety of distribution methods in order to confuse users and evade certain AV solutions. Recently, FortiGuard Labs found a phishing campaign targeting French Nationals. In this campaign, a PDF file with an embedded javascript is used to download the payload from a Google Drive shared link. As it turns out, the downloaded file is an HTA (HTML Application) file, a format that is becoming more and more common as a malware launch point. It is usually used as a downloader for the actual binary payload. However in this campaign, the binary payload, which was later found to be a NanoCore RAT client, is actually embedded in the obfuscated HTA. This way, the HTA effectively serves as a wrapper to try and slip passed traditional file type-based scanning in the network as well as anti-spam services.

Kill Chain Analysis

Fig. 1 Kill Chain

In this spam email campaign, threat actors bait French-speaking users to open a PDF attachment through a fake bank loan offer.

Fig. 2 Spam mail in French with attached malicious PDF

When an unsuspecting user opens the PDF, an embedded Javascript is executed that attempts to download a malicious HTA file from a Google Drive shared link. Fortunately, this event triggers a security warning prompt from Adobe Reader. To get past this warning, however, the threat actors exploit the reputation of the Google download site, which many users may assume to be secured, helping assure them that the file to be downloaded can be trusted. In addition, the PDF text also falsely claims that the user has an outdated Flash Player, implying that the file to be downloaded is a required update.

Fig. 3 Javascript in PDF attempts to download from Google Drive

Google Drive has its own security measures and scans a requested file for viruses before the file is downloaded or shared. Below is the image shown by Google Drive for shared links that are flagged as malicious.

Fig. 4 Google Drive shared link flagged as malicious

In our analysis, however, for some reason the infected file wasn’t detected as malicious, making it an effective attack vector. The downloaded file is an HTA with a VBScript that decodes the embedded binary payload, which is then written to the user’s %TEMP% and executed. After further investigation, the payload was found out to be NanoCore RAT (Remote Administration Tool).

Fig. 5 HTA with embedded binary payload

NanoCore

NanoCore is not a new name in the RAT industry. With a price tag of US$25, NanoCore has been in circulation since as early as 2013 according to some reports. RATs have been hanging in that delicate balance between surveillance and theft, or between simply being an administration tool and an arsenal for cybercrime. As a case in point, it has been reported that NanoCore’s author has pled guilty to selling the tool to cybercriminals. This has not stopped crooks from distributing it however, especially since cracked versions of the tool’s builder are being distributed in hacking forums for free.

Fig. 6 Decompiled NanoCore client

Remote control, file manipulations, download-execute, and password retrievers are just some of the capabilities that NanoCore offers to whoever gets their hands on the builder. Below is a screenshot of a cracked version of the latest NanoCore Builder (1.2.2.0), which was released way back in 2015.

Fig. 7 Cracked version of NanoCore (1.2.2.0 builder)

Solution

  1. FortiMail blocks all spam emails.
  2. FortiGuard Antivirus service detects all related samples. (see IOC)
  3. FortiGuard Webfilter service blocks and tags the download URL and C&C as malicious.

*Download URL has been reported to Google Drive.

Conclusion

Focusing on intrinsic details such as the filename and the download site’s reputation, threat actors continue to use creative ways to gain the trust of users. As shown in this article, this campaign abuses the reputation of Google Drive to deliver a malware, which also includes its own techniques to evade basic security measures.

Furthermore, it seems clear that the case of a RAT developer being found guilty of aiding cybercriminals has not affected the credentials of similar applications circulating in the security industry. And with cracked versions of the tool being accessible to all, along with all the potential benefits of a free administration tool, some curious minds are certain to take the bait. As a result, we are giving the same advice for NanoCore that we did in our previous Ozone RAT article. Not only is its distribution a free ticket to jail, there are scammers out there baiting users with “cracked versions” of the builder, which might turn out to be trojanized or the malware client itself.

-= FortiGuard Lion Team =-

IOC

3f4541fd800b71b1cfc25b665174e8ba7f1ef2c467e124252fea408598d89a65 - PDF/Dloader.GD!tr

cce86a03876eac85f779fa248d86ecaea6aecef9a783a58899f5ea3ed3b8c857 - MSIL/Nanocore.BT!tr

d547a836f83e166be6c1e639c61889bdbcf429a9b1ea50a45e2f51e80a2eff31 - VBS/Dropper.GD!tr

C&C:

42.202.71.145:47581

41.207.196.84:47581

Sign up for our weekly FortiGuard intel briefs or to be a part of our open beta of Fortinet’s FortiGuard Threat Intelligence Service.

by RSS Joie Salvio and Rommel Joven  |  Oct 12, 2017  |  Filed in: Security Research