[BreachExchange] Phishers imitate SEC, abuse Microsoft feature, to distribute DNSMessenger malware

Inga Goddijn inga at riskbasedsecurity.com
Mon Oct 16 20:39:16 EDT 2017


https://www.scmagazine.com/phishers-imitate-sec-abuse-microsoft-feature-to-distribute-dnsmessenger-malware/article/699918/

A spear phishing campaign impersonating the U.S. Securities and Exchange
Commission was recently discovered attempting to infect victims with
DNSMessenger malware, using malicious Word attachments that abuse Microsoft
Windows' Dynamic Data Exchange (DDE) protocol.

Discovered earlier this year, DNSMessenger is a fileless malware program
that avoids detection by secretly establishing command-and-control
communications using an infected machine's Domain Name System TXT record
queries and responses. Previous phishing campaigns delivered the malware as
a final payload following a series of PowerShell commands. According to
researchers from Cisco Talos, the SEC phishing operation employed a similar
infection chain, with the added twist of leveraging DDE for code execution,
as opposed to more commonly used macros or OLE (Object Linking and
Embedding) objects.
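DNS-based C2 of the kind described above leaves a signature in resolver logs: one client sending many TXT queries for unique, long, high-entropy subdomains of a single domain. The following is an added example (not part of the original article, nor Talos's or anyone else's tooling) of a heuristic detector run over a constructed, fictitious query log; the log format, the placeholder domain c2.example and the thresholds are assumptions, and the base-domain extraction is deliberately naive (last two labels) rather than using a public suffix list.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: "epoch client qname qtype". Not real traffic;
# c2.example is a placeholder domain, the random labels stand in for encoded data.
SAMPLE_LOG = """\
1507651200 10.0.0.5 www.example.com A
1507651201 10.0.0.5 _dmarc.example.com TXT
1507651202 10.0.0.5 a9f3kd02lq8z.c2.example TXT
1507651203 10.0.0.5 b7qp11xz9mna.c2.example TXT
1507651204 10.0.0.5 c1lmz88ahq3d.c2.example TXT
1507651205 10.0.0.5 d5zzq0pl2wkx.c2.example TXT
1507651206 10.0.0.5 e8nrt4gv7ycb.c2.example TXT
1507651207 10.0.0.5 f2hs6kqa9vm1.c2.example TXT
1507651208 10.0.0.7 mail.example.org MX
1507651209 10.0.0.7 example.org TXT
"""


def entropy(s):
    """Shannon entropy (bits per character) of a string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def base_domain(qname):
    """Naive registered-domain guess: the last two labels. A production
    detector should use the public suffix list instead (assumption)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Parse the assumed 'epoch client qname qtype' format into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append({"ts": int(ts), "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype.upper()})
    return records


def find_txt_tunnels(records, min_unique=5, min_label_len=8, min_entropy=2.5):
    """Flag (client, domain) pairs whose TXT queries look like a data channel:
    many distinct subdomains whose leading part is long and high-entropy."""
    groups = defaultdict(set)
    for r in records:
        if r["qtype"] != "TXT":
            continue
        groups[(r["client"], base_domain(r["qname"]))].add(r["qname"])

    findings = []
    for (client, domain), names in groups.items():
        # Strip the base domain; queries for the bare domain carry no payload.
        prefixes = [n[:-len(domain) - 1] for n in names if n != domain]
        if len(prefixes) < min_unique:
            continue
        avg_len = sum(len(p) for p in prefixes) / len(prefixes)
        avg_ent = sum(entropy(p.replace(".", "")) for p in prefixes) / len(prefixes)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            findings.append({"client": client, "domain": domain,
                             "unique": len(prefixes),
                             "avg_len": avg_len, "avg_entropy": avg_ent})
    return sorted(findings, key=lambda f: (-f["unique"], f["client"], f["domain"]))


if __name__ == "__main__":
    for f in find_txt_tunnels(parse_log(SAMPLE_LOG)):
        print("suspicious TXT channel: client=%(client)s domain=%(domain)s "
              "unique=%(unique)d avg_len=%(avg_len).1f entropy=%(avg_entropy).2f" % f)
```

The legitimate `_dmarc` TXT lookup and the single `example.org` query fall below the unique-subdomain threshold, while the six queries to `c2.example` from 10.0.0.5 are flagged. Tune the thresholds against your own baseline; CDNs and some anti-spam products also generate bursts of odd-looking TXT queries.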

DDE is a legacy Windows protocol for interprocess communication, such as
transferring data between applications. Earlier this year, researchers at
SensePost showed that a DDE field embedded in a Word document can be abused
to launch an arbitrary command, and so execute malicious code, without
relying on macros.

Microsoft Corporation reportedly chose not to act on the findings, calling
this functionality an intentional feature. However, SensePost noted in a
blog post that Microsoft said it would consider reclassifying the feature
as a bug in the next version of Windows. In the meantime, however, "We are
now seeing it actively being used by attackers in the wild, as demonstrated
in this attack," Talos reported in a blog post authored by researchers
Edmund Brunaghin and Colin Grady, with contributions from Dave Maynor and
@Simpo13.

Asked for comment, a Microsoft spokesperson offered the following
statement: “This technique requires a user to disable Protected Mode and
click through one or more additional prompts. We encourage customers to use
caution when opening suspicious email attachments.”

Craig Williams, senior threat researcher and global outreach manager at
Talos, told SC Media that Cisco's threat intelligence team first observed
the SEC phishing campaign on October 10. In its report, Talos does not
elaborate on which companies were specifically targeted by the phishing
operation, other than to note that the intended victims were similar to
those targeted in prior DNSMessenger campaigns. But Williams informed SC
Media that the targets included insurance, finance, and IT companies.

In this latest attack, the phishers distributed emails that were spoofed to
look like they came from the SEC's Electronic Data Gathering, Analysis, and
Retrieval (EDGAR) system, a platform that corporations use to file their
financial reports. The malicious Word document attached to these emails
contained logos and branding that contributed to the illusion that the SEC
was the sender.

Opening the attachment would trigger a notification indicating that the
document contains links to external files, and asking the user for
permission to update and display this content. Agreeing to do so triggered
the infection: the document's DDE field launched a command that retrieved
malicious code from a compromised government website owned by the state of
Louisiana.
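Because a DDE field is ordinary document markup rather than a macro, it can be found statically before a user ever sees the prompt. The following is an added example, not code from the original article or from Talos: a scanner that unzips a .docx, reassembles each field code (Word splits complex fields across several w:instrText runs, which also defeats a naive string search for "DDEAUTO"), and reports any DDE or DDEAUTO field. The sample document it builds is constructed here with a harmless placeholder command; the file layout it assumes is only what the scanner needs, not a full Word package.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

# DDE and DDEAUTO field codes, optionally wrapped in a leading quote.
# Matching happens on the reassembled field code, so a "DDE" split across
# runs is still caught.
DDE_RE = re.compile(r'^\s*"?\s*DDE(AUTO)?\b', re.IGNORECASE)


def field_codes(xml_bytes):
    """Yield every field instruction in a WordprocessingML part: the w:instr
    attribute of simple fields, and the joined w:instrText runs between the
    begin/end fldChar markers of complex (possibly nested) fields."""
    root = ET.fromstring(xml_bytes)
    for fs in root.iter(W + "fldSimple"):
        yield fs.get(W + "instr", "")
    stack = []
    for el in root.iter():  # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                yield "".join(stack.pop())
        elif el.tag == W + "instrText" and stack:
            stack[-1].append(el.text or "")


def scan_docx(data):
    """Return [(part name, normalised field code)] for each DDE field in a
    .docx given as bytes. Headers, footers and footnotes live in word/ too,
    so every XML part under word/ is scanned, not just document.xml."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                for code in field_codes(z.read(name)):
                    if DDE_RE.search(code):
                        hits.append((name, " ".join(code.split())))
    return hits


# Constructed sample: a document.xml whose DDEAUTO field is split across two
# instrText runs, plus a benign DATE field. The command is a harmless
# placeholder, not the campaign's actual payload.
_MALICIOUS_BODY = r"""<w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText>DD</w:instrText></w:r>
<w:r><w:instrText>EAUTO c:\windows\system32\cmd.exe "/k echo dde-test"</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:t>Loading...</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p>"""
_BENIGN_BODY = r"""<w:p><w:fldSimple w:instr=" DATE "><w:r><w:t>2017-10-10</w:t></w:r></w:fldSimple></w:p>"""


def make_sample_docx(malicious=True):
    """Build a minimal .docx in memory (constructed test input, not a real
    document from the campaign)."""
    body = (_MALICIOUS_BODY if malicious else "") + _BENIGN_BODY
    document_xml = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body>" + body + "</w:body></w:document>"
    )
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
        'officedocument.wordprocessingml.document.main+xml"/></Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for part, code in scan_docx(make_sample_docx()):
        print("DDE field in %s: %s" % (part, code))
```

Run it over a mail quarantine or a sample feed and treat any hit as worth a look: legitimate documents almost never carry DDE fields, and the scanner is cheap enough to run on every attachment. It does not parse legacy .doc (OLE2) files or RTF, which need a different parser.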

The downloaded code, executed via PowerShell, would then commence the
complex infection chain, at which time key blocks of code are decoded and
deobfuscated, and the malware studies the infected system to determine how
best to achieve persistence, based on characteristics such as the user's
privilege level. The malware then sets up the DNS-based C&C infrastructure,
including defining a list of domains that will be used for communications,
before presumably executing the final payload. (Talos is crediting another
researcher known as Wraith Hacker with documenting the final stage of this
infection chain.)

"This attack shows the level of sophistication that is associated with
threats facing organizations today," Talos notes in its blog post. "The use
of DNS as a conveyance for later stage code and C2 communications is also
becoming more and more commonplace."

Unrelated to this phishing campaign, the SEC's EDGAR platform was also
recently breached by hackers who accessed various companies' documents and
used the information gleaned to profit from insider trading.