A targeted phishing campaign was active in early August 2017 delivering "Подписать документы.doc" (translates to "Sign Documents.doc"), a MS Word document with an embedded macro responsible for dropping both the CHTHONIC banking trojan and DIMNIE spyware to an infected machine. CHTHONIC was discovered in 2014 by Kaspersky security researchers and is considered to be an evolution of ZeusVM malware. DIMNIE is a modular information stealer profiled earlier this year by security researchers at PaloAlto's Unit 42, who found the malware in targeted phishing attacks against open-source developers.
Preliminary investigation of VirusTotal submissions provides some potential insight into the possible targets. In addition to the prevalence of 'RU' country codes, FirstWatch has moderate-to-high confidence that this campaign targeted Russian government and heavy industry (steel in particular).
Submitting the "Подписать документы.doc" delivery document to RSA's pre-release What’s This File service results in a maximum threat score and also provides details as to the embedded VBA code.
Although most of the VBA scripting is obfuscated, the readable strings suggest that the code is writing data to local files, and using cmd.exe and wscript.exe. This activity executes in the background as the user is distracted with the below fake error message.
Upon running the malicious macro, the process tree below depicts the dropping and execution of '3ce8.exe' (SHA256: 7e0712cbc8d75d2d5bd00e689fc69a03a9b7799cba125a88d6bae728cd24b647), a CHTHONIC variant.
Observed post infection traffic generated from this executable appears similar to the traffic to other recent CHTHONIC deliveries as documented in recent RELST campaign activity.
NetWitness Packets tagged this session with different meta keys indicating a highly suspicious outbound network traffic:
NetWitness Endpoint (aka ECAT) agent shows the following tracking data and module Instant IOC’s for '3ce8.exe'.
ECAT also reveals a second payload from our CHTHONIC variant, '3ce8.exe', which drops a new DLL (SHA256: 350fba7fe181a9a4bbbbffabb6442e32456a9b5fc486d3086d55c19fd91db31) and starts a new service using the dropped file to initiate network connections, before finally deleting itself.
While the name of this observed DLL appears to vary from one infected machine to another, this secondary payload is DIMNIE spyware, and closely matches the description as documented in the aforementioned Unit 42 report. In the network traffic below, we observed DNS lookups for C2 domains (spoilerultimate[.]pw, babslarbab[.]host, and babsmarbab[.]top), who's IP addresses are then used to "route" (not really) HTTP proxy requests to legitimate google domains, specifically toolbarqueries[.]google[.]com and gmail[.]com. As thoroughly described in the Unit 42 report, outbound traffic to these two domains appears to be encrypted (AES 256 in ECB mode) C2 and data exfiltration respectively.
While attribution for this campaign remains undetermined, there are several potential nation-state candidates that seem logical given the recent course of political and cyber events in the region.
Thanks to Ahmed Sonbol (who did the bulk of this work!) and Kent Backman for their assistance with this analysis and investigation.
