This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Malspam delivers NanoBot 8-22-2017

AhmedSonbol1
Employee
Employee
‎2017-08-25 12:59 PM

Malspam activity was noted on August 22nd 2017 delivering NanoBot malware via a 'detailed description.xls' Excel spreadsheet with an embedded malicious macro.  According to this threat profile from Microsoft, this backdoor has the following capabilities:

  • Downloading and running files
  • Uploading files
  • Spreading malware to other PCs
  • Logging your keystrokes or stealing your sensitive data
  • Modifying your system settings
  • Running or stopping applications
  • Deleting files

 

In this threat advisory we will discuss the host and network behavior of the malware using RSA NetWitness Suite.

The malicious macro inside our 'delivery description.xls' delivery document contains heavily obfuscated VBA code as shown by RSA pre-release What's This File service in the screenshots below:

 

nanobot-wtf-1.png

 

nanobot-wtf-2.png

 

Upon running the VBA code starts cmd.exe in order to run an encoded powershell command to download, save and run an executable on the infected machine:

 

nanobot-processtree.png

 

nanobot-https.png

 

nanobot-dropped.png

 

According to VirusTotal scan results, the dropped file is a NanoBot variant. Here is the analysis report from hybrid-analysis.com.

Although the download activity took place over SSL, NetWitness Packets registered meta for the session to indicate a missing subject organizational name for the SSL certificate in use:

 

nanobot-ssl.png

 

The malware starts to communicate with its command and control (C2) server using a custom protocol over TCP on destination port 30314:

 

nanobot-other.png

 

nanobot-session.png

 

For this session, NetWitness Packets registered the meta value binary handshake under the indicators of compromise key:

 

nanobot-navigate.png

 

The C2 IP address is associated with other NanoBot samples according to VirusTotal results

Opening the delivery document on a machine with a NetWitness Endpoint agent shows the following chain of events:

 

nanobot-ecat-scandata.png

 

Our friend 'powershell.exe' connects to the delivery domain.

 

nanobot-ecat-powershell.png

 

The next screenshots show the module IIOC's for the newly created process. In addition, they show how it copies itself to a new location on the infected machine, modifies the registry to gain persistency on the system, and connects to the C2 IP address:

 

nanobot-ecat-tracking.png

 

nanobot-ecat-network.png

 

nanobot-ecat-paths.png

 

nanobot-ecat-autoruns.png

 

NanoBot delivery document (SHA256):

  • ab801421c0a70b96f974a575f29d31cdc22a587dc76bd87d341992db39731141

 

NanoBot variant (SHA256):

  • 26e22dc2d7018a728c6f2331361e265ad27aca8c60b6d4479116454880e4d84e
  • 6261814a313b99471d99454e37845d59d5b7425b1574d6408e6b5bc3e1672678

 

All the IOC will be added to FirstWatch C2 feeds as follows:

  • For download domain:
    threat.source = 'rsa-firstwatch'
    threat.category = 'malspam'
    threat.description = 'delivery-domain'

  • For C2 domain:
    threat.source = 'rsa-firstwatch'
    threat.category = 'cnc'
    threat.description = 'nanobot'

 

FirstWatch_banner.png

© 2022 RSA Security LLC or its affiliates. All rights reserved.