This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

MalSpam Delivers ZBot Variant 9-6-2017

RajasSave
Respected Contributor Respected Contributor
Respected Contributor
‎2017-09-08 04:18 PM

On September 6th, malspam delivered a malicious RTF document that tries to exploit Microsoft Office/WordPad via a remote code execution (RCE) Vulnerability in the Windows API, CVE-2017-0199 [1][2]. This document has been spotted in-the-wild travelling as an email attachment with different names; one of which is “Remittance details.doc” (VirusTotal analysis).  

docfileVT.PNG

docfilevtSub.PNG

Opening the document in a vulnerable Microsoft Word application led to the following network events:

nwactivity.png

Below is a breakdown of the network activity.  First "blabla.hta" (VirusTotal and Hybrid-Analysis) was downloaded; this file contains an obfuscated script with a powershell command.  

nwhtapacket.PNGnwFile.PNG

  

Next the powershell command runs and downloaded an executable, “halizeuskins.exe” (VirusTotal and Hybrid-Analysis). 

nwpacketexe.PNG

fileexenw.PNG

 

Once the download is complete, the binary is executed and post-infection traffic started.

zbot-post-infection-1.png

zbot-post-infection-2.png

Current RSA NetWitness detection populates following meta for the download sessions:

nwMeta.PNG

nw2Meta.PNG

For communication with the C2 domain, the following meta was populated for those sessions in NetWitness Packets:

reedlingNwMeta.PNG

reedlingNwMeta2.PNG

Pivoting off the registration information of the C2 domain "reedling.com[.]ng", FirstWatch found a group of domains registered using the same e-mail address (see appendix).

zbot-graphic2.png

Some of those domains are associated with different malware samples (see appendix). The post-infection network behavior of one of them (SHA256:e078e842c1006c972a65dcb71cf6ae5b38ba5074ea19f999f9879e8ec73a65f2) is similar to the one under our investigation. VirusTotal analysis results for that sample suggest it is a Zbot variant.

 

zbot-similar-traffic.png

  

More information about Zbot variants and their detection using RSA NetWitness Suite:

 

You can also check FirstWatch recent threat advisory on the recent uptick in malspam attempting to exploit CVE-2017-0199,
https://community.rsa.com/community/products/netwitness/blog/2017/08/31/malspam-and-cve-2017-0199 

 

Thanks go to Ahmed Sonbol and Kevin Stear for contributing to this threat advisory.

FirstWatch_banner.png

References:

ZBot Domains and Malware Hashes Appendix.txt.zip
ZBot Domains and Malware Hashes Appendix.txt.zip
0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.