Beware:Emails Delivering Backdoor and Injecting Malicious Scripts into Enterprise Networks

Nowadays Email campaign playing major role to spreading Malwares, backdoor and advance exploit to take over the single target and Enterprise networks.

A New Backdoor Contained Malicious Email champaign that carries Malicious scripts which are spreading in Russian Language and it seems that , this malicious email campaign is developed for attacking Russian Enterprises.

This Malicious Backdoor delivering by a combination of exploits and Windows components helps to take over the infected victims Machine.

This Malicious component not only developed to infect the Enterprise network but also capable of attacking the other industries such as financial institutions, including banks, and mining firms.

Also Read   A Complete Fileless Malware “JS_POWMET” with Highly Sophisticated Evasion Technique

Backdoor Infection Chain

A Social Engineering Method Called Spear Phishing Champaign has played major role in this Part to infect the target Via Email.

A Malicious Email that contains legitimate information and it’s completely looks like an actual Sales and Billing information which is given in Russian Language.

“Email also having an Attached Document file as .DOC in Different file names in russian Language.Инструкция для подключения клиентов.doc (Instructions for connecting clients) and Заявление на оплату услуги .doc (Application for payment of the service).”

Malware Attacked Email

Attacked Document has Embedded with Malware Rich Text Format (RTF) file Detected as TROJ_EXPLOYT.JEJORC by Trend Micro.

Further, Analyse  Revealed that, the Malicious file contains embedded .XLS Malicious javascript files from this URL ( hxxps://wecloud[.]biz/m11[.]xls).

All the malicious URL used for this attacks are controlled by the attacker that was Registered on July ,Trend Micro said.

Attack Chain

This Malicious javascript file dropped Two Powershell script . One script used to download and launch the Malformed Document and another script continue the chain of infection.

After Download the another file by second Powershell script , downloaded file will be decrypted using AES-CBC Cipher Algorithm.

Once Decryption has done ,file will be saved as .TXT Extension to the %Appdata% .The decrypted file is a dynamic-link library (DLL) file detected as TROJ_DROPNAKJS.ZGEG-A.

The JavaScript code in m11.xls will then execute the file using the following command line:

odbcconf.exe /S /A {REGSVR C:\Users\Administrator\AppData\Roaming\{RANDOM}.txt}

Dropped file into %Appdata% has malicious, obfuscated JavaScript file (JS_NAKJS.ZIEG-A).

Finall, DDL will Execute the following Command that uses MS Regsvr32 (Microsoft Server Registry)that has used to register and unregister the OLE controls.

regsvr32.exe /s /n /u /i:”C:\Users\Administrator\AppData\Roaming\{RANDOM}.txt” scroBj.dll

This attack method is also known as Squiblydoo—Regsvr32 is abused to bypass restrictions on running scripts. It also means evading application whitelisting protections such as AppLocker. While Squiblydoo is already a known attack vector, this is the first time we’ve seen it combined with odbcconf.exe.

Finally after Deobfuscated done ,it will execute another XML file then later the file serves as the main backdoor .