Cyren : Christmas Eve Warning! Malware Targeting Amazon Shoppers

Shopping for Christmas gifts has never been easier, especially with Amazon-and who doesn't use Amazon? This is why using fake Amazon orders is a favorite method bad actors have been using this time of year to bait rushed Christmas shoppers. As a warning to anybody (everybody?) caught up in receiving last-minute Amazon deliveries, we've come across a malicious email campaign (see image below) to install a variant of the Emotet malware, a polymorphic banking Trojan that is virtual machine-aware and primarily functions as a downloader or dropper of other malwares.

The gift that keeps on giving

Since it's a Trojan, that means the malicious campaign could have one of many objectives (or multiple objectives!)-once a user has installed it, what happens next depends on what module the cybercriminal decides to deploy, although it's usually a module intended to steal passwords or to steal emails.

Figure 1: Fake email pretending to be an Amazon order confirmation

The above email, which appears to be an order confirmation from Amazon, is anything but-it is part of a large malware campaign which is proving very active during this Christmas 2018 holiday season. If the recipient is puzzled by the suggestion of an Amazon order they don't believe they made (which they didn't) and clicks on the order details button, a file named 'ORDER_DETAILS_FORM.doc' is downloaded that contains a malicious macro, and the user is asked to enable the content.

Figure 2: User is asked to enable content to view online Word doc

Under the hood: Garbage code and obfuscation used

Checking the contents of the macro code, at first glance it appears to be obfuscated. But careful inspection reveals that most of it is just garbage code. The important part is the interaction where the Shell method executes a command line.

Figure 3: Shell method executed command line

The shell command content is also a bit obfuscated, including a directory traversal at the start of the command and uses: '%PROGRaMDatA:~0,1%%prOGrAMdatA:~9,2%' which is equal to 'CmD'

Figure 3: PowerShell script variable shown in red box

The value of '2khP' shown in the red box in figure 3 is a PowerShell script which is reversed. (The image of the code shown below was organized for readability.) Here we can see that the 'PowerShell' string is also obfuscated by using 'pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll'. The script will try and download the EXE payload on one of the following sites:

• hxxp://patrickhouston.com/yGW2p6bq
• hxxp://parii.com/piwik/tmp/4KfmNmAnm1
• hxxp://psyberhawk.com/kDjKJgkew1
• hxxp://panjabi.net/79yH0YT
• hxxp://pcmindustries.com/FsABdpKjM

Figure 4: Destination download sites shown

Emotet Config

RSA key:

MGgCYQC85l/bn+S+cQ/4lPukQ3PWwsNtZzOqJQJRNdoN+sTQx8cd86j1WD/K8ZfcuvW0TUmvm3U13lLQ7ZsyGl1dppBePSSl8/PvdaIbbC/x/sJ8mp/7Q1IiwRuojhHT4yJap28CAwEAAQ==

CnC:

103.9.226.57:443
109.104.79.48:8080
115.160.160.134:80
130.241.16.154:80
133.242.208.183:8080
138.68.139.199:443
144.76.117.247:8080
159.65.76.245:443
165.227.213.173:8080
179.60.24.164:50000
181.168.130.219:8090
181.197.253.133:8080
185.86.148.222:8080
187.137.178.62:443
187.140.90.91:8080
190.13.222.120:8080
190.147.19.32:443
190.73.133.66:8080
192.155.90.90:7080
198.199.185.25:443
198.61.196.18:8080
201.190.150.60:443
210.2.86.72:8080
213.120.119.231:8443
219.94.254.93:8080
23.254.203.51:8080
49.212.135.76:443
5.9.128.163:8080
60.48.92.229:80
69.198.17.20:8080
70.28.2.171:8080
70.55.69.202:7080
78.189.21.131:80
81.150.17.158:50000
81.150.17.158:8443
86.43.100.19:443
92.48.118.27:8080

Indicators of Compromise and Cyren Detection

SHA256	Object Type	Remarks	Detection
5748091ed2f71992fac8eda3ca86212d942adfad28cfd7c1574c5f56b4d124d4	Email	Your Amazon.com order.eml	HTML/Downldr.BE
d17017dd6b262beede4a9e3ec41877ee1efcd27f7dff1a50fc1e7de2d45c1783	DOC	ORDER_DETAILS_FORM.doc	W97M/Agent.gen
40583fafdb858bef8aace8ae91febbbc98eded8c0590e01fb4fafe269fdf002c	W32 EXE	compareiface.exe	W32/Emotet.LD.gen!Eldorado