The payload is a commercial version of the Imminent Monitor tool, which is openly sold as legitimate software. Its developers explicitly prohibit any use of the tool in a malicious way – a prohibition that bad actors are clearly ignoring.
Imminent Monitor includes two modules for recording video from a victim’s webcam, along with three others that contain different spy and control functionalities, such as looking at file contents on the victim’s machine.
A Long and Winding Kill Chain
FortiGuard Labs said that the multi-stage attacks use a whole bag of tricks to carry out their dirty work, including spoofed emails, malicious Office documents and a variety of unpacking techniques for Imminent Monitor, which functions as a remote access trojan (RAT).
The kill chain starts, as many attacks do, with fraudulent emails. In this case, they purport to be from Korean consumer electronics giant Samsung. FortiGuard researchers said that the nature of the mails suggests a targeted attack, not just a “spray-and-pray” random spam campaign.
“The email was specifically sent to the service company that repairs Samsung’s electronic devices,” the firm said in an analysis on Thursday, adding that the emails contain Excel files with the same naming convention that the targeted company uses in legitimate transactions.
Further, the spreadsheet files, which may have been lifted from a legitimate source, have been weaponized with an exploit for a vulnerability, CVE-2017-11882, in a 17-year-old piece of software.
“The use of exploits is more efficient than the use of simple executable files, especially since the level of threat-awareness among users has sufficiently grown in recent years,” the team said. “It is simply not that easy to trick a user into opening an executable file as it was before. Exploits are a different case.”
Interestingly, the vulnerability exists in an Office component called the Equation Editor (eqnedt32.exe), which allows users to insert mathematical and scientific equations into documents. It was kept around for compatibility reasons despite being flawed. Last year, Microsoft manually patched a buffer overflow bug in it — the flaw used in these campaigns.
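Because the lure documents carry an embedded Equation Editor object, a defender triaging mail attachments can look for that object directly rather than for the exploit itself. The scanner below is an added example (not Fortinet's code and not from the article) that opens an OOXML file such as .xlsx or .docx as a zip archive and reports any embedded OLE object whose ProgID or CLSID identifies Equation Editor. The CLSID used is the well-known Equation Editor 3.0 class identifier; the sample workbook it scans is constructed inline and contains no exploit, only the object reference.

```python
import io
import re
import uuid
import zipfile
from typing import List

# Equation Editor 3.0 (ProgID "Equation.3") class identifier. Embedded OLE
# objects carry it in little-endian binary form inside the compound-file
# directory, so we search the raw bytes of each embedded .bin part.
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le

# Worksheet / document XML references embedded objects by ProgID.
PROGID_RE = re.compile(rb'progId="(Equation\.[23])"', re.IGNORECASE)


def find_equation_objects(blob: bytes) -> List[str]:
    """Return one finding per Equation Editor reference inside an OOXML file.

    Returns an empty list for clean files and for inputs that are not zip
    archives (legacy .xls/.doc containers need an OLE parser instead).
    """
    findings: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return findings

    for info in zf.infolist():
        data = zf.read(info.filename)

        # 1. ProgID attributes in sheet/document XML (<oleObject progId="Equation.3" .../>)
        for m in PROGID_RE.finditer(data):
            findings.append(f"{info.filename}: oleObject progId={m.group(1).decode()}")

        # 2. The embedded OLE compound file itself, stored under */embeddings/
        if "/embeddings/" in info.filename and info.filename.endswith(".bin"):
            if EQNEDT_CLSID in data:
                findings.append(f"{info.filename}: Equation Editor CLSID in embedded OLE object")
            elif b"Equation.3" in data or b"Equation.2" in data:
                findings.append(f"{info.filename}: Equation Editor ProgID string in embedded OLE object")
    return findings


def _make_xlsx(sheet_xml: str, ole_blob: bytes) -> bytes:
    """Build a minimal, constructed workbook-like zip for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/worksheets/sheet1.xml", sheet_xml)
        if ole_blob:
            zf.writestr("xl/embeddings/oleObject1.bin", ole_blob)
    return buf.getvalue()


def build_suspicious_xlsx() -> bytes:
    # Constructed sample: an OLE compound-file signature, padding, then the
    # Equation Editor CLSID where a directory entry would hold it. No exploit
    # content is present; only the object reference a scanner keys on.
    ole = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 72 + EQNEDT_CLSID + b"\x00" * 16
    sheet = ('<worksheet><oleObjects><oleObject progId="Equation.3" '
             'shapeId="1025" r:id="rId1"/></oleObjects></worksheet>')
    return _make_xlsx(sheet, ole)


def build_clean_xlsx() -> bytes:
    return _make_xlsx("<worksheet><sheetData/></worksheet>", b"")


if __name__ == "__main__":
    for label, blob in (("suspicious", build_suspicious_xlsx()),
                        ("clean", build_clean_xlsx())):
        print(label, find_equation_objects(blob))
```

Run against a mail attachment quarantine, the two checks complement each other: the ProgID attribute survives even when the embedded object is renamed, while the CLSID check catches objects referenced from parts the regex does not cover. RTF carriers and legacy binary Office formats, which this campaign does not use according to the article, need a separate parser.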
Rumors have gone around that choosing to patch the binary file rather than fixing the code itself suggests Microsoft lost the source code of the flawed feature, FortiGuard pointed out.
“The malware authors clearly love this vulnerability because it allows them to achieve a stable exploitation across all current Windows platforms,” the researchers said.
From there, the exploit’s shellcode looks at the export directory of kernel32.dll on the targeted machine and locates the addresses of two key functions: LoadLibraryA and GetProcAddress. These are then used to obtain the addresses of the other functions the attack needs, including one used to determine the exact landing location for the payload, which varies by platform.
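The export-directory walk described above is the same structure an analyst parses when reconstructing what a dumped image exports or when annotating this kind of shellcode during a disassembly session. The following is an added example, not code from the article or from FortiGuard: a small export-table parser that works over a PE image as it would appear in memory (so an RVA is a plain offset into the buffer), together with a constructed, minimal PE32+ image that exports three names. For real files on disk, a library such as pefile does the section-to-file-offset mapping this example deliberately omits.

```python
import struct
from typing import Dict


def _cstring(image: bytes, off: int) -> str:
    end = image.index(b"\x00", off)
    return image[off:end].decode("ascii")


def parse_exports(image: bytes) -> Dict[str, int]:
    """Map export names to function RVAs for a flat (memory-mapped) PE image."""
    if image[:2] != b"MZ":
        raise ValueError("missing DOS header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")

    opt = e_lfanew + 4 + 20                      # skip signature + COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    dd_off = 112 if magic == 0x20B else 96       # DataDirectory start: PE32+ vs PE32
    num_dirs = struct.unpack_from("<I", image, opt + dd_off - 4)[0]
    if num_dirs == 0:
        return {}
    export_rva, _export_size = struct.unpack_from("<II", image, opt + dd_off)
    if export_rva == 0:
        return {}

    # IMAGE_EXPORT_DIRECTORY: NumberOfNames @24, AddressOfFunctions @28,
    # AddressOfNames @32, AddressOfNameOrdinals @36
    num_names, addr_funcs, addr_names, addr_ords = struct.unpack_from("<IIII", image, export_rva + 24)

    exports: Dict[str, int] = {}
    for i in range(num_names):
        name_rva = struct.unpack_from("<I", image, addr_names + 4 * i)[0]
        ordinal = struct.unpack_from("<H", image, addr_ords + 2 * i)[0]
        func_rva = struct.unpack_from("<I", image, addr_funcs + 4 * ordinal)[0]
        exports[_cstring(image, name_rva)] = func_rva
    return exports


def export_module_name(image: bytes) -> str:
    """Name stored in the export directory (e.g. 'kernel32.dll')."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    opt = e_lfanew + 24
    dd_off = 112 if struct.unpack_from("<H", image, opt)[0] == 0x20B else 96
    export_rva = struct.unpack_from("<I", image, opt + dd_off)[0]
    return _cstring(image, struct.unpack_from("<I", image, export_rva + 12)[0])


def build_test_image() -> bytes:
    """Constructed minimal PE32+ image (headers + export directory only)."""
    img = bytearray(0x300)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                      # e_lfanew
    img[0x80:0x84] = b"PE\x00\x00"
    # COFF header: x64, 1 section, no symbols, 240-byte optional header
    struct.pack_into("<HHIIIHH", img, 0x84, 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", img, opt + 108, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 112, 0x200, 0x100)        # export directory RVA/size

    pool = [0x2A0]                                               # string pool cursor

    def put(s: str) -> int:
        off = pool[0]
        data = s.encode("ascii") + b"\x00"
        img[off:off + len(data)] = data
        pool[0] += len(data)
        return off

    dll_name = put("kernel32.dll")
    # Names are kept sorted, as real export tables are (the loader binary-searches them).
    names = ["GetProcAddress", "LoadLibraryA", "VirtualAlloc"]   # constructed RVAs below
    rvas = [0x1000, 0x2000, 0x3000]
    struct.pack_into("<IIHHIIIIIII", img, 0x200, 0, 0, 0, 0, dll_name, 1,
                     len(names), len(names), 0x240, 0x260, 0x280)
    for i, (name, rva) in enumerate(zip(names, rvas)):
        struct.pack_into("<I", img, 0x240 + 4 * i, rva)          # AddressOfFunctions[i]
        struct.pack_into("<I", img, 0x260 + 4 * i, put(name))    # AddressOfNames[i]
        struct.pack_into("<H", img, 0x280 + 2 * i, i)            # AddressOfNameOrdinals[i]
    return bytes(img)


if __name__ == "__main__":
    image = build_test_image()
    print(export_module_name(image), parse_exports(image))
```

The ordinal indirection is the detail worth noticing: the name array and the function array are not parallel, so a lookup that indexes AddressOfFunctions by name position rather than by the ordinal returned from AddressOfNameOrdinals returns the wrong function. That mistake is common in hand-written parsers and in annotated shellcode alike.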
Finally, the shellcode downloads the Imminent Monitor payload and then tries to execute it. The RAT is tucked into five different protective layers, including the ConfuserEx packer, which obfuscates object names as well as the names of methods and resources to make the code hard for humans to read and understand. ConfuserEx actually shows up twice; the second time, it includes a Rick-Rolling attempt.
Another packer used is the BootstrapCS executable, which performs anti-analysis checks. For the final unpacking of the RAT itself, the file uses the legitimate “lzma.dll” library from 7-Zip.
Not Their First Rodeo
Even though the emails are written in Russian, the attacks are coming from outside the country, carried out by a group known for other campaigns.
The analysts said that it’s “highly unlikely” that a native Russian speaker wrote the email text; rather, it seems to have been run through a translator. Also, even though the “from” address appears to be Russian in origin, an examination of the headers revealed that the IP address of the sender isn’t related to the email address’ domain.
Also, in analyzing the C2 servers used in the attacks, FortiGuard found, based on the registrant data, that 50 domains were all registered on the same day.
“Some of these domains have already been used for malware spreading,” the firm said. “Another group was linked to the phishing campaigns.”
FortiGuard also searched its collection of samples and found several spreadsheet samples that use the same C2 servers as the samples from these attacks.
“The samples are older and use different vulnerabilities,” the researchers said. “We believe that this same group of attackers are behind both groups of samples.”
While it’s unclear who exactly is behind the attacks, it’s clear that this campaign is not the first – and will probably not be the last – for the bad actors.