Spam email campaigns have increased with the use of multiple random techniques which improve the efficiency of payload distribution to spread malware to more number of users. These attacks have been randomly observed to have increased rapidly in numbers; similar techniques, observed first time in mid-2014, were used in the distribution of the Poweliks fileless malware.
Technical analysis of the observed campaign
In this campaign, the attacker uses an XML script and has a Windows Script Component (WSC) to deliver the malicious payload – this technique has the ability to easily modify obfuscation. A small XML script having a set of instructions is used to download another script file from compromised websites. The attacker uses this XML file because they can easily change the code and deliver a new variant.
Attack chain sequence
The set of instructions works as follows
Here, rundll32 is used for running the DLL file and placing its library in the memory with the following command line.
Rundll32.exe <DLL name>, <entry point>
Let’s understand how Rundll32 is successfully able to parse the parameters and the argument. Rundll32 internally parses the command line and searches for the comma (‘,’) to locate the DLL name and space to locate the entry point name.
The XML file-delivered script file has the actual malicious payload location and instructions to de-obfuscate malware. Every time, the payload location varies.
The same technique is used by the TrickBot malware having macro scripting in Microsoft Office documents which then downloads the actual payload.
Quick Heal detection
How to stay away from such threats
Subject Matter Expert
Prashant Tilekar | Quick Heal Security Labs