Saturday, March 3, 2018

The strange case of Adwind embedded in a MS-DOS file

A few days ago there was a malspam campaign mimicking one bank and delivering a PDF file and some DOC files exploiting CVE-2017-11882

The PDF file contains several images and and two interesting URLs

The first URL, http://dropboox[.]ga clearly is a phishing link for Dropbox, however in this case it is not being used.

The other link, is still active by the time of writing this post, https://urlz[.]fr/6DWd,  redirects to http://mineralsconventionregistration[.]ca/Scann%20copy.z which it is a compressed file. In VT this file is being flagged:

The first time I tried to detonate the file in several sandboxes it did not work, so I was interesting to understand a bit more. The file inside has .JAR extension, however the magic number for this file doesn't really correspond with the extension of the file, as it is MS-DOS

A first analysis of the file shows interesting things.  The beginning of the file is a MS-DOS file:

However, it contains several more files inside:

The analysis from previous tools seems is not accurate as one of the MS-DOS file has 7.2MB, however the total file is only around 800k. Checking with other tools, the analysis is different, for example, with foremost the MS-DOS files doesn't show

When unzipping the the .jar file, there is some warning :

I did a manual analysis on the file and as first look I even see some HTML, PHP and JavaScript code, right after the first MS-DOS code

When dumping the first PHP file, the content clearly is a phishing website to get passwords from email.

Then I forced my sandbox to detonate the file as JAR file, and ignoring the magic number, this worked and I could see they typical Adwind behaviour.

The connection to the Jrat C&C is  ( That IP is not new to me, as I have seen this IP linked to Qrat / Qrypter / Adwind in some analysis I i did in the past . 

As I said in the beginning, the file doesn't detonate in some sandboxes, due to how it is built. For example, this is the analysis from HA with no detonation
Other sandboxes, detects that the extension doesn't match the magic number

Regarding the AV, it seems some of them detectes the HTML, in the beginning of the file, as phishing. While other detect it as Adwind

The behavior of the DOC files is very similar. However, instead of including the URLs in the PDF file,  CVE-2017-11882 is exploited to download the maliciuos file:


In the end, the final payload is exactly the same in bot cases, however the URL is not exactly the same:


Regardless of what the AV / Sandboxes detect, and what the magic number is,  when the user opens the file via the explorer, the file is executed like a normal Java file, hence it gets infected with Adwind. It seems that bad guys are trying with this techniques to by-pass some detection controls.