Threat Research

Delivery of Malware: A Look at Phishing Campaigns in Q3 2022

By Erin Lin | October 04, 2022

Entering the second half of 2022, phishing attacks and campaigns continue to be the top threats targeting organizations, using a variety of techniques to infect users and organizations. Following our observations posted last quarter, FortiGuard Labs has continued to track many malware families, including Emotet, Qbot, and Icedid. We continually find malicious files delivered via phishing emails using Microsoft Excel files, Microsoft Word Documents, Windows shortcut files, and ISO image files to deliver their malware.

To help organizations better identify and prevent phishing attacks and infections, this blog provides some of the most common details and techniques used by these malicious files for malware deployment.

Affected Platforms: Microsoft Windows
Impacted Users: Windows users
Impact: Controls victim's devices, collects sensitive information, and delivers other malware
Severity Level: Critical

Phishing Emails

Phishing emails combined with social engineering continue to be the most common malware campaign strategy. Similar to previous quarters, the phishing emails we have tracked in Q3 of 2022 include a malicious file attachment or a link to a malicious site that downloads a malicious file. We have also observed a technique known as HTML Smuggling—an evasive malware delivery technique widely used to create a password-protected ZIP file and save it on a victim's device. This could be an HTML Smuggling attachment or an HTML Smuggling link. Both open in the browser, resulting in the download of a malicious file or files.

Figure 1 shows an HTML Smuggling file attached to an email. Once opened, a password-protected ZIP file is dropped, and the password in the email is required to unzip it.

Figure 1: Email with an HTML Smuggling attachment

Figure 2 showcases another HTML Smuggling attachment. It is disguised as an Adobe PDF document download page and uses a simple lure to get its victim to open the local downloaded file. The password to unzip the downloaded ZIP file is displayed on the page instead of in the body of the email.

Figure 2: Email with an HTML Smuggling attachment

Analyzing Samples and Their Behaviors

Three samples we captured between July and September of 2022 were active in malware campaigns and provide good examples of what we have been observing. Many are familiar, some are new, and others are older attacks with a new twist. The first is an Excel file with Excel 4.0 macros using the same macros and behaviors as a sample we described in our Q2 update. The second is new. It is a Word Document with VBA macros. The third sample is an ISO file we disclosed in our Q2 blog, but this time there are changes to the included files and the techniques used.

Excel file with Excel 4.0 Macros

Emotet campaigns containing malicious Excel attachments have been observed since November 2021. The appearance of Excel files and malware payloads are constantly changing to evade detection. We captured this latest sample in July. As the analysis in this previous blog shows, this sample uses macros to download and execute malware payloads.

Figure 3 shows an Excel 4.0 Macro sheet, “Sheet 7," which includes a malicious formula. Cell F2 in this Macro sheet is named "Auto_Open" to automatically run the formula once the file is opened. When the macros are enabled, several formulas are written into the cells to execute. Then the API "URLDownloadToFileA" is called to download the malware files, and "regsvr32.exe" is used to execute the malware payloads.

Figure 3: The malicious formulas in the Macro sheet

Word Document with VBA Macros

This second sample is a Word document using VBA macros to drop an Icedid malware DLL file. Figure 4 shows a screenshot of this opened Word document. It displays a blurred document image behind an Italian language request for the victim to click the "Enable Content" button in the security warning bar.

Figure 4: Screenshot of the Word document content when opened

The VBA code shown in Figure 5 is a function that gets its text from a custom XML file in "customXml/item1.xml". The grabbed text is a long string starting with "4d5a", indicating that this is a PE file. Figure 6 shows the "Document_Open()" function. It converts the text to a byte data type and writes to a file called "c:\ProgramData\xxx.dll" once the Word document is opened. Next, "rundll32.exe" is called to load this malicious DLL file.

Figure 5: The VBA code used to grab the text contained in the custom XML file

Figure 6: The VBA code used to execute the malicious DLL file

ISO Files

ISO files became a popular vehicle for malware deployment this summer. The malware families involved were Qbot, Icedid, and Bumblebee. We captured several malicious ISO files containing different files, as described below.

An LNK file and a PNG file contained in an ISO file

The contents of this ISO file are shown in Figure 7. A PNG file and an LNK file is disguised with an image icon. The target of this LNK file is a command line that, after opening the image file, uses “curl.exe” to download a malware DLL file and execute it using “rundll32.exe”.

Figure 7: The target of the LNK file contained in an ISO file

An LNK file and a folder contained in an ISO file

This ISO file contains an LNK file and a folder named “one”, which includes a BAT file, JS file, TXT file, and an empty folder. This sample uses multiple script files to obfuscate the execution of the malware DLL. As shown in Figure 9, the LNK file executes "alsoThing.bat" from folder "one". Next, the file "weTo.js" is executed with four arguments by the BAT file. In the JS file, "rundll32.exe" is used to run "thenTake.txt", which is actually a malware DLL file with a .txt extension.

Figure 8: The files contained in the ISO file

Figure 9: The script files in the ISO file

A CHM file and a DLL file contained in an ISO file

This ISO file contains a CHM (Compiled HTML Help) file and a DLL file, as shown in Figure 10. A script snippet is appended to the end of the CHM file. Once started, it executes the script and uses "rundll32.exe" to launch the malicious file "app.dll".

Figure 10: The files contained in the ISO file

An LNK file, two DLL files, and a calc.exe contained in an ISO file

Figure 11 shows that an ISO file contains an LNK file and three hidden files ("WindowsCodecs.dll", "102755.dll", and "calc.exe"). First, the LNK file runs "calc.exe", a legitimate file. On startup, "calc.exe" loads several dependencies, including a file named "WindowsCodecs.dll". As you can see, one of the filenames in this ISO file is the same.

It then uses a technique called DLL Search Order Hijacking. If loading a DLL file without specifying a full file path, it uses the standard search order to find it.

In this case, the "WindowsCodecs.dll" in the ISO file is in the same folder as the executable application. As a result, it loads this version instead of the valid one in the Windows directory. This loaded library is a malicious copy that creates a process to execute the malware "102755.dll", as shown in Figure 12.

Figure 11: The files contained in the ISO file

Figure 12: Creating a process to execute the malware "102755.dll"

Figure 13 shows a screenshot of the process where "calc.exe" loads the malicious "WindowsCodecs.dll" from the ISO file. After that, it creates a process for "regsvr32.exe" using the command line "C:\Windows\SysWOW64\regsvr32.exe 102755.dll".

Figure 13: The process of "calc.exe"

Summary: The Delivery Chains

To provide an overview of malware delivery, we have illustrated the execution flow of their implementation. Below is the delivery chain for each malware family, including Emotet, Qbot, and Icedid.

All deliveries start with a phishing email that attaches a malicious file or contains a download link. Emotet uses an Excel file as a downloader to drop the Emotet malware payload and then execute it.

Figure 14: Delivery Chain for Emotet

Figure 15 shows the Qbot installation chain. The malicious ISO file is either extracted from an HTML Smuggling file or downloaded from a malicious link. The files contained in the ISO file vary and result in different executions. Each execution is triggered by clicking on an LNK file contained in the ISO file. The following steps in the process can include a download, tricks like obfuscated scripts, and DLL search order hijacking. Ultimately, the Qbot malware payload can run in any of these ways.

Figure 15: Delivery Chain for Qbot

As shown in Figure 16, the execution chains of Icedid and Qbot are similar. The ISO file plays an essential role in the chain. The difference is an original way of using a CHM file to run the Icedid malware payload. In addition, a malicious Word document attachment is involved in dropping and executing the payload.

Figure 16: Delivery Chain for Icedid

Conclusion

Over the past three months, we have seen a significant reduction in malware campaigns compared to the first half of the year. Since discovering an Emotet campaign in mid-July, nothing has been seen. Qbot activity also stopped in mid-July before resuming its spread in September. And while Icedid malware distribution has been continuous, it has not been as frequent.

According to our recent observations, the most active files for malware delivery are disk image files like the ISO files described in this report. They take advantage of bypassing the Mark-of-the-Web trust control to evade antivirus detection. Moreover, they can be easily mounted and opened on modern versions of Windows with just a double click. In addition to the ISO files mentioned above, organizations are cautioned to watch for other formats of image files, such as IMG and VHD files, which can also be used to deliver malware.

The HTML Smuggling technique is used to bypass restrictions on receiving files from the Internet by creating files locally. The execution triggers are covered by LNK files and CHM files, as they can be easily launched with a simple double-click.

At the same time, Microsoft Office files with macros continue to be distributed, though usually in small numbers. Interestingly, threat actors do not appear to have stopped working on Word documents and Excel files despite Microsoft adding more restrictions on the use of macros.

Although malware distribution has constantly been changing, with new updates and techniques regularly being added, all the attacks we have observed started with phishing emails. As a result, it is vital to be aware of social engineering, including training end users, to avoid these threats.

Fortinet Protections

Fortinet customers are protected from the malware described in this report by FortiGuard’s Web Filtering, AntiVirus, FortiMail, FortiClient, FortiEDR, and Content Disarm & Reconstruction (CDR) services as follows.

The FortiGuard CDR service disarms the phishing emails with their attached malicious files.

FortiEDR detects the involved files as malicious based on their behavior.

Fortinet customers are protected from these malicious files and malware by FortiGuard Antivirus, which is included in FortiMail. FortiMail also detects phishing emails and can block or disarm attachments.

All malicious samples described in this report are detected by FortiGuard AntiVirus as follows:

VBA/Agent.CSH!tr
XF/CoinMiner.Z!tr
HTML/Agent.6123!tr
HTML/QBotDrop.A!tr
LNK/Agent.A8FC!tr.dldr
W32/QBotEXE.A!tr
W32/QBot.F!tr
W32/PossibleThreat

The malware payloads are detected by FortiGuard AntiVirus as follows:

W64/GenKryptik_AGen.EE!tr
W64/Kryptik.DJT!tr
W64/GenKryptik.FYWZ!tr
W32/PossibleThreat
W32/Emotet.FTN!tr

Fortinet’s Digital Risk Protection Service, FortiRecon, continually monitors for credentials stolen using Stealers (such as Redline) being sold by threat actors on the dark web that can be used to breach a network. Request a test drive to see how FortiRecon can provide an early warning of imminent threats to your network and data.

In addition, Fortinet has multiple solutions designed to train users on how to understand and detect phishing threats:

Our turnkey Security Awareness Training SaaS service helps organizations deliver regular, timely training on cybersecurity threats such as phishing to their end-users.

The FortiPhish Phishing Simulation Service provides additional, ongoing training by using real-world simulations to help organizations test user awareness and vigilance to phishing threats and train and reinforce proper practices when users encounter targeted phishing attacks.

We also suggest that organizations have their end users undergo our FREE NSE training: NSE 1 – Information Security Awareness that includes a module on Internet safety and phishing.

IOCs

Malicious sample (SHA256):

ca15f68eb58e61313dda1d34c4d20f1582b8506481436c1bfd5c354922ddf7e0
84e281b7755da1f89e3ed2b109556002c40547292deed3f7a7754707c69396fd
9ce84380614d0eb61fd657c42593e5cd91d122f614c00c5edea6514241951854
d3b3627a34b3738327449653acfc5509be290722648fd1f55ee09bd0a6ff941f
37663652d075edfbbd48085c787ba12bc95b6492863d21f334850d78e203b12b
97ef6f319bf880412459655f70a32801241e551c6cf51c85ceb9f39eb86054e6
f5c16248418a4f1fd8dff438b26b8da7f587b77db9e180a82493bae140893687
6e3661049bde832369781afa1d9034315442b1e4b87aa92d571cbe73186997c5

Malware payload (SHA256):

84197619db6a80282ae8d96e40e107de9596a020cd9397f780c07fab3c4576d7
2c87388d5f2eba48cd479c05c837a5e4a661927fc0ade00b986489a449ad0e3c
f2b8c976c683e0e00377b393a817ff5aae6ead4751e984767a477c60045cf135
effc431f13997a896d07082c4c018a77feee075097fd80de167c20c7515d1516
f39deb0e0acbd4738ece9a5e0075a580cb7be6090b070fa2b3299a13effd833d
38efd88227ca093b3b1d9b10de3ba3e6f27a4b837155741cc776b1212e0f70b1

Learn more about Fortinet’s FortiGuard Labs threat research and global intelligence organization and Fortinet’s FortiGuard AI-powered Security Services portfolio. Sign up to receive our threat research blogs.