FortiGuard Labs Threat Research
Droppers are malicious files that deploy malware payloads to a victim's device, and are used in many threat campaigns. During the second quarter of 2022, FortiGuard Labs observed some active droppers, including Microsoft Excel files, as well as Windows shortcut files and ISO image files. We captured these samples from phishing emails that were combined with social engineering to trick victims into loading the malware onto their devices. Recently, we found common malware families involving these samples to be Emotet, Qbot, and Icedid. In addition, a malware called Bumblebee, a previously rarely observed malware loader, was also found in some ISO files.
This blog reveals how droppers are delivered to a victim's device and how they drop malware payloads onto the victim's local disk.
Affected Platforms: Microsoft Windows
Impacted Users: Windows users
Impact: Controls victim's device and collects sensitive information, plus delivers other malware
Severity Level: Critical
The droppers are spread through phishing emails in three ways. An email may:
The first observation was in May. The download link in the email pointed to a web page containing HTML smuggling. By June, the HTML smuggling file was sent directly to victims as an HTML attachment.
This quarter, we captured three different samples active in the threat campaign. The first sample is an Excel file with Excel 4.0 macros. The second is an LNK file (Windows shortcut file). The third sample is an ISO file (optical disk image).
This Excel sample is not new. It has been heavily used in Emotet campaigns since last year, as mentioned in the previous blog. Some sheets of this sample are hidden, as shown in Figure 5, including an Excel 4.0 macro sheet "IJEIGOPSAGHSPHP" that contains the malicious formulas. Cell A1 in this macro sheet is named "Auto_Open9939689536899569357795948589489469636486898953895396378943986" and includes a built-in macro that automatically runs the formula from that cell once the file is opened.
This macro sheet includes formulas that call the API "URLDownloadToFileA" to download the malware payloads from several different URLs. The malware payloads are actually DLL files and executed using "regsvr32.exe".
A Windows shortcut file (commonly referred to as LNK) is created to point to a specific target. Double-clicking on the shortcut file will execute the target.
As shown in Figure 6, this sample includes a PowerShell code snippet in its target field. The PowerShell code converts a base64 string into a script that contains multiple URLs to download the malware payload. Next, it attempts to download the malware payload from each URL and execute it with "Regsvr32.exe" until it succeeds.
We also captured other samples containing different malicious code in their target field. As shown in Figure 7, there is a command line to download a malware payload from a URL and execute it with "Regsvr32.exe".
Figure 8 shows another malicious PowerShell code in the target field. The data is decoded to a .hta URL and executed using "mshta.exe". Next, the VBScript code in the web page of the .hta URL extracts a PowerShell code that includes encrypted data. In the end, the encrypted data is transformed into script code to get the payload URL and download malware.
All three examples above download and execute a malware payload, despite the differences.
An ISO file (often called an ISO image), is an archive file that stores the contents of a physical disk. In Windows 10, opening an ISO file by double-clicking it mounts the file on a virtual optical disc drive. Once mounted, the contents of an ISO file can be accessed in File Explorer.
Threat actors store a malware DLL file and a malicious LNK file in the ISO file. As shown in Figure 9, the DLL file is set to a hidden attribute, so it is not visible in File Explorer by default. On the other hand, the shortcut file is used to execute the DLL file using "Rundll32.exe".
In recent threat campaigns, all droppers mentioned in the previous section are very active and used by more than one malware family. Below is the malware payload of each captured dropper.
Emotet and Qbot
Emotet, Qbot, and Icedid
Qbot, Icedid, and Bumblebee
Figure 10 shows the notable malware activities during the past three-month period. In early April, Microsoft Excel files were the only file type used to spread malware. We then captured a shortcut file with the Emotet malware payload, which first appeared on April 23. This new malware attack technique was soon followed by Qbot and Icedid, spreading using shortcut files as well in early May. Later, ISO files for droppers began appearing in the middle of May, and the malware families involved included Qbot, Icedid, and Bumblebee. Next, HTML smuggling attacks emerged in late May and June, including web pages and HTML file attachments. This builds malware locally instead of delivering malicious files directly through the network to bypass the firewall.
Microsoft Office files have been a favorite vehicle for threat actors because of the macros. However, things seem to be changing as Microsoft has added more security controls in Office files with macros. In July of 2021, Microsoft disabled Excel 4.0 macros by default when opening an Excel file. In early April 2022, Microsoft created another setting to block VBA macros in files from the internet by default. With more restrictions on the use of macros for Microsoft Office files, threat actors turn to other types of files to increase compromise rates. At this point, shortcut files provide a solid option due to double-click execution. ISO files can be automatically mounted and opened on modern versions of Windows with just a double click. In addition, ISO files take advantage of bypassing the Mark-of-the-Web trust control, making them easier to evade antivirus detection than other archive files. The HTML smuggling technique creates malicious files locally to bypass the restrictions on receiving files from the internet and emails. This explains the proliferation of shortcut files and ISO files, as well as HTML smuggling used for malware deployment at this time.
Fortinet customers are protected from this malware by FortiGuard’s Web Filtering, Antivirus, FortiMail, FortiClient, FortiEDR, and Content Disarm & Reconstruction (CDR) services as follows.
The phishing email with its attached malicious file can be disarmed by the FortiGuard CDR service.
FortiEDR detects the Excel, shortcut, ISO, and malware payload DLL files as malicious based on their behavior.
Fortinet customers are protected from these malicious files and malware by FortiGuard Antivirus, which is included in FortiMail. It detects all malicious macro file types, including Excel 4.0 macro samples.
All malicious samples described in this report are detected by FortiGuard Antivirus as follows:
The malware payloads are detected by FortiGuard Antivirus as follows:
In addition, Fortinet has multiple solutions designed to train users on how to understand and detect phishing threats:
The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.
We also suggest that organizations have their end users go through our FREE NSE training: NSE 1 – Information Security Awareness. It includes a module on internet threats to train end users on how to identify and protect themselves from phishing attacks.
Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.