FortiGuard Labs Threat Research

Trying to Steal Christmas (Again!)

Much of the world’s population observes and celebrates Christmas every December to connect with friends and family and reflect on the year. Malware operators also observe the holiday, perennially attempting to compromise the systems of users who have let their guard down during the festivities.

Affected Platforms: Windows
Impacted Users: Windows users
Impact: Malware opens a backdoor and exfiltrates information from compromised machines
Severity Level: High


FortiGuard Labs has come across two holiday-themed phishing examples that exploit people’s interests in the holidays, leading to malware infection and further exploitation.

Giving the Gift of AgentTesla for Christmas

FortiGuard Labs found that an AgentTesla affiliate started Christmas activities early this year. Their email is disguised to look like it came from a jewelry shop in Dubai. It was sent to a company that specializes in water treatment in Chile. The email requests that the recipient provide quotes for the price and availability of jewelry for Christmas. An obvious red flag is that “Dubai” is spelled wrong (besides asking a company specializing in water treatment for jewelry pricing).

Figure 1. Screenshot of the email

The email has two attachments: “new designs.gz” contains “new designs.exe,” and “Inquiry lists.gz” contains “Inquiry lists.exe.” Although the embedded files have different names, they share the same file hash (SHA2: c94eac21e05336aa64ccbc1726d0a2961880627973dae4c5483aaed33150eec5).

Figure 2. “new designs.exe” inside “new designs.gz”
Figure 3. “Inquiry lists.exe” inside “Inquiry lists.gz”

When executed, c94eac21e05336aa64ccbc1726d0a2961880627973dae4c5483aaed33150eec5 drops fkkvzetzm.exe, jfwxswcu.au3, igqyivch.prc, and kywyozha.x into the %usertemp% directory. It then calls an AutoIt script (jfwxswcu.au3) by launching fkkvzetzm.exe (a legitimate copy of AutoIt3) with jfwxswcu.au3 as an argument.

The file jfwxswcu.au3 is an obfuscated AutoIt script designed to read and deobfuscate igqyivch.prc, which contains shellcode. The shellcode is then loaded into memory via VirtualAlloc. The shellcode, in turn, loads kywyozha.x into memory. Once loaded, kywyozha.x performs several tasks, including launching a copy of the running process and checking to see if it’s running inside a 64-bit process.

To avoid being detected by system monitors such as AV and EDR, it copies ntdll.dll into memory so it can use that instead of the one on the disk. It then checks to see if specific APIs in ntdll.dll have been modified or hooked with trampolines. It then finally injects kywyozha.x into the copy of the running process.
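The execution chain above (a renamed, legitimate AutoIt3 interpreter dropped into the user's temp directory and launched with a .au3 script from the same place) leaves a distinctive process-creation footprint. The following is an added example, not code from the original post or from Fortinet, that applies such rules to constructed process-creation events shaped like Sysmon Event ID 1 fields (Image, OriginalFileName, CommandLine, ParentImage). The file names fkkvzetzm.exe and jfwxswcu.au3 come from the analysis above; the user name, paths, parent processes and the two benign events are assumptions made up for the example.

```python
import re
import shlex
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry). Event 0 mirrors the dropper
# chain described in the analysis; events 1 and 2 are benign look-alikes.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Users\alice\AppData\Local\Temp\fkkvzetzm.exe",
        "OriginalFileName": "AutoIt3.exe",  # PE version info still says AutoIt3
        "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\fkkvzetzm.exe" '
                       r"C:\Users\alice\AppData\Local\Temp\jfwxswcu.au3",
        "ParentImage": r"C:\Users\alice\Downloads\new designs.exe",
    },
    {
        "Image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
        "OriginalFileName": "AutoIt3.exe",
        "CommandLine": r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" '
                       r"C:\Tools\scripts\inventory.au3",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# Locations an ordinary user can write to without elevation.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\Downloads\\|\\AppData\\Local\\Temp\\|\\Windows\\Temp\\",
                           re.IGNORECASE)


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line, keeping quoted paths with spaces intact."""
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def autoit_reasons(event: dict) -> list[str]:
    """Return the reasons an AutoIt3 process-creation event looks like a dropper."""
    reasons = []
    # Identify the interpreter by its embedded original file name, so a rename
    # on disk (fkkvzetzm.exe) does not hide it.
    if event.get("OriginalFileName", "").lower() != "autoit3.exe":
        return reasons
    image = PureWindowsPath(event["Image"])
    if image.name.lower() != "autoit3.exe":
        reasons.append(f"AutoIt3 interpreter renamed to {image.name}")
    if TEMP_DIR.search(str(image)):
        reasons.append("interpreter runs from a temp directory")
    args = split_cmdline(event["CommandLine"])[1:]
    for arg in args:
        if arg.lower().endswith(".au3") and TEMP_DIR.search(arg):
            reasons.append(f"script {PureWindowsPath(arg).name} loaded from a temp directory")
    parent = event.get("ParentImage", "")
    if USER_WRITABLE.search(parent):
        reasons.append(f"spawned by {PureWindowsPath(parent).name} in a user-writable location")
    return reasons


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (event index, reasons) for every event that triggers at least one rule."""
    hits = []
    for i, event in enumerate(events):
        reasons = autoit_reasons(event)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(reasons))
```

Keying on OriginalFileName rather than the on-disk name is the point of the example: the dropper renames the interpreter but does not rebuild its version resource. A legitimately installed AutoIt3 running a script from a tools directory produces no reasons, so the rule set stays quiet for the benign event.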

The file kywyozha.x is an executable file. It calls itself 8845e90c-374f-4f68-a7a8-4bc7bad7be20.exe (SHA2: 0FCAE5DB73D10B022E86F7E0799073623FA5063A29054807E1F93A4016D8FC99). 8845e90c-374f-4f68-a7a8-4bc7bad7be20.exe is a variant of the AgentTesla infostealer Trojan that uses Telegram (hxxps://api.telegram[.]org/bot5018340186:AAFKw8ktzY7O_6e1fhgEWq27H2aE-rsBGjA/) for its Command-and-Control (C2) server. The malware can download and delete files, steal credentials from browsers and FTP and email applications, and perform keylogging.

Fortunately, the company that received the email is not in the jewelry business and is unlikely to have opened and executed AgentTesla.

“Welcome to the party, pal!”

We also recently came across a strange email with a theme familiar to Christmas movie viewers. The email was crafted to appear as being sent from Klaus Hans Gruber to John McClane - fictional characters from the original Die Hard movie. The email has a heartfelt message requesting to settle their long-time feud and asks the recipient (in this case John McClane) to open the attachment, “good_time.zip.”

Figure 4. “Die Hard” email.

The archive file contains a series of what appear to be JPEG image files. However, a closer look revealed that “image6” is not actually a JPEG file.

Figure 5. List of images in the “Die Hard” email

Rather than a photo, image6 is a batch file that displays “image7.jpg.jpg” (shown below) and also loads and executes PowerShell code from hxxps://pastebin[.]com/raw/PeJLUFC4. While these PowerShell commands claim to be for “educational purposes,” they create a reverse shell backdoor to the email sender.

This backdoor allows for the execution of arbitrary PowerShell commands. The obvious tactic used by the attacker is to get the recipient to go through a set of amusing images attached to the email and inadvertently run the malicious batch file.
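Both campaigns rely on the attachment tricks described above: two .gz archives whose differently named members share one hash, and a .zip of "images" in which image6 is really a batch file with a double extension. As an added example, not code from the original post or from Fortinet, the script below triages such attachments offline: it parses the gzip header to recover the member name, hashes every member, checks extensions against the file's magic bytes, and groups members that carry the same payload under different names. The archives and their contents are constructed in memory (the "PE" is a stub starting with MZ, the batch file is a harmless launcher placeholder); the member names follow the post, but the bytes are assumptions.

```python
import gzip
import hashlib
import io
import zipfile
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Optional

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".vbs", ".js"}
IMAGE_MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
               ".png": b"\x89PNG", ".gif": b"GIF8"}


def gzip_member_name(blob: bytes) -> Optional[str]:
    """Parse the RFC 1952 header and return the optional FNAME field."""
    if len(blob) < 10 or blob[:2] != b"\x1f\x8b":
        return None
    flags, pos = blob[3], 10
    if flags & 0x04:  # FEXTRA: 2-byte little-endian length, then that many bytes
        pos += 2 + int.from_bytes(blob[pos:pos + 2], "little")
    if not flags & 0x08:  # FNAME not present
        return None
    return blob[pos:blob.index(b"\x00", pos)].decode("latin-1")


def members(name: str, blob: bytes) -> list:
    """Return (member name, member bytes) pairs for a .gz or .zip attachment."""
    lower = name.lower()
    if lower.endswith(".gz"):
        inner = gzip_member_name(blob) or name[:-3]
        return [(inner, gzip.decompress(blob))]
    if lower.endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return [(info.filename, z.read(info)) for info in z.infolist()]
    return [(name, blob)]


def suspicious_reasons(member: str, data: bytes) -> list:
    """Static checks: executable extension, image double extension, magic mismatch."""
    suffixes = [s.lower() for s in PureWindowsPath(member).suffixes]
    ext = suffixes[-1] if suffixes else ""
    reasons = []
    if ext in EXEC_EXTS:
        reasons.append(f"executable extension {ext}")
    if len(suffixes) >= 2 and suffixes[-2] in IMAGE_MAGIC and ext not in IMAGE_MAGIC:
        reasons.append(f"double extension {''.join(suffixes[-2:])} disguised as an image")
    if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
        reasons.append(f"content does not match {ext} magic bytes")
    if data.startswith(b"MZ"):
        reasons.append("PE executable header")
    if data.lstrip().lower().startswith(b"@echo off"):
        reasons.append("batch script content")
    return reasons


def triage(attachments: dict) -> dict:
    """Map 'attachment -> member' to its SHA-256 and the reasons it looks suspicious."""
    report = {}
    for att_name, blob in attachments.items():
        for member, data in members(att_name, blob):
            report[f"{att_name} -> {member}"] = {
                "sha256": hashlib.sha256(data).hexdigest(),
                "reasons": suspicious_reasons(member, data),
            }
    return report


def same_payload_different_names(report: dict) -> dict:
    """Group members that share a hash: the 'two names, one file' pattern."""
    by_hash = defaultdict(list)
    for key, entry in report.items():
        by_hash[entry["sha256"]].append(key)
    return {h: keys for h, keys in by_hash.items() if len(keys) > 1}


def _gz(inner_name: str, data: bytes) -> bytes:
    buf = io.BytesIO()
    with gzip.GzipFile(filename=inner_name, mode="wb", fileobj=buf, mtime=0) as g:
        g.write(data)  # GzipFile stores inner_name in the FNAME header field
    return buf.getvalue()


def _zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed sample attachments (not the real files from the campaigns).
FAKE_PE = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not a real executable"
SAMPLE_ATTACHMENTS = {
    "new designs.gz": _gz("new designs.exe", FAKE_PE),
    "Inquiry lists.gz": _gz("Inquiry lists.exe", FAKE_PE),
    "good_time.zip": _zip({
        "image1.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"one",
        "image6.jpg.bat": b"@echo off\r\nstart image7.jpg.jpg\r\nrem launcher placeholder\r\n",
        "image7.jpg.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"seven",
    }),
}

if __name__ == "__main__":
    rep = triage(SAMPLE_ATTACHMENTS)
    for key, entry in rep.items():
        print(key, entry["sha256"][:16], entry["reasons"])
    print(same_payload_different_names(rep))
```

The member name is taken from the gzip FNAME field rather than from the outer attachment name because that is what a recipient's archive tool shows; when the field is absent the code falls back to stripping ".gz". The real image7.jpg.jpg produces no reasons, since its content matches the JPEG magic and its final extension is still an image, while image6.jpg.bat trips three rules at once.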

Figure 6: Screenshot of image7.jpg.jpg

While the email is crafted as a joke, the attachment can still cause real harm to users by opening a backdoor on compromised machines.

Conclusion

While the attacks covered in this blog are not new by any means, such attacks are repeated every year because threat actors believe that “if you take enough shots, you will eventually make a basket.” That’s especially true when attacks exploit things like holidays and major events, like Christmas or the World Cup. Taking advantage of distracted recipients continues to be a successful strategy, and users are cautioned to remain vigilant during the holiday season.

To that end, the Cybersecurity and Infrastructure Security Agency (CISA) has created several tips to help users with online safety and handling email attachments.

FortiGuard Labs wishes everyone a safe holiday season!


Fortinet Protection

The Fortinet Antivirus engine detects all binaries discussed in this blog using the following AV signatures:

  • MSIL/AgentTesla.919C!tr
  • AutoIt/Agent.WKO!tr
  • PowerShell/Agent.0D84!tr
  • PowerShell/Agent.36F7!tr

The FortiGuard Web Filtering service rates the AgentTesla C2 server and the location where the malicious PowerShell script is hosted as ‘Malicious’ and blocks them accordingly.

FortiMail and FortiSandbox can detect and quarantine the malicious attachments in this campaign, and Fortinet’s CDR (Content Disarm and Reconstruction) service can disable them.

In addition to these protections, Fortinet can help train users to understand and detect phishing threats:

Our FREE NSE training program—NSE 1 – Information Security Awareness—includes a module on Internet threats designed to help end users learn how to identify and protect themselves from phishing attacks.

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

File IOCs

  • c94eac21e05336aa64ccbc1726d0a2961880627973dae4c5483aaed33150eec5 (Inquiry lists.exe)
  • 0FCAE5DB73D10B022E86F7E0799073623FA5063A29054807E1F93A4016D8FC99 (8845e90c-374f-4f68-a7a8-4bc7bad7be20.exe)
  • 1f4118f5e843334e23e325784b5c4a8249315da7211c7c69d94d7a5a60d00d84 (image6.jpg.bat)
  • 5e715ff174547e66f9566232bc7edccebd93ae7f99e5cd3818040c13acec36f7 (malicious PowerShell scripts hosted on pastebin[.]com/raw/PeJLUFC4)
  • 543d26c5081bdcda693c8dc3586a874319413e8e8ab762b8ad99341f37c4b3fa (good_times.zip)


Network IOCs

  • api.telegram[.]org/bot5018340186:AAFKw8ktzY7O_6e1fhgEWq27H2aE-rsBGjA/
  • pastebin[.]com/raw/PeJLUFC4