21 June 2019

Beware! Email attachments can make you victim of spear phishing attacks

Written by Prashant Tilekar
Endpoint Security, Enterprise Security, Mail Protection, Malware, Phishing, Security

In the last few months, we’ve seen a sudden increase in spear phishing attacks. Spear phishing is a variation of a phishing scam in which attackers send a targeted email to an individual that appears to come from a trusted source. In this type of attack, the attacker uses social engineering tricks, often built around a business transaction or deal, to entice the end user into believing that the email is genuine and comes from a known person or contact. The goal of these emails, as with any other cyber fraud, is to either gain access to the user’s system or obtain other classified information. Spear phishing is considered one of the most successful cyber-attack techniques because of the high level of personalization used against the target, which makes the message highly believable.

Technical Details:

The entry point for this infection chain is a benign-looking email with an XLS file as an attachment. The attachment names are chosen to look like important notifications or updates related to private operations or government sources, so the victim is inclined to open them. When the recipient opens the XLS attachment, it prompts the user to enable macros in Excel.

Fig 1. XLS file (Enable Macro Prompt)

Once the user clicks the “Enable Macros” button, the XLS file opens for viewing. One of the attachments we analyzed further had two user forms with different names and a module containing the macro source code. The first form, “WsHAfi Box”, contains data in decimal form.

Fig 2. Form “WsHAfi Box” in macro

On further analysis of this form, we found that replacing each apostrophe (‘) with a space yields data in decimal format. We converted the decimal data into ASCII to get a Zip file. This zip file contains the actual malware payload. The screenshots below show the original form data, the data in decimal form and the data as a zip file.

Fig 3. Steps to get to the zip file.

Execution starts from Module1 in the Sub userHafizaiLoadr() function. It creates a variable named ByteArray, copies the data from the “WsHAfi Box” user form into this variable, and then uses it to create a zip file in the “C:\Users\Documents” folder.

Fig 4. userHafizaiLoadr() function

The Sub unHafizaizip() function extracts the contents of this zip file. Finally, the payload (“dtiardhues.exe”) is executed using the Shell command.
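The decoding chain described in the last three paragraphs (apostrophe-separated decimal values in the form, converted to bytes, recognised as a zip, then inspected) as an added Python example for an analyst working on a copy of the macro. This is editorial code, not the macro itself or any Seqrite tool: the form data is constructed in memory from a benign archive whose only entry carries the payload name from the analysis but placeholder bytes, and the archive is listed rather than extracted to disk.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"          # local file header signature of a ZIP archive
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".com")


def build_sample_form_data() -> str:
    """Constructed stand-in for the "WsHAfi Box" form: a benign in-memory ZIP
    whose bytes are written out as apostrophe-separated decimal values. The
    entry name matches the payload name from the analysis, but its content is
    a placeholder string, not the real executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("dtiardhues.exe", b"PLACEHOLDER - not a real payload")
    return "'".join(str(b) for b in buf.getvalue())


def decode_form_data(form_text: str) -> bytes:
    """Reverse the encoding described above: apostrophes become spaces, every
    remaining token is a decimal byte value, and the byte sequence is the
    archive. The straight and the curly apostrophe are both accepted because
    copy/paste from the VBA editor may produce either."""
    tokens = form_text.replace("'", " ").replace("\u2019", " ").split()
    out = bytearray()
    for tok in tokens:
        if not tok.isdigit():
            raise ValueError(f"non-decimal token in form data: {tok!r}")
        value = int(tok)
        if value > 255:
            raise ValueError(f"byte value out of range: {value}")
        out.append(value)
    return bytes(out)


def inspect_archive(blob: bytes) -> dict:
    """Check the decoded bytes for the ZIP signature and list the entries
    without writing anything to disk, flagging executable names."""
    if not blob.startswith(ZIP_MAGIC):
        return {"is_zip": False, "entries": [], "executables": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        entries = [(info.filename, info.file_size) for info in zf.infolist()]
    executables = [name for name, _ in entries
                   if name.lower().endswith(EXECUTABLE_EXTS)]
    return {"is_zip": True, "entries": entries, "executables": executables}


if __name__ == "__main__":
    blob = decode_form_data(build_sample_form_data())
    print(inspect_archive(blob))
```

Keeping the archive in memory and only listing it is deliberate: the interesting facts for triage (is it really a zip, what is inside, is there an executable) are available without ever dropping the payload to the analyst's own file system.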

Fig 5. Executable file with Payload dropped at a predefined location

We observed that the contents of this executable file differ by Windows NT version (6.1 is Windows 7, 6.2 is Windows 8 and 6.3 is Windows 8.1). The payload, dtiardhues.exe, is a remote access trojan. It runs automatically without user intervention and connects to a remote CnC server. Once the victim host connects to the CnC server, it waits for further commands from it. We noticed that this CnC server supports a wide list of commands for data collection and exfiltration.

Fig 6. Commands received from CnC Server

Initially, the CnC server collects information from the victim host such as hostname, user name, OS version, IP address and the name of any AV software installed. It also collects information about the currently running processes on the victim host and then commands the victim host to exfiltrate all the gathered data.

We analyzed the CnC server’s communication with different victim hosts and could identify the following commands and their functionality.

| command | description |
|---------|-------------|
| info    | sends machine info (host name, user, AV) |
| dirs    | send list of drives in system |
| clping  | set time |
| cscreen | take and send screenshot |
| fldr    | send list of folders |
| fles    | search file on disk |
| filsz   | size of file |
| delt    | delete file |
| procl   | list of processes |
| runf    | run executable file |
| listf   | search for file |
| afile   | exfiltrate file to server |
| cnls    | cancel functionality |
| endpo   | end process |

Fig 7. CnC Communication Traffic
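The command table above turned into simple session-triage logic, as an added Python example (not code from the original analysis). Because the post shows the CnC traffic only as a screenshot, the wire format used here is an assumption: one reassembled payload per line, prefixed with its direction, with the command as the first token. The severity grouping per command is an editorial addition for triage and is not stated by the original authors.

```python
import re
from collections import Counter

# Command names come from the table above; the category per command is an
# editorial grouping added for triage, not part of the original analysis.
COMMANDS = {
    "info": "recon", "dirs": "recon", "fldr": "recon", "fles": "recon",
    "filsz": "recon", "procl": "recon", "listf": "recon",
    "clping": "control", "cnls": "control",
    "cscreen": "collection", "afile": "exfiltration",
    "runf": "execution", "delt": "impact", "endpo": "impact",
}
HIGH_RISK = {"collection", "exfiltration", "execution", "impact"}

# Matched at the start of the payload: the command is assumed to be the
# first token, optionally followed by an argument.
COMMAND_RE = re.compile(r"(" + "|".join(map(re.escape, COMMANDS)) + r")\b")

# Constructed sample of reassembled TCP payloads, one per line, prefixed with
# the direction (S>V server to victim, V>S victim to server). The framing is
# assumed for the demo; it is not the real traffic layout.
SAMPLE_STREAM = """\
S>V info
V>S host=WS-17 user=alice av=none
S>V procl
S>V listf *.docx
S>V keepalive
S>V afile C:\\Users\\alice\\Documents\\q2.docx
S>V runf
S>V cscreen
"""


def parse_stream(text: str) -> list:
    """Return (command, category) pairs for every server-to-victim payload
    whose first token is a known command; unknown tokens and victim replies
    are ignored."""
    events = []
    for line in text.splitlines():
        direction, _, payload = line.partition(" ")
        if direction != "S>V":
            continue
        m = COMMAND_RE.match(payload)
        if m:
            events.append((m.group(1), COMMANDS[m.group(1)]))
    return events


def triage(events: list) -> dict:
    """Summarise a session: reconnaissance followed by any high-risk command
    is the pattern the post describes (collect machine info, then exfiltrate)."""
    by_category = Counter(cat for _, cat in events)
    high = [cmd for cmd, cat in events if cat in HIGH_RISK]
    if not events:
        verdict = "no known commands"
    elif high and by_category["recon"]:
        verdict = "likely RAT session"
    else:
        verdict = "suspicious"
    return {"verdict": verdict, "high_risk_commands": high,
            "by_category": dict(by_category)}


if __name__ == "__main__":
    print(triage(parse_stream(SAMPLE_STREAM)))
```

The short command names alone are weak indicators (several are ordinary English fragments), which is why the logic keys on the sequence, recon first and then a collection or exfiltration command, rather than on any single token.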

IOCs:


Conclusion:

Though identifying spear phishing emails is a little difficult for an end user, one can always be careful while opening any email attachment. Users should consider the following points before opening any email attachment:

  1. Verify the sender’s email id.
  2. Don’t get lured by freebies mentioned in the email subject or body.
  3. Do not click on any link in the mail body.
  4. Open Office document files in Read Only mode; don’t enable macros by default.
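An added Python example of an automated pre-screen for points 1 and 4 in the list above: it flags a Reply-To domain that differs from the sender's, a display name that carries a different address, and macro-capable Office attachments. This is editorial code, not a Seqrite product feature; the two messages are constructed in memory with reserved example domains and a placeholder attachment body.

```python
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Office formats that can carry VBA macros (the legacy binary formats always can).
MACRO_CAPABLE_EXTS = {".xls", ".xlsm", ".xlsb", ".doc", ".docm",
                      ".dot", ".dotm", ".ppt", ".pptm"}


def build_email(from_hdr: str, reply_to: str = "", attachment: str = "") -> bytes:
    """Constructed message builder for the demo; the attachment body is a
    placeholder string, not a real document."""
    msg = EmailMessage()
    msg["From"] = from_hdr
    msg["To"] = "alice@example.com"
    msg["Subject"] = "Important Notification: updated sheet"
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content("Please review the attached file.")
    if attachment:
        msg.add_attachment(b"placeholder bytes, not a real document",
                           maintype="application", subtype="octet-stream",
                           filename=attachment)
    return msg.as_bytes()


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage_email(raw: bytes) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))

    # Point 1: the visible sender and where replies actually go should agree.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append(f"reply-to domain {domain_of(reply_addr)!r} differs "
                        f"from sender domain {domain_of(from_addr)!r}")
    # A display name that itself looks like an address is a common spoofing trick.
    if "@" in display_name and domain_of(display_name) != domain_of(from_addr):
        findings.append(f"display name {display_name!r} shows a different "
                        f"address than {from_addr!r}")

    # Point 4: macro-capable attachments get read-only handling at most.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in MACRO_CAPABLE_EXTS:
            findings.append(f"macro-capable attachment {name!r}; "
                            "open read-only, do not enable macros")
    return findings


# Constructed samples: one message with the traits discussed above, one without.
SUSPICIOUS = build_email('"Accounts Team" <accounts@example.com>',
                         reply_to="accounts@example.org",
                         attachment="Notification_Update.xls")
CLEAN = build_email("bob@example.com", attachment="minutes.pdf")

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(label, triage_email(raw) or ["no findings"])
```

The checks are deliberately header-level and cheap, so they can run at a mail gateway before any attachment is opened; a hit is a reason to hold the message for a closer look, not proof of an attack.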

Quick Heal and Seqrite enterprise security solutions protect their users from such malicious email attachments and can also help in identifying remote Command and Control server communication. So, remember to keep endpoint security solutions always updated.

Subject Matter Expert:

Prashant Tilekar, Anjali Raut | Quick Heal Security Labs
