Amazon Zero Day Exploit


On October 07, 2015 our platform monitoring systems detected a new wave of spam emails carrying malicious .doc files. The decoy, which purported to be an Amazon invoice, was attached directly to an email targeting small businesses. The originator field was auto-confirm@amazon.com and each email carried an attachment with a name like amazon_invoice.doc.

The email usually reads as shown in the screenshot:

[Figure 1: screenshot of the phishing email]

The Securolytics monitoring system triggered an alert, so we could analyse the data:

  • Each message had a different envelope sender address.
  • 27% of the senders failed the SPF check.
  • They were sent from 27 different countries, with 29% never seen by our SMTP servers before. The messages were sent from the following countries: Italy, United Kingdom, Republic of Korea, Malaysia, Turkey, Uruguay, Vietnam, Dominican Republic, Spain and Japan.
  • The file size was 196 KB.
  • It was first detected on 2015-10-07 and last seen on 2015-10-20 (with similar modifications).
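The traits listed above (a From: header that claims amazon.com, a different envelope sender, a failed SPF check and a Word attachment) can be checked mechanically at the mail gateway. The following Python script is an added example written for this post, not Securolytics' own tooling: it reads each message, pulls the SPF result the receiving MTA recorded in Authentication-Results, compares the Return-Path domain with the From: domain, lists Word attachments, and aggregates the same per-message signals as the bullet list. The two sample messages and every domain in them are constructed; only the leading OLE header bytes of the attachment are included.

```python
"""Header triage for the traits listed above: From: claims amazon.com, the
envelope sender (Return-Path) sits in a different domain, the receiving MTA
recorded an SPF failure, and a Word document is attached."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

IMPERSONATED_DOMAINS = {"amazon.com"}          # brands this campaign spoofs
WORD_EXTENSIONS = (".doc", ".dot", ".docm")


def _domain(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def _spf_result(msg):
    """SPF result the receiving MTA wrote into Authentication-Results, else 'none'."""
    for value in msg.get_all("Authentication-Results", []):
        match = re.search(r"\bspf=(\w+)", str(value), re.IGNORECASE)
        if match:
            return match.group(1).lower()
    return "none"


def triage(raw):
    """Reasons a message matches the campaign profile; an empty list means clean."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = _domain(msg["From"])
    envelope_domain = _domain(msg["Return-Path"])
    docs = [part.get_filename() for part in msg.iter_attachments()
            if (part.get_filename() or "").lower().endswith(WORD_EXTENSIONS)]
    reasons = []
    if from_domain in IMPERSONATED_DOMAINS and envelope_domain != from_domain:
        reasons.append(f"From: claims {from_domain} but envelope sender is {envelope_domain}")
    if _spf_result(msg) == "fail":
        reasons.append("SPF fail recorded for the envelope sender")
    if docs:
        reasons.append("Word attachment: " + ", ".join(docs))
    return reasons


def campaign_stats(raws):
    """Aggregate the per-message signals the way the bullet list above does."""
    envelopes, spf_fails = set(), 0
    for raw in raws:
        msg = BytesParser(policy=policy.default).parsebytes(raw)
        envelopes.add(parseaddr(str(msg["Return-Path"] or ""))[1].lower())
        if _spf_result(msg) == "fail":
            spf_fails += 1
    return {
        "messages": len(raws),
        "distinct_envelope_senders": len(envelopes),
        "spf_fail_pct": round(100.0 * spf_fails / len(raws), 1) if raws else 0.0,
    }


# Constructed samples (not real captured mail). Only the OLE signature bytes of
# the attachment are included; the rest of the document is omitted.
MALICIOUS = b"""Return-Path: <ppqm7@relay.example.net>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=relay.example.net
From: "Amazon.com" <auto-confirm@amazon.com>
To: accounts@smallbiz.example
Subject: Your Amazon.com order has been cancelled
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find your invoice attached.
--b1
Content-Type: application/msword; name="amazon_invoice.doc"
Content-Disposition: attachment; filename="amazon_invoice.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuE=
--b1--
"""

BENIGN = b"""Return-Path: <order-update@amazon.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=amazon.com
From: "Amazon.com" <auto-confirm@amazon.com>
To: accounts@smallbiz.example
Subject: Your order has shipped
MIME-Version: 1.0
Content-Type: text/plain

Your order has shipped.
"""

if __name__ == "__main__":
    for raw in (MALICIOUS, BENIGN):
        print(triage(raw) or ["clean"])
    print(campaign_stats([MALICIOUS, BENIGN]))
```

The SPF verdict is taken from the gateway's own Authentication-Results header rather than re-evaluated, so the script runs offline; in production the header must come from your border MTA, since an attacker can inject a forged one upstream.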

Attached was a doc file with a macro.

[Figure 2: screenshot of the attached document]

FINAL ANALYSIS

A standard attachment filtering system does not stop it because its extension matches MS Office files and the announced MIME type is correct. In general it is a basic MS Word file, but it contains embedded VBA macros with keywords that indicate auto-execute behaviour.
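Because the file name, the declared MIME type and the OLE signature all agree, a filter that only compares those three passes the document. The added Python example below (written for this post; not the original analysis tooling) goes one step further without a full OLE parser: it checks the container magic, looks for the UTF-16LE storage names that a VBA project leaves in a legacy .doc, and then searches for the auto-execute procedure names and risky calls the text refers to. The three sample blobs are constructed and are not valid CFB files; a production scanner would decompress the VBA streams per MS-OVBA (oletools' olevba does this) rather than rely on keyword hits in raw bytes.

```python
"""Attachment triage for the trait described above: the file name, declared
MIME type and container magic all say 'ordinary Word document', so the only
way to catch it is to look inside the OLE container for a VBA project and
auto-execute entry points."""

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary signature
PE_MAGIC = b"MZ"                                  # Windows executable signature

# CFB directory entries store storage/stream names as UTF-16LE, so a VBA project
# leaves these byte patterns in a legacy .doc even without parsing the container.
VBA_STORAGES = ("Macros", "VBA", "_VBA_PROJECT")
# Procedure names Word runs automatically, plus calls that reach out of the document.
AUTO_EXEC = ("AutoOpen", "Auto_Open", "Document_Open", "AutoExec", "AutoClose", "Document_Close")
RISKY_CALLS = ("Shell", "CreateObject", "WScript.Shell", "URLDownloadToFile", "Environ")


def scan_word_attachment(filename, declared_mime, data):
    """Return {'findings': [...], 'verdict': 'allow' | 'review' | 'block'}."""
    claims_word = filename.lower().endswith((".doc", ".dot")) and declared_mime == "application/msword"
    findings = []
    if data.startswith(PE_MAGIC):
        findings.append("PE executable delivered under a Word file name")
        return {"findings": findings, "verdict": "block"}
    if not data.startswith(OLE_MAGIC):
        findings.append("not an OLE container: content does not match extension/MIME type")
        return {"findings": findings, "verdict": "block" if claims_word else "review"}
    storages = [name for name in VBA_STORAGES if name.encode("utf-16-le") in data]
    if not storages:
        findings.append("OLE document without a VBA project storage")
        return {"findings": findings, "verdict": "allow"}
    findings.append("VBA project storages present: " + ", ".join(storages))
    # Module source is normally MS-OVBA compressed, so plain keyword hits are a
    # heuristic: literal runs often survive compression, but absence proves nothing.
    auto = [name for name in AUTO_EXEC if name.encode() in data]
    risky = [name for name in RISKY_CALLS if name.encode() in data]
    if auto:
        findings.append("auto-execute entry points: " + ", ".join(auto))
    if risky:
        findings.append("risky calls: " + ", ".join(risky))
    return {"findings": findings, "verdict": "block" if auto or risky else "review"}


def _fake_ole(*fragments):
    """Constructed test blob: real OLE signature, padding, then the fragments.
    It is not a valid CFB file, only enough to exercise the scanner."""
    return OLE_MAGIC + b"\x00" * 504 + b"\x00".join(fragments)


# Constructed samples: a macro-free report, a document carrying a VBA project with
# an AutoOpen entry point, and a PE file renamed to .doc.
BENIGN_DOC = _fake_ole("WordDocument".encode("utf-16-le"), b"Quarterly report text")
MACRO_DOC = _fake_ole("Macros".encode("utf-16-le"), "VBA".encode("utf-16-le"),
                      b"Sub AutoOpen()", b"CreateObject", b"Shell")
EXE_AS_DOC = PE_MAGIC + b"\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for name, blob in (("report.doc", BENIGN_DOC), ("amazon_invoice.doc", MACRO_DOC),
                       ("amazon_invoice.doc", EXE_AS_DOC)):
        print(name, scan_word_attachment(name, "application/msword", blob))
```

A document with a VBA project but no recognisable keywords lands in "review" rather than "allow": for a small business that never receives macro-enabled invoices, quarantining every macro-bearing Office attachment from outside the organisation is the simpler and safer policy.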

The de-obfuscated code is available for review on Pastebin:

http://pastebin.com/TkuRNY79

Analysis from Cyphort:

TROJAN_ARTITEX.CY Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word

When the Trojan was launched, the following files were created and started in the background:

C:\Aaa\d1.exe

C:\Users\Al\AppData\Local\Temp\d1.exe
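The two drop locations above give a host-side detection opportunity that does not depend on the macro itself: Word has no business launching an executable from %TEMP% or from a freshly made folder directly under the drive root. The Python example below is added for this post (not part of the original analysis) and runs that rule over constructed Sysmon-style process-creation events; the two payload paths are the ones reported above, the remaining events are benign filler, and the allow-list of trusted roots is a coarse assumption that keeps legitimate Office helpers out of the alerts.

```python
"""Endpoint-side detection for the behaviour reported above: Word (or another
Office application) launching an executable that was just dropped into a
temp directory or a freshly created folder directly under the drive root."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Executables under these roots are installed software; a coarse allow-list so
# legitimate Office helpers (e.g. C:\Windows\splwow64.exe) are not flagged.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
DROP_LOCATIONS = [
    re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE),         # %TEMP% on Vista and later
    re.compile(r"\\Local Settings\\Temp\\", re.IGNORECASE),         # %TEMP% on XP/2003
    re.compile(r"^[A-Za-z]:\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE),  # C:\Aaa\d1.exe style
]


def check_process_event(event):
    """Return an alert string for one process-creation event, or None."""
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    image = event["image"]
    if parent not in OFFICE_PARENTS or not image.lower().endswith(".exe"):
        return None
    if image.lower().startswith(TRUSTED_ROOTS):
        return None
    if any(pattern.search(image) for pattern in DROP_LOCATIONS):
        return f"{parent} launched {image} (user {event['user']})"
    return None


def scan_events(events):
    """Alerts for every event matching the rule, in input order."""
    return [alert for alert in map(check_process_event, events) if alert]


# Constructed process-creation events (Sysmon-style fields). The two payload paths
# are the ones the sandbox reported for this sample; the others are benign filler.
WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
EVENTS = [
    {"user": "LAB\\Al", "parent_image": WINWORD, "image": r"C:\Aaa\d1.exe"},
    {"user": "LAB\\Al", "parent_image": WINWORD, "image": r"C:\Users\Al\AppData\Local\Temp\d1.exe"},
    {"user": "LAB\\Al", "parent_image": WINWORD, "image": r"C:\Windows\splwow64.exe"},
    {"user": "LAB\\Al", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\Al\AppData\Local\Temp\setup.exe"},
]

if __name__ == "__main__":
    for alert in scan_events(EVENTS):
        print("ALERT:", alert)
```

The rule keys on the parent process rather than the file name, so renaming d1.exe does not evade it; what it does not cover is a macro that launches a trusted system binary (cmd.exe, powershell.exe) with a payload on the command line, which needs a separate rule on the command-line field.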

A hexdump of the doc file shows the trail of Visual Basic objects and procedures:

C:\Beendigungen\Leistungswettbewerb\VB98\VB6.OLB


Files opened for writing:

C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\Normal.dotm
C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\Normal.dotm
C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\~$Normal.dotm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{655FBE34-A6B7-490C-83FC-D1A0D66E4E0E}.tmp
C:\Program Files\Windows Journal\AsScrPro\CI_TMPvBjTlJ.doc
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF8191.tmp
C:\Program Files\Windows Journal\AsScrPro\~$_TMPvBjTlJ.doc
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{A81B1C7A-12CE-4D43-BF0E-2D5F0505A66A}.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\CI_TMPvBjTlJ.doc.LNK
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\AsScrPro.LNK
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRF{220BDA3E-6DD3-4017-A5A4-1B14EEC2E555}.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.MSO\70E6BCB.emf
C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

How to Protect Yourself

  • Most importantly, don’t open links and attachments from an unknown source.
  • Use an antivirus and antimalware product and keep it up to date and running.
  • Review the Amazon security page; it contains some great advice for avoiding scams and hackers. Note that they currently have an alert up:

“If you received an e-mail regarding the cancellation of an order you don’t recognise, please check Your Orders in Your Account. If you can’t find a matching order, the e-mail you received wasn’t from Amazon. We recommend that you delete the e-mail”

  • Always check the sender’s email address.
  • When Amazon sends emails about an order, they wouldn’t CC a dozen or more additional email accounts.
  • Never, ever download and run an executable from a random email.

Contact us Now to Learn More

The engineers at Securolytics recommend that all organizations have an email filtering system which has been tested and approved for use. This way you can prevent the AMAZON INVOICE ZERO DAY and other malicious emails from ever entering your system.

Konstantin Nor | Senior Systems Engineer | Securolytics
