TG Soft's C.R.A.M (Anti-Malware Research Centre .) examined the spear-phishing campaign spread on April 2, 2018 targeting  Samsung Italy service centers. The campaign analyzed, targeting Samsung Italy service centers, is a multi-stage attack  and we monitored it until july 2018. We thank Samsung Italy for the effective collaboration that  allowed us to obtain a detailed reconstruction of the spy case targeting tis own service centers. Download the report in PDF (in italian): "Centri assistenza Samsung sotto attacco" For fraudulent mass mailings, "social engineering" methods are used, developed by people/cyber-criminals to induce the victim to open infected attachments or click on links in the body of the message.  If you received a suspicious email, send it to C.R.A.M. (Center for Anti-Malware Research)How to send suspicious emails   Analysis by: Gianfranco Tonello, Federico Girotto, Michele Zuin Last revision: 12 luglio 2018

INDEX ==> Campaign of spear-phishing targeting the service centers of Samsung Italy ==> Service center: HDMI SERVICE ==> Technical analysis of payload im6.exe ==> Technical analysis of RAT Revcode WM.exe ==> Technical analysis of payload njRAT nj.exe (Bladabindi) ==> Campaign evolution from May to July 2018 ==> Map of the infrastructure of cyber-attack ==> Conclusion ==> IOC   ==> How to protect yourself ==> How to send suspicious e-mails ==> Integrate your PC / Server protection with Vir.IT eXplorer Lite ==> For Vir.IT eXplorer PRO users..

 Spear-phishing campaign targeting Samsung Italy service centers

At the beginning of the month of April 2018 a spear-phishing campaign spread to the italian service centers of Samsung. The attack campaign started on 2 April 2018 at 2.15 pm with the spread of an email with the subject: "Comunicazione 18-061: gestione centri non autorizzati".

The attack seems to target only Samsung Italy service centers and it isn't a massive malspam campaign.

It seems that a similar attack was made at the end of March 2018 towards Samsung's Service Centers in Russia with the same modus operandi, as indicated by the Fortinet report:  "Non-Russian Matryoshka: Russian Service Centers Under Attack".

Now we will analyze the spear-phishing campaign that has spread in Italy.
The spear-phishing mail to perform the attack was perfect:

• the email seems to come from the official Samsung Italy headquarter
• the body of the message is in perfect Italian, contains elements and references to the Samsung company, the topics covered are known to the recipients of the message
• the attached file is an Excel document: "QRS non autorizzati.xlsx"
• the message is signed by the IT Service Manager of Samsung, a real person in Samsung Italy, and all his personal information as email and telephone numbers are shown
  

In the picture we can see the spear-phishing mail sent to the Samsung Service Centers:
As you can see in the body of the message, very specific terms are used, such as:

• Dealers who ship products "non scontrinati" (without a receipt) under their own business name
• Unauthorized service centers forwarding you  "volumi in garanzia" (volumes under warranty) that they cannot handle

The analysis of the text, makes us suppose that the message was written by an Italian mother tongue and no automatic translators were used. Besides industry terms were used as "non scontrinati" or "volumi in garanzia" that are directly connected to the recipients of the message.
As you can see from the picture of the email, the logo and company data are shown in the bottom of the message:

• "SAMSUNG ELECTRONICS ITALIA SPA", Via Mike Bongiorno, 9 - 20124 Milano (MI)  - Italy
• internal telephone number of the IM & IT Service Manager
  
• email address of the IM & IT Service Manager

The data in the email are real and do indeed correspond to the person mentioned in the message.

The email sent to Samsung's service centers contains the following Excel document:
Name: QRS non autorizzati.xlsx
Size: 18454 byte
MD5: 47EF2AE50AAE4AADF3B6BAEB412C7C6C
VirIT: X97M.DownloaderSam.A

The file "QRS non autorizzati.xlsx" contains the vulnerability CVE-2017-11882 (Microsoft Office Memory Corruption Vulnerability) on the module "eqnedt32.exe" Equation Editor of Excel, which downloads the malware from the site: lnx.hdmiservice[.]com/im6.exe.

Interestingly, the Excel document "QRS non autorizzati.xlsx" (Quick Repair Service) actually contains the list of unauthorized service centers, as we can see in the picture (for privacy reasons names and addresses are obfuscated):



At this point we verified if the e-mail sent to the Service Centers actually started from Samsung Italy.
In the picture we can see the header of the infected email sent:

Received: from MT01EX03N01.MT01.mse.messcube.it (10.35.253.12) by  MT01EX03N04.MT01.mse.messcube.it (10.35.253.15) with Microsoft SMTP Server  (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id  15.1.1415.2 via Mailbox Transport; Mon, 2 Apr 2018 14:42:09 +0200 Received: from MT01EX06N04.MT01.mse.messcube.it (10.35.253.27) by  MT01EX03N01.MT01.mse.messcube.it (10.35.253.12) with Microsoft SMTP Server  (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id  15.1.1415.2; Mon, 2 Apr 2018 14:42:09 +0200 Received: from mx1.mse.messcube.it (10.35.254.147) by  MT01EX06N04.MT01.mse.messcube.it (10.35.253.27) with Microsoft SMTP Server  (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id  15.1.1415.2 via Frontend Transport; Mon, 2 Apr 2018 14:42:09 +0200 Received: from localhost (unknown [127.0.0.1])     by mx1.mse.messcube.it (MSG3smtpd) with ESMTP id 70736199B     for <galXXX@XXXXXXXX.191.it>; Mon,  2 Apr 2018 12:42:09 +0000 (UTC) X-Virus-Scanned: amavisd-new at mse.messcube.it X-Spam-Flag: NO X-Spam-Score: 2.001 X-Spam-Level: ** X-Spam-Status: No, score=2.001 tagged_above=-9999 required=10     tests=[HTML_IMAGE_ONLY_24=2, HTML_MESSAGE=0.001,     RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01,     RCVD_IN_MSPIKE_WL=-0.01, SPF_SOFTFAIL=0.01, URIBL_BLOCKED=0.01]     autolearn=disabled Received: from mx1.mse.messcube.it ([127.0.0.1])     by localhost (mx1.mse.messcube.it [127.0.0.1]) (amavisd-new, port 10024)     with ESMTP id 0BgHMPCU_p-2 for <galXXX@XXXXXXXX.191.it>;     Mon,  2 Apr 2018 14:42:08 +0200 (CEST) X-Greylist: delayed 00:24:41 by SQLgrey-1.8.0 Received: from qproxy4-pub.mail.unifiedlayer.com (qproxy4-pub.mail.unifiedlayer.com [66.147.248.250])     by mx1.mse.messcube.it (MSG3smtpd) with ESMTPS id 660B91998     for <galXXX@XXXXXXXX.191.it>; Mon,  2 Apr 2018 14:42:07 +0200 (CEST) Received: from cmgw2 (unknown [10.0.90.83])     by qproxy4.mail.unifiedlayer.com (Postfix) with ESMTP id B2763A0328     for <galXXX@XXXXXXXX.191.it>; Mon,  2 Apr 2018 06:17:24 -0600 (MDT) Received: from box1125.bluehost.com ([50.87.248.125])     by cmgw2 with     id VQHM1x0012j4P7W01QHQoF; Mon, 02 Apr 2018 06:17:24 -0600 X-Authority-Reason: s=1 X-Authority-Analysis: v=2.2 cv=M5g9E24s c=1 sm=1 tr=0  a=ip9sk82UPAQ/lpE5utroiw==:117 a=ip9sk82UPAQ/lpE5utroiw==:17  a=Kd1tUaAdevIA:10 a=VNXQTJTquIlysLCTy2YA:9 a=QEXdDO2ut3YA:10 a=hD80L64hAAAA:8  a=xGSJWl63D5C4vKWM0foA:9 a=OMArbbpFsjqrJjHB:21 a=_W_S_7VecoQA:10  a=4k4lOSeL9kw-s91eC94A:9 a=gNstRkxIVkbMzKS_:18 a=HXjIzolwW10A:10  a=KwgpVZE-ergA:10 a=Fx9ydsAayyh_TJjkqnAA:9 a=IKIoO-ieCDEA:10  a=7qx8gLC0iM8A:10 a=oQrlS-b8-hQA:10 a=ckal8g68nOMA:10  a=08aomhM6C-o7A7omF0Fb:22 a=X1c0k9nRQnjIoBfxGzdG:22 Received: from [127.0.0.1] (port=52965 helo=box1125.bluehost.com)     by box1125.bluehost.com with esmtpa (Exim 4.89_1)     (envelope-from <XXXXXXXX@samsung.com>)     id 1f2yMD-003zSm-6f; Mon, 02 Apr 2018 06:14:41 -0600 Content-Type: multipart/mixed; boundary="=_2c36885fcd61b6cbe3b9c4eecddf1ca4" Date: Mon, 2 Apr 2018 06:14:39 -0600 From: XXXXXXXX <XXXXXXXX@samsung.com> To: undisclosed-recipients:; Subject: Comunicazione 18-061: gestione centri non autorizzati Message-ID: <1c943c1a0c12fc59f4afdb39704d4d3f@samsung.com> X-Sender: XXXXXXXX@samsung.com User-Agent: Roundcube Webmail/1.2.7 X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - box1125.bluehost.com X-AntiAbuse: Original Domain - XXXXXXXX.191.it X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - samsung.com X-BWhitelist: no X-Source-IP: 127.0.0.1 X-Exim-ID: 1f2yMD-003zSm-6f X-Source: X-Source-Args: X-Source-Dir: X-Source-Sender: (box1125.bluehost.com) [127.0.0.1]:52965 X-Source-Auth: zaragoza1@sam.gruposim.mx X-Email-Count: 325 X-Source-Cap: Z3J1cG9zaW07Z3J1cG9zaW07Ym94MTEyNS5ibHVlaG9zdC5jb20= X-Local-Domain: no Return-Path: XXXXXXXX@samsung.com X-MS-Exchange-Organization-Network-Message-Id: 809f8a03-b5df-4845-3b98-08d598972667 X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0 X-MS-Exchange-ABP-GUID: d7d8dc25-011d-41eb-8635-bf56c3cd3286 X-MS-Exchange-Organization-AuthSource: MT01EX06N04.MT01.mse.messcube.it X-MS-Exchange-Organization-AuthAs: Anonymous X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.4068414 X-MS-Exchange-Processed-By-BccFoldering: 15.01.1415.002 MIME-Version: 1.0

In the picture we can see the steps of sending the infected email:



The header analysis of the infected message showed that the email was sent by the webmail provider "bluehost.com". The webmail used would correspond to the machine box1125.bluehost.com (ip: 50.87.248.125) which is assigned to the Mexican company GrupoSim (gruposim.mx). As we can see from the MxToolbox record:

The access to the webmail seems to have happened with the email address: zaragoza1@sam.gruposim.mx.
So the infected email was not sent by Samsung Italy, but it was sent from a webmail of the Mexican company GrupoSim, whose login credentials to the email zaragoza1@sam.gruposim.mx may have been stolen by the actors of this cyber-espionage attack.

Service center: HDMI SERVICE

As we wrote previously, opening the infected document "QRS non autorizzati.xlsx", runs an OLE object embedded in the document, which exploits the CVE-2017-11882 vulnerability to download malware from the site: lnx.hdmiservice[.]com/im6.exe. Without bothering you with the shellcode technique used, we focus instead on the domain from where the malware of this espionage campaign, is downloaded.

The domain we are examining is  lnx.hdmiservice[.]com, hosted on Aruba .You can see the homepage in the picture. This domain is connected to an authorized Samsung service center, but for now we consider inappropriate to mention its name. [...Omissis...] (CENTRO ASSISTENZA SAMSUNG - TOSHIBA - HISENSE) Via [...Omissis...] Cap: [...Omissis...] Città: [...Omissis...] Prov.: [...Omissis...]

Public informations obtained from the service "Pagine Bianche":

The home page of the site lnx.hdmiservice[.]com is very "skinny" an it seems that the site  has been left to its own device.There is no information about the company, but according to our research, this domain seems to be connected to an official Samsung service center, as we can see from the website of the Korean manufacturer. See the picture.

To complete the perfection of the spear-phishing campaign against Samsung service centers, the document infected with the EX-QRS list, downloads the malware from a site of Samsung Italy service center .

We suppose that the domain of the "HDMI Service" was compromised before March 19, 2018, and the attack took place according to this scheme:

 

1. On March 19, 2018 Samsung Italy sends the communication "Comunicazione 18-061: gestione centri non autorizzati" to its authorized service centers.
2. We assume that one of these centers is spied on and that the email credentials where they received the communication 18-061, were stolen by the attackers.The original Samsung email is then exfiltrated by the cyber-criminal group.
3. The cybercriminal group re-packs the original Samsung email, keeping the body of the message in perfect Italian and relevant to the recipients, but modifies the document  "QRS non autorizzati.xlsx" making it malevolent through the insertion of the infected OLE object;
4. The fake infected Samsung email is sent on 02/04/2018 (Easter Monday) through the webmail of GrupoSim (Bluehost provider) to service centers of Samsung Italy.

 Payload im6.exe analysis

When you open the infected document "QRS non autorizzati.xlsx", which exploits the CVE-2017-11882,  vulnerability, it downloads and executes the malware from the site: lnx.hdmiservice[.]com/im6.exe. The downloaded im6.exe file is saved with name notepad.exe inside the folder: %appdata%\notepad.exe

Name: notepad.exe
Size: 675840 byte
Description of file: Pidgin - Versione 2.3.7.2 - Copyright (C) 1998-2010 The Pidgin developer community (See the COPYRIGHT file in the source distribution).
MD5: C750536CD26C071C97B91CB3CEDF50B0
Compilation timestamp: 02 april 2018 12.24.36
Malware family: Spyware - RAT
VirIT: Backdoor.Win32.SamRATim.A

Description:
The notepad.exe file is compiled in MSIL and is obfuscated with the ConfuserEx v0.6.0. Inside notepad.exe we find another executable file called BootstrapCS.exe in encrypted form


The BootstrapCS.exe file is compiled in MSIL, but isn't obfuscated . Inside we can find a resource called  "settings" for the malware configuration.

As we can see in the figure, in the configuration resource there are several anti-analysis checks indicated. The malware in question has enabled the controls of: anti_fiddler anti_sandboxie anti_vm anti_wireshark This allows the malware to recognize if it is running in a virtual environment or sandbox, and to check if the Wireshark program and the Fiddler web debugger are active. Interesting is the parameter "injection" set to 2, which allows you to indicate in which application to perform the injection of malware. In this case, it executes the injection on the RegAsm.exe process, as we can see from the figure below.

The malware injects the resource "_mainFile" into the RegAsm.exe process. The "_mainFile" resource is encrypted with a simple "xor" with a 0x20 key. From the decrypted resource "_mainFile", you get another executable file im3.exe:


The im3.exe file is nothing more than the Imminent-Monitor client, a commercial remote administration program (https://imminentmethods.net), in which we can read the following watermark:

please contact abuse@imminentmethods.net with the hardware id: "916581c30ad99fa570e8172ea42e3af8" and company name: "test" if this assembly was found being used maliciously. this file was built using invisible mode

Injection scheme used by notepad.exe to inject im3.exe into the RegAsm.exe process:

The client Imminent-Monitor inside the file im3.exe is a commercial remote administration program, which allows:

File Explorer Gathering Computer Specifications (Client Identifier, Unique Identifier, Public IP Address, Private IP Address, MAC Address, Operating System, Computer Name, Computer Username, System Privileges, Installed Screens, Processor, Graphics Card, Ram, Ram Usage, Battery Usage, Last Reboot, Installed Anti-Virus, Firewall Status) Clipboard Manager RDP Manager Password Recovery Camera Surveillance

Remote Desktop Task Manager Window Manager Registry Manager Startup Manager Command Prompt TCP View Reverse Proxy Machine Management Keystroke Logging Elevate Client Permissions Remote Execute Scripting

Inside the file im3.exe written in MSIL too, we find 3 resources:

• 0x90
• im3.Resources.resources -> _7z
• im3.Resources.resources -> application

The resource 0x90 contains 7 strings in Base64, these strings are encrypted:

• im3.Resources
• application
• 28d6cea3-468a-47a7-99e1-ad87edd5d5ab
• System.Reflection.Assembly
• Load
• im3.Resources
• _7z

The resource 0x90 is used to decrypt the resource "application" through the key "28d6cea3-468a-47a7-99e1-ad87edd5d5ab". The decrypted resource obtained is compressed with 7z (lzma). After decompressing it, the malware executes it.

Inside the "application" resource we find Imminent, which creates the folder of the same name in %appdata% (%appdata%\roaming\Imminent), where we find 2 subfolders:

• Logs
• Monitoring

In the "Logs" folder we find the daily log files captured by Imminent (eg 02-07-2018), instead in the "Monitoring" folder we find two files:

• network.dat
• system.dat

The malware connects to the command and control server (C2) cb5cb5.noip[.]me through port 3339.
The command and control server is not always active, but when the RAT can connect to cb5cb5.noip[.]me through port 3339, the first command it receives is to connect to the domain www.iptrackeronline.com, to get the victim's IP address. At this point, in addition to sending the exfiltrated information to the C2 server, it can receive commands to download new versions of RAT malware.

In the analyzed campaign we saw that it has downloaded new RAT malware from:

• lnx.hdmiservice[.]com/WM.exe
• lnx.hdmiservice[.]com/nj.exe

The first malware "WM.EXE" belongs to the Revcode WebMonitor family, whereas the second "nj.exe" belongs to the njRAT (Bladabindi) family.

Technical analysis of RAT Revcode WM.exe

As we have seen, from the command and control server cb5cb5.noip[.]me, the attackers can download other types of RAT into the victim's computer. In the attack examined, the malware was downloaded and executed from the site: lnx.hdmiservice[.]com/WM.exe. The downloaded WM.exe file is saved with the name VBC.exe inside the startup menu folder:
%appdata%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe

Name: vbc.exe
Size: 802816 byte
Description of file: Pidgin - Versione 2.10.12 - Copyright (C) 1998-2010 The Pidgin developer community (See the COPYRIGHT file in the source distribution).
MD5: C966F4A0916A1B5403E10F15F3591F06
Compilation timestamp: 01/04/2018 22.07.17
Malware family: Spyware - RAT Revcode
VirIT: Backdoor.Win32.SamRATwm.F

Description:
The vbc.exe file is compiled in MSIL and is obfuscated with the SmartAssembly. When the vbc.exe file runs, the following files are created in %temp%: 

• thfdfdnewa-.txt
• agdfdffhit.bat
• agdfnwinvss.vbs
• ru33dde11.bat

The file thfdfdnewa-.txt is a copy of vbc.exe
The file ru33dde11.bat contains the command: wscript.exe "%temp%\agdfnwinvss.vbs" "%temp%\agdfdffhit.bat
The file agdfnwinvss.vbs contains the comamnd: CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
The file agdfdffhit.bat runs the command dos copy:
copy "%users%\AppData\Local\Temp\thfdfdnewa-.txt" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe"

Inside vbc.exe we find, in encrypted form, another executable file compressed with UPX. This file isn't saved on the disk, but is used for the injection on RegAsm.exe process.


The file compressed with UPX, it is decrypted in memory through this algorithm:

and then injected into the RegAsm.exe process.
The module compressed with UPX is a commercial RAT (written in Visual Basic) called  Revcode WebMonitor (https://revcode.eu/), which permits to perform various operations of data exfiltration as:

• WebCam
• Screen Capture
• Keylogger
• Audio recorder
• Injection
• Clipboard

The RAT WM.exe (vbc.exe), aka RevCode, connects to the following C2 server irvingl.wm01 [.] to (ip: 5.206.224 [.] 22), to the following page: https: // irvingl. WM01 [.] to / recv3.php

The exfiltrated information is sent via "post", with the following structure:
code=bF6kAccY8yON[..]Jw== &data=BnvYaTa52ClOqYNyUuGC[..]EB47jQ== &key=YuqeS5by2ufBL[..]y &uid=57823F7953[..]20 &cmp=1 &enc=1

Technical analysis of payload njRAT nj.exe (Bladabindi)

In the attack analyzed, in addition to the download of the previous RAT, in some cases we noticed that in the victim's computer was downloaded and executed another malware from the site: lnx.hdmiservice[.]com/nj.exe. The downloaded file nj.exe is saved with the name server.exe inside the folder %appdata%\Roaming.

Name: server.exe
Size: 365056 byte
Description of file: Sonork Messenger - Versione 4.2.0.0 - Copyright © 2003-2006 by GTV Solutions, Incorporated
MD5: D1642488C5A0181FE57C474069DF8C04
Compilation timestamp: 02 april 2018 12.33.27
Malware family: Spyware - njRAT (Bladabindi)
VirIT: Backdoor.Win32.SamRATnj.B

Description:
The file server.exe is compiled in MSIL and is obfuscated with the ConfuserEx v0.6.0 program. Inside server.exe we find another executable file in encrypted form BootstrapCS.exe



The file BootstrapCS.exe is compiled in MSIL, but isn't obfuscated. Inside we can find a resource called  "settings" for the malware configuration.

As we can see in the picture, in the configuration resource there are several anti-analysis checks indicated. The malware in question has enabled the controls of: anti_fiddler anti_sandboxie anti_vm anti_wireshark This allows the malware to recognize if it is running in a virtual environment or sandbox, and to check if the Wireshark program and the Fiddler web debugger are active. Interesting is the parameter "injection" set to 6, which allows you to indicate in which application to perform the injection of malware. In this case, it executes the injection on itself, ie on the server.exe process, as we can see from the figure below.

The malware injects the "_mainFile" resource into the server.exe process. The "_mainFile" resource is encrypted with a simple "xor" with a 0x20 key. From the decrypted resource "_mainFile", you get another executable file in memory for injection:


The decrypted file in memory, which we will call again server.exe, is the njRAT, known as Bladabindi, a remote administration program.

The version used is 0.7d, as we can see from the configuration parameters.

The njRAT (Bladabindi) malware used in this campaign, connects to the command and control server cb4cb4.ddns [.]net port 1604, where the exfiltrated data is sent. The peculiarities of this RAT are: keylogging, screen capture, update and data exfiltration.

In the table below, we can see some commands used by njRAT (Bladabindi):

Commands	Options	Comments
ll		informations of system (ID campaign, name pc, user, version of o.s., version of RAT, etc)
inf		parametersi of configuration (name  server C2, port, process, etc)
act		name of active window
kl		keylogger
prof	~ ! @	write/read/delete value of registry
rn		download and execute  file
inv		open a local port
ret		???
pl		???
CAP		screen capture
un	~ ! @	uninstall
sc	~ PK	partial screen capture  (area)
up		update file
Ex	fm ~ ! @	execute shell comands
FM	! # @	file manager: enumerate file e directory
PLG		plugin
MSG		message

Campaign evolution from May to July 2018

In the months from May to July 2018, we have monitored the current campaign by analyzing each individual stage.

24 May 2018

On May 24th the Imminent RAT (payload im6.exe), after injecting into the RegAsm.exe process, connected to the command and control server cb5cb5.noip[.]me, from which the command was sent to download and run malware from the site: lnx.hdmiservice[.]com/net.exe. The downloaded net.exe file is saved with the random name 61869.exe inside the folder%temp%, and then copied into %appdata%\Roaming\Oracle\svhost.exe.

Name: net.exe (61869.exe)
Size: 512352 byte
Description of file: SoftEther VPN - Versione 4.22.0.9634
MD5: F16108CF7A03F9E94F91EDEEA32EBE22
Compilation timestamp: 18/05/2018 23.06.49
Malware family: Spyware - RAT
VirIT: Backdoor.Win32.SamRATnet.A

Description:
The net.exe file is compiled in MSIL and is obfuscated with the SmartAssembly program.
Inside net.exe we find another executable file in encrypted form. This file is not saved on disk, but used to inject the svhost.exe process (itself). In the picture we can see a part of the decryption algorithm used.

Interesting is the string we found inside net.exe:

where it is indicated a date (in English format) that coincides with that of compilation, most likely it was inserted by the obfuscator SmartAssembly.

Net.exe is another RAT of the Netwire family (https://www.rekings.com/shop/netwire/), with keylogger functionality, password recovery (Firefox, Thunderbird, SeaMonkey, Microsoft Outlook, Internet Explorer), etc. Inside the folder %appdata%\roaming we find the subfolder "Logs", inside which there are logs divided by day with the information exfiltered. This exfiltrated information is sent to the command and control server cb7cb7.ddns[.]net port 3333.
We do not have much information on this RAT, because during the analysis phase, the attackers have always preferred to send the command to uninstall their malware, most probably the computer was not of interest to them.

28 May 2018

On May 28th we "re-downloaded" a new version of the Imminent RAT, from lnx.hdmiservice[.]com/im6.exe (md5: 10349A36CBD8AA3A5F13B3A591432218). The im6.exe file is obfuscated with SmartAssembly. At runtime it is copied into %temp% with the name svchost.exe and does the injection in the process %temp%\svhost.exe. This version also connects to the command and control server cb5cb5.noip[.]me, from which it receives the command to download and run malware from the site: tafe[.]org/net.exe. The domain tafe[.].org is a site linked to the association of firefighters in Texas (Texas Association of Fire Educators), which has been most likely  compromised.
The downloaded net.exe file is saved with the random name 10800.exe inside the folder %temp%, and then copied to %appdata%\Roaming\Oracle\svhost.exe.  

Name: net.exe (10800.exe)
Size: 432128 byte
Description: GTV Program Launcher (CAB Type) - Versione 2.9.2.4
MD5: 4AFFDFB7FB38DE5065FDA1B5CE87EC8E
Compilation timestamp: 27/05/2018 17.27.04
Malware family: Spyware - RAT
VirIT: Backdoor.Win32.SamRATnet.B

Description:
The file Net.exe is compiled in MSIL and is obfuscated with the program ConfuserEx v0.6.0.
Inside net.exe we find another executable file in an encrypted form. This file is not saved on the disk, but used to inject the process svhost.exe. This is the RAT Netwire, another variant of the case seen on May 24, 2018, with keylogger functionality and password exfiltration. Inside the folder %appdata%\roaming
we find the subfolder "Logs", in which there are logs divided by day with the information exfiltrated. This exfiltrated information is sent to the command and control server cb7cb7.ddns[.]net port 3333.

28 June 2018

On June 28th we downloaded a new version of njRAT (Bladabindi), from lnx.hdmiservice[.]com/nj.exe (md5: 7B777263642CD694415ACCDB45B19DE6). The nj.exe file, after being copied into %appadata%\roaming\server.exe, connects to the command and control server cb4cb4.ddns[.]net through port 1604. This time the file is downloaded from the C2 server tmpCEE0.tmp.exe and saved inside the folder %temp%.

Name: tmpCEE0.tmp.exe
Size: 829440 byte
Description: Microsoft Corporation - Versione 60.48.6058.5862
MD5: 124CFF35E00D6F361E1DD73161833638
Compilation timestamp: 16/01/2016 06.27.22
Malware family: Downloader
VirIT: Trojan.Win32.DownloaderSam.A

The file tmpCEE0.tmp.exe contains the resource ">AHK WITH ICON<", as we see in the picture:



The resource ">AHK WITH ICON<" contains a script, which is executed by the malware, to download 2 files from https://paste.ee:

• https://paste[.]ee/r/hW6I2
• https://paste[.]ee/r/fsU10

The site https://paste.ee  is similar to Pastebin, but in this case it downloads 2 pages in Base64.
In the page https://paste[.]ee/r/fsU10 there is a binary code (shellcode), instead in the https://paste[.]ee/r/hW6I2 page another malware is contained, which we will call im.exe.
The tmpCEE0.tmp.exe file connects to the two url of https://paste.ee to download the malware im.exe and to inject it into the process: C:\WINDOWS\Microsoft.NeT\Framework\v2.0.50727\MSBuild.exe

Name im.exe (https://paste[.]ee/r/hW6I2 decodificato)
Size: 330240 byte
Description of file: im.exe - Versione 1.0.0.0
MD5: 1D85471A6C233A1BC926494A5EB3E400
Compilation timestamp: 06/03/2018 07.12.01
Malware family: Spyware - RAT
VirIT: Backdoor.Win32.SamRATim.I

The  im.exe  file is nothing more than the Imminent-Monitor client, a commercial remote administration program (https://imminentmethods.net),  where we can read the following watermark::

please contact abuse@imminentmethods.net with the hardware id: "b3cd0d50be0504f870d91ece52b73941" and company name: "test" if this assembly was found being used maliciously. this file was built using invisible mode

This version of Imminent connects to the following command and control server:
Server: frpfrp.ddns[.]net
Port: 3338

03 July 2018

On July 3rd we downloaded a new version of Imminent, from  lnx.hdmiservice[.]com/im6.exe (md5: 10349A36CBD8AA3A5F13B3A591432218). The im6.exe file, after the injection on RegAsm.exe, connects to the command and control server cb5cb5.noip[.]me. This time we get the WM.EXE file from http://tafe[.]org/WM.exe and saved in the folder %temp% with the name 17303.exe.

Name: WM.exe (17303.exe)
Size: 811008 byte
Description: Versione 1.1.23.0
MD5: 5094EBA48CCF4225D8AB547A2D88F5A0
Compilation timestamp: 16/01/2016 06.27.22
Malware family: Downloader
VirIT: Trojan.Win32.DownloaderSam.B

The file 17703.exe (WM.exe) contains the resource ">AHK WITH ICON<", as we saw in the case of June 28th.

The resource ">AHK WITH ICON<" contains a script, which is executed by the malware, to download 2 files from https://paste.ee:

• https://paste[.]ee/r/KC3M6
• https://paste[.]ee/r/fsU10

The page https://paste[.]ee/r/fsU10 contains a binary code (shellcode), whereas on the https://paste[.]ee/r/KC3M6 page another malware is contained (that we will call  Revcode Rat) which will perform an injection on the RegAsm.exe process Name: Revcode Rat (https://paste[.]ee/r/KC3M6 decodificato)
Size: 351232 byte
Description:
MD5: 733F247FED91B9ACB833C547C6988C8E
Compilation timestamp: 25/06/2018 17.21.26
Malware family: Spyware - RAT
VirIT: Backdoor.Win32.SamRATwm.H

This module is a commercial RAT (written in Visual Basic) called  Revcode WebMonitor (https://revcode.eu/), which we have already seen in April.
This new release connects to the C2 server irvingl.wm01[.]to (ip: 5.206.224[.]22) and to the page: https://irvingl.wm01[.]to/recv4.php

09 July 2018

On July 9th from the control command server of the Rat Imminent frpfrp.ddns[.]net  we received the command to download the WM.EXE file from http://tafe[.]org/WM.exe and save it in the folder %temp% with the name 3064.exe.

Name: WM.exe (3064.exe)
Size: 781312 byte
Description: muUwRdRRkCsIliuyGILx - Versione 2.3.2.0
MD5: 22DF9F6F208CAE2FDAD6EB76954B56B4
Compilation timestamp: 06/07/2016 06.57.39
Malware family: Spyware - RAT
VirIT:  Backdoor.Win32.SamRATwm.E

This downloaded module is the commercial RAT Revcode WebMonitor (https://revcode.eu/), which always connects to the C2 server irvingl.wm01[.]to (ip: 5.206.224[.]22) and to the page: https://irvingl.wm01[.]to/recv4.php

Attack infrastructure map

In the picture below, we can see the infrastructure used by the attackers at Samsung Italy service centers. The infrastructure was rebuilt starting from the spear-phishing attack on 2 April 2018. From here the multi-stage attack was analyzed from 3 April to the beginning of July 2018.




Attackers use 5 command and control servers:

• cb5cb5.noip[.]me
• cb4cb4.ddns[.]net
• cb7cb7.ddns[.]net
• frpfrp.ddns[.]net
• irvingl.wm01[.]to

A RAT is placed on each command and control server:

1. Imminent -> cb5cb5.noip[.]me
2. Imminent -> frpfrp.ddns[.]net
3. njRAT -> cb4cb4.ddns[.]net
4. Netwire -> cb7cb7.ddns[.]net
5. RevCode WebMonitor -> irvingl.wm01.to

Conclusions

We examined the campaign of spear-phishing, targeting the service centers of Samsung Italy, which started on 2 april 2018 . The attack campaign is a multi-stage type. This means that it starts to download an Excel file containing a vulnerability (payload im6.exe) and, If the computer hacked is of some interest for the authors of the campaign, then new payloads (RAT) are downloaded for the next stages of the attack.

The target of these attack campaign are the service centers of Samsung Italy, therefore it is a targeted and not massive campaign. We assume that the possible victims are between 200 and 300.  The spear-phishing campaign implemented is of high quality with a spread of an email in perfect italian sent from Samsung, with attached an Excel document relevant to the recipients. As we have seen, the fake email for spear-phishing would be an original one sent from Samsung Italy on 19th March 2018.
It's interesting that, a similar attack campaign with the same modus operandi, was registered at the end of March 2018, targeting the service centers of Samsung Russia. In that case an email written in russian was used  that seemed to be sent from Samsung Russia, with attached an Excel file infected, probably stolen from an egyptian company connected to Samsung and called "MTI MM Group" (https://mti-mmgroup.com/samsung/).
Therefore this campaign is not only targeting Samsung italy service centers, but it could involve more countries as, for example, Russia.
 
The vulnerability used is CVE-2017-11882 (Microsoft Office Memory Corruption Vulnerability), linked to the Equation Editor and it can work on all versions of Microsoft Office.

The attack campaign used mainly commercial RAT, which can exfiltrate data and spy the victim. We did not found "custom" spy programs, as can applies to cases of APT attack.

The comand and control servers use services, such as noip.me or ddns.net that, toghether with a VPN, make it impossible to identify the PC and / or the true IP address, to which exfiltrated information are sent. During the analysis phase it happened that C2 servers were not online and the RAT failed the connection for many hours, and then got back on line with a new IP address.

The actors of this attack remain unknown, even if the comand and control servers have already been used in previous campaigns some years ago.

IOC

MD5:

---

How to protect yourself

For Vir.IT eXplorer PRO owners it is always possible to contact or forward suspicious e-mails for free to the TG Soft technical support, the e-mail address for sending suspicious e-mails is: assistenza@viritpro.com (the suspicious e-mail goes sent as an attachment).  C.R.A.M. Technicians will analyze the material recived to evaluate every possible danger without any risk for our customers.

Go check our TG Soft support.

C.R.A.M.
Anti Malware Research Center by TG Soft