TG Soft's C.R.A.M. (Anti-Malware Research Centre) examined the spear-phishing campaign spread on April 2, 2018 targeting Samsung Italy service centers.
The campaign analyzed, targeting Samsung Italy service centers, is a multi-stage attack, and we monitored it until July 2018.
We thank Samsung Italy for the effective collaboration that allowed us to obtain a detailed reconstruction of the spy case targeting its own service centers.
For fraudulent mass mailings, "social engineering" methods are used, developed by cyber-criminals to induce the victim to open infected attachments or click on links in the body of the message.
Analysis by: Gianfranco Tonello, Federico Girotto, Michele Zuin
Last revision: 12 July 2018
Spear-phishing campaign targeting Samsung Italy service centers
At the beginning of April 2018 a spear-phishing campaign spread to the Italian service centers of Samsung. The attack campaign started on 2 April 2018 at 2.15 pm with the spread of an email with the subject: "Comunicazione 18-061: gestione centri non autorizzati".
The attack seems to target only Samsung Italy service centers and it isn't a massive malspam campaign.
It seems that a similar attack was made at the end of March 2018 towards Samsung's service centers in Russia with the same modus operandi, as indicated by the Fortinet report "Non-Russian Matryoshka: Russian Service Centers Under Attack".
Now we will analyze the spear-phishing campaign that has spread in Italy.
The spear-phishing mail used to perform the attack was perfect:
- the email seems to come from the official Samsung Italy headquarters
- the body of the message is in perfect Italian, contains elements and references to the Samsung company, and the topics covered are known to the recipients of the message
- the attached file is an Excel document: "QRS non autorizzati.xlsx"
- the message is signed by the IT Service Manager of Samsung, a real person in Samsung Italy, and all his contact details such as email and telephone numbers are shown
In the picture we can see the spear-phishing mail sent to the Samsung Service Centers:
As you can see in the body of the message, very specific terms are used, such as:
- Dealers who ship products "non scontrinati" (without a receipt) under their own business name
- Unauthorized service centers forwarding you "volumi in garanzia" (volumes under warranty) that they cannot handle
The analysis of the text makes us suppose that the message was written by an Italian native speaker and that no automatic translators were used. Besides, industry terms such as "non scontrinati" or "volumi in garanzia" were used that are directly connected to the recipients of the message.
As you can see from the picture of the email, the logo and company data are shown at the bottom of the message:
- "SAMSUNG ELECTRONICS ITALIA SPA", Via Mike Bongiorno, 9 - 20124 Milano (MI) - Italy
- internal telephone number of the IM & IT Service Manager
- email address of the IM & IT Service Manager
The data in the email are real and do indeed correspond to the person mentioned in the message.
The email sent to Samsung's service centers contains the following Excel document:
QRS non autorizzati.xlsx
Size: 18454 byte
VirIT: X97M.DownloaderSam.A
The file "QRS non autorizzati.xlsx" exploits the vulnerability CVE-2017-11882 (Microsoft Office Memory Corruption Vulnerability) in the module "eqnedt32.exe" (Equation Editor) of Excel, which downloads the malware from the site:
Interestingly, the Excel document "QRS non autorizzati.xlsx" (QRS = Quick Repair Service) actually contains the list of unauthorized service centers, as we can see in the picture (for privacy reasons names and addresses are obfuscated):
At this point we verified whether the e-mail sent to the service centers actually originated from Samsung Italy.
In the picture we can see the header of the infected email sent:
Received: from ( by ( with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
15.1.1415.2 via Mailbox Transport; Mon, 2 Apr 2018 14:42:09 +0200
Received: from ( by ( with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
15.1.1415.2; Mon, 2 Apr 2018 14:42:09 +0200
Received: from ( by ( with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
15.1.1415.2 via Frontend Transport; Mon, 2 Apr 2018 14:42:09 +0200
Received: from localhost (unknown [])
by (MSG3smtpd) with ESMTP id 70736199B
for <>; Mon, 2 Apr 2018 12:42:09 +0000 (UTC)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 2.001
X-Spam-Level: **
X-Spam-Status: No, score=2.001 tagged_above=-9999 required=10
tests=[HTML_IMAGE_ONLY_24=2, HTML_MESSAGE=0.001,
Received: from ([])
by localhost ( []) (amavisd-new, port 10024)
with ESMTP id 0BgHMPCU_p-2 for <>;
Mon, 2 Apr 2018 14:42:08 +0200 (CEST)
X-Greylist: delayed 00:24:41 by SQLgrey-1.8.0
Received: from ( [])
by (MSG3smtpd) with ESMTPS id 660B91998
for <>; Mon, 2 Apr 2018 14:42:07 +0200 (CEST)
Received: from cmgw2 (unknown [])
by (Postfix) with ESMTP id B2763A0328
for <>; Mon, 2 Apr 2018 06:17:24 -0600 (MDT)
Received: from ([])
by cmgw2 with
id VQHM1x0012j4P7W01QHQoF; Mon, 02 Apr 2018 06:17:24 -0600
X-Authority-Reason: s=1
X-Authority-Analysis: v=2.2 cv=M5g9E24s c=1 sm=1 tr=0
a=ip9sk82UPAQ/lpE5utroiw==:117 a=ip9sk82UPAQ/lpE5utroiw==:17
a=Kd1tUaAdevIA:10 a=VNXQTJTquIlysLCTy2YA:9 a=QEXdDO2ut3YA:10 a=hD80L64hAAAA:8
a=xGSJWl63D5C4vKWM0foA:9 a=OMArbbpFsjqrJjHB:21 a=_W_S_7VecoQA:10
a=4k4lOSeL9kw-s91eC94A:9 a=gNstRkxIVkbMzKS_:18 a=HXjIzolwW10A:10
a=KwgpVZE-ergA:10 a=Fx9ydsAayyh_TJjkqnAA:9 a=IKIoO-ieCDEA:10
a=7qx8gLC0iM8A:10 a=oQrlS-b8-hQA:10 a=ckal8g68nOMA:10
a=08aomhM6C-o7A7omF0Fb:22 a=X1c0k9nRQnjIoBfxGzdG:22
Received: from [] (port=52965
by with esmtpa (Exim 4.89_1)
(envelope-from <>)
id 1f2yMD-003zSm-6f; Mon, 02 Apr 2018 06:14:41 -0600
Content-Type: multipart/mixed; boundary="=_2c36885fcd61b6cbe3b9c4eecddf1ca4"
Date: Mon, 2 Apr 2018 06:14:39 -0600
To: undisclosed-recipients:;
Subject: Comunicazione 18-061: gestione centri non autorizzati
Message-ID: <>
User-Agent: Roundcube Webmail/1.2.7
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname -
X-AntiAbuse: Original Domain -
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-BWhitelist: no
X-Exim-ID: 1f2yMD-003zSm-6f
X-Source-Sender: ( []:52965
X-Email-Count: 325
X-Source-Cap: Z3J1cG9zaW07Z3J1cG9zaW07Ym94MTEyNS5ibHVlaG9zdC5jb20=
X-Local-Domain: no
X-MS-Exchange-Organization-Network-Message-Id: 809f8a03-b5df-4845-3b98-08d598972667
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-ABP-GUID: d7d8dc25-011d-41eb-8635-bf56c3cd3286
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.4068414
X-MS-Exchange-Processed-By-BccFoldering: 15.01.1415.002
MIME-Version: 1.0
In the picture we can see the steps of sending the infected email:
The header analysis of the infected message showed that the email was sent by the webmail provider "".
The webmail used would correspond to the machine (ip:
which is assigned to the Mexican company GrupoSim (
As we can see from the MxToolbox record:
The access to the webmail seems to have happened with the email address:
So the infected email was not sent by Samsung Italy, but from a webmail of the Mexican company GrupoSim, whose email login credentials may have been stolen by the actors of this cyber-espionage attack.
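The hop-by-hop reading of the Received: chain done above can be automated. The following is an added example (not code from the TG Soft write-up) that walks a header from the originating hop upward and flags an authenticated webmail submission whose envelope sender domain differs from the displayed From: domain; the header, host names, addresses and mailboxes are constructed placeholders, not values from the real campaign.

```python
"""Walk the Received: chain of a mail header, origin hop first.

Added example, not code from the TG Soft write-up: it automates the hop-by-hop
reading the analysts applied to the spoofed Samsung mail (origin submitted via
authenticated webmail, envelope sender on a third-party domain). The header
below is constructed for this example; host names, addresses and the From
mailbox are placeholders, not values from the real campaign.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample header: recipient MX on top, webmail submission at the bottom.
SAMPLE_HEADER = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.10])
\tby mailbox.recipient.example with ESMTP id AAA1;
\tMon, 2 Apr 2018 14:42:09 +0200
Received: from relay.hoster.example (relay.hoster.example [198.51.100.7])
\tby mx.recipient.example (Postfix) with ESMTP id BBB2;
\tMon, 2 Apr 2018 06:17:24 -0600
Received: from [192.0.2.55] (port=52965 helo=webmail.hoster.example)
\tby box.hoster.example with esmtpa (Exim 4.89_1)
\t(envelope-from <account@third-party.example>)
\tid CCC3; Mon, 02 Apr 2018 06:14:41 -0600
From: "IT Service Manager" <it.manager@vendor.example>
To: undisclosed-recipients:;
Subject: Comunicazione 18-061: gestione centri non autorizzati
User-Agent: Roundcube Webmail/1.2.7
MIME-Version: 1.0

"""

# "from <X> by <Y> [(mta)] with <proto>"; the optional paren group skips "(Postfix)".
HOP_RE = re.compile(r"from\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)"
                    r"(?:\s+\([^)]*\))?(?:\s+with\s+(?P<with>\S+))?", re.I)
ENV_RE = re.compile(r"envelope-from\s+<([^>]+)>", re.I)


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Join RFC 5322 continuation lines and return (name, value) pairs in order."""
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            break                                   # blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_hops(raw: str) -> List[Dict[str, str]]:
    """Return the Received hops ordered from the originating hop to the last one."""
    received = [v for n, v in unfold_headers(raw) if n.lower() == "received"]
    hops: List[Dict[str, str]] = []
    for value in reversed(received):                # bottom-most header = first hop
        m = HOP_RE.search(value)
        if not m:
            continue
        env = ENV_RE.search(value)
        hops.append({
            "from": m["from"],
            "by": m["by"],
            "with": (m["with"] or "").lower(),
            "envelope_from": env.group(1) if env else "",
        })
    return hops


def assess_origin(raw: str) -> Dict[str, object]:
    """Summarise where the message entered the mail system and whether the
    visible From: domain matches the envelope sender of that first hop."""
    headers = {n.lower(): v for n, v in unfold_headers(raw)}
    hops = parse_hops(raw)
    origin = hops[0] if hops else {}
    m = re.search(r"<([^>]+)>", headers.get("from", ""))
    from_addr = m.group(1) if m else headers.get("from", "")
    from_domain = from_addr.rpartition("@")[2].lower()
    env_domain = origin.get("envelope_from", "").rpartition("@")[2].lower()
    return {
        "hop_count": len(hops),
        "origin_host": origin.get("by", ""),
        # "esmtpa" (Exim) means the first hop was an authenticated submission,
        # i.e. someone logged in to that server's webmail/SMTP with credentials.
        "authenticated_submission": origin.get("with", "").startswith("esmtpa"),
        "envelope_domain": env_domain,
        "from_domain": from_domain,
        "sender_domain_mismatch": bool(env_domain) and env_domain != from_domain,
        "user_agent": headers.get("user-agent", ""),
    }


if __name__ == "__main__":
    for k, v in assess_origin(SAMPLE_HEADER).items():
        print(f"{k}: {v}")
```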
Service center: HDMI SERVICE
As we wrote previously, opening the infected document "QRS non autorizzati.xlsx" runs an OLE object embedded in the document, which exploits the CVE-2017-11882 vulnerability to download malware from the site lnx.hdmiservice[.]com/im6.exe. Without bothering you with the shellcode technique used, we focus instead on the domain from which the malware of this espionage campaign is downloaded.
The domain we are examining is lnx.hdmiservice[.]com, hosted on Aruba. You can see the homepage in the picture.
This domain is connected to an authorized Samsung service center, but for now we consider it inappropriate to mention its name.
Public information obtained from the service "Pagine Bianche":
- Via [...Omissis...]
- Cap: [...Omissis...] Città: [...Omissis...] Prov.: [...Omissis...]
The home page of the site lnx.hdmiservice[.]com is very "skinny" and it seems that the site has been left to its own devices. There is no information about the company, but according to our research this domain seems to be connected to an official Samsung service center, as we can see from the website of the Korean manufacturer. See the picture.
To complete the perfection of the spear-phishing campaign against Samsung service centers, the infected document with the EX-QRS list downloads the malware from a site belonging to a Samsung Italy service center.
We suppose that the domain of "HDMI Service" was compromised before March 19, 2018, and that the attack took place according to this scheme:
- On March 19, 2018 Samsung Italy sends the communication "Comunicazione 18-061: gestione centri non autorizzati" to its authorized service centers.
- We assume that one of these centers is spied on and that the credentials of the mailbox where it received communication 18-061 were stolen by the attackers. The original Samsung email is then exfiltrated by the cyber-criminal group.
- The cyber-criminal group re-packs the original Samsung email, keeping the body of the message in perfect Italian and relevant to the recipients, but modifies the document "QRS non autorizzati.xlsx", making it malicious through the insertion of the infected OLE object.
- The fake infected Samsung email is sent on 02/04/2018 (Easter Monday) through the webmail of GrupoSim (Bluehost provider) to the service centers of Samsung Italy.
Payload im6.exe analysis
When you open the infected document "QRS non autorizzati.xlsx", which exploits the CVE-2017-11882 vulnerability, it downloads and executes the malware from the site lnx.hdmiservice[.]com/im6.exe. The downloaded im6.exe file is saved with the name notepad.exe inside the %appdata% folder: %appdata%\notepad.exe
Size: 675840 byte
Description of file: Pidgin - Versione - Copyright (C) 1998-2010 The Pidgin developer community (See the COPYRIGHT file in the source distribution).
MD5: C750536CD26C071C97B91CB3CEDF50B0
Compilation timestamp: 02 April 2018 12.24.36
Malware family: Spyware - RAT
VirIT: Backdoor.Win32.SamRATim.A
The notepad.exe file is compiled in MSIL and is obfuscated with ConfuserEx v0.6.0. Inside notepad.exe we find another executable file, called BootstrapCS.exe, in encrypted form.
Name: BootstrapCS.exe
Size: 352768 byte
Description of file: BootstrapCS - Versione - Copyright © 2017
MD5: FBF757927F16ABE4F80B051C56445798
Compilation timestamp: 02 April 2018 12.24.36
VirIT: Backdoor.Win32.SamRATim.B
The BootstrapCS.exe file is compiled in MSIL but isn't obfuscated. Inside we can find a resource called "settings" holding the malware configuration.
As we can see in the figure, several anti-analysis checks are indicated in the configuration resource. The malware in question has enabled the following controls:
- anti_fiddler
- anti_sandboxie
- anti_vm
- anti_wireshark
This allows the malware to recognize if it is running in a virtual environment or sandbox, and to check if the Wireshark program and the Fiddler web debugger are active.
Interesting is the parameter "injection", set to 2, which indicates in which application to perform the injection of the malware. In this case, it performs the injection into the RegAsm.exe process, as we can see from the figure below.
The malware injects the resource "_mainFile" into the RegAsm.exe process.
The "_mainFile" resource is encrypted with a simple XOR with key 0x20.
From the decrypted "_mainFile" resource you get another executable file, im3.exe:
Name: im3.exe
Size: 330240 byte
Description of file: im3.exe - Versione
MD5: 8568B119697FC8187E31988887599DAB
Compilation timestamp: 13/03/2018 07.39.57
VirIT: Backdoor.Win32.SamRATim.H
The im3.exe file is nothing more than the Imminent-Monitor client, a commercial remote administration program (, in which we can read the following watermark:
please contact with the hardware id: "916581c30ad99fa570e8172ea42e3af8" and company name: "test" if this assembly was found being used maliciously. this file was built using invisible mode
Injection scheme used by notepad.exe to inject im3.exe into the RegAsm.exe process:
The Imminent-Monitor client inside the file im3.exe is a commercial remote administration program, which allows:
- File Explorer
- Gathering Computer Specifications (Client Identifier, Unique Identifier, Public IP Address, Private IP Address, MAC Address, Operating System, Computer Name, Computer Username, System Privileges, Installed Screens, Processor, Graphics Card, Ram, Ram Usage, Battery Usage, Last Reboot, Installed Anti-Virus, Firewall Status)
- Clipboard Manager
- RDP Manager
- Password Recovery
- Camera Surveillance
- Remote Desktop
- Task Manager
- Window Manager
- Registry Manager
- Startup Manager
- Command Prompt
- TCP View
- Reverse Proxy
- Machine Management
- Keystroke Logging
- Elevate Client Permissions
- Remote Execute
- Scripting
Inside the file im3.exe, also written in MSIL, we find 3 resources:
- 0x90
- im3.Resources.resources -> _7z
- im3.Resources.resources -> application
The resource 0x90 contains 7 strings in Base64; these strings are encrypted:
- im3.Resources
- application
- 28d6cea3-468a-47a7-99e1-ad87edd5d5ab
- System.Reflection.Assembly
- Load
- im3.Resources
- _7z
The resource 0x90 is used to decrypt the resource "application" through the key "28d6cea3-468a-47a7-99e1-ad87edd5d5ab". The decrypted resource obtained is compressed with 7z (LZMA). After decompressing it, the malware executes it.
Inside the "application" resource we find Imminent, which creates a folder of the same name in %appdata% (
where we find 2 subfolders:
In the "Logs" folder we find the daily log files captured by Imminent (e.g. 02-07-2018), whereas in the "Monitoring" folder we find two files:
The malware connects to the command and control server (C2) cb5cb5.noip[.]me on port 3339.
The command and control server is not always active, but when the RAT can connect to cb5cb5.noip[.]me on port 3339, the first command it receives is to connect to the domain,
to get the victim's IP address.
At this point, in addition to sending the exfiltrated information to the C2 server, it can receive commands to download new versions of RAT malware.
In the analyzed campaign we saw that it downloaded new RAT malware from:
- lnx.hdmiservice[.]com/WM.exe
- lnx.hdmiservice[.]com/nj.exe
The first belongs to the Revcode WebMonitor family, whereas the second belongs to the njRAT (Bladabindi) family.
Technical analysis of RAT Revcode WM.exe
As we have seen, from the command and control server cb5cb5.noip[.]me the attackers can download other types of RAT onto the victim's computer. In the attack examined, the malware was downloaded and executed from the site lnx.hdmiservice[.]com/WM.exe. The downloaded WM.exe file is saved with the name vbc.exe inside the Startup folder:
%appdata%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe
Size: 802816 byte
Description of file: Pidgin - Versione 2.10.12 - Copyright (C) 1998-2010 The Pidgin developer community (See the COPYRIGHT file in the source distribution).
MD5: C966F4A0916A1B5403E10F15F3591F06
Compilation timestamp: 01/04/2018 22.07.17
Malware family: Spyware - RAT Revcode
VirIT: Backdoor.Win32.SamRATwm.F
The vbc.exe file is compiled in MSIL and is obfuscated with SmartAssembly. When vbc.exe runs, the following files are created in %temp%:
- thfdfdnewa-.txt
- agdfdffhit.bat
- agdfnwinvss.vbs
- ru33dde11.bat
The file thfdfdnewa-.txt is a copy of vbc.exe.
The file ru33dde11.bat contains the command: wscript.exe "%temp%\agdfnwinvss.vbs" "%temp%\agdfdffhit.bat"
The file agdfnwinvss.vbs contains the command: CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
The file agdfdffhit.bat runs the DOS copy command:
copy "%users%\AppData\Local\Temp\thfdfdnewa-.txt" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe"
Inside vbc.exe we find, in encrypted form, another executable file compressed with UPX. This file isn't saved on disk, but is used for the injection into the RegAsm.exe process.
Name: <without name>
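The four-file staging chain above (.bat in %temp% calling wscript with a .vbs that hides a second .bat, which copies a .txt into the Startup folder as vbc.exe) is easy to spot in process telemetry. The following is an added detection example (not from the TG Soft write-up) that scores constructed command lines and script lines for that chain; the user and file names are placeholders in the style of the page.

```python
"""Detect the RevCode WM.exe (vbc.exe) staging chain described above.

Added example, not from the TG Soft write-up. It scores strings taken from
process command-line telemetry (e.g. Sysmon event 1) together with the
contents of dropped .bat/.vbs files, looking for the chain: a .bat in %temp%
launching wscript with a .vbs that hides a second .bat, which copies a .txt
into the Startup folder under an .exe name. The sample strings are
constructed; user and file names are placeholders in the style of the page.
"""
import re
from typing import Dict, List

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def classify(text: str) -> List[str]:
    """Return the indicators one command line or script line exhibits."""
    hits: List[str] = []
    low = text.lower()
    # cmd.exe /c <...>\Temp\<name>.bat : batch launcher staged in %temp%
    if re.search(r'cmd(\.exe)?\s+/c\s+"?[^"]*\\temp\\[^"]*\.bat', text, re.I):
        hits.append("bat_executed_from_temp")
    # wscript.exe <temp>\x.vbs <temp>\y.bat : script host used as a launcher proxy
    if "wscript" in low and TEMP_RE.search(text) and ".vbs" in low:
        hits.append("wscript_vbs_from_temp")
        if re.search(r'\.vbs"?\s+"?[^"]*\.bat', text, re.I):
            hits.append("vbs_receives_bat_argument")
    # VBS body: WScript.Shell.Run <argument>, 0, False  (window style 0 = hidden)
    if ".run" in low and "wscript.arguments" in low and re.search(r",\s*0\s*,", text):
        hits.append("hidden_window_run_of_argument")
    # copy ... into the per-user Startup folder, with a .txt renamed to .exe
    if re.search(r"\bcopy\b", low) and STARTUP_RE.search(text):
        hits.append("copy_into_startup_folder")
        if re.search(r'\.txt"?\s+"?[^"]*\.exe"?\s*$', text, re.I):
            hits.append("txt_renamed_to_exe")
    return hits


def score_host(lines: List[str]) -> Dict[str, object]:
    """Aggregate indicators over a host's lines; the chain is only called when
    both the script-host proxy and the Startup copy are present."""
    found = set()
    for line in lines:
        found.update(classify(line))
    chain = {"wscript_vbs_from_temp", "copy_into_startup_folder"} <= found
    return {"indicators": sorted(found), "score": len(found),
            "staging_chain": chain and len(found) >= 4}


# Constructed telemetry in the shape of the chain described on the page.
SAMPLE_LINES = [
    r'C:\Windows\System32\cmd.exe /c "C:\Users\u1\AppData\Local\Temp\ru33dde11.bat"',
    r'wscript.exe "C:\Users\u1\AppData\Local\Temp\agdfnwinvss.vbs" '
    r'"C:\Users\u1\AppData\Local\Temp\agdfdffhit.bat"',
    r'CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False',
    r'C:\Windows\System32\cmd.exe /c "C:\Users\u1\AppData\Local\Temp\agdfdffhit.bat"',
    r'copy "C:\Users\u1\AppData\Local\Temp\thfdfdnewa-.txt" '
    r'"C:\Users\u1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe"',
    r'C:\Windows\System32\notepad.exe "C:\Users\u1\Documents\notes.txt"',   # benign
]

if __name__ == "__main__":
    print(score_host(SAMPLE_LINES))
```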
Size: 147968 byte
Description file:
MD5: 31664036A9917EE12DDA6688C72E878F
Compilation timestamp: 29/12/2017 00.08.39
VirIT: Backdoor.Win32.SamRATwm.G
The UPX-compressed file is decrypted in memory through the algorithm shown in the picture, and then injected into the RegAsm.exe process.
The UPX-compressed module is a commercial RAT (written in Visual Basic) called Revcode WebMonitor (, which allows various data exfiltration operations, such as:
- WebCam
- Screen Capture
- Keylogger
- Audio recorder
- Injection
- Clipboard
The RAT WM.exe (vbc.exe), aka RevCode, connects to the C2 server irvingl.wm01[.]to (ip: 5.206.224[.]22), at the following page: https://irvingl.wm01[.]to/recv3.php
The exfiltrated information is sent via HTTP POST, with the following structure:
code=bF6kAccY8yON[..]Jw== &
data=BnvYaTa52ClOqYNyUuGC[..]EB47jQ== &
key=YuqeS5by2ufBL[..]y &
uid=57823F7953[..]20 &
cmp=1 &
Technical analysis of payload njRAT nj.exe (Bladabindi)
In the analyzed attack, in addition to the download of the previous RAT, in some cases we noticed that another malware was downloaded and executed on the victim's computer from the site lnx.hdmiservice[.]com/nj.exe. The downloaded file nj.exe is saved with the name server.exe inside the folder %appdata%\Roaming.
Size: 365056 byte
Description of file: Sonork Messenger - Versione - Copyright © 2003-2006 by GTV Solutions, Incorporated
MD5: D1642488C5A0181FE57C474069DF8C04
Compilation timestamp: 02 April 2018 12.33.27
Malware family: Spyware - njRAT (Bladabindi)
VirIT: Backdoor.Win32.SamRATnj.B
The file server.exe is compiled in MSIL and is obfuscated with ConfuserEx v0.6.0. Inside server.exe we find another executable file, BootstrapCS.exe, in encrypted form.
Name file: BootstrapCS.exe
Size: 46592 byte
Description of file: BootstrapCS - Versione - Copyright © 2017
MD5: ABBE16193144DAC74DAE7B9DE653D84F
Compilation timestamp: 02 April 2018 12.33.27
VirIT: Backdoor.Win32.SamRATnj.E
The BootstrapCS.exe file is compiled in MSIL but isn't obfuscated. Inside we can find a resource called "settings" holding the malware configuration.
As we can see in the picture, several anti-analysis checks are indicated in the configuration resource. The malware in question has enabled the following controls:
- anti_fiddler
- anti_sandboxie
- anti_vm
- anti_wireshark
This allows the malware to recognize if it is running in a virtual environment or sandbox, and to check if the Wireshark program and the Fiddler web debugger are active.
Interesting is the parameter "injection", set to 6, which indicates in which application to perform the injection of the malware. In this case, it performs the injection into itself, i.e. into the server.exe process, as we can see from the figure below.
The malware injects the "_mainFile" resource into the server.exe process. The "_mainFile" resource is encrypted with a simple XOR with key 0x20. From the decrypted "_mainFile" resource you get another executable file in memory, used for the injection:
Name: <without name>
Size: 24064 byte
MD5: B2A604500E1555A7A13413C0F7A69732
Compilation timestamp: 18/07/2017 08.10.01
VirIT: Backdoor.Win32.Generic.AWM
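Both BootstrapCS stages described on this page (the one inside notepad.exe/im6.exe that injects into RegAsm.exe, and the one inside server.exe/nj.exe that injects into itself) store their payload as a "_mainFile" resource XORed with the single byte 0x20. The following is an added example (not code from the TG Soft write-up) showing how an analyst decodes such a resource, verifies that a PE header came out, and infers the key by known plaintext when it is not given; the resource bytes are a constructed minimal PE-shaped blob, not the real im3.exe or njRAT payload.

```python
"""Recover the XOR-0x20 "_mainFile" resource that BootstrapCS injects.

Added example, not code from the TG Soft write-up. Both BootstrapCS stages
described above keep their payload as a "_mainFile" resource XORed with the
single byte 0x20; this shows how an analyst decodes it, verifies a PE header
came out, and infers the key when it is not known. The resource bytes are
constructed (a minimal PE-shaped blob), not the real im3.exe or njRAT payload.
"""
import struct
from typing import Optional

XOR_KEY = 0x20


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with a single-byte key; the same call also encodes."""
    return bytes(b ^ key for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """Require the DOS 'MZ' stub and the PE signature at the e_lfanew offset."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def guess_single_byte_key(resource: bytes) -> Optional[int]:
    """Infer the key by assuming the plaintext starts with 'MZ' (known plaintext)."""
    if len(resource) < 2:
        return None
    key = resource[0] ^ ord("M")
    return key if resource[1] ^ key == ord("Z") else None


def recover_mainfile(resource: bytes, key: Optional[int] = None) -> Optional[bytes]:
    """Decode a "_mainFile" resource and return the PE, or None if it does not
    decode to something PE-shaped (wrong key, different packing, truncated)."""
    if key is None:
        key = guess_single_byte_key(resource)
        if key is None:
            return None
    decoded = xor_decode(resource, key)
    return decoded if looks_like_pe(decoded) else None


def build_fake_pe() -> bytes:
    """Constructed stand-in for the embedded payload: MZ header, e_lfanew = 0x40,
    PE signature, IMAGE_FILE_MACHINE_I386 and zero padding. Not runnable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + b"\x4c\x01" + b"\0" * 18


if __name__ == "__main__":
    resource = xor_decode(build_fake_pe())          # what the resource looks like on disk
    print("key:", hex(guess_single_byte_key(resource)))
    print("pe recovered:", recover_mainfile(resource) == build_fake_pe())
```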
The decrypted file in memory, which we will again call server.exe, is njRAT, known as Bladabindi, a remote administration program.
The version used is 0.7d, as we can see from the configuration parameters.
The njRAT (Bladabindi) malware used in this campaign connects to the command and control server cb4cb4.ddns[.]net on port 1604, where the exfiltrated data is sent. The peculiarities of this RAT are: keylogging, screen capture, update and data exfiltration.
In the table below, we can see some commands used by njRAT (Bladabindi):
| Commands | Options | Comments |
| --- | --- | --- |
| ll | | system information (campaign ID, PC name, user, OS version, RAT version, etc.) |
| inf | | configuration parameters (C2 server name, port, process, etc.) |
| act | | name of active window |
| kl | | keylogger |
| prof | ~ ! @ | write/read/delete registry value |
| rn | | download and execute file |
| inv | | open a local port |
| ret | | ??? |
| pl | ??? | screen capture |
| un | ~ ! @ | uninstall |
| sc | ~ PK | partial screen capture (area) |
| up | | update file |
| Ex | fm ~ ! @ | execute shell commands |
| FM | ! # @ | file manager: enumerate files and directories |
| plugin | | |
| message | | |
Campaign evolution from May to July 2018
In the months from May to July 2018 we monitored the current campaign, analyzing each individual stage.
24 May 2018
On May 24th the Imminent RAT (payload im6.exe), after injecting into the RegAsm.exe process, connected to the command and control server cb5cb5.noip[.]me, from which the command was sent to download and run malware from the site lnx.hdmiservice[.]com/net.exe. The downloaded net.exe file is saved with the random name 61869.exe inside the folder %temp%, and then copied to %appdata%\Roaming\Oracle\svhost.exe.
net.exe (61869.exe)
Size: 512352 byte
Description of file: SoftEther VPN - Versione
MD5: F16108CF7A03F9E94F91EDEEA32EBE22
Compilation timestamp: 18/05/2018 23.06.49
Malware family: Spyware - RAT
VirIT: Backdoor.Win32.SamRATnet.A
The net.exe file is compiled in MSIL and is obfuscated with SmartAssembly.
Inside net.exe we find another executable file in encrypted form. This file is not saved on disk, but is used to inject into the svhost.exe process (itself). In the picture we can see part of the decryption algorithm used.
Interesting is the string we found inside net.exe (see the picture), which indicates a date (in English format) that coincides with the compilation date; most likely it was inserted by the SmartAssembly obfuscator.
Net.exe is another RAT of the Netwire family (, with keylogger functionality, password recovery (Firefox, Thunderbird, SeaMonkey, Microsoft Outlook, Internet Explorer), etc. Inside the folder %appdata%\roaming we find the subfolder "Logs", inside which there are logs divided by day with the exfiltrated information. This exfiltrated information is sent to the command and control server cb7cb7.ddns[.]net on port 3333.
We do not have much information on this RAT, because during the analysis phase the attackers always preferred to send the command to uninstall their malware; most probably the computer was not of interest to them.
28 May 2018
On May 28th we "re-downloaded" a new version of the Imminent RAT from lnx.hdmiservice[.]com/im6.exe (md5: 10349A36CBD8AA3A5F13B3A591432218).
The im6.exe file is obfuscated with SmartAssembly. At runtime it is copied into %temp% with the name svchost.exe and performs the injection into the process %temp%\svhost.exe.
This version also connects to the command and control server cb5cb5.noip[.]me, from which it receives the command to download and run malware from the site tafe[.]org/net.exe. The domain tafe[.]org is a site linked to an association of firefighters in Texas (Texas Association of Fire Educators), which has most likely been compromised.
The downloaded net.exe file is saved with the random name 10800.exe inside the folder %temp%, and then copied to %appdata%\Roaming\Oracle\svhost.exe.
net.exe (10800.exe)
Size: 432128 byte
Description: GTV Program Launcher (CAB Type) - Versione
Compilation timestamp: 27/05/2018 17.27.04
Malware family: Spyware - RAT
VirIT: Backdoor.Win32.SamRATnet.B
The net.exe file is compiled in MSIL and is obfuscated with ConfuserEx v0.6.0.
Inside net.exe we find another executable file in encrypted form. This file is not saved on disk, but is used to inject into the svhost.exe process. This is the Netwire RAT, another variant of the one seen on May 24, 2018, with keylogger functionality and password exfiltration. Inside the folder %appdata%\roaming we find the subfolder "Logs", in which there are logs divided by day with the exfiltrated information. This exfiltrated information is sent to the command and control server cb7cb7.ddns[.]net on port 3333.
28 June 2018
On June 28th we downloaded a new version of njRAT (Bladabindi) from lnx.hdmiservice[.]com/nj.exe (md5: 7B777263642CD694415ACCDB45B19DE6).
The nj.exe file, after being copied into %appdata%\roaming\server.exe, connects to the command and control server cb4cb4.ddns[.]net through port 1604. This time the file tmpCEE0.tmp.exe is downloaded from the C2 server and saved inside the folder %temp%.
Size: 829440 byte
Description: Microsoft Corporation - Versione 60.48.6058.5862
MD5: 124CFF35E00D6F361E1DD73161833638
Compilation timestamp: 16/01/2016 06.27.22
Malware family: Downloader
VirIT: Trojan.Win32.DownloaderSam.A
The file tmpCEE0.tmp.exe contains the resource ">AHK WITH ICON<", as we see in the picture:
The resource ">AHK WITH ICON<" contains a script, which is executed by the malware, to download 2 files from
- https://paste[.]ee/r/hW6I2
- https://paste[.]ee/r/fsU10
The site is similar to Pastebin, but in this case it serves 2 pages in Base64.
The page https://paste[.]ee/r/fsU10 contains binary code (shellcode), whereas the https://paste[.]ee/r/hW6I2 page contains another malware, which we will call im.exe.
The tmpCEE0.tmp.exe file connects to the two URLs of to download the malware im.exe and injects it into the process:
Name: im.exe (https://paste[.]ee/r/hW6I2 decoded)
Size: 330240 byte
Description of file: im.exe - Versione
MD5: 1D85471A6C233A1BC926494A5EB3E400
Compilation timestamp: 06/03/2018 07.12.01
Malware family: Spyware - RAT
VirIT: Backdoor.Win32.SamRATim.I
The im.exe file is nothing more than the Imminent-Monitor client, a commercial remote administration program (, in which we can read the following watermark:
please contact with the hardware id: "b3cd0d50be0504f870d91ece52b73941" and company name: "test" if this assembly was found being used maliciously. this file was built using invisible mode
This version of Imminent connects to the following command and control server:
Port: 3338
03 July 2018
On July 3rd we downloaded a new version of Imminent from lnx.hdmiservice[.]com/im6.exe (md5: 10349A36CBD8AA3A5F13B3A591432218).
The im6.exe file, after the injection into RegAsm.exe, connects to the command and control server cb5cb5.noip[.]me.
This time the WM.exe file is downloaded from http://tafe[.]org/WM.exe and saved in the folder %temp% with the name 17303.exe.
WM.exe (17303.exe)
Size: 811008 byte
Description: Versione
MD5: 5094EBA48CCF4225D8AB547A2D88F5A0
Compilation timestamp: 16/01/2016 06.27.22
Malware family: Downloader
VirIT: Trojan.Win32.DownloaderSam.
The file 17703.exe (WM.exe) contains the resource ">AHK WITH ICON<", as we saw in the case of June 28th.
The resource ">AHK WITH ICON<" contains a script, which is executed by the malware, to download 2 files from
- https://paste[.]ee/r/KC3M6
- https://paste[.]ee/r/fsU10
The page https://paste[.]ee/r/fsU10 contains binary code (shellcode), whereas the https://paste[.]ee/r/KC3M6 page contains another malware (which we will call Revcode Rat) that performs an injection into the RegAsm.exe process.
Revcode Rat (https://paste[.]ee/r/KC3M6 decoded)
Size: 351232 byte
MD5: 733F247FED91B9ACB833C547C6988C8E
Compilation timestamp: 25/06/2018 17.21.26
Malware family: Spyware - RAT
VirIT: Backdoor.Win32.SamRATwm.H
This module is a commercial RAT (written in Visual Basic) called Revcode WebMonitor (, which we have already seen in April.
This new release connects to the C2 server irvingl.wm01[.]to (ip: and to the page:
09 July 2018
On July 9th, from the command and control server of the Imminent RAT frpfrp.ddns[.]net, we received the command to download the WM.exe file from http://tafe[.]org/WM.exe and save it in the folder %temp% with the name 3064.exe.
WM.exe (3064.exe)
Size: 781312 byte
Description: muUwRdRRkCsIliuyGILx - Versione
MD5: 22DF9F6F208CAE2FDAD6EB76954B56B4
Compilation timestamp: 06/07/2016 06.57.39
Malware family: Spyware - RAT
VirIT: Backdoor.Win32.SamRATwm.E
This downloaded module is the commercial RAT Revcode WebMonitor (, which again connects to the C2 server irvingl.wm01[.]to (ip: and to the page:
Attack infrastructure map
In the picture below, we can see the infrastructure used by the attackers against Samsung Italy service centers. The infrastructure was reconstructed starting from the spear-phishing attack of 2 April 2018. From there the multi-stage attack was analyzed from 3 April to the beginning of July 2018.
Attackers use 5 command and control servers:
- cb5cb5.noip[.]me
- cb4cb4.ddns[.]net
- cb7cb7.ddns[.]net
- frpfrp.ddns[.]net
- irvingl.wm01[.]to
A RAT is placed on each command and control server:
- Imminent -> cb5cb5.noip[.]me
- Imminent -> frpfrp.ddns[.]net
- njRAT -> cb4cb4.ddns[.]net
- Netwire -> cb7cb7.ddns[.]net
- RevCode WebMonitor ->
We examined the spear-phishing campaign targeting the service centers of Samsung Italy, which started on 2 April 2018.
The attack campaign is multi-stage. This means that it starts with an Excel file exploiting a vulnerability to download the first payload (im6.exe) and, if the compromised computer is of some interest to the authors of the campaign, new payloads (RATs) are then downloaded for the next stages of the attack.
The targets of this attack campaign are the service centers of Samsung Italy, so it is a targeted and not a massive campaign. We assume that the possible victims are between 200 and 300. The spear-phishing campaign implemented is of high quality: an email in perfect Italian apparently sent from Samsung, with an attached Excel document relevant to the recipients. As we have seen, the fake spear-phishing email would be based on an original one sent by Samsung Italy on 19th March 2018.
It's interesting that a similar attack campaign with the same modus operandi was registered at the end of March 2018, targeting the service centers of Samsung Russia. In that case an email written in Russian was used that seemed to be sent from Samsung Russia, with an infected Excel file attached, probably stolen from an Egyptian company connected to Samsung called "MTI MM Group" (
Therefore this campaign is not only targeting Samsung Italy service centers, but could involve more countries, for example Russia.
The vulnerability used is CVE-2017-11882 (Microsoft Office Memory Corruption Vulnerability), linked to the Equation Editor, and it can work on all versions of Microsoft Office.
The attack campaign mainly used commercial RATs, which can exfiltrate data and spy on the victim. We did not find "custom" spy programs, as typically happens in cases of APT attacks.
The command and control servers use services, such as or, that, together with a VPN, make it impossible to identify the PC and/or the true IP address to which the exfiltrated information is sent. During the analysis phase it happened that C2 servers were not online and the RAT failed to connect for many hours, and then came back online with a new IP address.
The actors of this attack remain unknown, even if the command and control servers had already been used in previous campaigns some years ago.
Server C2:
Anti Malware Research Center by TG Soft