Suspected BEC Campaign Targeting Banks

In the past week we’ve been receiving reports of different—but seemingly related—email malware campaigns targeting banks in both the US and Europe, specifically in the form of Excel Workbooks containing a malicious macro being sent as an attachment to emails. What’s interesting is that even though the email themes used are varied, the attached bait documents are mostly similar.

Below we have provided an example email and a step-by-step analysis of the malicious Excel Workbook attachment being utilized, along with Indicators of Compromise listed at the bottom. We have not been successful in acquiring the final payload from the malware servers, so we have no idea what the main purpose of this campaign is at this moment. We will update this blog with any new information.

Example email from one of the related campaigns utilizing the Excel Workbook attachment.

How It Works: Payload Analysis 

Excel Workbook Attachment

1. Once you open this Excel Workbook, you will see a decoy image prompting you to enable the macro content from the Office Security Options

   

   

   

2. Drops embedded XLSX to the Windows temporary directory as 13.xlsx
3. Renames XLSX file 13.xlsx.zip
4. Extracts either carpc2.dll for 64-bit or carpc2.dll for 32-bit Windows
5. Loads the extracted DLL with LoadLibrary API and calls the Get2 export function

DLL Behaviour

1. Once loaded, the DLL decrypts a needed function, which also decrypts and decompresses the main DLL at runtime.
2. The 32-bit main DLL is packed with UPX unlike the 64-bit version which is not.
3. The main DLL will then gather the following information from the affected system:
   
   1. Computer Name
   2. User Name
   3. OS Version
   4. Currently running process names
4. This information is then used as parameters for the beacon to its server/s
5. Depending on the server’s response, it may attempt to download and execute a final payload into the affected system.

URL Parameter format

&D=<COMPUTERNAME>&U=<USERNAME>&OS=<OS VERSION>&PR=<URL ENCODED PROGRAM NAME LIST>

Example:

&D=PWNM3&U=M3PWN&OS=6.2&PR=ApplicationFrameHost%2eexe%7cMSASCuiL%2eexe%7cMicrosoft%2ePhotos%2eexe%7cOneDrive%2eexe%7cRuntimeBroker%2eexe%7cSearchUI%2eexe%7cShellExperienceHost%2eexe%7cSystemSettings%2eexe%7cdllhost%2eexe%7cexplorer%2eexe%7cida%2eexe%7cjusched%2eexe%7cloaddll%2eexe%7collydbg%2eexe%7cprocexp%2eexe%7cprocexp64%2eexe%7csihost%2eexe%7csvchost%2eexe%7ctaskhostw%2eexe%7ctbzrcache%2eexe%7cvmtoolsd%2eexe%7c

User-Agent

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; CIBA; MS-RTC LM 8)

Indicators of Compromise and Cyren Detections

If you are thinking about evaluating new email security services, why not try Cyren’s Email Security Gap Analysis assessment, which is easy to deploy alongside your existing email security and free of charge to qualifying companies.