Detailed Technical Analysis Report of Fake Companies House Spam Campaign

Fake Companies House eReminder Spam Campaign Overview

Recently a new malware campaign has been seen in the UK, in which an attacker is sending phishing emails to Companies House Clients with an attachment of Office Document in the Email.

An attachment contains a malicious document contains an obfuscated malicious macro script that attempts to connect their C&C server to automatically downloads the Trickbot malware in the background on the user’s machine with the help of PowerShell.

Flow Chart:

Technical Analysis of Fake Companies House Spam Campaign

File Name: confirmation.doc

MD5: 1092EE9913FCD8F11C34CD17E01C7DFC

File Type: DOC

Spread Via:  E-mail

Detail Description Fake Companies House with Screenshot:

During execution of confirmation.doc, it’s launch Microsoft Word application in Protected View Mode.

Figure 1 Enable Content (Macros Disabled)

By default, Microsoft Office Application has turned on the Protected Mode Feature & Also Disabled the Macro’s for security purposes.

In case, if the user disabled the protection mechanism & enabled the macro’s feature then the warning message notification didn’t pop up. And it will harm your system.

So, it’s always recommended to never disable the protection mode.

Also, Read Detailed Technical Analysis Report of Total Wipe Out Ransomware

In case, if the user clicks on the Enable Content button or doesn’t use Microsoft Default Protected View Mode, the Malicious macro will automatically execute the malicious code in the background, without user concern.

As you can see below, in the background that an attacker has used the AutoOpen Function, which means, on opening the document malicious macro code will start its execution process.

Figure 2 AutoOpen Function

As shown below, WINWORD.exe creates several processes

Figure 3 Process Tree

As shown below, confirmation.doc contain obfuscated malicious macro which is not clearly visible and understandable by the normal user & it also contains various modules with the UserForm1.

Figure 4 Obfuscated Macro Code

To understand the obfuscated code, a person needs to be expertise or having the skillset to deobfuscate this kind of obfuscated code.

As shown below, this malicious macro code is using User Form & shell function to launch the final PowerShell command with the help of CMD.exe

Figure 5 Length to Calculate

Figure 6 Calling Malicious Function

By analyzing the above obfuscated macro code, we came to know that it's running the malicious PowerShell script in the background.

PowerShell script:

Figure 5 PS Script

As shown above, by analyzing the above PowerShell script, we came to know that it attempts to connect one of their C&C Server by using try-catch block method, if one URL fails to download the payload then it will pass to the catch block to download the payload on the victim machine.

If the URL is active, it will download the payload at following location C:\Users\admin\AppData\Local\Temp\yenrotta.exe

Thereupon, it automatically starts the downloaded payload process (yenrotta.exe) on the victim’s machine.

Once the Trickbot malware is downloaded (HASH: 5b0cbb6abbb24bcf52c189e9efdab9eb), it automatically initiated by the powershell.exe as shown in the above PowerShell script.

Following is the process tree of the trick but malware

Figure 6 Trickbot Process Tree

As shown above, Once the trickbot malware is activated then it deletes the windows defender service with the help of cmd.exe and sc.exe command. First, they stop the windows defender service and thereafter it deletes the windows defender service so, that windows defender didn’t detect their malicious behavior.

Figure 4 Service Deleted

As shown above, in the trickbot process tree after deleting the service it also attempts to disable the real-time monitoring through PowerShell command.

Thereafter, it copies itself into %appdata%\roaming\vsmcd\yentotta.exe

While the malware is running in the background it creates a task scheduler service with the name of MsSystemWatcher in C:\Windows\System32\Tasks

Trickbot malware drops the module and config files at the following location C:\Users\admin.admin-PC\AppData\Roaming\vcmsd\Modules as you can see in the following screenshot:

Figure 5 Trickbot Modules & Config Files

 As shown below trickbot malware injects the svchost.exe and initiated several processes of svchost.exe, cmd.exe, net.exe, ipconfig.exe, nltest.exe

Figure 6 Svchost.exe Process Tree

As shown below, it also creates the several files at following location C:\Users\admin.admin-PC\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28

Figure 7 Vault Files

As shown below, trickbot malware attempts to connect their C&C Server on following IP’s & URL to exchange the data.

54.38.201.122:443

162.247.155.150:443

As shown below it creates the user folder on their server

hxxps://54.38.201.122/182.72.1.90/ser0828/ADMIN-PC_W6xxxxxxxx/send/

Trickbot malware contains the list of some bank names for their targets following are the partial names of them:

IOC’s

Associated Hash

File Name: confirmation.doc

MD5: 1092EE9913FCD8F11C34CD17E01C7DFC

Filename: Policy.vpol

MD5: C4603D24852540F89C091D85395E9C1B

SHA1: F2D3F26770EA66C084C9836021757519DB99C4AB

CRC32: B417EC37

Filename: FAQ

MD5: 44E7721ED085027D1692DFA4356AA2E1

SHA1: 98B36A149810315716AE99B98D9BC0FC8A8B95E1

CRC32: ADB1BA40

Filename: info.dat

MD5: 41CF4BFD5591F3A74D4B2A9FEC6D276E

SHA1: 2282C4FC3039D3999106195648CD0FA980EA140D

CRC32: 38C1EA73

Filename: README.md

MD5: 9E8CC02038685D7661E547BDA5E10D9B

SHA1: 425A0EA1306E8DF70253FEC77B6D9408764AEC36

CRC32: 98EC0E89

Filename: yentotta.exe

MD5: 5B0CBB6ABBB24BCF52C189E9EFDAB9EB

SHA1: C5D115AD42E6DCA5FD08E17EFA50C69CC8A300FB

CRC32: B66C42CB

Filename: mailsearcher32

MD5: F877C696C4082654FE64E135966FFCC6

SHA1: 34D44FFB9F57FAABF77528DD81F4D9990D2ED983

CRC32: 622D8C91

Filename: networkDll32

MD5: 30562B6FE4D8EFDCE3783CDD0909FFE6

SHA1: 05B8E3B60512EC12372B817814E436F39E2C801B

CRC32: CAED28C5

Filename: systeminfo32

MD5: B3A9D059584418A2A0803FB0C6753EA9

SHA1: D19EF63CCEF78C785CBDE5008FBFE7721625D02F

CRC32: AE0D7F34

Filename: importDll32

MD5: 3C0A14D3E4E5F1968434ECB017A4689B

SHA1: F98CA6A41521EC9655F750578111D6E2D08D43A9

CRC32: FA2B7317

Filename: injectDll32

MD5: 2E3B973AA67FDC9104498685AA02954C

SHA1: EF7AC76C22351FC3B3CCBFB115EA5E845D896787

CRC32: ADFCC5C8

Filename: dinj

MD5: 64078E299D391D5D3CD7CE2B1DFF76B5

SHA1: 5F05E6DDBA3E87F2E9DDC58A266DA63E7F591D29

CRC32: C1B06A4D

Filename: dpost

MD5: 2F3AC7FA7304C0AE2F83C9C66015F782

SHA1: 4800128B06405C9AF469F14304773EA1980869A6

CRC32: 7555D155

Filename: sinj

MD5: 78229773D899AFE223388286608EC099

SHA1: ACEAE19663A8C8FA84CA67CC5A9F8C396D5C570A

CRC32: 9E9E51B8

Filename: mailconf

MD5: CFA2A959539E47465537DE5300B7D5E4

SHA1: 44C041248E5BD3B8FAB2DACC46C1E2B63DFD70C3

CRC32: 4A6259F9

Filename: dpost

MD5: 2F3AC7FA7304C0AE2F83C9C66015F782

SHA1: 4800128B06405C9AF469F14304773EA1980869A6

CRC32: 7555D155

Filename: etorador.bat

MD5: 4A97DBD24537980ACC99C1F4354BA3D8

SHA1: 683646B8A20848EF5AD35C00D890AF8B04378770

CRC32: B7D945F0

Associated URL

hxxps://inventeksys[.]com/odjbas[.]dlknxaaa

hxxp://apps[.]identrust[.]com/roots/dstrootcax3[.]p7c

hxxp://bathroomsign[.]com/odjbas[.]dlknxaaa

hxxp://www[.]download[.]windowsupdate[.]com/msdownload/update/v3/static/trustedr/en/authrootstl[.]cab

Associated Path

C:\Users\admin.admin-pc\AppData\Roaming\vcmsd\info.dat

C:\Users\admin.admin-pc\AppData\Roaming\vcmsd\Modules\systeminfo32

C:\Users\admin.admin-pc\AppData\Roaming\Mozilla\Firefox\Profiles\renpv6dn.default\prefs.js

C:\Users\admin.admin-pc\AppData\Roaming\vcmsd\Modules\injectDll32_configs\sinj

C:\Users\admin.admin-pc\AppData\Roaming\vcmsd\Modules\injectDll32_configs\dpost

 C:\Users\admin.admin-pc\AppData\Roaming\vcmsd\Modules\networkDll32

 C:\Users\admin.admin-pc\AppData\Roaming\vcmsd\Modules\networkDll32_configs\dpost

Associated IP

54.38.201.122:443

162.247.155.150:443

Associated Registry Entry

Similar Read Detailed Technical Analysis Report of New Variant of Jigsaw Ransomware