New Spam Campaign Uses Fake Resumes, Legitimate Microsoft BITS Feature to Spread Malware
A new wave of spam emails is delivering evasive malware via fake job applications and resumes.
Timely attack campaign: Attackers are taking advantage of the New Year, a time when hiring initiatives and the number of job applications companies recieve is up, to send fake resumes hiding malware.
Word document attachments are password-protected: This allows them to evade detection from sandboxing and filtering.
Attack abuses legitimate Windows tool: Once enabled, a macro embedded in the Word document launches Windows Background Intelligent Transfer Service (BITS) to download the payload (a trojan called "Smoke Loader"). Because it is a legitimate service, use of BITS can bypass detection and whitelisting.
Malware payload is stealthy and difficult to remove: Once on a machine, the Smoke Loader trojan evades detection by injecting itself into legitimate processes and establishes persistence by making changes to the registry.
Barkly blocks Smoke Loader: Barkly blocks the Smoke Loader payload from executing, but also prevents it from even touching the machine by blocking the execution of the malicious Word document macro.
See what the Smoke Loader attack looks like and watch Barkly block it.
A new wave of malicious phishing emails is currently infecting victims with Smoke Loader, malware that provides remote control to perform a plethora of activities ranging from stealing credentials to downloading other malware payloads.
According to My Online Security, the trojan is being delivered via a spam campaign that utilizes password-protected Word document attachments, which allows them to evade sandboxes (because they require human interaction to open) and make email and AV scanning more difficult.
With the new year right around the corner, tis the season of recruiting and job applications, and these nefarious actors are leveraging that to their benefit. The email is floating around with the subject line of ‘Website Job Application’ and is just convincing enough to potentially persuade a busy end user to open the attachment.
On opening the file, the user is prompted for the password (123456), and after successful login, the user is asked to run the macro by clicking the Enable Editing or Enable Content button.
Fake resume Word document attachment.
The Word document is embedded with VBA macros, which contains the ‘AutoClose’ function that prohibits it from running until the Word document has been closed — another technique utilized to avoid sandbox analysis.
Abusing Windows Background Intelligent Transfer Service (BITS) to download the payload
At this point, instead of launching PowerShell to download a payload from the Internet — as we've seen the majority of similar malware campaigns do — this campaign utilizes Background Intelligent Transfer Service (bitsadmin.exe), a legitimate Microsoft command-line tool. In non-malicious cases, BITS is used to create valid download or upload jobs, primarily for Windows and third-party software updates. In this case, however, it’s abused to download the malicious Smoke Loader payload.
Because BITS is a valid component of Windows, use of it can blend into legitimate system activity and be very difficult for many security solutions to detect. This tactic of "living off the land" is a dangerous trend we've seen gaining traction throughout the year.
The Smoke Loader payload
Smoke Loader, also known as “Dofoli, ” is downloaded from hxxp://126.96.36.199/paddle.jpg (a domain in Africa) and is renamed as ASxas.exe. It is primarily used to download a variety of other malware onto the infected machine. Recent examples include the TrickBot banking trojan, GlobeImposter ransomware, and most currently, cryptocurrency miners.
injecting its code into legitimate processes like explorer.exe and svchost.exe to evade detection
stealing credentials from browsers, email and FTP clients, etc.
adding registry entries to achieve persistence and load itself on each startup
disabling some AV solutions
Because of its evasive, persistent nature, it is important to prevent Smoke Loader infections from taking hold in the first place. The best way to do that is by reminding users not to trust documents they receive over email, blocking macros in Office files downloaded from the Internet (here's how to use Group Policy to do that), and using a solution like Barkly designed to provide defense in depth against these attacks.
Watch Barkly block this attack before the payload can be delivered
Blocking old and new techniques that deliver malware
Gaining control of machines via spam emails is one of the oldest tricks in the book for attackers. Yet they’re constantly introducing new variations and techniques to this routine in attempts to bypass security.
Barkly, unlike traditional AVs, is designed to provide protection against malware like Smoke Loader at multiple stages of the attack chain. Not only does it prevent the trojan from executing, it prevents the macro embedded in the Word document from launching, thereby stopping the attack before the payload can even touch the machine. As a result, no damage is incurred.