[German]The Internet Storm Center (SANS ISC) warns about some new attack scam that is attempted via phishing emails. The attackers are trying to distribute malicious content to users via an ISO file embedded in an HTML page. What was interesting to me was that the ISO cannot be mounted with Windows 10, but contains a VBS file with a dropper for further downloads. It looks like there is an attack vector in testing that tries to disguise the malware from the usual detection methods. That's why I'm posting the whole thing here on the blog.
Advertising
I came across the warning that the Internet Storm Center (SANS ISC) is currently spreading via the following tweet. However, it doesn't seem to be a large-scale attack campaign yet, it's more a trial.
In this explanation, Xavier Mertenswrites that he came across an interesting phishing email. As usual, the message was delivered with a malicious attachment Order_Receipt.html, which is a simple HTML page. On VirusTotal, only a few scanners detect the malware (VT score of 5/59).
Note: If you receive such mails, I do not advise you to open them quickly in your browser to see what is hidden behind them. There could be a drive-by download embedded, which already leads to an infection. Just the other day I received a similar mail (from a sender that looked familiar) that had an HTML attachment. But since no information was given in the email – the body was mostly empty, it was clear that this was an attack attempt. Instead of quickly inspecting this attachment in the browser, I saved it to disk and opened it in an editor. There was a Bitly-shortened HTML link to a target page and some obfuscated HTML code. When I then copied and pasted the target URL to VirusTotal, two (out of 93) virus scanners confirmed that the target page was malicious.
The attachment mentioned in the above mail from SANS ISC is a text file and, according to Mertens, therefore looks less suspicious. When the page is opened in the victim's browser, it displays a simple message offering the victim to download an ISO file (see screenshot in above tweet). The top of the page is filled with superfluous text that is not displayed:
<center>
<p align="left"> <p style="font-size: 0px; display: none">In this day and age, an appetizer can be difficult to
...</p>
Mertens suspects that this is intended to bypass the basic security controls that only check the beginning of files in the attachment. The actual ISO file is embedded in a Javascript function and, as usual, Base64 encoded. After decryption, the payload has a VT value of 10/55. The HTML file is brand new, but the ISO file was used 2 months ago, according to VirusTotal.
Advertising
Windows 8.x and later versions can indeed mount ISO files without any additional software. But what is interesting, according to Xavier Mertens, is that this ISO file cannot be mounted with Windows 10. Rather, a message appears that the ISO is not formatted with the NTFS file system.
However, Mertens managed to mount the ISO file under Linux. There he found out that the ISO file contains an obfuscated VBScript file APVSTYS43574.vbs, which is not detected as malicious by Virustotal. The VBScript code can be found here. The VBScript attempts to download the next level of malware from an (infected) website. But the page is not accessible by now, the infection must have been noticed.
This is not a huge problem, but an example of how cybercriminals try very different ways to disguise malware and bypass incoming mail controls. That's why I put the example here on the blog for administrators, so they can adjust their security rules if necessary.
Advertising