As a security researcher who trusts my instincts, I’ve been feeling the need to monitor my Gmail account’s Spam folder for quite some time. Being an active Gmail user since 2006, I was certain that, over the span of 13 years, my email address had found its way onto the lists of malicious entities (spammers) sending unsolicited messages from various regions, including Nigeria and Papua New Guinea.
One day, while reviewing the Spam folder again, I noticed an overwhelming number of unwanted emails that made me feel like a celebrity. 🙂 These emails prompted me to think about how I could track the volume of messages that had landed in my Gmail Spam folder over the years, as well as identify the types of malicious attachments they contained (such as spyware). Eventually, I decided to create a Python program that would monitor the Spam folder and upload any attached files to a sandbox environment.
I decided to use Hybrid Analysis, which runs the Falcon sandbox in the background, as my sandbox service; I use it frequently for malware analysis and have always been satisfied with it. However, automatically uploading detected files through the Hybrid Analysis API required an unrestricted API key. Fortunately, since they provide this for free to security researchers, I was able to obtain one in a short time.
After creating and deploying a Python-based tool called Spam Analyzer, it wasn’t long before the tool identified a suspicious file named “PO.docx” in the Spam folder.
The Spam Analyzer tool connects to your Gmail account through the Gmail API, using the connection details from the “client_secret.json” file (available for download from the Google API Console). It scans all emails in the Spam folder, saves the attached files to the “attachments” folder, and uploads them to the Hybrid Analysis system. The tool logs the details of every uploaded file in the “hashes.txt” file. One hour after an upload, it also writes the Hybrid Analysis report and the file’s malicious status into “hashes.txt”.
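The attachment-extraction and logging step of the workflow above, as an added example that is not the Spam Analyzer’s own code: it decodes a raw Gmail API message, pulls out the attachments, stores each one under its SHA-256 (rather than the sender-chosen filename, so a hostile name cannot escape the folder) and appends a line to “hashes.txt”, skipping hashes already logged so a sample is only submitted to the sandbox once. The sample message and the `run_demo` helper are constructed for illustration; the actual Hybrid Analysis upload is left out because it needs an API key and network access.

```python
import base64
import email
import hashlib
import json
import tempfile
from email import policy
from pathlib import Path

# Constructed sample: a raw RFC 822 message of the kind the Gmail API returns
# (base64url-encoded) for a message under the SPAM label. The attachment body
# is a harmless placeholder, not the PO.docx discussed in the article.
SAMPLE_RAW = (
    "From: sender@example.invalid\r\nTo: me@example.invalid\r\n"
    "Subject: Purchase Order\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nSee attached PO.\r\n"
    '--b1\r\nContent-Type: application/octet-stream; name="PO.docx"\r\n'
    'Content-Disposition: attachment; filename="PO.docx"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(b"not a real document").decode() + "\r\n--b1--\r\n"
)

def extract_attachments(raw_b64url: str):
    """Decode a Gmail 'raw' message; return [(filename, bytes)] per attachment."""
    raw = base64.urlsafe_b64decode(raw_b64url + "=" * (-len(raw_b64url) % 4))
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(p.get_filename(), p.get_payload(decode=True)) for p in msg.iter_attachments()]

def record_and_save(attachments, out_dir: Path, hashes_file: Path):
    """Save new attachments by SHA-256 and log them; return the digests not seen before."""
    seen = set()
    if hashes_file.exists():
        seen = {json.loads(line)["sha256"] for line in hashes_file.read_text().splitlines()}
    out_dir.mkdir(parents=True, exist_ok=True)
    new = []
    with hashes_file.open("a") as fh:
        for name, data in attachments:
            digest = hashlib.sha256(data).hexdigest()
            if digest in seen:
                continue  # already submitted on an earlier run; do not resubmit
            (out_dir / digest).write_bytes(data)  # hash as filename: no path traversal
            # 'status' is a placeholder to be replaced by the sandbox verdict later
            fh.write(json.dumps({"sha256": digest, "filename": name, "status": "submitted"}) + "\n")
            seen.add(digest)
            new.append(digest)
    return new

def run_demo():
    """Run two passes over the sample in a temp dir; the second pass must add nothing."""
    raw = base64.urlsafe_b64encode(SAMPLE_RAW.encode()).decode().rstrip("=")
    atts = extract_attachments(raw)
    work = Path(tempfile.mkdtemp())
    first = record_and_save(atts, work / "attachments", work / "hashes.txt")
    second = record_and_save(atts, work / "attachments", work / "hashes.txt")
    return atts, first, second
```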
When I began analyzing the “PO.docx” file with the Pestudio tool, I discovered that, apart from ZoneAlarm, no security product flagged it as suspicious. I then opened the file in an installation of Microsoft Office 2010 with an outdated patch level and monitored its activity with the Fiddler tool. I observed that it first downloaded and executed the “svch.doc” file from the shortened URL “http://urlz[.]fr/6uQM” (expanded URL: “http://23[.]249[.]161[.]109/ace/“). Afterward, it tried to download the “svchost32.vbs” file from “http://jopittex[.]zapto[.]org/windows/” via “svch.exe”.
As I continued analyzing the “PO.docx” file using tools such as Notepad++ and rtfdump.py, I found that the file leveraged the CVE-2017-8570 vulnerability by exploiting Microsoft Word’s frameset feature, a technique commonly used in penetration testing.
The “svch.exe” file, which had its code obfuscated using the Confuser tool, downloaded and executed the “svchost32.vbs” file. This file, in turn, fetched the “profile.exe” file, which was protected with ASProtect, from the URL “http://www[.]bluesw[.]net/wp-admin//user/“. It saved this file in the “%Public%” folder as “svchost.exe” and executed it from there.
When I analyzed the “svchost.exe” (profile.exe) program using the x64dbg debugger tool, the primary malicious software, which turned out to be the Remcos RAT malware, was finally exposed, much like a matryoshka doll.
Matryoshka dolls, also referred to as stacking dolls, nesting dolls, Russian tea dolls, or Russian dolls, are a set of wooden figures of decreasing size placed one inside the other. The name “matryoshka,” which translates to “little matron,” is a diminutive form of “Matryosha,” itself a shortened version of the Russian female first name Matryona.
I hope to see you in the next articles.