Phishing emails impersonating a particular national organization have recently been circulating widely. The Excel file attached to the email (e.g. certificate.xls, inquiry.xls) contains a malicious macro.
During its malware monitoring, AhnLab ASEC recently detected a code change indicating that the malware has begun targeting corporate users. Since the Ammyy backdoor program and CLOP ransomware are distributed using the same certificate, AhnLab ASEC assesses that the Ammyy backdoor is being used against corporate users to steal information from the AD server.
Figure 1. Infection flow of the malicious document
The malicious Excel file distributed via phishing email spreads as shown in Figure 1. Notably, the recently changed malware targets corporate user environments by identifying the workgroup name of the system on which the file was executed.
The code that determines the workgroup name was found in the final backdoor downloader in the distribution flow above (Figure 1).
Figure 2 compares part of the downloader code analyzed in the previous blog post with the recently discovered version. Comparing the two shows that a new ‘if statement’, highlighted in the red box, has been added. In addition, the list of running processes that the malware checks for and force-terminates was modified: “V3LITE”, “V3MAIN” and “V3SP” were removed from the list used to check infection targets. In other words, V3 product users are now also included among the targets of Ammyy backdoor infection.
Figure 3 shows the complete code of the newly added if statement. The code performs the steps described in Table 1. For a typical individual user, the string WORKGROUP is printed when the command cmd.exe /c net user /domain is run, whereas for a corporate user the configured domain/group name is printed. The operator designed the malware not to carry out further malicious behavior (downloading the Ammyy backdoor) if the WORKGROUP string is printed, since that indicates a typical individual user.
1. Run the command cmd.exe /c net user /domain (the workgroup or domain name is printed)
2. Save the output to a specific directory as the file TMPUSER.DAT
3. Read the file and return TRUE if the workgroup/domain name is not WORKGROUP
The default workgroup name on Windows 7 and later is “WORKGROUP”. In conclusion, this code restricts the malware to operating in corporate environments where a specific group name is in use.
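From a defender's point of view, the check in Table 1 leaves two observable artifacts: a `net user /domain` command spawned through cmd.exe and a file named TMPUSER.DAT written with its output. The following detection logic is an added example, not code from the ASEC post or from the malware; it assumes process-creation (EventID 1) and file-create (EventID 11) telemetry in a simplified Sysmon-like JSON shape with ProcessGuid, Image, ParentImage, CommandLine and TargetFilename fields, and the sample events, including the parent name "downloader.exe", are constructed for illustration.

```python
"""Detection example for the workgroup/domain check described in Table 1.

Added illustration, not code from the ASEC post or from the malware. Assumes
simplified Sysmon-like JSON events (EventID 1 = process create, EventID 11 =
file create) with ProcessGuid, Image, ParentImage, CommandLine and
TargetFilename fields; real telemetry uses different field names.
"""
import json
import re
from typing import Dict, Iterable, List

# "net user /domain", optionally wrapped in "cmd.exe /c". Administrators run this
# command legitimately, so on its own it is only a weak indicator.
NET_USER_DOMAIN = re.compile(r"\bnet(?:1)?(?:\.exe)?\s+user\s+/domain\b", re.I)

# The downloader stores the command output as TMPUSER.DAT (from the post). The
# directory is not given there, so match on the filename only.
TMPUSER_DAT = re.compile(r"TMPUSER\.DAT\b", re.I)

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample telemetry (not real logs). Process {A} models the behaviour
# from the post: cmd.exe /c net user /domain with output redirected to
# TMPUSER.DAT; "downloader.exe" is a placeholder parent name. {B} is an
# administrator running the same command from an interactive console.
SAMPLE_EVENTS = [
    r'{"EventID": 1, "ProcessGuid": "{A}", "ParentImage": "C:\\Users\\user\\AppData\\Local\\Temp\\downloader.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c net user /domain > C:\\Users\\user\\AppData\\Local\\Temp\\TMPUSER.DAT"}',
    r'{"EventID": 11, "ProcessGuid": "{A}", "Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": "C:\\Users\\user\\AppData\\Local\\Temp\\TMPUSER.DAT"}',
    r'{"EventID": 1, "ProcessGuid": "{B}", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net  user /domain"}',
    r'{"EventID": 1, "ProcessGuid": "{C}", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}',
    r'{"EventID": 11, "ProcessGuid": "{D}", "Image": "C:\\Windows\\System32\\svchost.exe", "TargetFilename": "C:\\Windows\\Temp\\report.tmp"}',
    "not json at all",
]


def parse_events(lines: Iterable[str]) -> List[Dict]:
    """Parse one JSON event per line, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed telemetry line: skip it rather than abort the batch
    return events


def detect(events: List[Dict]) -> List[Dict]:
    """Correlate per process (ProcessGuid) and return one alert per hit.

    high   : net user /domain AND TMPUSER.DAT written by the same process
    medium : TMPUSER.DAT written without the command being seen
    low    : net user /domain alone (frequently legitimate administration)
    """
    per_proc: Dict[str, Dict] = {}
    for ev in events:
        guid = ev.get("ProcessGuid", "?")
        rec = per_proc.setdefault(guid, {"cmd": False, "file": False, "evidence": []})
        cmd = ev.get("CommandLine", "")
        target = ev.get("TargetFilename", "")
        if ev.get("EventID") == 1 and NET_USER_DOMAIN.search(cmd):
            rec["cmd"] = True
            rec["evidence"].append(f"CommandLine: {cmd}")
            if TMPUSER_DAT.search(cmd):  # redirection to the file visible in the command line
                rec["file"] = True
        if ev.get("EventID") == 11 and TMPUSER_DAT.search(target):
            rec["file"] = True
            rec["evidence"].append(f"FileCreate: {target}")

    alerts = []
    for guid, rec in per_proc.items():
        if rec["cmd"] and rec["file"]:
            severity = "high"
        elif rec["file"]:
            severity = "medium"
        elif rec["cmd"]:
            severity = "low"
        else:
            continue
        alerts.append({"process": guid, "severity": severity, "evidence": rec["evidence"]})
    alerts.sort(key=lambda a: (SEVERITY_ORDER[a["severity"]], a["process"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert["severity"].upper(), alert["process"])
        for item in alert["evidence"]:
            print("   ", item)
```

Run against the constructed sample, process {A} is reported as high (command plus TMPUSER.DAT write in the same process) while the administrator's console command {B} is only low, which is the point of correlating the two artifacts rather than alerting on `net user /domain` alone.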
AhnLab detects the malware above under the following aliases:
– X97M/Downloader (2019.03.08.04)
– MSI/Downloader (2019.02.13.09)
– MSI/Installer (2019.02.13.03)
– BinImage/Encoded (2019.02.13.09)
– Trojan/Win32.Agent (2019.02.13.09)
– Trojan/Win32.Downloader (2019.02.27.03)
– Backdoor/Win32.Agent (2019.27.04)