We explore the workings of a scam and the malware used for it.
PREMISE: An artist caught a scammer pretending to be a representative from “KnownOrigin”, a Digital Art Marketplace for “NFT art”. The lure was an archive of files under the pretext of an interview, but it turned out to be a malicious executable that led to another malware. While scamming is not new, the spearphishing attempt was interesting as someone who follows 3D/pixel artists. Given that the artist publicly disclosed the interaction and trolling, I saw it as an opportunity explore the phishing attempt and what was likely the malware.
OBJECTIVE: Share the step-by-step process of the investigation with the thoughts behind it and to provide transparency of the tools used, its purpose, and additional insight.
Events to Explore
The Phishing Email
Use of WeTransfer
First Stage Malware - Downloader
Second Stage Malware
Spearphishing Email
This interaction was shared on Twitter by the artist. While the artist cleared me to post his link, I’ll still err to caution in this article.
In this case, the artist in question did not take the bait, but with the details shared, there is an indicator to follow, as we’ll explore in the next section.
WeTransfer Usage
WeTransfer is a platform that provides a means to deliver large files to specific users for within a time limit. Even without registering, the sender is alloted 2 GB worth of data. It is not without its safety mechanism, as the user still have to validate their email before it can be sent. In hindsight, this provides means for threat actors to send phishing emails while minimizing attribution.
WeTransfer offered services
From the spearphishing email was the URL of interest, we.tl/t-iSJf8ybDZV.
I had two options to explore the malicious site, my own sandbox VM or browserling. Since I wanted to do a quick look, I decided to use the Browserling tool.
BROWSERLING OVERVIEW: Browserling is an interactive sandbox that enables interaction with the URL within a two minute timeframe. While there are additional capabilities for Premium accounts, 2 minutes will suffice for this investigation.
CAUTION: > It is highly recommended that it is not used for work as the URI will still show the complete URL. In order, the URI displays the chosen mode of the OS-type, browser, and then URL (e.g /browse/win/7/chrome/105/https%3A%2F%2Fwww.dndbeyond.com%2F). If it was a malicious site, this would set off the security alert at a work site.
Following the URL will lead to the WeTransfer landing page with an expected ‘Interview’ package in the form of a RAR file.
The next course of action is getting a hold of the sample for review, now requiring the personal sandbox.
Malware
Setting up a personal sandbox is generally either on Virtualbox or VMWare. I personally use VMWare Workstation.
Objective: Identify the masquerading document’s purpose.
Within the RAR file are two files that relate to the interview, one with the .DOCX extension and the other with a curious double extension (PDF.PIF). The PIF extension was the most curious given that it’s not typically used within the Windows environment.
PIF (Program Information File) consists of information used to determine how an MS-DOS-based program should run but can also be a shortcut to an executable (File Format Documentation). However, it is worth noting that it is not used these days due the absense of DOS software. More importantly, there is a malicious nature behind why the extension is used.
Once extracted, there was another observation that warranted a deeper look: The PIF extension did not render, only showing the PDF. This takes into the account that the computer is set to view extensions. Whether ‘File name extension’ is enabled or disabled, the PDF extension remains.
Using the PIF extension aids in obfuscating the file’s true nature. The extension is still viewable in command line. This is made to trick a less computer-savvy individual.
Before moving on to the next machine, I reviewed the other document. It is unknown if the document is supposed to be a decoy, but there was some content.
Swapping to Linux Machine
One thing that I’ll note is that the Tsurugi machine is set to EST (GMT-5). All references to the GMT-5 is tied to the system information of the machine.
File
First, we’ll take a look at the files to understand the true nature of the sample data. The file command is a good way of identifying the file based on its examination of the Magic Number, or the first two bytes, of the hex.
The last example identified that the file with the double extension is a 32-bit portable executable.
Exiftool
Exiftool is useful for grabbing the metadata. While typically associated with gathering the metadata from photos, it can also pull metadata from files such as documents and even executables. This can reveal some interesting details.
The first example highlights the difference between exif and exiftool. The former will not provide any metadata for non-images and may also break on certain images. In contrast, the latter command will reveal the metadata of any type of file as shown below.
Before moving on to the next example, there are some important parts to highlight for interpretation.
File Modification Date/Time: The date shown was when the document was first created, which appears to be on 20 September 2022. The timezone noted was 13:30 GMT-4. GMT-4 is the timezone out in the Carribean.
Creator/Last Modified By: ‘Windows User’ as a name is generally considered default, even likely tied to a virtual machine.
Create/Modify Date: The time is similar based on on 20 September, but the date is shown in UTC.
CONCLUSION: A point of interest is that it is possible that the developer, or at least, judging by the system was at the Carribean. It is important to take into account that it was developed on a throwaway VM so it is also possible that the time was used randomly. Given the date of the document, it is possible that the targeting was planned ahead of time.
Moving on to the malware itself, there are some characteristics to look at.
File Modification Date/Time and Timestamp: The timestamp shows the GMT-4 which is consistent with the Carribean location of the system where the malware was created at. The difference is that it was made on 4 October 2022, about two weeks after the document was drafted.
Internal / Original File Name: Instead of the fake document name, the original name of the application is ‘coolnow.exe’. The purpose around the name is not known.
Strings
In order to get a good quick analysis on the files, strings command is a good down and dirty way to get the required information. I consider this an analyst’s best friend, especially if you want to get to quick details.
Based on the initial details, I already have an indication that the malware is not packed and there is another indicator to follow, particularly the URL that appears to have a ‘jpeg’ image.
With the URL, I would check the domain to understand when it was registered and who is its Registrar as it could link to a campaign depending on how often it’s seen.
In this case, it’s creation time was in July of 2022, but it’s difficult to make any other inference beyond its current use.
There are a few more strings that is useful for reviewing the APIs that are called.
Windows Static Analysis
On the Windows machine, PEStudio is one of the more useful tools for static analysis because it’s useful to get quick details in the GUI.
First off is the overview, which will give the hashes, the magic number, the kind of executable as well as the time that it was compiled.
The next section are the indicators: The URL has shown up again. In addition are the identity of the application and its original name.
VirusTotal (VT) section will be called upon if it’s connected to the internet and if the sample was already uploaded (which I did prior).
Lastly, the version has the useful details of the ‘Internal name’ and ‘Original Filename’.
CONCLUSION: Given the URL tied to the malware, it’s identified as a downloader. If the user had clicked on the obfuscated ‘PDF’, it would download the next payload, currently considered a ‘jpeg’ image, ‘Avjgbjt.jpeg ‘.
Second Stage Malware
In order to grab the second payload, I used Wget from the Linux machine to retrieve the next sample to examine.
As a recap on the identifying, I reverted to using file to understand if it is actually an image.
In this case, it turned out that it was not a JPEG, but ASCII text. I would review the through concatonating cat Avjgbjt.jpeg.
What stood out is was the magic number 4D 5A, which correlates to MZ, which is for a portable executable.
The next step was to turn it into a binary so that I could examine it more. In order to do that, I would read the output and convert it using the xxd, which is used to create a hexdump with -r -p to read the dump without the line number information, then convert the output into a filename, which I’ve affectionately chose “demonlord”.
The next step is collecting the metadata on the file.
We were able to uncover that it was not an image file, but a text file that would had been converted into a binary called “Tfvifjufqv.dll”. It’s notable that the compilation date, according to the Time Stamp, was on 4 October from GMT-4.
Identifying the capabilities of the malware, at this point, was a little outside of my wheelhouse, but it was quite the exercise exploring the functionality up to this point.
Investigation Key Takeaways
Threat actors can use the PIF extension as a means of bypassing the “view file extensions” functionality and obfuscate the file’s real purpose
WeTransfer provides an additional phishing capability
Indicators of Compromise
While this is not terribly useful for the readers, I offer this out of practice and maybe spark interest in reviewing the samples. The samples can found on VirusTotal.
