live casino online

By?Marshall Chen, Loseway Lu, Rubio Wu

live casino online researchers recently discovered a new spam campaign being distributed with a downloader under the guise of a .WIZ (detected by live casino online as W2KM_DLOADER.WIZ) and a .PDF file (PDF_MDROP.E), which then drops a backdoor (BKDR_COBEACON.QNA) payload. This spam campaign has been noted to target financial institutions.

live casino online has observed this spam campaign sending email to several email addresses associated with banks. WIZ is short for Wizard files used to guide users through steps on how to perform intricate or repetitive document types or tasks in Microsoft programs. Threat actors may have chosen the banking industry as its target because of its use of Wizards for processing documents such as bank and billing statements, and guiding their customers on filing income tax returns. Threat actors may have abused this to easily trick bank customers into accessing malicious .WIZ files via spam emails.

This malspam campaign is related to the recently discovered Marap, a downloader with modular features that allow cybercriminals to download other modules and payloads on affected machines. As observed by live casino online researchers, both of these malware campaigns share the same X-Originating-IP. However, instead of an .IQY file as its attachment of choice, the new spam campaign distributes .WIZ and .PDF files via a spam campaign that we¡¯ve seen hit users in India, Taiwan, and Italy, among other nations.

live casino online also observed and closely monitored the .IQY-distributing spam campaign around the time Marap was first . On August 28, 2018, we saw another malware campaign carrying .WIZ, and .PDF files.

[READ: ]

This malware campaign has two file attachments with the following infection chains:

Attachments with .WIZ Files

Threat actors send victims a spam email with a .WIZ file attachment. In this example, the threat actors used a fake invoice to lure potential victims into accessing the .WIZ file.

Figure 1. A screen capture of a malspam campaign with a .WIZ file attachment

Once recipients open the .WIZ file, a malicious macro inside the .WIZ attachment downloads a portable executable payload (BKDR_COBEACON) from a malicious website.

Attachments with .PDF Files

A malicious .PDF file is sent via the spam campaign. In this example, potential victims receive phony flight booking information.

Figure 2. A screen capture of a fake booking confirmation email with a .PDF attachment.

Once the recipient opens the .PDF file, the JavaScript inside opens an embedded .PUB file (P2KM_DLOADR.YSU).

Figure 3. JavaScript inside the malicious .PDF file that opens an embedded .PUB file.

The .PUB file hosts malicious macros that will then download a portable executable file from a malicious website.

After analyzing both infection chains, live casino online researchers discovered that both the .WIZ and .PUB spam email attachments had the same malicious macro.

The backdoor can execute several commands such as executing PowerShell and file system commands, code injection, uploading and downloading files, and using and purging Kerberos tickets, among others.

The results of the commands below are sent via DNS back to the C&C server:

• cmd.exe /C net view /all ¨C finds all the computers that are visible on the network.
• cmd /C arp ¨C displays current ARP entries by interrogating the protocol data.
• cmd /C tasklist /V ¨C ?displays currently running processes on the computer.

The backdoor can also steal a user¡¯s machine information such as computer name, IP address, OS system, and username, and malware process ID, to name a few.

live casino online Solutions

For protection against spam and threats, enterprises can take advantage of live casino online? endpoint solutions such as live casino online Smart Protection Suites and Worry-Free? Business Security. Both solutions protect users and businesses from threats by detecting malicious files and spammed messages, and blocks all related malicious URLs. live casino online Deep Discovery? has a layer for email inspection that can protect enterprises by detecting malicious attachments and URLs.

live casino online? Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions. live casino online? Email Reputation Services? detects the spam mail used by this threat upon arrival.

live casino online? OfficeScan? with ? endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence, offering comprehensive protection against advanced malware.


Indicators of Compromise

With additional analysis by Noel Llimos, Kawabata Kohei and Anita Hsieh.