FIN7 — the New Avatar

By Winny Thomas
Principal Security Architect
November 2, 2017

FIN7 is a cybercrime group that uses spear-phishing attacks to deliver malware built on fileless techniques, sophisticated evasion and persistence. It mostly targets the financial sector. In this blog we take a high-level look at one such sample seen in the wild, which employs several layers of obfuscated JScript, PowerShell and a DLL embedded within a Microsoft Word document. The sample analyzed has the MD5 hash 29a3666cee0762fcd731fa663ebc0011. Through a series of deeply nested base64-encoded scripts, obfuscated code and PowerShell, this strain achieves stealth and evasion.

The document arrives as an email attachment in the "docx" format. When opened, it shows the user a message that entices them to double-click an image in order to unlock the embedded content.

If the user double-clicks the image, an OLE object embedded in the document is invoked. This OLE object is a "CMD" command script stored in the file "word/embeddings/oleObject1.bin", part of the docx package of this sample. The command script extracts a JScript embedded within it into the file "tt.txt" under "%HOMEPATH%". Next, the command launches "tt.txt" using "wscript.exe", as can be seen in the "Process Explorer" output in Figure 2. wscript.exe, the Windows Script Host, allows execution of VBScript or JScript on Windows. JScript is Microsoft's version of JavaScript and runs JavaScript code outside a browser's execution model. The primary method this malware strain uses to load and deliver its payload is a chain of JScript stages, each using a different obfuscation trick to make detection and manual analysis hard.

Running the JScript in "tt.txt" sets the stage for the rest of the infection chain. Through a series of deeply nested JScript stages, each base64-encoded and obfuscated, the sample defeats traditional detection mechanisms. In some of the nested code, the embedded JScript was first base64-encoded and the encoded string was then split into substrings stored as members of an array. These were concatenated and decoded at runtime before being passed to an obfuscated call to "eval", like the following, which was seen in one of the JScripts extracted during manual analysis:

nsgOixaGDUN.MaQ8WGf0zp()[String.fromCharCode(101)+'va'+'l'](RwcOCYLSq(dalRrAqtXOJ));

The above code excerpt was taken from "db.CHM", a file into which the malware extracts one of its deeply embedded JScripts; the computed property name resolves to "eval" at runtime, so the string never appears in the script on disk. Another trick seen in some of the scripts was the use of embedded scripts whose function bodies appear to be commented out but are uncommented at runtime, as was seen with one of the scripts, named "whatis.ini", extracted at runtime. Tracing the execution of the embedded scripts with "Procmon" to track all wscript.exe activity, it was noticed that the sample leads to wscript.exe running the following JScripts.
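The two obfuscation tricks described above (the computed "eval" property built from String.fromCharCode and string concatenation, and base64 text split across an array of chunks joined at runtime) can be undone statically. The following is an added example written for this post, not code from the sample or from Versa; it works on a constructed script that imitates the excerpt's layout, and the names `parts`, `host.obj` and `decodeB64` are made up.

```python
import base64
import re

# Regexes for the two tricks described above: string concatenation that hides
# "eval", and base64 text split over an array of chunks joined at runtime.
_LIT = r"(?:'[^']*'|\"[^\"]*\"|String\.fromCharCode\(\d+(?:\s*,\s*\d+)*\))"
_CONCAT = re.compile(_LIT + r"(?:\s*\+\s*" + _LIT + r")+")
_CHUNK_ARRAY = re.compile(r"\[\s*((?:\"[A-Za-z0-9+/=]*\"\s*,?\s*)+)\]")

def _literal_value(tok):
    if tok.startswith("String.fromCharCode"):
        return "".join(chr(int(n)) for n in re.findall(r"\d+", tok))
    return tok[1:-1]

def fold_string_concats(src):
    """Collapse String.fromCharCode(101)+'va'+'l' style concatenations into one literal."""
    return _CONCAT.sub(lambda m: '"' + "".join(_literal_value(t) for t in re.findall(_LIT, m.group(0))) + '"', src)

def decode_chunk_arrays(src):
    """Join every array of string chunks and keep those that base64-decode to text."""
    found = []
    for m in _CHUNK_ARRAY.finditer(src):
        joined = "".join(re.findall(r'"([A-Za-z0-9+/=]*)"', m.group(1)))
        try:
            found.append(base64.b64decode(joined, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or not text: e.g. the folded ["eval"] index
    return found

def peel_layers(src, max_depth=5):
    """Return the script followed by each nested layer recovered by repeated decoding."""
    layers = [fold_string_concats(src)]
    for _ in range(max_depth):
        inner = decode_chunk_arrays(layers[-1])
        if not inner:
            break
        layers.append(fold_string_concats(inner[0]))
    return layers

def has_computed_eval(src):
    """True if eval is reached through a computed property such as o["eval"](...)."""
    return re.search(r'\[\s*"eval"\s*\]\s*\(', fold_string_concats(src)) is not None

# Constructed sample imitating the layout of the excerpt above (not the real malware).
INNER = 'WScript.Echo("stage two");'
_b64 = base64.b64encode(INNER.encode()).decode()
SAMPLE = (
    "var parts = [" + ", ".join('"%s"' % _b64[i:i + 8] for i in range(0, len(_b64), 8)) + "];\n"
    "host.obj()[String.fromCharCode(101)+'va'+'l'](decodeB64(parts.join('')));\n"
)

if __name__ == "__main__":
    print(has_computed_eval(SAMPLE), peel_layers(SAMPLE))
```

Folding the concatenation first is what makes a plain signature for `["eval"](` reliable; on the real sample the recovered layer is itself another obfuscated script, which is why `peel_layers` repeats the decode step.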

The script db.CHM is particularly interesting. It extracts a series of ".txt" files into "%HOMEPATH%/{2DF6ACDA-8FF7-8208-77F5-8581F0D479E9}", as can be seen in the command terminal output in Figure 4. These were base64-encoded strings within db.CHM before they were extracted. Some of them contain JScript that is launched by wscript.exe, as seen in Figure 3, and some are ".xml" files that db.CHM uses to schedule tasks with the "schtasks.exe" command; this is seen in the fifth line of the grep output in Figure 3. One of the extracted scripts started by db.CHM has an embedded PowerShell script, which in turn uses another PowerShell script to reflectively load a malicious DLL into a process. db.CHM also has embedded URLs with which it communicates for further commands. Via a series of GET and POST requests sent to these URLs, the JScript launched by this malware can exfiltrate information or receive commands.
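The process chain described above (cmd script, wscript.exe running "tt.txt", wscript.exe running db.CHM from the GUID-named directory, then schtasks.exe and PowerShell as children of wscript.exe) leaves a distinctive trail in process-creation telemetry. The following is an added example written for this post, not Versa code; it runs three detection rules over constructed Procmon-style events. The user name "alice", the process ids, the "/create /xml" form of the schtasks command line and the PowerShell arguments are assumptions, not values taken from the sample.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

GUID = "{2DF6ACDA-8FF7-8208-77F5-8581F0D479E9}"  # directory name from the analysis above
# Constructed process-creation events modelled on the chain described above.
EVENTS = [
    Proc(100, 1, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c <embedded command script>"),
    Proc(101, 100, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\alice\tt.txt"'),
    Proc(102, 101, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\alice\%s\db.CHM"' % GUID),
    Proc(103, 102, r"C:\Windows\System32\schtasks.exe", r'schtasks.exe /create /xml "C:\Users\alice\%s\task.xml" /tn Update' % GUID),
    Proc(104, 102, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\alice\%s\whatis.ini"' % GUID),
    Proc(105, 104, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <constructed placeholder>"),
    Proc(200, 1, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Scripts\backup.js"'),  # benign admin script
]

SCRIPT_ARG = re.compile(r'wscript\.exe"?\s+"?([^"]+\.(\w+))"?', re.I)
NON_SCRIPT_EXT = {"txt", "chm", "ini", "xml", "log", "dat"}      # extensions WSH still runs
GUID_DIR = re.compile(r"\\\{[0-9A-F-]{36}\}\\", re.I)             # "\{GUID}\" path component
SPAWN_FROM_WSH = {"schtasks.exe", "powershell.exe"}

def _name(image):
    return image.rsplit("\\", 1)[-1].lower()

def find_suspicious(events):
    """Return (pid, reason) for each event matching one of the three rules."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name, parent_name = _name(e.image), _name(parent.image) if parent else ""
        if name == "wscript.exe":
            m = SCRIPT_ARG.search(e.cmdline)
            if m and m.group(2).lower() in NON_SCRIPT_EXT:
                alerts.append((e.pid, "wscript.exe runs file with non-script extension: " + m.group(1)))
            if GUID_DIR.search(e.cmdline):
                alerts.append((e.pid, "script located in GUID-named profile directory"))
        if parent_name == "wscript.exe" and name in SPAWN_FROM_WSH:
            alerts.append((e.pid, name + " spawned by wscript.exe"))
    return alerts

if __name__ == "__main__":
    for pid, reason in find_suspicious(EVENTS):
        print(pid, reason)
```

The extension rule matters because the sample names its stages "tt.txt", "db.CHM" and "whatis.ini"; the Windows Script Host runs them regardless of extension, while most allow-lists only look at ".js" and ".vbs".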

In the next post of this blog series, the embedded JScripts will be analyzed in detail to understand what all the scripts do, especially the command-and-control part. In the final part of this series, the PowerShell scripts and the injected DLL will be dissected and studied to understand the malware's activities on an infected machine. The end result of infection by this malware is that internal information could be exfiltrated, Outlook contacts can be harvested for further spear-phishing attacks, and machines could have more malicious code downloaded and be controlled remotely. MS Office documents were seen as primary carriers in some of the recent ransomware outbreaks. When documents contain embedded macros or command scripts, MS Office warns users before they are allowed to run. It is important that users be careful when opening documents, even those that arrive from trusted sources. The anti-virus engine in Versa VOS™ (formerly FlexVNF) detects this malicious document as Trojan.MWKX-1.
