Researchers have uncovered an unusual malicious macro-based malware campaign that effectively modifies infected users’ shortcut files so that they secretly download a backdoor program.
In a July 3 blog post, Trend Micro researcher Loseway Lu writes that the malware even attempts to cover its tracks by restoring the original shortcut file and opening the correct application after the evil deed is done. Meanwhile, it uses commonly available Windows tools, the file archiver utility WinRAR and the remote desktop software Ammyy Admin to continue the infection chain, gather user information and communicate data to the attackers via SMTP.
“This malware, from the use of its macro to its installation, exhibits very unusual behavior and is likely still under development,” Lu states in the blog post. “We believe that the malware is not widely spread and have had only a few victims so far. However, it is important to be aware of this malware and method of attack, as newer and improved versions may be in the works.”
The sample Trend Micro discovered originated in a document featuring Russian language along with the image of a house. Recipients are instructed to open the full document by enabling the use of macros — an act that immediately exposes the user to compromise.
Once the macro is enabled, the malicious document seeks out and replaces links in certain shortcut files found on both the user’s desktop and his/her Quick Launch feature. Specifically, the malware targets shortcuts for Skype, Google Chrome, Mozilla Firefox, Opera and Internet Explorer. “These steps tweak the target so that the user executes the malware (instead of the program) when the user clicks on the shortcut from the desktop or the Quick Launch bar,” the blog post explains.
Once the tampered shortcut is clicked, the malware drops the downloader “WpmPrvSE.exe” (aka TROJ_DLOADER.COGBA), starts a malicious service called WPM Provider Host, drops several more components (including WinRAR), and then restores the original desktop and Quick Launch shortcut files, as if nothing had ever happened.
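A defender can audit for this kind of shortcut tampering by resolving each .lnk in the locations the campaign touched and comparing the target against what the shortcut claims to launch. The PowerShell below is an added example, not code from the Trend Micro post; the folder paths, name patterns and expected executable names are assumptions about a standard Windows install.

```powershell
# Added example (not from the Trend Micro post): audit Desktop and Quick Launch
# shortcuts for Skype, Chrome, Firefox, Opera and Internet Explorer and report any
# whose target has been redirected away from the real program binary.
$apps = @(
    @{ Match = 'skype';                      Exe = 'skype.exe' },
    @{ Match = 'chrome';                     Exe = 'chrome.exe' },
    @{ Match = 'firefox';                    Exe = 'firefox.exe' },
    @{ Match = 'opera';                      Exe = 'launcher.exe|opera.exe' },
    @{ Match = 'internet explorer|iexplore'; Exe = 'iexplore.exe' }
)
# Per-user desktop, all-users desktop, and the Quick Launch folder (assumed paths).
$folders = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
)
$shell = New-Object -ComObject WScript.Shell
$findings = foreach ($dir in $folders) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($file in Get-ChildItem -LiteralPath $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
        # Only look at shortcuts named after the applications this campaign targeted.
        $app = $apps | Where-Object { $file.BaseName -match $_.Match } | Select-Object -First 1
        if (-not $app) { continue }
        $lnk     = $shell.CreateShortcut($file.FullName)
        $target  = $lnk.TargetPath
        $leaf    = if ($target) { [IO.Path]::GetFileName($target) } else { '' }
        $reasons = @()
        if ($leaf -notmatch "^($($app.Exe))$") {
            $reasons += "target is '$target', expected $($app.Exe)"
        } elseif (Test-Path -LiteralPath $target) {
            # Real browser and Skype binaries carry a valid Authenticode signature.
            $sig = Get-AuthenticodeSignature -FilePath $target
            if ($sig.Status -ne 'Valid') { $reasons += "target signature is $($sig.Status)" }
        }
        # A browser or Skype shortcut pointing into a user-writable tree is suspicious
        # regardless of the file name it was given.
        if ($target -match '\\(Temp|AppData|ProgramData)\\') { $reasons += 'target is in a user-writable directory' }
        if ($lnk.Arguments) { $reasons += "unexpected arguments: $($lnk.Arguments)" }
        if ($reasons.Count) {
            [PSCustomObject]@{ Shortcut = $file.FullName; Target = $target; Reasons = ($reasons -join '; ') }
        }
    }
}
$findings | Format-Table -AutoSize
```

Because the malware restores the original shortcuts after the first click, this check is most useful when run on a schedule or fed into endpoint telemetry, where a transient change between two runs is itself the finding.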
According to Trend Micro, the WPM Provider Host service drops the final payloads by repeatedly downloading a RAR archive from Google Drive and GitHub, then using WinRAR to open the archive and extract an installer file, along with various config files and tools that together extend the malware’s functionality. The installer also decodes a dropped registration key for Ammyy Admin, which the attackers use to access infected systems.
The post further reports that the installer also starts another service, WSVCHost, which actually runs Ammyy Admin and uses the procdump crash-dump utility to dump WSVCHost-related processes from memory. Ultimately, these dump files are compressed and sorted into two files, which are “sent back to the malware actor as attachments with some system information and execution logs via SMTP.”
Content that researchers observed in the dump files included router IP addresses and an Ammyy Admin ID. Outside of the Ammyy Admin ID, “the dump file’s other contents seem to have no immediate use,” Lu writes. “It is possible that the attacker is simply gathering additional information. During our analysis, we also noticed how some downloaded files were changed and updated, which indicates that the author is still developing the malware. The malware might still be in the PoC stage and will have further versions.”