Researchers this month discovered a new spear phishing campaign targeting government agencies with an evolved version of Sanny malware, a five-year-old information-stealer that now features a multi-stage infection process, whereby each stage is downloaded from the attacker’s server.
Other new additions to Sanny, which is believed to originate from the Korean Peninsula, include command line evasion techniques, the ability to infect Windows 10-based systems, and User Account Control (UAC) bypass techniques, according to a Mar. 23 blog post from FireEye, whose researchers detected the operation.
The attackers have chosen spear phishing as their attack vector, sending targets emails with attached Microsoft Word documents with geopolitical themes. One observed sample document, written in Russian, addressed Eurasian geopolitics as they relate to China, as well as Russia’s security. Another, composed in English, addresses sanctions on humanitarian operations in North Korea.
Both documents contain an embedded malicious macro that abuses the legitimate Microsoft Windows utility certutil.exe — a command-line program installed as part of Certificate Services — in order to download and decode an encoded Windows Batch (BAT) file that’s hosted at a URL in the form of a fake PEM-encoded SSL certificate. “FireEye has not previously observed the malware authors use this technique in past campaigns,” note blog post authors Sudeep Singh and Yijie Sui.
Interestingly, Sanny actually uses a copy of the certutil.exe utility, saved under a different name, ct.exe, as a measure to avoid detection by security products that are programmed to watch out for certutil.exe abuse.
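For defenders inspecting downloaded content, the fake PEM certificate described above can be separated from a real one by decoding the body and checking whether it is framed as a DER SEQUENCE, as every X.509 certificate is. The following is an added example, not code from FireEye or the article; the function names and both sample inputs are constructed for illustration, and the check covers framing only, not certificate validity.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_sequence_ok(der: bytes) -> bool:
    """True if the bytes are one DER SEQUENCE whose length spans the whole blob."""
    if len(der) < 2 or der[0] != 0x30:       # certificates begin with a SEQUENCE tag
        return False
    first = der[1]
    if first < 0x80:                          # short-form length
        header, length = 2, first
    else:                                     # long form: low 7 bits count the length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def classify_pem(text: str) -> str:
    """Return 'no-pem', 'bad-base64', 'not-a-certificate' or 'der-framed'."""
    m = PEM_RE.search(text)
    if not m:
        return "no-pem"
    body = "".join(m.group(1).split())        # drop line breaks inside the armor
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:                        # binascii.Error is a ValueError
        return "bad-base64"
    return "der-framed" if der_sequence_ok(raw) else "not-a-certificate"

def wrap(raw: bytes) -> str:
    """Helper for the constructed samples: put bytes inside certificate armor."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(raw).decode()
            + "-----END CERTIFICATE-----\n")

# Constructed samples: harmless script text in certificate armor, and a minimal
# DER-framed blob (a SEQUENCE holding INTEGER 5; framed correctly, not a real cert).
FAKE_CERT = wrap(b"@echo off\r\necho constructed sample\r\n")
DER_FRAMED = wrap(b"\x30\x03\x02\x01\x05")

if __name__ == "__main__":
    for name, sample in (("FAKE_CERT", FAKE_CERT), ("DER_FRAMED", DER_FRAMED)):
        print(name, classify_pem(sample))
```

A "not-a-certificate" verdict on content that arrived in certificate armor is a triage signal worth pairing with the process that fetched it.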
At this point the BAT file downloads an encoded CAB (Windows Cabinet) file, using a particular file name and installation technique depending on the infected machine’s specs. Additionally, if the BAT sniffs out the presence of Kaspersky Lab antivirus software, the malware uses bypass techniques to avoid detection.
In the next stage, the CAB file installs the remaining components, including another BAT file, install.bat, that hijacks the Windows system service COMSysApp (COM+ System Application) to deliver the final Sanny payload, which is designed to exfiltrate information to a command-and-control server using the FTP protocol. The install.bat file also executes a config file and two DLL files that perform UAC bypass on Windows 7 and Windows 10, respectively.
“This activity shows us that the threat actors using Sanny malware are evolving their malware delivery methods, notably by incorporating UAC bypasses and endpoint evasion techniques,” the blog post concludes. “By using a multi-stage attack with a modular architecture, the malware authors increase the difficulty of reverse engineering and potentially evade security solutions.”
FireEye profiled Sanny in late 2012 after discovering a spear phishing campaign that appeared to use the malware primarily against Russian targets.