Following the instructions in the phishing email results in Chanitor being downloaded, which is used to download other malware.
Following the instructions in the phishing email results in Chanitor being downloaded, which is used to download other malware.

Corporate users are being targeted with malware that evades sandboxes in a campaign involving phishing emails that purport to come from the Microsoft Volume Licensing Service Center (VLSC), according to researchers with Cisco.

A screenshot of the phishing email – which asks recipients to click on a link to download VLSC registration details – was included in a Monday post by Martin Nystrom, senior manager for Cisco Managed Threat Defense. He wrote that the message is very similar to the real email sent by Microsoft.

The link in the email appears to be for a Microsoft website, but Nystrom points out that hovering over it with the mouse reveals the true URL. Clicking on it will result in the authentic VLSC login page opening, but will also trigger a ZIP file to download that recipients may not notice is being delivered from a different website.

The ZIP file contains a Windows executable with a SCR extension – a screensaver file – and opening it results in the system being infected with Chanitor, which is used to download other malware, Nystrom wrote in the post.

“After successful installation, [Chanitor] finds a way to connect to its command-and-control server for remote control,” Nystrom told SCMagazine.com in a Thursday email correspondence. “Chanitor then installs an information stealing trojan to [likely] steal passwords and transmit them over the [command-and-control server].”

The attackers – who seem to be going after access to corporate IT systems – included some tricks to avoid detection and analysis, notably by making it so Chanitor checks to see if it is running in a sandbox, Nystrom said. He explained that it is not very challenging to include the evasion technique.

“It does a task list and looks for certain process names, which allows it to know it's running in a sandbox,” Nystrom said. “[It] copies itself to a file to look like another file to evade sandbox analysis. Once it knows it's in a sandbox, it just sleeps for a very long time to wait for [the] sandbox to time out.”

The attackers are also using the Tor network to obfuscate the command-and-control routing, thus preventing Cisco researchers from identifying their location, Nystrom said.

“An author has growing choices for evasion when building their code: polymorphism, sandbox evasion, or encryption,” Nystrom said. “When analyzing malware, that's what you're going to see."