Researchers at Palo Alto Networks have spent the past five months examining a malware campaign that uses the Nemucod downloader to ultimately deliver a trojan that siphons out credentials, according to a post on the company blog.
While the malspam phishing scourge has most heavily hit Europe, the United States and Japan are the two next heavily impacted regions.
The data-stealing trojan is targeting various industry sectors and arrives as spam using SMTP, POP3 and IMAP applications, arriving mainly from Poland (or from domains with Polish names), the researchers detected.
"Apart from a brief period of time in January 2017, when the actors delivered the encoded JScript content via Delphi-compiled dropper executable files, we have primarily observed only weaponized documents using Microsoft Office Macros using Visual Basic for Applications (VBA) code to install Nemucod," the post stated.
Between late October and March, Unit 42 has so far detected more than 50 iterations of these weaponized documents. Central to all of the weaponized document droppers is password-protected VBA code, put in place by the attackers to make detection difficult for security researchers.
Then, in mid-December they shifted their tactics to employ Microsoft Script Encoding to replace their custom ASCII cipher, perhaps, the researchers speculated, for simplicity or bugs the coders were finding too complex to debug.
While the obfuscation of document meta-data is effective in making the researchers' task more difficult, the Palo Alto team was able to arrive at some conclusions that they deemed "quite plausible."
From studying patterns in the various versions – including references to TV series Breaking Bad – the team unearthed patterns that imply how the miscreants behind the coding have been evolving their techniques, much like a software development team.
Eventually, the coding in newer examples contained more than three times the wording of the original version. But, while obfuscation attempts stayed nearly constant, "the amount of code was increasing as more capabilities were added over time," the researchers found.
The coding continued to evolve over the past few months, with varying social engineering steps taken to dupe recipients. One strategy enlisted the launch of the infection routine after a target closed the Word document.
"Nemucod malware is mostly deployed using weaponized documents where the malicious VBA macro code is responsible for constructing and executing a malicious encoded JScript file that carries out further activities including registering victims with the actors before downloading payloads, which in this case included a credential stealing Trojan executable component," the report stated.
"Our analysis of Nemucod is particularly interesting because we're able to use the versioning information in the malicious documents to forensically reconstruct a timeline of the development of these documents," Christopher Budd, senior threat communications manager at Palo Alto Networks, told SC Media on Thursday. "And our reconstruction shows how the attackers are systematically working to improve their attacks over time through iterative improvements."
The Unit 42 team has been focusing research on the iterative development of attack documents recently, Budd said. Their analysis shows how attack documents are developed over time in ways that are similar to how legitimate software and applications are developed: using iterative development techniques in conjunction with testing and the introduction and testing of new “features” and capabilities. These can sometimes be team development programs as the document revisions indicate multiple authors over time, Budd told SC.
When asked how the bad actors continue to alter their coding of Nemucod, Budd admitted that his team was not certain how this was achieved. However, he said that from what they've seen, including from reconstructing from the document meta-data, is that certain versions took much longer to develop than others. These included significant code churn, which was apparent in new features and changes in the payloads delivered.
"The number of changes made to the weaponized Word documents to deliver the malware indicates the coders were clearly thinking about how best to lead their victims into running their malware," Budd explained. These evolutions, he added, were done either to improve social engineering techniques, such as using certain domain names to trick victims into trusting them, or as a way of protecting their code and attempting to evade detection.
Unit 42 research detected that it is "highly likely" that the malware, the attack campaigns and the threat actors originate from Eastern European countries.