Pierluigi Paganini
May 29, 2020
During our Cyber Defense monitoring activities we intercepted waves of incoming emails directed to many companies under our protective umbrella. These messages were leveraging FMLA (Family and Medical Leave Act) requests related to the ongoing COVID19 pandemics. These emails were weaponized with two versatile cyber-criminal tools: Himera and Absent-Loader.
Figure1: Email vector example
Loaders are a type of malicious code specialized in loading additional malware code into the victim’s machine. Sometimes, a loader can assume “stealer” behavior, to opportunistically gatherer sensitive information even if they are not supposed to do that. Absent-Loader does that and despite its name behaves this way. In fact, stolen information market is definitely remunerative for cyber criminals: information gathered from infected systems are constantly sell in the underground, typically acquired by other, more structured criminal organization or also by business competitors.
The sample used in this campaign first uses word document which refers to an executable, then it drops another executable and does a renaming operations to evade controls. The following picture reports the infection chain used in this campaign:
Figure 2: Infection Chain
The malicious email wave contained a .doc attachment. Following, the static information of this file:
| Name | Covid-19-PESANTATION.doc |
| Hash | 97FA1F66BD2B2F8A34AAFE5A374996F8 |
| Threat | Himera Loader dropper |
| Size | 95,4 KB (97.745 byte) |
| Filetype | Microsoft Word document |
| Ssdeep | 1536:7fVmPSiRO8cOV8xCcoHrZvIdTZ2DSXMqcI3iL5PEs8VlbeH0btGDYLlNq2l+SEg:7fVz8zyUHlvId7H3iL5MVlbeHGkQvqTU |
Table 1: Static information about the Malicious document
The interesting feature of this document is the fact that it does not leverage any type of macro or exploit, but it contains the entire executable within it as an embedded object. So, the user is led to double-click on the malicious icon, representing the executable.
Thus, once clicked, it allows this malicious document to execute a malicious file named HimeraLoader.exe.
| Name | HimeraLoader.exe |
| Hash | 4620C79333CE19E62EFD2ADC5173B99A |
| Threat | Second stage dropper |
| Size | 143 KB (146.944 byte) |
| Filetype | Executable |
| File Info | Microsoft Visual C++ 8 |
| Ssdeep | 3072:jqW9iAayyenylzx0/2gJUSUZsnOA/TtYLeEoWj5PxJhQQeSH1pNGmHohurCMSiBf:jqW9iAayyenylzx0/2gJUSUZsnJ/TKLd |
Table 2: Static information about the HimeraLoader executable
Inspecting the HimeraLoader.exe trace we noticed a really characteristic mutex created during the initial loading of the malicious code: the “HimeraLoader v1.6” mutex, or Mutant.
Figure 3: Himera Loader Mutex
Also, the sample performs some classic anti-analysis tricks using Windows API such as “IsDebbugerPresent”, “IsProcessorFeaturePresent” and “GetStartupInfoW”. The execution will take different paths in the program’s flow if the debugger is present. The function GetStartupInfoW retrieves the contents of the STARTUPINFO structure that was specified when the calling process was created. This function takes as parameter a pointer to a STARTUPINFO structure that receives the startup information and does not return a value.
Figure 4: Relevant strings of the Loader
When the Himera Loader goes through its execution and passes all anti-analysis tricks, it gathers another binary from http:]//195.]2.]92.]151/ad/da/drop/smss.]exe . The remote server is operated by Hosting Technologies LLC, a company running the Russian hosting service brand “VDSina.ru”.
The file downloaded from the dropurl has the following static information:
| Name | smss[1].exe |
| Hash | 4D2207059FE853399C8F2140E63C58E3 |
| Threat | Dropper/Injector |
| Size | 0,99 MB (1.047.040 byte) |
| Filetype | Executable |
| File Info | Microsoft Visual C++ 8 |
| Ssdeep | 24576:+9d+UObalbls+rcaN+cFsyQIDHx2JrjDwc9bmfRiHwl:+9d+UObaVzrcaN+cKypDHx2Jr/wYbmJd |
Table 3: Static information about the AbsentLoader Payload
When “smms.exe” is executed, it copies itself in a new file winsvchost.exe in the %TEMP% path and creates a scheduled task to maintain persistence after reboot.
Figure 5: Evidence of the Scheduled Task
Moreover, the malware adopts some interesting anti-debug techniques, like the GetTickcount one. The technique is quite similar to that one described in one of our previous report. there is immediately the subtraction of the two values and it is placed in EAX register. After the “call eax” instruction, an immediate subtraction of the first GetTickCount API call results and this second one is executed.
Figure 6: GetTickCount anti-debug Technique
Then, the malware establishes TCP connection every 15 minutes. These connections are directed to the same remote host operated by Hosting Technologies LLC (195.2.92.151) but this time it sends HTTP POST requests to the “/ad/da/gate.php” resource.
Figure 7: Evidence of some relevant strings inside the payload
This payload is a new version of AbSent-Loader, a piece of malware that, despite its name, behaves also like a bot, lacking most modern advanced features but sophisticated enough to maintain persistence on the victim host and to escalate the attack with follow up malware implants.
The attack we intercepted and described here is a clear example of the new threats that are approaching cyberspace during these months: new criminal threat actors with the sole objective to economically exploit the emotional reactions of the people willing to keep the economic fabric alive and running to support the Covid19 response.
In this particular period, cyberspace is getting more and more risky for companies and people, the cyber criminality raised during the lock-downs and these malicious actors are using all the possible mediums to make more money at the expense of companies and organizations. For this reason, we strongly advise companies to adapt and enhance their cyber security perimeter to resist the new volumes and types of cyber attacks we are experiencing these days.
Indicators of Compromise (IoCs) and Yara rules are available here:
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – COVID19, hacking)
[adrotate banner=”5″]
[adrotate banner=”13″]
