|MalHide Sample as it looks like on opening. Stage 1|
|Stage 2. A running instance of PowerShell invoked by VBA|
|Stage 3. Decoding the PowerShell drop-and-execute|
|Stage 3. Decoded PowerShell drop-and-execute|
|Stage 4. 52887.exe dropping to C:\Windows\SysWOW64\fonduewwa.exe|
|Command and Control IP Address|
|Command and Control DNS resolution|
|Command and Control Communication through HTTP|
From the C2 come the actions to perform, the victims' addresses, the SMTP servers, and the passwords. The sample connects to the given SMTP relays, authenticates itself, and sends email to the victims. The following images show that the attackers hold plenty of credentials for SMTP relays around the globe.
|MalHide Connection to real SMTP relays|
The following are a few examples of the emails coming from the C2 and delivered through the analyzed MalHide sample.
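The relay behaviour described above (one infected host authenticating to many unrelated SMTP relays on behalf of the C2) is a useful detection hook: a workstation normally submits mail to a single corporate mail server, not to a handful of relays around the globe. The following is an added example, not code from the original analysis; the connection-log format (`timestamp src_ip dst_ip dst_port proto`), the IP addresses, the 10-minute window and the threshold of 3 relays are all constructed assumptions to be tuned to a real environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection-log lines in a hypothetical "ts src dst port proto" format.
# 10.0.0.15 mimics the MalHide fan-out; 10.0.0.23 is a normal host using one mail server.
SAMPLE_LOG = """\
2019-06-10T09:00:01 10.0.0.15 203.0.113.10 80 tcp
2019-06-10T09:00:05 10.0.0.15 198.51.100.21 587 tcp
2019-06-10T09:00:09 10.0.0.15 198.51.100.77 25 tcp
2019-06-10T09:00:14 10.0.0.15 192.0.2.130 465 tcp
2019-06-10T09:00:20 10.0.0.15 192.0.2.201 587 tcp
2019-06-10T09:00:31 10.0.0.15 198.51.100.5 25 tcp
2019-06-10T09:01:00 10.0.0.23 192.0.2.10 587 tcp
2019-06-10T09:01:30 10.0.0.23 192.0.2.10 587 tcp
"""

# SMTP (25), SMTPS (465) and submission (587): the ports a mail-relaying bot talks to.
SMTP_PORTS = {25, 465, 587}


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port, proto)."""
    ts, src, dst, port, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), proto


def smtp_relay_fanout(log_text, window=timedelta(minutes=10), threshold=3):
    """Return {src_ip: sorted distinct SMTP relays} for every source host that
    contacted at least `threshold` distinct SMTP relays inside any `window`."""
    events = defaultdict(list)  # src_ip -> [(timestamp, dst_ip)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = parse_line(line)
        if proto == "tcp" and port in SMTP_PORTS:
            events[src].append((ts, dst))

    alerts = {}
    for src, conns in events.items():
        conns.sort()  # time-ordered so the sliding window below is valid
        for i, (t0, _) in enumerate(conns):
            # distinct relays contacted within `window` of connection i
            distinct = {dst for ts, dst in conns[i:] if ts - t0 <= window}
            if len(distinct) >= threshold:
                alerts[src] = sorted(distinct)
                break
    return alerts


if __name__ == "__main__":
    for host, relays in smtp_relay_fanout(SAMPLE_LOG).items():
        print(f"{host} contacted {len(relays)} distinct SMTP relays: {relays}")
```

On the constructed log the bot-like host is flagged with five relays while the host that only talks to its own mail server is not; in practice the relay destinations should additionally be checked against the organisation's legitimate mail servers to suppress expected traffic.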
Here we are: another email has been sent, another piece of malware has been conceived and developed, another analysis has been made by me, but this time it looks like the "malware economy" is seriously moving toward fraud, where there is much more money than in information stealing, which is an ancient and romantic way to attack victims. Is this attack a significant example expressing the will of the new underground economy? Is this attack a small and silent change of paradigm, where previously the attacker was interested in your data in order to sell it, but now is more interested in defrauding third parties (such as companies) through you? I do not have the answer here.
Ok, now it's time to explain why I called this malware MalHide. Well, it's a complex piece of malware that hides itself several times, BUT most importantly it has been developed to hide the attacker when sending emails, in a way that makes it impossible to trace the attacker's IP back along the attack path. So I believe MalHide would be a nice name 😀
Further details on the MalHide malware, including the IoCs, are reported in the original analysis published by Marco Ramilli.