BadEpilogue: The Perfect Evasion

Starting from May 2016, Certego Threat Intelligence platform has been detecting multiple viral spam campaigns using a new evasion technique. These attacks are able to hide malicious attachments inside a specific area of the MIME/Multipart structure and to avoid Content Filtering controls.

Certego has also verified that few of the most common email clients and Web Mail services, using a different way of rendering the MIME/Multipart structure, are able to identify and extract the attachment, resulting in a Malware Evasion technique that we called BadEpilogue.

Analysis of the evasion technique

The picture at the top of the page shows a snippet of the source of a malicious email message.

Rows from 53 to 57 contain the end of the HTML message, while the attachment is located within an area that RFC2046 defines as Epilogue of a MIME/Multipart message, right after the final boundary of the Multipart message located at line 59 ending with the double “-” character.

According to RFC 2046, the message’s epilogue should not contain any useful text and, in particular, it should be ignored by MIME-compliant software:

NOTE: These "preamble" and "epilogue" areas are generally not used because of the lack of proper typing of these parts and the lack of clear semantics for handling these areas at gateways, particularly X.400 gateways. However, rather than leaving the preamble area blank, many MIME implementations have found this to be a convenient place to insert an explanatory note for recipients who read the message with pre-MIME software, since such notes will be ignored by MIME-compliant software.

In the attack, right after the closing boundary of the MIME/Multipart message and at the beginning of the Epilogue area, there is a new boundary (see line 61) that starts another Multipart section containing the malicious attachment.

Certego verified that many libraries used in Antispam and Antivirus systems to extract and analyze email attachments are unable to detect files hidden in the Epilogue area. On the other hand, popular email clients such as Outlook, Thunderbird and Evolution and also Web Mail services are able to detect the attachment and to show it to the user resulting in a new malware evasion technique.

Responsible Disclosure Policy

Certego decided to report this evasion technique to the developers of the email clients impacted by BadEpilogue. At the same time, we informed the vendors of major Antispam systems so that some of their Content Filters are ignoring attachments hidden in the Epilogue area.

So, we reported the technique to Microsoft and Mozilla. Microsoft has just released a patch for their email client in their last Security Bulletin (CVE-2016-3366 in the security bulletin MS16-107) fixing the vulnerability.

Talking about Antispam systems, Certego contacted Google and TrendMicro: both vendors confirmed the existence of the problem and promptly released a fix for it.

Detecting BadEpilogue using a SNORT signature

Certego also created the following Snort signature, that should detect all incoming SMTP messages exploiting the BadEpilogue evasion technique.

alert tcp any any -> $HOME_NET [25,587] (msg:"CERTEGO CURRENT_EVENTS Incoming SMTP Message with Possibly Malicious MIME Epilogue 2016-05-13 (BadEpilogue)"; flow:to_server,established; content:"|0d 0a|Content-Type|3a 20|multipart|2f|mixed|3b|"; pcre:"/\x0d\x0a--(?P<boundary>[\x20\x27-\x29\x2b-\x2f0-9\x3a\x3d\x3fA-Z\x5fa-z]{1,70})--(?:\x0d\x0a(?!--|\x2e|RSET).*)*\x0d\x0a--(?P=boundary)\x0d\x0a/"; reference:url,www.certego.net/en/news/badepilogue-the-perfect-evasion/; classtype:bad-unknown; sid:9000501; rev:3;)

The campaigns

As mentioned, this evasion technique has been detected in the wild since May 2016, in at least eleven different campaigns exclusively targeting Italian users. These campaigns use messages written in a fluent Italian asking the user to open an attachment labeled as invoice or payment receipt. The attachment is in ZIP format and it contains a malware in PE EXE format. This attack pattern is typical of the so-called Viral Spam that has been prevalent until a few months ago, but it has now been deemed ineffective by antispam filters blocking ZIP files containing PE EXE. In this case, the BadEpilogue evasion technique allows the attacker to generate extremely effective campaigns that can reach a very high number of targets.

While the first campaigns were spreading a malicious attachment containing a Trojan Downloader of the Fareit family which downloaded a variant of the Andromeda Infostealer, the latest campaigns have started working mainly with ransomware and in the last few days we have observed a massive amount of emails containing Zlader.

The following picture shows the various campaigns using the BadEpilogue evasion technique as reported by our systems.

The following picture shows the geolocation of IP addresses used to spread the malicious emails. Spreading patterns seem to be related to a single botnet that is expanding and contracting over time. This seems to be confirmed also by the fact that so far only Italian users have been targeted by these attacks.