Certego Threat Intelligence platform is observing some SPAM campaigns which are using
.url
files as first-stage downloader to spread malware and avoid anti-SPAM filters.
What are .url
files? This file type is usually used by Windows OS to save a web link, that it can be accessed easily by a simple click. These are normally licit files and harmless files, however they can be abused to create malicious links.
The particularity of these campaigns lies not only in the use of this particular type of file, but also in how these have been configured. In fact, all analyzed samples so far used particular URLs, in which the schema is not the well known and popular http
(or https
). Instead, file
is used.
What does file
schema do? Normally this schema is used to access local filesystem. It can also be used to explore remote ones: on Windows these are accessed via SMB protocol.
It seems just a new way to deliver malware using SMB.
How does this attack work? As in every SPAM campaign, the victim receives a mail which tells him that an important document is inside the attached ZIP archive.
Once ZIP content is extracted, the user faces what he belives a simple Windows' link (because it is really a link!).
After double-click it, the host tries to connect with remote server via SMB. Then a JScript is served which, once received, asks to be launched or saved.
JScript file is the second-stage downloader: it will contact an other remote server from which it will download a malicious executable file.
Till now, payload was a variant of Quant Loader malware, which aims getting persistence on the infected host and downloading others malware (third-stage downloader).
As for every mail based attacks first defence line is made of anti-SPAM filters. However the main component remains users, cause without their intervention this kind of attacks wont succeed. Therefore, the main goal should be training the userbase on this phenomenon.
IOC
SPAM subjects
Emailing: <random> Unpaid invoice [ID:<random>] Bill No <random> Receipt No <random> Invoice No <random>
JScript serving servers
buyviagraoverthecounterusabb[.]net 185.176.221[.]45 rightoted[.]com
anomalous rules on Windows firewall
rule name="Quant" program="%TEMP%\\<random>.exe" dir=Out action=allow rule name="Quant" program="%APPDATA%\\<random>\\dwm.exe" dir=Out action=allow
IDS signature
alert tcp $EXTERNAL_NET [139, 445] -> $HOME_NET any (msg:"CERTEGO CURRENT_EVENTS Possible JScript coming over SMB v2"; flow:established,from_server; content:"|FE|SMB"; offset:4; depth:8; content:"|08 00|"; distance:8; within:10; content:"var"; distance:48; content:"="; distance: 0; isdataat:2,relative; classtype:trojan-activity;)