“Sometimes huge clues like this are put into samples on purpose.”
Security researchers at virtualization-based security enterprise Bromium have encountered a cheeky Super Mario reference within a malware attack targeting Italian systems.
Bromium engineer Matthew Rowen was investigating a piece of malware that was hidden inside an Excel spreadsheet. He discovered that the malware was coded to only execute if it was in a machine based in Italy.
Once an unsuspecting user opens the Excel sheet they are greeted by a familiar warning, such as ‘It’s not possible to view the preview online. To view the content, you need to click on “enable edit”’. Once they press Enable Content, the Trojan malware launches cmd.exe and PowerShell.
The malware downloads an image of Super Mario to the device; hidden within that image is a PowerShell attack containing the GandCrab Trojan. GandCrab, first discovered in January 2018, encrypts users’ files with a unique key and then tries to extort a ransom in cryptocurrency.
Matthew Rowen, Member of Technical Staff, Engineering at Bromium, wrote in a security blog post: “Steganographic techniques such as using the low-bits from pixel values are clearly not new, but it’s rare that we see this kind of thing in malspam; even at Bromium, where we normally see slightly more advanced malware that evaded the rest of the endpoint security stack. It’s also pretty hard to defend against this kind of traffic at the firewall.”
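Because the low bits of pixel values are where this sample hid its PowerShell stage, the triage step a defender wants is a quick way to pull those bits out of a decoded image buffer and decide whether they look like noise (a normal photo) or like text (a hidden script). The following Python is an added example written for this article, not Bromium's tooling and not derived from the real sample: the pixel buffers are constructed in the script, the keyword list is an assumed heuristic, and the bit ordering (one bit per channel, most significant bit first) is only one of several orderings a real carrier might use.

```python
import random
import string

# Assumed, illustrative keyword list for triage; tune it to your environment.
SCRIPT_MARKERS = ("powershell", "invoke-expression", "iex(", "downloadstring",
                  "-enc", "frombase64string")
PRINTABLE = frozenset(string.printable.encode())


def extract_lsb_bytes(channels, max_bytes=None):
    """Reassemble bytes from the least significant bit of each channel value,
    most significant bit first. A real sample may use another bit or channel
    order; this is one ordering to try during triage."""
    out = bytearray()
    bits = []
    for value in channels:
        bits.append(value & 1)
        if len(bits) == 8:
            byte = 0
            for bit in bits:
                byte = (byte << 1) | bit
            out.append(byte)
            bits = []
            if max_bytes is not None and len(out) >= max_bytes:
                break
    return bytes(out)


def longest_printable_run(data):
    """Return the longest contiguous run of printable ASCII bytes in data."""
    best = bytearray()
    current = bytearray()
    for b in data:
        if b in PRINTABLE:
            current.append(b)
        else:
            if len(current) > len(best):
                best = current
            current = bytearray()
    if len(current) > len(best):
        best = current
    return bytes(best)


def score_lsb_payload(data, min_run=24):
    """Natural-image LSBs look like noise, so a long printable run that also
    contains script keywords is a strong signal. Returns (suspicious, details)."""
    run = longest_printable_run(data)
    text = run.decode("ascii").lower()
    hits = [m for m in SCRIPT_MARKERS if m in text]
    suspicious = len(run) >= min_run and bool(hits)
    return suspicious, {"longest_printable_run": len(run), "markers": hits}


def triage(channels):
    """Full check over a flat list of channel values (R, G, B, R, G, B, ...)."""
    payload = extract_lsb_bytes(channels)
    return score_lsb_payload(payload)


# --- constructed fixtures (not pixel data from the real sample) ------------
def embed_lsb_for_test(message, carrier):
    """Write message bits into channel LSBs purely to build a test carrier."""
    out = list(carrier)
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    if len(bits) > len(out):
        raise ValueError("carrier too small for message")
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return out


_rng = random.Random(7)
CLEAN_CARRIER = [_rng.randrange(256) for _ in range(4096)]   # noise-like LSBs
TEST_MESSAGE = b"powershell -enc <constructed placeholder, not a real payload>"
STEGO_CARRIER = embed_lsb_for_test(TEST_MESSAGE, CLEAN_CARRIER)


if __name__ == "__main__":
    print("clean carrier:", triage(CLEAN_CARRIER))
    print("stego carrier:", triage(STEGO_CARRIER))
```

The run-length test matters more than the keyword list: a natural image yields only short accidental runs of printable bytes, so a run of a few dozen characters is itself unusual even before any keyword matches, and a real analysis would repeat the extraction with the other common bit and channel orderings before concluding an image is clean.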
The Unavoidable Blue PowerShell Attack
Fileless malware attacks often use default Windows tools to carry out malicious actions or to move laterally across a network to other machines. The most common Windows tools used in these attacks are PowerShell and WMI, which are installed on nearly every Windows machine. PowerShell is a scripting language that, in the hands of threat actors, can give them unrestricted access to Windows APIs and the inner workings of the system.
Fred O’Connor, a researcher at endpoint security company Cybereason, commented in a blog post: “PowerShell’s ability to run remotely through WinRM makes it an even more appealing tool. This feature enables attackers to get through Windows Firewall, run PowerShell scripts remotely or simply drop into an interactive PowerShell session, providing complete admin control over an endpoint.” He also notes that if WinRM is not on, it can be turned on remotely through WMI using a single line of code.
Hackers and coders who are part of the cyber black market have a vested interest in integrating some form of signature into their work. As in any market, if something becomes a runaway hit, they can claim ownership and then elicit more money for use of their products.
Matthew Rowen commented on his find: “Malware authors actually spend quite a lot of effort on marketing, including often mentioning specific researchers by name within samples. It’s not clear whether or not this sample was actually trying to encourage me to investigate or not, but sometimes huge clues like this are put into samples on purpose.”