{"id":15850,"date":"2019-07-19T11:45:58","date_gmt":"2019-07-19T19:45:58","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/07\/19\/news-9595\/"},"modified":"2019-07-19T11:45:58","modified_gmt":"2019-07-19T19:45:58","slug":"news-9595","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/07\/19\/news-9595\/","title":{"rendered":"Undocumented Excel Variable Used in Malicious Spam Run Targeting Japanese Users"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Over the course of the past few months, the FortiGuard SE group has been utilizing and enhancing the Fortinet machine learning systems to detect emerging threats. Recently, one of those machines detected an anomalous spike that led us to discover a malware campaign that had been using social engineering techniques to target Japanese citizens over the course of several weeks.<\/p>\n<p>Like most phishing campaigns, this attack begins with an email that tries to trick a recipient into opening an attachment \u2013 which in this case is a weaponized Excel document that contains malicious macros. However, during this investigation we uncovered anti-analysis techniques used by these attackers, as well as an Excel variable that is currently undocumented.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/excel-variable-targeting-japanese-users\/_jcr_content\/root\/responsivegrid\/image_2129175839.img.png\" alt=\"Anomalous spikes in FortiGuard Machine Learning Systems\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1. Anomalous Spikes in FortiGuard Machine Learning Systems<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p class=\"cq-text-placeholder-ipe\" data-emptytext=\"Text\">\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/excel-variable-targeting-japanese-users\/_jcr_content\/root\/responsivegrid\/image_1296386535.img.png\" alt=\"Figure 2. Observed traffic primarily focuses on Japan\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2. Observed traffic primarily focuses on Japan<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Campaign Details<\/h2>\n<p>The campaign consists of spam email sent to a recipient where the context of the email (loosely translated from Japanese) contains multiple variations of the same message subject that reads \u2013 <i>[!!] Matter of May invoice<\/i> \u2013 although various other subjects and contexts were also observed.<\/p>\n<p>Some messages include a statement from an individual that claims they are \u201cvery indebted\u201d to the recipient, and that a reply is requested by the sender for the attached document:\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/excel-variable-targeting-japanese-users\/_jcr_content\/root\/responsivegrid\/image_134344662.img.png\" alt>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/excel-variable-targeting-japanese-users\/_jcr_content\/root\/responsivegrid\/image_1727596442.img.png\" alt=\"Figure 3. Spam email sent to recipient (original Japanese and translation)\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3. Spam email sent to recipient (original Japanese and translation)<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Another variation included four messages from a person named \u201cMOTH.\u201d Those messages are included below:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/excel-variable-targeting-japanese-users\/_jcr_content\/root\/responsivegrid\/image_1858116800.img.png\" alt>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/excel-variable-targeting-japanese-users\/_jcr_content\/root\/responsivegrid\/image_552474054.img.png\" alt>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/excel-variable-targeting-japanese-users\/_jcr_content\/root\/responsivegrid\/image_427403455.img.png\" alt>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/excel-variable-targeting-japanese-users\/_jcr_content\/root\/responsivegrid\/image_1692421576.img.png\" alt=\"Figures 4 \u2013 7: Message variations from \u201cMOTH\u201d\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figures 4 \u2013 7: Message variations from \u201cMOTH\u201d<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Other variations included slightly different messages, such as being forever indebted to the recipient, as well as offering to provide the invoice as a .pdf file if needed.<b><\/b><\/p>\n<h2>A Collection of Techniques<\/h2>\n<h3><b>Analysis of the Macro<\/b><\/h3>\n<p>The message attachments are Microsoft Excel files that contain malicious macros. An example of such an attachment is shown below.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/excel-variable-targeting-japanese-users\/_jcr_content\/root\/responsivegrid\/image_1967067908.img.png\" alt=\"Figure 8. Excel document containing a malicious macro\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8. Excel document containing a malicious macro<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Aside from targeting a specific country, what caught our attention with this attack was the collection of techniques used in the Excel macro itself. While they may not all be considered new, the authors clearly took great care in developing this attack.<\/p>\n<p>The first trick used is the typical fake picture, seen in the previous screenshot. Underneath, however, is something more sinister. The cell A1 of the spreadsheet actually contains a lengthy malicious string. When an attempt is made to copy this string, older versions of Excel will not be able to handle it.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/excel-variable-targeting-japanese-users\/_jcr_content\/root\/responsivegrid\/image_708872768.img.png\" alt=\"Figure 9. Excel document containing malicious macro and error message\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9. Excel document containing malicious macro and error message<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Diving into the macro itself, we attempted the usual analysis methods. For a quick view at what we were dealing with, we looked for the final payload and tried to simply create a regular MsgBox to see the final output. However, this failed, as shown in the example below:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/excel-variable-targeting-japanese-users\/_jcr_content\/root\/responsivegrid\/image.img.png\" alt=\"Figure 10. Excel document containing malicious macro and run time error message\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 10. Excel document containing malicious macro and run time error message<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Not to be deterred, we then tried the method of writing the output to one of the other cells in the spreadsheet for easier analysis. Again, and surprisingly, we got a similar \u201cOut of memory\u201d error.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/excel-variable-targeting-japanese-users\/_jcr_content\/root\/responsivegrid\/image_461532848.img.png\" alt=\"Figure 11. Excel document containing malicious macro and error message performing different type of analysis\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 11. Excel document containing malicious macro and error message performing different type of analysis<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Interestingly enough, the same problem occurred when we tried to write the output to an external file.<\/p>\n<p>As it turns out, the authors have actually found a way to incorporate anti-analysis techniques into the file to prevent analysts from using their usual quick-and-easy methods of deobfuscating macros. To figure out what was actually happening, we needed to perform a closer inspection of the macro.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/excel-variable-targeting-japanese-users\/_jcr_content\/root\/responsivegrid\/image_493569036.img.png\" alt=\"Figure 12. Example of xlXmlExportValidationFailed check by macro\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 12. Example of xlXmlExportValidationFailed check by macro<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As with almost all malicious macros, once the spreadsheet has been opened this macro is launched automatically via the call to Workbook_Open(). However, not too many macros actually check for Excel-specific variables, such as xlXmlExportValidationFailed. By doing this, the authors have ensured that the macro can only be executed within an Office Excel environment, which means that macro emulators may fail if they do not properly emulate specific Excel variables.<\/p>\n<p>This same trick is used in various locations throughout the execution of the macro.<\/p>\n<p>Moreover, this macro also uses the Application.International Excel property, which contains information about the current country\/region, as well as international settings in its call to the Beta1() function. <b><u>This eventually references the xlDate variable in Excel, which, oddly enough, is currently undocumented.<\/u><\/b><\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/excel-variable-targeting-japanese-users\/_jcr_content\/root\/responsivegrid\/image_1022259534.img.png\" alt=\"Figure 13. Example of xlDate missing from Application.International documentation in Excel\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 13. Example of xlDate missing from Application.International documentation in Excel<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The reason this variable is important will be made clearer in the next section.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/excel-variable-targeting-japanese-users\/_jcr_content\/root\/responsivegrid\/image_224804905.img.png\" alt=\"Figure 14. Example of an anti-emulation trick\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 14. Example of an anti-emulation trick<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p style=\"margin-left: 40.0px;\">As seen above in oceran(), additional Excel variables are used as anti-emulator tricks. In addition, the Shell() command expects two parameters: first, the actual command, and second, the window style. The window style here is defined as Sgn(123.67) \u2013 1, which is a fancy way of saying zero. Thus, whatever command is executed, the window will be hidden. The actual command is defined by the combined call to the Welcome() and WestAndS() functions. The WestAndS() function is used to deobfuscate the aforementioned lengthy string in Cell A1, while the Welcome() function decrypts it using the Beta1 key. As a reminder, the Beta1 key was determined by accessing international settings via the Application.International property with the undocumented xlDate variable. By default, the USA value for xlDate is 2. However, this value led to gibberish as this key could not properly decrypt the A1 string.<\/p>\n<p>As we had a small window for analysis, we decided that a quick brute force attack might prove more efficient rather than endlessly trying to figure out what xlDate actually is. A quick FOR loop with a stepsize of \u201c3\u201d (since the script called for a key of \u201cBeta1 * 3\u201d) was added to the macro in an attempt to brute force the correct payload. Finally, our strategy was successful:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/excel-variable-targeting-japanese-users\/_jcr_content\/root\/responsivegrid\/image_455649094.img.png\" alt=\"Figure 15. Example of decrypted PowerShell process\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 15. Example of decrypted PowerShell process<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3>Analysis of PowerShell<\/h3>\n<p>This decrypted line coincides with a Beta1 value of 81, which is apparently true for a standard Japanese system. The decrypted payload is as follows:<\/p>\n<p style=\"margin-left: 40.0px;\">Wmic ProcEss\u00a0\u00a0 &quot;caLL&quot;\u00a0 CrEATe\u00a0\u00a0 &quot;pOwERsHeLL -NONiNteRaCTI -W 1 -ExecutiOnpoL\u00a0 BypAsS -NoProF\u00a0 &amp;( $pSHOmE[21]+$PShOME[30]+&#8217;x&#8217;)( &quot;&quot;sal b sal;b c Iex;b v nEw-oBject;(v Io.coMPReSSIoN.dEFlAtEStrEAM([sYsteM.Io.mEmORystrEAm] [conVErT]::fRoMBasE64StRiNg(&#8216;REDACTED BASE64STRING&#8217;)&quot;&quot;+\u00a0 ([CHAR]44).TOStRInG()\u00a0 + &quot;&quot;[io.cOMpReSsIOn.COmPreSSiONmOdE]::DEComPrESs )|%{v iO.StREAmReADEr( `$_&quot;&quot;+\u00a0 ([CHAR]44).TOStRInG()\u00a0 + &quot;&quot;[tExT.encODinG]::ASciI)}|%{ `$_.READtOeND( )})|c&quot;&quot; ) &quot;<\/p>\n<p>Notice PowerShell\u2019s freeform use of arguments. One does not have to specify an entire argument, such as \u201c-ExecutionPolicy\u201d or \u201c-NonInteractive.\u201d Even a partial match will be accepted as long as it is understood what argument is being specified. For example, specifying \u201c-e\u201d by itself is ambiguous since it can refer to both \u201c-ExecutionPolicy\u201d as well as \u201c-EncodedCommand\u201d, and will consequently produce an error. This technique is likely an evasion tactic to avoid detection engines that rely solely on finding specific patterns in the command line string.<\/p>\n<p>As for PowerShell deobfuscation, there are actually five layers of various obfuscation techniques embedded within one command. Getting to the bottom layer will be left as an exercise for the reader. Once there, however, it should look like the following:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/excel-variable-targeting-japanese-users\/_jcr_content\/root\/responsivegrid\/image_213957296.img.png\" alt=\"Figure 16. Example of decrypted PowerShell process\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 16. Example of decrypted PowerShell process<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Another Japanese system check is performed here. It checks to see if the OS architecture is \u30d3 before allowing the script to continue. \u30d3 is the character for Katakana, and is a component of the Japanese language that allows for the transcription of words that are loaned or foreign to the Japanese language.<\/p>\n<p>The script makes heavy use of PowerShell aliases and string concatenation tricks. More interestingly, it also uses unconventional variable names, specifically names that start with a number, which surprisingly, is allowed in PowerShell.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/excel-variable-targeting-japanese-users\/_jcr_content\/root\/responsivegrid\/image_1537362632.img.png\" alt=\"Figure 17. Example of unconventional variable names\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 17. Example of unconventional variable names<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>What this final layer eventually does is use the DownloadFile command to contact hxxps:\/\/berdiset.top\/uploads\/QuotaManager (located in Russia), and then save the corresponding PE file to $ENv:apPdAtaOutlook.srss.exe. Due to time constraints, we have not had time to complete our analysis on the downloaded file (Outlook.srss.exe), which appears to possibly be a BEBLOH\/URSNIF variant (banking Trojan). This would not be surprise as we have frequently noted seeing the banking Trojan targeting Japanese systems in previous FortiGuard Weekly Threat briefs, including:<\/p>\n<ol>\n<li><a href=\"https:\/\/fortiguard.com\/resources\/threat-brief\/2018\/01\/04\/fortiguard-threat-intelligence-brief-january-05-2018\">January 5, 2018<\/a><\/li>\n<li><a href=\"https:\/\/fortiguard.com\/resources\/threat-brief\/2018\/04\/13\/fortiguard-threat-intelligence-brief-april-13-2018\">April 13, 2018<\/a><\/li>\n<li><a href=\"https:\/\/fortiguard.com\/resources\/threat-brief\/2018\/06\/22\/fortiguard-threat-intelligence-brief-june-22-2018\">June 22, 2018<\/a><\/li>\n<li><a href=\"https:\/\/fortiguard.com\/resources\/threat-brief\/2019\/03\/15\/fortiguard-threat-intelligence-brief-march-15-2019\">March 15, 2019<\/a><\/li>\n<\/ol>\n<h2>Distribution, and Interesting Activity in The Netherlands<\/h2>\n<p>Investigation into the mail headers showed that the following IP addresses were used in this campaign:<\/p>\n<p>93.147.115.90<br \/> 93.58.112.48<br \/> 79.11.236.101<br \/> 79.11.173.200<br \/> 165.51.245.201<br \/> 130.0.161.134<br \/> 39.45.30.114<br \/> 79.7.176.43<br \/> 31.197.238.214<br \/> 79.3.19.107<\/p>\n<p>Much to our surprise, a whopping 80 percent of the IP addresses were located in just one country, Italy.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/excel-variable-targeting-japanese-users\/_jcr_content\/root\/responsivegrid\/image_2107290097.img.png\" alt=\"Figure 18. IP address geolocation of spam servers\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 18. IP address geolocation of spam servers<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The other two IP addresses originated from Pakistan (39.45.30.114) and Tunisia (165.51.245.201), respectively. Digging deeper, we were able to determine that these IP addresses had also been seen in other campaigns \u2013 specifically in botnet cases, which makes sense given the scope and variation of the distribution and the messages seen in the examples earlier. During our investigation, we discovered that these IP addresses have previously been associated with the Avalanche, Conficker, Cutwail, and Quant botnets, and the Smokeloader and Nivdort malware variants.<\/p>\n<p>It is likely that these machines are machines that belong to residential users or small businesses that are unaware they have been compromised. It is also an interesting part of a larger trend, detailed in our quarterly Threat Landscape Report for Q1 2019, that describes the common practice of different threat actors using the same infrastructures in their exploits.<\/p>\n<h3><b>Anomalous Activity in The Netherlands and Italy<\/b><\/h3>\n<p>Based on our telemetry we observed that the majority of these attacks were concentrated in Japan, with a few anomalies in Asia and Europe,. However, we also observed one notable exception \u2013 a campaign emanating from the Italian IP address of 130.0.161.134, where high amounts of activity was targeting The Netherlands. \u00a0<\/p>\n<p>While Japan is a well known target for BEBLOH\/URSNIF, we were somewhat unsure as to why The Netherlands would appear so high on the list for this specific campaign, but data observed also shows that the sample: [cb0b8a2c1ca33d89a2181e58a0948bd88f478a39af45d0b54c53913cd89a5aba] has been trending\u00a0 in The Netherlands.<\/p>\n<p>And for what its worth, noted security researcher Peter Kruse <a href=\"https:\/\/twitter.com\/peterkruse\/status\/1135856292097069057\">tweeted<\/a> the following information a week ago (at the time of writing), posting a similar observation of a possible Bebloh\/URSNIF run affecting The Netherlands as well:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/excel-variable-targeting-japanese-users\/_jcr_content\/root\/responsivegrid\/image_1675629002.img.png\" alt=\"Figure 19. Tweet by Peter Kruse about BEBLOH\/URSNIF activity in Italy and The Netherlands\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 19. Tweet by Peter Kruse about BEBLOH\/URSNIF activity in Italy and The Netherlands<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Command and Control<\/h2>\n<p>As mentioned earlier, the sample 07c7ec61d9e4fe3af22a80fa206a019ed490aa37a1c1f6c46c3563701adc0510 was observed making calls to:<\/p>\n<p style=\"margin-left: 40.0px;\"><i>hxxps:\/\/berdiset.top\/uploads\/QuotaManager<\/i><\/p>\n<p>which resolves to the following IP addresses observed for our datasets \u2013 [5.188.60.133] and [5.8.88.24] \u2013 both of which are hosted in Russia, and use DNSPOD.com, a Chinese Dynamic DNS provider. Interestingly enough, it has been observed in various reports that the URSNIF Trojan avoids all machines running operating systems with Russian or Chinese languages enabled. However, we are not entirely sure why the actors behind this recent campaign are using DNSPOD, other than for dynamic DNS hosting. Likewise, the China\/Russia connection may be purely coincidental.<\/p>\n<p>Interestingly, however, this domain was only registered about a month ago \u2013 on May 12, 2019 \u2013 and our telemetry shows that samples referring to berdiset.top are active in Japan.<b><\/b><\/p>\n<h3>5.8.88.24 Has a History<\/h3>\n<p>Interestingly enough, we\u2019ve also observed activity for 5.8.88.24 before, with the bulk of attacks focusing on Peru. We can see in the chart below that there is no activity at all, and then a sudden surge in the beginning of 2019. We don\u2019t know the specifics of this campaign or have any further details, but it is interesting to note the trend for the associated IP address.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/excel-variable-targeting-japanese-users\/_jcr_content\/root\/responsivegrid\/image_1246551605.img.png\" alt>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/excel-variable-targeting-japanese-users\/_jcr_content\/root\/responsivegrid\/image_669249136.img.png\" alt>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/excel-variable-targeting-japanese-users\/_jcr_content\/root\/responsivegrid\/image_1769151932.img.png\" alt>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/excel-variable-targeting-japanese-users\/_jcr_content\/root\/responsivegrid\/image_735300651.img.png\" alt>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Known Defenses and Mitigations<\/h2>\n<h3>Initial Access:<\/h3>\n<p>FortiMail or other mail solutions can be used to block specific file types. FortiMail can also be configured to send attachments to our FortiSandbox solution (ATP), either on premise or in the cloud, to determine if a file displays malicious behavior. FortiGate Firewalls with Anti-Virus enabled alongside a valid subscription will detect and block this threat if configured to do so.<\/p>\n<p>FortiMail can also be configured with Content Disarm and Reconstruction to remove all macros for inbound Excel files, Office Documents and scripts within PDF files to neuter such threads before entering the network.<\/p>\n<h3>Execution:<\/h3>\n<p>FortiClient running the latest virus signatures will detect and block this file and associated files. The file(s) in this attack are currently being detected as:<\/p>\n<p style=\"margin-left: 40.0px;\">VBA\/Agent.MUV!tr.dldr<br \/> W32\/Inject.ALRRV!tr<\/p>\n<h3>Indicator of Compromise (IOCs)<\/h3>\n<p>All network IOC\u2019s in this report are blacklisted by the FortiGuard Web Filtering Service.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/excel-variable-targeting-japanese-users\/_jcr_content\/root\/responsivegrid\/image_1790680117.img.png\" alt>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p class=\"cq-text-placeholder-ipe\" data-emptytext=\"Text\">\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/excel-variable-targeting-japanese-users\/_jcr_content\/root\/responsivegrid\/image_657667803.img.png\" alt>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><i>Learn more about\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">FortiGuard Labs<\/a>\u00a0and the FortiGuard Security Services\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions.html?utm_source=blog&amp;utm_campaign=2018-blog-security-services\">portfolio<\/a>.\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">Sign up<\/a>\u00a0for our weekly FortiGuard Threat Brief.\u00a0<\/i><\/p>\n<p><i>Read about the FortiGuard\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/security-rating.html?utm_source=blog&amp;utm_campaign=2018-blog-security-rating-service\">Security Rating Service<\/a>, which provides security audits and best practices.<\/i>\u00a0<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<div id=\"om-qxx1b0gslklfu2kjckea-holder\"><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"http:\/\/feedproxy.google.com\/~r\/fortinet\/blog\/threat-research\/~3\/DTstg39OxjM\/excel-variable-targeting-japanese-users.html\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/excel-variable-targeting-japanese-users\/_jcr_content\/root\/responsivegrid\/image_2129175839.img.png\"\/><br \/>The FortiGuard SE group discovered a malware campaign that had been using social engineering techniques to target Japanese citizens. Learn more.&lt;img src=&#8221;http:\/\/feeds.feedburner.com\/~r\/fortinet\/blog\/threat-research\/~4\/DTstg39OxjM&#8221; height=&#8221;1&#8243; width=&#8221;1&#8243; alt=&#8221;&#8221;\/&gt;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-15850","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15850","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15850"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15850\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15850"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15850"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15850"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}