DocuSign-themed email leads to script-based infection

    Published: 2023-05-27
    Last Updated: 2023-05-27 03:19:36 UTC
    by Brad Duncan (Version: 1)
    0 comment(s)

    Introduction

    Twitter user @0xToxin has reported seeing malicious emails impersonating DocuSign with HTML attachments this past week or so.  Samples are available here.

    Very little public information exists on this specific campaign, so today's diary reviews information on it.


    Image 1:  Flow chart for the infection chain.

    HTML Attachments

    Although Twitter user @ffforward has stated this campaign started sometime in 2022, I can only confirm one additional date based on the HTML template, file name, and post-infection traffic from @0xToxin's publicly-shared samples.

    I collected the following data from VirusTotal and confirmed it is the same campaign.

    From 2023-05-10:

    SHA256 hash: 064ee9cc4256a4e004d3c6e74e1a4cc2d686f82a7e22640aa718167b5af40a29
    • File name: May10-Invoice-DocuSign-6345036.html

    SHA256 hash: 1b1ee0937147d8867227ea72654d3aa7acb54d5bc1d31b7922586f12a30beeb4
    • File name: May10-Invoice-DocuSign-945225.html

    SHA256 hash: efbb83a531b88d0820d36410356cc4c8deef25deaa8da351a963dd51eadf8048
    • File name: May10-Invoice-DocuSign-91218.html

    Downloaded zip name: May10-Invoice-DocuSign.zip
    Extracted .js name: May10-Invoice-DocuSign.js

    From 2023-05-25:

    SHA256 hash: 418c0706510868bf2afad98bfb66d7492fdb594ca8d477aba89f471ca00d70fd
    • File name: Invoice DocuSign May 25 2023 6841006.html

    SHA256 hash: d075b86f23ea2f16db1bbbe5d8b141fde60b1655fc48b46335bb8554235bac32
    • File name: Invoice DocuSign May 25 2023 34261.html

    Downloaded zip name: Invoice-DocuSign-May25-2023.zip
    Extracted .js name: Invoice-DocuSign-May25-2023.js

    Preliminary analysis indicates all HTML file attachments for a specific day of spamming generate the same file hash for the downloaded zip archive and extracted .js file.

    Images From An Infection


    Image 2:  HTML attachment opened in a web browser presents a zip archive to download.


    Image 3:  The zip archive contains an obfuscated script file.


    Image 4:  The infection is kept persistent through a scheduled task that contains the C2 URL.


    Image 5:  The persistent VBS is merely a WScript command to run PowerShell, and it uses parameters for the C2 from the scheduled task command.

    Traffic From An Infected Windows Host

    Traffic from this infection occurs using HTTP GET and POST requests to 159.65.42[.]223 over TCP port 80.  The initial HTTP GET request returns script to gather information about the infected Windows host.  The second HTTP request is a POST that sends the collected information to the C2 server.  After that initial POST request, the infected Windows host checks in to the C2 server approximately once every minute.

    The 16-character string at the end of the C2 URL is unique for each infected host.

    I let the infection run in my lab for over an hour, but I saw no follow-up activity, only the check-in traffic every minute.
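    As an added defender-side example (not code from the diary or from the campaign), the following Python groups proxy-log requests by client, server, and the trailing 16-character token described above, and flags series that recur at roughly one-minute intervals. The log lines, the URL path segment, and the token value are constructed; the token being alphanumeric is an assumption.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy-log sample, not traffic captured from the diary's infection.
# Fields: timestamp client method url. The C2 address is the diary's; the path
# segment and 16-char token are placeholders; methods are arbitrary and ignored.
SAMPLE_LOG = """\
2023-05-26T14:00:03Z 10.0.0.5 GET http://159.65.42.223/PLACEHOLDER/aBcDeFgH12345678
2023-05-26T14:00:04Z 10.0.0.5 POST http://159.65.42.223/PLACEHOLDER/aBcDeFgH12345678
2023-05-26T14:01:05Z 10.0.0.5 GET http://159.65.42.223/PLACEHOLDER/aBcDeFgH12345678
2023-05-26T14:02:04Z 10.0.0.5 GET http://159.65.42.223/PLACEHOLDER/aBcDeFgH12345678
2023-05-26T14:03:06Z 10.0.0.5 GET http://159.65.42.223/PLACEHOLDER/aBcDeFgH12345678
2023-05-26T14:00:10Z 10.0.0.7 GET http://example.com/news/index.html
2023-05-26T14:00:41Z 10.0.0.7 GET http://example.com/news/story/1
2023-05-26T14:02:30Z 10.0.0.7 GET http://cdn.example.net/assets/0123456789abcdef
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")
# Assumption: the per-host identifier is 16 alphanumeric characters ending the path.
TOKEN_RE = re.compile(r"/([A-Za-z0-9]{16})/?$")


def parse(log):
    """Yield (timestamp, client, method, url) for each well-formed log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ"), m[2], m[3], m[4]


def find_beacons(log, period=60, tolerance=10, min_hits=4):
    """Return {(client, server, token): median_gap_seconds} for request series
    to a token-terminated URL that recur roughly every `period` seconds."""
    series = defaultdict(list)
    for ts, client, _method, url in parse(log):
        m = TOKEN_RE.search(url)
        if m:
            series[(client, urlsplit(url).hostname, m[1])].append(ts)
    hits = {}
    for key, times in series.items():
        if len(times) < min_hits:
            continue  # too few requests to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median_gap = statistics.median(gaps)  # median absorbs the initial GET/POST pair
        if abs(median_gap - period) <= tolerance:
            hits[key] = median_gap
    return hits
```

    Run against real proxy or Zeek HTTP logs after adapting LINE_RE to their field order; the single-hit cdn.example.net line shows that a lone 16-character path is not enough on its own to be flagged.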


    Image 6:  Traffic from the infection filtered in Wireshark.


    Image 7:  Initial HTTP GET request returns script to gather info on the infected Windows host.


    Image 8:  The initial HTTP POST request sends collected data to the C2 server.


    Image 9:  The infected Windows host then checks in approximately once every minute.

    Final Words

    This campaign may have started sometime last year.  C2 traffic is based on the scheduled task as shown above in Image 4.  This script-based malware sends information about the infected host to a C2 server.  At some point, this would probably lead to further malware.

    So far, the collected malware is available on Malware Bazaar using the tag 159-65-42-223, at least until the threat actor decides to change C2 servers.

    If anyone knows further information on this campaign, feel free to share in the comments!

    ---
    Brad Duncan
    brad [at] malware-traffic-analysis.net
