#1267150: ‘Oto Gonderici’ Excel formula injections target Turkish victims

Description:

A criminal relentlessly attacks Turkish targets with a novel maldoc trick, mostly staying under the radar
11 July 2019


By Gabor Szappanos

SophosLabs has been tracking the activities of a threat actor implicated in a large number of malicious spam attacks targeting large organizations based in Turkey since last fall. The attacks and their malicious components don’t seem to be well-detected by endpoint security tools.

One reason the attacker has remained mostly successful at staying under the radar may be that he used an uncommon method for delivering the payload: Excel formula injection. The process is described in a blog post dating to about a year ago. That disclosure may have inspired this threat actor. Within a few months, by September 2018, we started to see the first malware campaigns that employed this method.

Some of the early activities were documented in a blog posted by the SANS Internet Storm Center, but the attacker behind these campaigns seemingly hasn’t been affected. The attacks continue to this day.

The threat actor predominantly targets victims based in Turkey using malspam email messages written in the Turkish language. The spam author’s grasp of Turkish grammar, among other indicators, lends credibility to the hypothesis that both the origin and targets of this campaign are in Turkey.

But the attack method may not remain within the borders of the Türkiye Cumhuriyeti indefinitely. Successful ideas eventually infiltrate the entire crimeware ecosystem, and while this may not be the most effective tool for criminals, they can still use it like any other tool in the toolbox.

Initially the threat actor infected the victims with the Adwind remote access trojan, and the latest campaigns are delivering a FareIt trojan payload. In this writeup, however, we’ll examine the infection method used by this attacker, not the payload delivered by the attack.
Infection process

The attacks are performed using email messages that contain the malicious content as attachments. Throughout the life cycle of the attacks we have seen multiple methods, the most common of which was Excel formula injection.
Phishing messages

The messages are strikingly similar, have the same structure, but the precise text of the message body changes from campaign to campaign, illustrated by the following examples:
Older-style message example 1
Older-style message example 2
Older-style message example 3

Here’s a rough translation of a malspam body text:

HELLO

AT THE ANNEX I WILL WAIT FOR YOUR PRICE OFFER FOR 26 GRAIN MATERIAL ORDERS.

YOUR INFORMATION
YOURS TRULY ....

Each of the observed messages follows the same structure; only the number of items varies, and the expressions are replaced with similar alternatives.

Later analysis revealed that the emails were generated by a builder that randomly selected from predefined sentence components, which explains the similarities.

The latest email messages from April-May 2019 are a bit more cryptic than the earlier ones, probably due to the threat actor’s attempt to make them look less mechanical.
An example of the newer style messages with more detail and greater randomization in the body text

Rough translation of the message text:

7 pieces of material., Filename is the name,

I'm waiting for your answer .,
I hope everything is clear .,
BEST REGARDS .,

It is interesting to see how the threat actor doesn’t even try to make the phishing messages sophisticated; they fall more to the simplistic side of these kinds of messages.

The malspam carries a malicious attachment that downloads the final stage of the attack. Throughout the lifetime of the attacks, we observed a couple of different methods for performing the download.
Method 1: Excel formula injection with PowerShell downloader

The malicious files are delivered attached to email messages like this one:
Malspam with attachment

The email contains a comma-separated values (CSV) file attachment, a text-based workbook format natively supported by Excel. At first look, these files contain only a lot of junk text strings.

However, scrolling down to the middle of the worksheet, the really important content reveals itself:

As it turns out, when Excel opens these files, it interprets the junk data as cell content until it reaches the highlighted line. The multiple leading hyphens trick Excel into considering this line to be a spreadsheet formula. In this case, the “formula” literally invokes the command shell and executes a PowerShell code snippet that downloads the payload.

It is not only the hyphen/minus sign that forces the line to be evaluated as an Excel formula. We observed a variety of versions that used a combination of the plus, minus, and equals math operators, any of which will result in Excel treating the content that follows those symbols as a formula, anywhere within the file.

The method is crudely effective but it isn’t foolproof. When a target opens such a file, Excel displays not one, but two warning dialogs. The first one asks if the user wants Excel to update a “link” (i.e. the formula) automatically.

If the user clicks the Enable button, Excel presents yet another dialog box warning the user that the document is about to execute a command using the command shell, cmd.exe.

If the user clicks Yes on this dialog, Excel executes the command, which in the example shown above triggers PowerShell to download and execute the malicious payload.

The downloader scripts only specify the server name, not the full URL. Consequently, the download servers return a default file, which in most cases we’ve observed is named Favori.ico. But this file is a Java JAR package, and not the icon file its suffix suggests it should be.
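As an added defensive example (not code from the Sophos article, and not the attacker's tooling), the following Python script does what a mail gateway or analyst triage step would do with a CSV attachment: it flags every cell that Excel would evaluate as a formula, ranks the hits by whether they name a shell or download tool, and writes a neutralized copy in which such cells are prefixed with an apostrophe so Excel displays them as text. The sample CSV, the placeholder command inside it and the severity rules are constructed assumptions; the leading characters it checks are the plus, minus and equals operators described above, plus `@`, tab and carriage return, which are the other leaders commonly listed for CSV formula injection.

```python
import csv
import io
import re

# Constructed sample attachment (not a real campaign file): junk rows with one
# injected cell. The command inside it is a labelled placeholder, not a payload.
SAMPLE_CSV = (
    "lorem ipsum,dolor sit amet\n"
    "quia voluptas,sit aspernatur\n"
    "---cmd|' /C PLACEHOLDER_COMMAND'!A0,more junk\n"
    "consectetur,adipiscing elit\n"
    "=1+1,plain arithmetic\n"
    "-42,negative number\n"
)

# Leading characters that make Excel evaluate a CSV cell as a formula. Plus,
# minus and equals are the ones seen in this campaign; @, tab and CR are the
# other leaders commonly listed for CSV injection (assumption: treat all as risky).
FORMULA_LEADERS = ("=", "+", "-", "@", "\t", "\r")

# DDE-style launch syntax: application|'command'!reference
DDE_PATTERN = re.compile(r"\|\s*'[^']*'\s*!")
# Tools this campaign (and similar ones) abuse to fetch payloads.
SHELL_HINT = re.compile(r"\b(cmd|powershell|bitsadmin|certutil|mshta)\b", re.IGNORECASE)


def is_formula_cell(cell: str) -> bool:
    """True if Excel would treat the cell as a formula rather than as text."""
    if not cell.startswith(FORMULA_LEADERS):
        return False
    try:
        float(cell)          # "-42" or "+3.5" is a plain number, not a formula
        return False
    except ValueError:
        return True


def scan_csv(text: str) -> list:
    """Return one finding per formula-like cell with a coarse severity."""
    findings = []
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for col_no, cell in enumerate(row, start=1):
            if not is_formula_cell(cell):
                continue
            if SHELL_HINT.search(cell):
                severity = "high"      # formula that names a shell or download tool
            elif DDE_PATTERN.search(cell):
                severity = "medium"    # DDE launch syntax with an unknown application
            else:
                severity = "low"       # ordinary formula; still unusual in a mailed CSV
            findings.append({"row": row_no, "col": col_no, "severity": severity, "cell": cell})
    return findings


def neutralize_csv(text: str) -> str:
    """Prefix every formula-like cell with an apostrophe so Excel shows it as text."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(io.StringIO(text)):
        writer.writerow(["'" + c if is_formula_cell(c) else c for c in row])
    return out.getvalue()


if __name__ == "__main__":
    for hit in scan_csv(SAMPLE_CSV):
        print(f"row {hit['row']} col {hit['col']} [{hit['severity']}]: {hit['cell']!r}")
    print(neutralize_csv(SAMPLE_CSV))
```

On the constructed sample the injected row is reported as high severity, the harmless `=1+1` as low, and the negative number is left alone; the neutralized output keeps the data intact and scans clean. Neutralizing is a gateway-side safety net only: the warning dialogs Excel shows the user remain the last line of defense, and a CSV that triggers any "high" finding is better quarantined than delivered.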
Method 2: Word document with embedded Excel PowerShell downloader

This other distribution method involves the use of a Word document attached to the malspam that contains an embedded Excel XLS spreadsheet file.

The embedded object uses the same formula injection technique as described in the previous section.
Method 3: Word document with embedded Excel bitsadmin downloader

We found a malicious Word document in the course of investigating these attacks that implements a similar method to the previous example. One difference is that the malicious Word document contains an embedded CSV file with an XLS extension.

Another difference was that it did not use a PowerShell downloader script. Instead, the command spawned the Windows bitsadmin tool to download the payload.

Method 4: Word document with DDE command

We have found a single file related to one of the download servers that used a more traditional method: DDE command.

The document body contains an embedded command field that executes a command shell, and uses the certutil tool to download the payload. Field codes are usually hidden, but if you change the right setting you can see these codes in the body of the document.
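Because field codes are hidden in Word's normal view, a detection step should read them straight from the document XML rather than from what the user sees. The following added Python example (not code from the Sophos article) builds a minimal, constructed `.docx`-shaped zip whose `word/document.xml` contains a DDEAUTO field split across two runs, plus a benign DATE field, and then extracts and classifies every field code in the package. The sample XML, the placeholder command and the keyword list are assumptions; the OOXML element names (`w:fldChar`, `w:instrText`, `w:fldSimple`) are the standard ones.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{" + W_NS + "}"

# Constructed word/document.xml: one complex field whose instruction is a DDEAUTO
# command (the command itself is a labelled placeholder) and one harmless DATE field.
SAMPLE_DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<w:document xmlns:w="' + W_NS + '"><w:body>'
    '<w:p><w:r><w:t>Please find the offer attached.</w:t></w:r></w:p>'
    '<w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDEAUTO c:\\windows\\system32\\cmd.exe </w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">"/c PLACEHOLDER_COMMAND" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>result text shown instead of the code</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '</w:p>'
    '<w:p><w:fldSimple w:instr=" DATE \\@ &quot;yyyy&quot; "><w:r><w:t>2019</w:t></w:r></w:fldSimple></w:p>'
    '</w:body></w:document>'
)


def build_sample_docx() -> bytes:
    """Pack the constructed XML into a minimal .docx-shaped zip, in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", SAMPLE_DOCUMENT_XML)
    return buf.getvalue()


def extract_field_codes(docx_bytes: bytes) -> list:
    """Return (part, field_code) for every field in the body, headers and footers.

    Complex fields are assembled from the instrText runs between the fldChar
    begin/end markers, so a code split across runs is seen whole; nested fields
    are handled with a stack. Simple fields carry their code in w:instr."""
    codes = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not (part.startswith("word/") and part.endswith(".xml")):
                continue
            root = ET.fromstring(z.read(part))
            stack = []
            for node in root.iter():          # document order
                if node.tag == W + "fldChar":
                    kind = node.get(W + "fldCharType")
                    if kind == "begin":
                        stack.append("")
                    elif kind == "end" and stack:
                        codes.append((part, stack.pop().strip()))
                elif node.tag == W + "instrText" and stack:
                    stack[-1] += node.text or ""
                elif node.tag == W + "fldSimple":
                    codes.append((part, (node.get(W + "instr") or "").strip()))
    return codes


# Field keywords that launch another program; DATE, PAGE, TOC and friends are benign.
SUSPICIOUS_FIELD = re.compile(r"^(DDEAUTO|DDE)\b", re.IGNORECASE)


def scan_docx(docx_bytes: bytes) -> list:
    """Field codes that would run a command when the document updates its fields."""
    return [(part, code) for part, code in extract_field_codes(docx_bytes)
            if SUSPICIOUS_FIELD.search(code)]


if __name__ == "__main__":
    sample = build_sample_docx()
    for part, code in extract_field_codes(sample):
        print(f"{part}: {code!r}")
    print("suspicious:", scan_docx(sample))
```

Joining the `instrText` runs matters: Word frequently splits one field code across several runs, so matching on a single run would miss a keyword that straddles the boundary. The same walk covers `word/header*.xml` and `word/footer*.xml`, where fields are just as executable but even less likely to be noticed.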

Read the rest at the link below.

Targets

The targets of the infection attempts are mostly (but not exclusively) Turkish enterprises. The threat actor is not selective; the targets cover all industrial sectors, from industrial electronics through sanitary products to investment banks.

Conclusion

Not all malware attacks are sophisticated and carried out by highly skilled professionals. In many cases very rough methods are used by less talented but dedicated criminals.

This holds true for this series of ongoing attacks that target enterprises in Turkey. The threat actor shows no sign of giving up; new samples pop up every day. He even developed the tools to automate the building and mailing of the malicious files.

It is surprising that, despite the simplistic malspam messages and the series of Microsoft Office warning dialogs that accompany the infection process, this threat actor is still in business. It would be trivial to avoid falling for this trick by heeding the warning messages in the dialog boxes, but perhaps the language barrier, and the complexity of the messages the warning dialogs attempt to convey, obscure the warnings’ severity.
First Aid: IOCs:

Download server:
142.11.194.25
2073.mobi
25665.club
25665.me
33016.club
60431.club
75735.club
77444.club
80001.me
82813.club
atessan.online
avrupagoz.online
banage.live
basaso.mobi
cinarterlik.online
cnfh.mobi
fazilet.club
gelovosaja.club
ghtc.mobi
hfik.mobi
hocoso.mobi
inssanayi.mobi
jekarebege.online
jodaje.mobi
johaca.mobi
jurugq.host
kartalescort.mobi
kayaya.mobi
kojero.mobi
lca.mobi
localhost
localhost.com
mgw.mobi
nafaro.mobi
nefal.mobi
nehabe.mobi
nejoja.mobi
peindikescort.mobi
rlg.mobi
selcukecza.online
specforce.space
supkh.mobi
tamor.mobi
taneketevo.online
tzlss.mobi
vazawoweso.online
vecoha.mobi
wpf.mobi
walatecaqa.club
www.aghkf.ml
www.aetye.ml
www.ayanw.ml
www.cpaneh.tk
www.ekqff.ml
www.ewouif.gq
www.gyqey.ml
www.hcsscj.ga
www.hvaycz.cf
www.iquqy.ml
www.jahlq.ml
www.Jdokdo.ml
www.jjsiu.ml
www.nvmdv.ml
www.pqoyruw.ga
www.pvrdn.ml
www.qoloa.ml
www.qyhhy.ml
www.rimaw.ml
www.qzitt.ml
www.rtrzd.ml
www.swtaegs.ml
www.tgmml.ml
www.urdnz.cf
www.vgplb.ml
www.vpewqz.tk
www.wdplf.ml
www.whyog.ml
www.wqplw.ml
www.yklud.ml
www.ynngon.ml
www.yomka.ml
www.yuktu.ml
yepeyowora.online
yerago.mobi
yolecafeha.club
zavayo.mobi
zayero.mobi
zororo.mobi


C&C server:
burcutekstil.online
yolecafeha.club
professional.mobi
turkcall.mobi
walatecaqa.club
www.yomka.ml
selcukecza.online

Server IP address:
54.36.212.133
94.23.170.118
51.15.225.63
51.158.125.92



Builder/mailer:
7c3b700f298a2a5f9805dfa40d05c1933a19c512
4e28f36e1bfd607c70c891f6a828b0d8e7128d32
17b37b127675328fc0e10275147e70cc3a466d4f
dea73d5d476817c92a9382cf164aa91dbe42a556
f35c4dbd1701bb20acd0929dacef7d218983f8e3
a1df33de26d0c85e13bb3baec4fa12389e546c7b
4b9f8a0043a2c6f9862996666e16d9e6d28a528c


Adwind:
1663ec54a9e113544f5c6f5708e5b1b6802602f6
25971f7fa8dfd3ff18f4ceab438e53a7f5e1364d
3aab9ebc8158c3be6898153e670b90f3d3112cae
49afa1dd0d0c6903468e6475c7befb9c7a2058bd
767b8920674824e81160d95f11acea2dbf5e6e58
b3208f490d79b7692dfd6d0f21a778fe11d4f281
c17b4f46d99c6f49f1827dad63db0ac976412a2f
d7289fb2861e25700a1b5d485aa0beba0dcbe832
d7a12a6a3eed5201850896ea344dc0d949523df9
d984f3792bdb4fb2b95cdb779b0876cfbc77a94a
e2c2340c336649ed34ac653cd77e5393fdd15f46
e8dbf2b926d11ea8dbebca7677e93710cffe1db8


FareIt:
ed0a6932f3cf08f123b618f53f1102987149c13e
4b18a3185060a53addf5a8e403475e75a54a3e39

Excel CSV downloader:
0000a22de835bbda27e3e6ab020f86c747b3c903
000230b87dcb90a62e40ffac22e9f52c717b91ae
004aba00e4bd635539c459797ada01d163225b1e
0180fa3517f780ab00da16d4e98be2bad7ba4497
020ac619ee9fc9cc8e2ab2808c3e55b5bf7eddd2
052330d7fc191c04d759e6a64ab1086edafc3145
0527ba5b36f4d072d284c2ddc114639ffdd27d07
05b5bdb0bb4b2f4fec8356319bbec15b8d5a60e7
05c1651d264141eb26cc5a6dfa685e3f001ca92f
070b29dd5bc7852692889c129e9fa4d6d21d3b19
070f3f780283d0ad6d3cde42a96c15e4c383fba2
0985fcab81798c8aec06cf04e723a44a442738f9
09e013e1ca8c84c741b9ef5953433435a89d7953
09fef10edd3154ba29547ab8f86866d06a0054e6
0a8e68b2f6ac0676d8ed7481883b9babe681eeb1
0bf15a8a01af578ca01124bf6b5cda705eb3c664
0ca85072950474864e3ef2239c1617cd87896a30
0ca85b96cf04e0ba83d2f27fe7a54617e1688328
0db2d9d7a0577ba12391c3a37550c608a51a7a8b
0dba0f6c52317e2bd4a1ea5f0ae80bc1c009b1d7
0e66f7cfa7444c71fa78951b66405982f27a3f84
0f04bef12abdc48682042b36623ac2e6ace23edd
0fa9d9f6f555d34987b197bb2c510c88a31461e4
0ffc9c36cfabfd61f59d53dfc2e77b19119f46d3
11ec8cc2d3183c5d12a5507a70722a1d9a9070ff
1247be65bd6cf57a10002f7672c2a669f6c43cd8
1251b1820878355d2dbdca08dde4b0d7f85e54cd
125a7b6edca2e5c78047884c9f5da7d131af3a4f
12f5e578c4942a66f9668e239212c939498584bd
13f30d067b24879ba799dfaa1f0d63cd730a2bfb
145373e14944109e843052b20de96acf03531914
1465d5dbb3b6fd60ffed89ad0cbfc8d4572630b8
151a37cf88cf4dfbbcb3b29ab1c0209f2601e9c1
17f31d13462a6e64a0d555b66e3e27cd9f3a3c0b
191a10c4470e7303e11cb1034fb12b25931c080a
196be88c5148230d74431c46a180dbef63e515aa
1a095e2f88a644581d79552c2a26c48098b075bd
More info: https://news.sophos.com/en-us/2019/07/11/oto-gonderici-excel-formula-injections-target-turkish-victims/

Date added July 11, 2019, 9:14 p.m.
Source Sophos