THREAT INSIGHTS REPORT March 2020
THREAT LANDSCAPE
The Bromium Threat Insights Report is designed to help our customers become more aware of emerging threats, equip
security teams with tools and knowledge to combat today’s attacks, and manage their security posture.
Bromium Secure Platform is deployed on desktops and laptops, where it captures potentially malicious content and lets it run
inside secure containers (micro-VMs). Adding isolation to the endpoint security stack turns endpoints into a strong line of
defence, while giving security teams the ability to monitor, track and trace malware that tries to enter the network.
NOTABLE THREATS
In February 2020, Bromium Labs observed a large malicious spam
campaign targeting Japanese organisations that distributed Nemty
ransomware. The emails carried ZIP files containing malicious
VBScript (VBS) downloaders. When run by Windows Script Host
(WScript.exe), the VBS files downloaded and executed one of two Nemty
payloads. The ZIP files were named according to the Design rule for
Camera File system (DCF) standard, to suggest that they contained
photographs taken with a digital camera. The subject lines of the
emails were two- or three-character emoticons, designed to provoke
recipients' curiosity. The Nemty samples were named jap.exe and
jp.exe, which supports the assessment that Japanese organisations
were the intended targets of this campaign. Figure 2 shows the
campaign's infrastructure; each red dot represents a unique VBS
downloader sample that was isolated by Bromium Secure Platform.
In March, Nemty's developers began publicly dumping data stolen
from victims who did not pay, as an additional extortion tactic.
Since January 2020, Bromium Labs has been tracking a malicious
spam campaign delivering zipped PDF files that purport to be
invoices. The PDF files contain hyperlinks leading to web pages
that selectively serve malicious XLS files in CFBF (Compound File
Binary Format). Rather than macros, the spreadsheets use Excel's
legacy Web Query feature, an external-data connection that fetches
content from a URL (the older import mechanism that Power Query
later superseded), to retrieve and execute commands from a remote
command and control (C2) server. Each spreadsheet relies on a social
engineering image to trick the user into clicking "Enable Content",
which lets the workbook's external data connection refresh and so
triggers the Web Query. The query connects to the adversary's C2
infrastructure; if the connection succeeds, the C2 server responds
with a series of Excel functions that download and run further payloads.
So far we have observed commodity remote access tools (RATs)
and publicly available shellcode being delivered. Interestingly, the
shellcode merely launches calc.exe, suggesting that this activity may be
an adversary testing their capabilities in the wild as a precursor to a
true campaign. The senders were AOL webmail addresses, and the messages passed DKIM and SPF checks, so sender
authentication alone would not have flagged them. At the time of writing, the campaign is still active.
Figure 1 - Malware type classifications, January and February 2020
Figure 2 - Nemty malicious spam campaign infrastructure, February 2020
https://malpedia.caad.fkie.fraunhofer.de/details/win.nemty
https://en.wikipedia.org/wiki/Design_rule_for_Camera_File_system
https://www.bleepingcomputer.com/news/security/nemty-ransomware-punishes-victims-by-posting-their-stolen-data/
https://support.office.com/en-gb/article/introduction-to-microsoft-power-query-for-excel-6e92e2f4-2079-4e1f-bad5-89f6269cd605
https://support.office.com/en-gb/article/import-data-from-external-data-sources-power-query-be4330b3-5356-486c-a168-b68e9e616f5a
https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
https://en.wikipedia.org/wiki/Sender_Policy_Framework
NOTABLE TECHNIQUES
Malicious documents often contain images of fake program prompts designed to convince users to perform an action, such
as disabling Microsoft Office's read-only mode (Protected View) and enabling macros. In a threat research article on the
Bromium Blog, we discuss how to use perceptual hash algorithms to track and detect malware families distributed in
campaigns that involve visually similar documents. As part of the research, we identified a QakBot campaign in which the
social engineering images had been programmatically modified. The threat actor edited each image by inserting blue ovals at
random locations, a form of Binary Padding (T1009), so that the images, and the documents that contained them, produced
unique checksums. This was probably done to evade detection based on cryptographic hashes such as MD5, which change
completely when even a single byte of the input changes; a perceptual hash, by contrast, moves only a few bits for a small
visual edit, which is what makes it useful for clustering such campaigns.
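The following Python script is an added illustration of that point; it is not code from the Bromium Blog article or from the report. It builds a small constructed greyscale image standing in for a fake Office prompt, stamps two small ovals onto a copy (the programmatic padding described above), and shows that the MD5 digests differ while a difference hash (dHash, one common perceptual hash) changes by only a few bits; a genuinely different layout lands much further away. The image contents, the oval positions and the dHash threshold of 10 bits are assumptions chosen for the demonstration.

```python
import hashlib

WIDTH, HEIGHT = 64, 64          # constructed "screenshot" size, greyscale values 0-255


def make_base_image():
    """Light background with a dark horizontal bar: a stand-in for a fake 'Enable Content' prompt."""
    img = [[230] * WIDTH for _ in range(HEIGHT)]
    for y in range(24, 40):
        for x in range(8, 56):
            img[y][x] = 40
    return img


def make_unrelated_image():
    """A different layout (vertical bar) to show what a large perceptual distance looks like."""
    img = [[230] * WIDTH for _ in range(HEIGHT)]
    for y in range(HEIGHT):
        for x in range(20, 31):
            img[y][x] = 40
    return img


def add_oval(img, cx, cy, rx, ry, value=90):
    """Stamp a small filled ellipse, mimicking the ovals the QakBot actor inserted (greyscale here)."""
    out = [row[:] for row in img]
    for y in range(HEIGHT):
        for x in range(WIDTH):
            if ((x - cx) / rx) ** 2 + ((y - cy) / ry) ** 2 <= 1.0:
                out[y][x] = value
    return out


def md5_hex(img):
    """Cryptographic hash of the raw pixels: any changed byte changes the whole digest."""
    return hashlib.md5(bytes(v for row in img for v in row)).hexdigest()


def resize_avg(img, new_w, new_h):
    """Box-filter downscale, so no imaging library is needed."""
    h, w = len(img), len(img[0])
    out = []
    for j in range(new_h):
        y0, y1 = j * h // new_h, (j + 1) * h // new_h
        row = []
        for i in range(new_w):
            x0, x1 = i * w // new_w, (i + 1) * w // new_w
            block = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def dhash(img, size=8):
    """Difference hash: one bit per horizontal neighbour pair on a (size+1) x size thumbnail."""
    small = resize_avg(img, size + 1, size)
    bits = 0
    for row in small:
        for i in range(size):
            bits = (bits << 1) | (1 if row[i] > row[i + 1] else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def compare(img_a, img_b, threshold=10):
    """Return (md5 digests equal?, dHash distance, same family by perceptual hash?)."""
    d = hamming(dhash(img_a), dhash(img_b))
    return md5_hex(img_a) == md5_hex(img_b), d, d <= threshold


def demo():
    base = make_base_image()
    padded = add_oval(add_oval(base, 50, 10, 3, 2), 12, 50, 3, 2)   # two ovals at fixed spots
    return compare(base, padded), compare(base, make_unrelated_image())


if __name__ == "__main__":
    same_family, different = demo()
    print("padded copy:   md5 equal=%s  dhash distance=%d  same family=%s" % same_family)
    print("unrelated doc: md5 equal=%s  dhash distance=%d  same family=%s" % different)
```

The threshold is the knob to tune against your own corpus: too low and padded variants fall into separate clusters, too high and unrelated lure images collide. Hashing the extracted image rather than the whole document is what makes the comparison stable, since the document bytes around the image change with every rebuild.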
Ever since the first known Word macro virus (WM/DMV) was written in 1994, Office macros have remained a popular code
execution technique in malicious documents.[1] Their popularity among threat actors has led Microsoft to introduce security
controls over the years to reduce their effectiveness, including Protected View, Trusted Locations and code signing.[2]
However, in the ongoing malicious spam campaign described in this month's Notable Threats section, the adversary did not
rely on macros to achieve code execution. Instead, they crafted malicious Web Query (.IQY) files, a technique that offers
several benefits over macros. First, as Figure 6 shows, malicious documents that use Web Queries have lower detection rates,
most likely because no malicious code is stored in the document before the recipient opens it: the document holds only a
URL, and the commands arrive from the server at run time. Second, since the commands are served by a C2 server, the
adversary controls what runs on each victim and can perform target selection based on client information, such as the public
IP address, serving harmless content to clients they do not want to infect.
Figure 3 - Malicious spam email sent on 2 February 2020
Figure 4 - Excel document containing malicious IQY query
Figure 5 - Modified social engineering image, highlighted in red
https://www.bromium.com/spot-the-difference-tracking-malware-campaigns-using-visually-similar-images/
https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot
https://attack.mitre.org/techniques/T1009/
https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/WM~DMV/detailed-analysis.aspx
https://support.office.com/en-gb/article/import-data-from-external-data-sources-power-query-be4330b3-5356-486c-a168-b68e9e616f5a
ACTIONABLE INTELLIGENCE
Bromium Secure Platform Recommendations
Bromium customers are always protected because malware is isolated from the host computer and cannot spread onto the
corporate network. We recommend updating to the latest Bromium Secure Platform software release and using the
Operational and Threat Dashboards in your Bromium Controller to ensure isolation is running correctly on your endpoint
devices.
In your Bromium Secure Platform policy, we recommend that untrusted file support for email clients and the Microsoft Office
protection options are enabled (these are enabled by default in our recommended policies). Switching on these settings is an
easy way to reduce the risk of infection from phishing campaigns. Please contact Bromium Support if you need help applying
the suggested configurations.
Figure 6 - VirusTotal results for malicious spreadsheets that use IQY files to achieve code execution
Figure 7 - IQY file showing an adversary's C2 server
Figure 8 - Top 10 MITRE ATT&CK techniques used by threats isolated in January and February 2020
Figure 9 - MITRE ATT&CK heatmap showing the range of techniques used by threats isolated in January and February 2020
https://support.bromium.com/s/documentation
https://support.bromium.com/
General Security Recommendations
The recent decision by Nemty's developers to publish stolen victim data is the latest instance of a trend among ransomware
families. Starting with Maze in November 2019, families including DoppelPaymer and Sodinokibi (REvil) have adopted the
same tactic to pressure organisations into paying ransom demands.[3][4] Ransomware therefore now threatens the
confidentiality as well as the availability of an organisation's data, and victims may face additional losses from fines
imposed by national authorities for breaches of data protection laws such as GDPR. Following enterprise security best
practice on patch management, access control and backups (including offline or otherwise immutable copies that
ransomware running on the network cannot reach) limits the impact of an attack, although backups do not address the
threat of data theft and publication.
Signatures
Bromium Labs has published a YARA rule that security teams can use to hunt for suspicious CFBF spreadsheets that embed
Web Queries. The rule looks for a CFBF header, an embedded PNG or JPEG social engineering image, and a null-prefixed URL
followed within 100 bytes by a sheet reference:
rule hunt_doc_cfbf_iqy {
    meta:
        author = "Bromium Labs"
        date = "2020-03-06"
    strings:
        $magic = {D0 CF 11 E0 A1 B1 1A E1}   // Compound File Binary Format (OLE2) header
        $png = {89 50 4E 47 0D 0A 1A 0A}     // PNG signature of the social engineering image
        $jpg = {4A 46 49 46}                 // "JFIF" marker of a JPEG social engineering image
        $http = {00 00 68 74 74 70}          // "http" preceded by two null bytes (start of the query URL)
        $ref = {00 00 53 68 65 65 74 ?? 21}  // "Sheet?!" reference to the Web Query's target cell
    condition:
        $magic at 0 and
        any of ($png, $jpg) and
        $http and
        $ref in (@http..@http + 100) and     // $ref must start within 100 bytes of the first $http
        filesize < 2000KB
}
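As an added, stand-alone Python example (not Bromium code), the script below does two related things for triage. It extracts the query URL from a Web Query (.iqy) text file, the kind of file shown in Figure 7, and it re-states the conditions of the hunt_doc_cfbf_iqy rule in Python so they can be run over a directory of files without a YARA install and so the URL near the hit can be pulled out for blocking or pivoting. The .iqy layout assumed here is the documented one (a first line reading WEB, a version line, then the URL, followed by optional Key=Value lines); the sample .iqy text and the CFBF-like byte blob are constructed for the demonstration and are not real malware.

```python
import re

CFBF_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"        # OLE2 / Compound File Binary header
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JFIF_MARKER = b"JFIF"
SHEET_REF = re.compile(rb"\x00\x00Sheet.!", re.DOTALL)  # YARA: {00 00 53 68 65 65 74 ?? 21}
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")           # printable bytes after the null padding


def parse_iqy(text):
    """Return the target URL of a Web Query file, or None if it is not an http(s) web query.
    Assumed layout: 'WEB', a version line, the URL, then optional Key=Value lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None
    url = lines[2]
    return url if re.match(r"https?://", url, re.IGNORECASE) else None


def hunt_cfbf_iqy(blob, max_size=2000 * 1024):
    """Apply the hunt_doc_cfbf_iqy conditions to a byte string.
    Returns a dict with the offset and the recovered URL on a hit, otherwise None."""
    if len(blob) >= max_size or not blob.startswith(CFBF_MAGIC):      # filesize, $magic at 0
        return None
    if PNG_MAGIC not in blob and JFIF_MARKER not in blob:              # any of ($png, $jpg)
        return None
    http_off = blob.find(b"\x00\x00http")                              # first $http occurrence
    if http_off < 0:
        return None
    window = blob[http_off:http_off + 100 + 9]                         # $ref in (@http..@http+100)
    ref = SHEET_REF.search(window)
    if ref is None or ref.start() > 100:
        return None
    m = URL_RE.match(blob, http_off + 2)                               # URL text after the two nulls
    return {"http_offset": http_off, "url": m.group(0).decode("ascii") if m else None}


# Constructed .iqy text for the demonstration (hostname is an assumption, .invalid is reserved).
SAMPLE_IQY = """WEB
1
http://c2.example.invalid/x.iqy

Selection=AllTables
Formatting=None
"""


def constructed_sample(with_ref=True):
    """Constructed stand-in, not a real workbook: just the byte patterns the rule keys on."""
    blob = bytearray(CFBF_MAGIC) + b"\x00" * 504        # pad to a 512-byte CFBF header
    blob += PNG_MAGIC + b"\x00" * 32                    # embedded PNG (social engineering image)
    blob += b"\x00\x00http://c2.example.invalid/x.iqy" + b"\x00" * 20
    if with_ref:
        blob += b"\x00\x00Sheet1!A1"                    # sheet reference close to the URL
    blob += b"\x00" * 64
    return bytes(blob)


if __name__ == "__main__":
    print("IQY target:", parse_iqy(SAMPLE_IQY))
    print("hit:", hunt_cfbf_iqy(constructed_sample()))
    print("no sheet ref:", hunt_cfbf_iqy(constructed_sample(with_ref=False)))
```

Like the YARA rule, this is a hunting heuristic rather than a verdict: a legitimate workbook with an embedded logo and a web data connection would also match, so hits should be reviewed and the recovered URL checked against known infrastructure before blocking.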
The email attachments in the February 2020 Nemty campaign were named according to the following regular expressions:
PIC_\d{6}_2020\.zip
IMG\d{6}2020_jpg\.zip
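An added Python example, not from the original report, showing how a mail-gateway or SOC triage script could apply those two patterns and, more generally, flag any ZIP attachment that carries a script type Windows Script Host will run, which is the delivery mechanism of the campaign regardless of how the archive is named. The ZIP archives it inspects are constructed in memory for the demonstration; the inner file names and the inert VBScript body are assumptions.

```python
import io
import os
import re
import zipfile

# Attachment name patterns reported for the February 2020 Nemty campaign.
NEMTY_NAME_PATTERNS = [
    re.compile(r"^PIC_\d{6}_2020\.zip$", re.IGNORECASE),
    re.compile(r"^IMG\d{6}2020_jpg\.zip$", re.IGNORECASE),
]
# Extensions that Windows Script Host (WScript.exe / CScript.exe) executes by default.
WSH_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}


def name_matches_campaign(filename):
    """True if the attachment name matches one of the campaign's naming patterns."""
    return any(p.match(filename) for p in NEMTY_NAME_PATTERNS)


def zip_script_members(data):
    """Names of members inside an in-memory ZIP that WSH would run; [] if the data is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if os.path.splitext(n)[1].lower() in WSH_EXTENSIONS]


def triage_attachment(filename, data):
    """Return the list of reasons to quarantine an attachment (empty list = nothing found)."""
    reasons = []
    if name_matches_campaign(filename):
        reasons.append("name matches Nemty campaign attachment pattern")
    scripts = zip_script_members(data)
    if scripts:
        reasons.append("archive contains Windows Script Host script: " + ", ".join(scripts))
    return reasons


def constructed_zip(member, content=b"' constructed, inert placeholder\r\nWScript.Echo 1\r\n"):
    """Build a small ZIP in memory for the demonstration (assumed member name and body)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, content)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("PIC_123456_2020.zip", constructed_zip("DSC_0042.vbs")),
        ("IMG1234562020_jpg.zip", constructed_zip("IMG_0042.jpg", b"\xff\xd8\xff\xe0")),
        ("holiday.zip", constructed_zip("IMG_0042.jpg", b"\xff\xd8\xff\xe0")),
    ]
    for name, data in samples:
        print(name, "->", triage_attachment(name, data) or "nothing flagged")
```

The name patterns are narrow indicators that will go stale as soon as the actor changes the template; the script-in-archive check is the durable control, and the same list of extensions is what an endpoint policy should prevent WScript.exe from launching from user-writable paths.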
STAY CURRENT
The Bromium Threat Insights Report is made possible by customers who opt in to share their threats on the Bromium Threat
Cloud. Alerts forwarded to us are analysed by our security experts to reduce false positives and generate higher-fidelity
alerts. You can also use the threat data collected from isolated malware to protect other critical assets that are not
secured by Bromium.
https://malpedia.caad.fkie.fraunhofer.de/details/win.maze
https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer
https://malpedia.caad.fkie.fraunhofer.de/details/win.revil
https://gdpr-info.eu/
https://www.ncsc.gov.uk/guidance/protecting-your-organisation-ransomware
To learn more, review the Knowledge Base article on Threat Sharing. We recommend that customers take the following
actions to ensure that they get the most out of their Bromium deployments:
• Enable Bromium Cloud Services and Threat Forwarding. This will keep
your endpoints updated with the latest Bromium Rules File (BRF) and make
sure we report the latest security incursions to you. Plan to update the
Controller with every new release to receive the latest operational and
threat intelligence report templates. See the latest release notes and
software downloads available on the Customer Portal.
• Update Bromium endpoint software at least twice a year to stay current with
emerging attack technique detections added by Bromium Labs.
For the latest threat research, head over to the Bromium Blog, where our
researchers regularly dissect new threats and share their findings.
ABOUT THE BROMIUM THREAT INSIGHTS REPORT
Enterprises are most vulnerable when users open email attachments, click hyperlinks in emails or chats, and download files
from the web. Bromium Secure Platform protects the enterprise by isolating risky activity in micro-VMs, ensuring that
malware cannot infect the host computer or spread onto the corporate network. Because the malware is contained, Bromium
Secure Platform can collect rich forensic data that would normally be unavailable, helping customers harden their entire
infrastructure. The Bromium Threat Insights Report addresses key takeaways from the latest reported and analysed threats
to ensure that customers are thoroughly protected.
REFERENCES
[1] Szor, Peter (2005). The Art of Computer Virus Research and Defense. Addison-Wesley Professional.
[2] https://www.microsoft.com/security/blog/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/
[3] https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/
[4] https://www.bleepingcomputer.com/news/security/nemty-ransomware-punishes-victims-by-posting-their-stolen-data/
https://support.bromium.com/s/article/What-information-is-sent-to-Bromium-from-my-organization
https://support.bromium.com/s/topic/0TOU0000000Hz18OAC/latest-news?tabset-3dbaf=2
https://my.bromium.com/software-downloads/current
https://www.bromium.com/blog/