Matryoshka

As a security researcher who always follows the spider senses, my instincts have been warning me for a long time to pay attention to my Gmail account’s Spam folder. Being an active Gmail user since 2006, I had no doubt that over the course of 13 years, my email address ended up on the email lists of malicious individuals (spammers) sending unwanted emails from Nigeria to Papua New Guinea and many other geographies.

One day, as I once again took a look at the Spam folder, I noticed a significant number of unwanted emails that made me feel like a handsome movie star. :) Based on these emails, I started contemplating what I could do to gather information about the number of emails that ended up in my Gmail account’s Spam folder over time, along with the types of malicious files they contained (such as spyware). Shortly after, I decided to develop a program using Python that would track the emails in the spam folder and upload the files attached to them to a sandbox system.

Matruska

I decided to use Hybrid Analysis, which incorporates the Falcon sandbox system in the background, as my choice for a sandbox service that I frequently use for malicious software analysis and have always been satisfied with. However, in order to automatically upload detected files to Hybrid Analysis’ API, an unrestricted API key was required. Fortunately, thanks to them providing this for free to security researchers, I was able to obtain an API key in a short period of time.

Matruska

After developing and implementing a tool called Spam Analyzer using Python, it didn’t take long before the tool discovered a suspicious file named “PO.docx” in the Spam folder.

Matruska
Matruska
Matruska

The Spam Analyzer tool connects to your Gmail account via the Gmail API using the connection information found in the “client_secret.json” file (which you can download from the Google API Console). It reads all the emails in the Spam folder, copies the attached files to the “attachments” folder, and then uploads these files to the Hybrid Analysis system. It stores the information of all uploaded files in the “hashes.txt” file. After uploading the files to Hybrid Analysis, it writes the corresponding Hybrid Analysis report and whether the file is malicious or not into the “hashes.txt” file after 1 hour.

Matruska
Matruska

When I started analyzing the “PO.docx” file using the Pestudio tool, I found that, except for ZoneAlarm, no other security software detected it as suspicious. Opening the file with an outdated patch of Microsoft Office 2010 and monitoring it with the Fiddler tool, I observed that it first downloaded and executed the “svch.doc” file from the shortened URL “http://urlz[.]fr/6uQM” (expanded URL: “http://23[.]249[.]161[.]109/ace/“). Then, it attempted to download the “svchost32.vbs” file from the address “http://jopittex[.]zapto[.]org/windows/” through “svch.exe“.

Matruska
Matruska
Matruska

As I continued analyzing the “PO.docx” file using tools like Notepad++ and rtfdump.py, I discovered that the file exploited the CVE-2017-8570 vulnerability by abusing Microsoft Word’s frameset feature (commonly used in penetration testing).

Matruska
Matruska
Matruska
Matruska
Matruska

The “svch.exe” file, which has its code hidden (obfuscated) using the Confuser tool, downloaded and executed the “svchost32.vbs” file. The “svchost32.vbs” file, in turn, downloaded the “profile.exe” file protected with ASProtect from the address “http://www[.]bluesw[.]net/wp-admin//user/” and saved it in the “%Public%” folder as “svchost.exe“, where it was then executed.

Matruska
Matruska
Matruska
Matruska

When I analyzed the “svchost.exe” (profile.exe) program using the x64dbg debugger tool, the main malicious software, which was the Remcos RAT malware, finally revealed itself like a matryoshka doll.

Matruska
Matruska

Matryoshka dolls, also known as stacking dolls, nesting dolls, Russian tea dolls, or Russian dolls, are a set of wooden dolls of decreasing size placed one inside another. The name matryoshka, mainly known as “little matron”, is a diminutive form of Matryosha, in turn a diminutive of the Russian female first name Matryona.

Hope to see you in the following articles.

Note:

  • This article also contains the solution for the Pi Hediyem Var #13 cybersecurity game.
  • image_pdfShow this post in PDF formatimage_printPrint this page
    Leave a Reply

    Your email address will not be published. Required fields are marked *

    You May Also Like
    Read More

    Antimeter Tool

    Generally I prefer writing my articles in Turkish and I support my articles with proof of concept codes, videos and small tools. In my previous article, I created a small tool called antimeter which scans memory for detecting and also killing Metasploit’s meterpreter. I did not expect that much interest…
    Read More
    Read More

    WhatsApp Scammers

    Introduction I recently received my share of calls and messages from foreign cell phone numbers, disturbing almost everyone, especially in Turkey, who has used the WhatsApp application in recent days. Of course, as in my articles on other scams (Exposing Pig Butchering Scam, LinkedIn Scammers, Instagram Scammers), I rolled up…
    Read More
    Read More

    New Job, New Me

    It’s been quite a journey, after 10 long years filled with career successes and six promotions, I started my role as a Mid-Level Security Specialist at IBTech in June 2007. Just last week, I bid farewell to my position as Technical Leader. It turns out that leaving behind colleagues you’ve…
    Read More