THREAT INSIGHTS REPORT March 2020


THREAT LANDSCAPE

The Bromium Threat Insights Report is designed to help our customers become more aware of emerging threats, equip security teams with tools and knowledge to combat today's attacks, and manage their security posture.

Bromium Secure Platform is deployed on desktops and laptops, capturing any potential threats and allowing them to run inside secure containers. Adding isolation to the endpoint security stack transforms your endpoints into your strongest defence, while giving security teams a unique advantage: the ability to monitor, track and trace malware that tries to enter your networks.

NOTABLE THREATS

In February 2020, Bromium Labs observed a large malicious spam campaign targeting Japanese organisations that distributed Nemty ransomware. The emails delivered ZIP files containing malicious VBS (VBScript) downloaders. When run by Windows Script Host (WScript.exe), the VBS files downloaded and ran one of two Nemty payloads. The ZIP files were named following the Design rule for Camera File system (DCF) standard in an attempt to convince users that they contained images taken with digital cameras. The subject lines of the emails were two- or three-character emoticons, appealing to recipients' curiosity to open them. The Nemty samples were named jap.exe and jp.exe, indicating that Japanese organisations were the target of this campaign. Figure 2 shows the campaign's infrastructure. Each red dot represents a unique VBS downloader sample that was isolated by Bromium Secure Platform.

In March, Nemty's developers started publicly dumping data stolen from victims as an extortion tactic when their ransom demands were not paid.

Starting from January 2020, Bromium Labs identified a malicious spam campaign delivering zipped PDF files that purported to be invoices. The PDF files contain hyperlinks leading to webpages that selectively serve malicious XLS files in the legacy Compound File Binary Format (CFBF). The spreadsheets use Excel's Power Query feature to retrieve and execute commands from a remote command and control (C2) server. Power Query is a feature that enables Excel to import data from a variety of sources, including websites. The spreadsheets rely on a social engineering image to trick users into clicking "Enable Content", which triggers a Web Query. The Web Query connects to the adversary's C2 infrastructure and, if the connection succeeds, the C2 server responds with a series of Excel functions that download and run various payloads. So far, we have observed commodity remote access tools (RATs) and publicly available shellcode being delivered. Interestingly, the shellcode launches calc.exe, suggesting that this activity may be an adversary testing their capabilities externally as a precursor to a true campaign. The senders were AOL webmail addresses and the messages passed DKIM and SPF checks, so sender authentication alone would not have flagged them. As of the time of writing, the campaign is still active.

Figure 1 - Malware type classifications, January and February 2020

Figure 2 - Nemty malicious spam campaign infrastructure, February 2020

Links:
• https://malpedia.caad.fkie.fraunhofer.de/details/win.nemty
• https://en.wikipedia.org/wiki/Design_rule_for_Camera_File_system
• https://www.bleepingcomputer.com/news/security/nemty-ransomware-punishes-victims-by-posting-their-stolen-data/
• https://support.office.com/en-gb/article/introduction-to-microsoft-power-query-for-excel-6e92e2f4-2079-4e1f-bad5-89f6269cd605
• https://support.office.com/en-gb/article/import-data-from-external-data-sources-power-query-be4330b3-5356-486c-a168-b68e9e616f5a
• https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
• https://en.wikipedia.org/wiki/Sender_Policy_Framework

NOTABLE TECHNIQUES

Malicious documents often contain images of fake program prompts that are designed to convince users to perform an action, such as disabling Microsoft Office's read-only mode and enabling macros. In a threat research article on the Bromium Blog, we discuss how to use perceptual hash algorithms to track and detect malware families distributed in campaigns involving visually similar documents. As part of the research, we identified a QakBot campaign where the social engineering images had been programmatically modified. The threat actor edited each image by inserting blue ovals in random locations as a form of Binary Padding (T1009), meaning the images, and the documents that contained them, generated unique checksum values. It is probable that this was done to evade detection based on cryptographic hashes such as MD5, which change completely when a single byte of the input changes. A perceptual hash, by contrast, is computed from the image's visual content, so a small edit such as an added oval leaves it within a short Hamming distance of the original and the family can still be clustered.
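As an added illustration (not part of the original report or the Bromium blog post it cites), the following Python implements the simplest perceptual hash, the average hash (aHash), in pure Python and runs it over constructed images: a stand-in lure banner, a copy with one small oval painted into its margin, and a visually different image. The image shapes, the pixel values and the 10-bit match threshold are assumptions for the demo; the point it makes is that the oval changes the MD5 of the pixel data entirely but moves the aHash by a single bit, while the different image is 24 bits away.

```python
import hashlib
from typing import List

Image = List[List[int]]  # rows of 8-bit grayscale pixels, all rows the same width


def make_prompt_image(width: int = 64, height: int = 32) -> Image:
    """Constructed stand-in for a fake 'Enable Content' banner: a light
    background with a dark horizontal bar (the 'button') across the middle."""
    img = []
    for y in range(height):
        row = []
        for x in range(width):
            in_bar = height // 4 <= y < 3 * height // 4 and width // 8 <= x < 7 * width // 8
            row.append(40 if in_bar else 230)
        img.append(row)
    return img


def make_vertical_bar_image(width: int = 64, height: int = 32) -> Image:
    """A visually different constructed image (vertical bar) for comparison."""
    return [[40 if width // 4 <= x < 3 * width // 4 else 230 for x in range(width)]
            for _ in range(height)]


def paint_oval(img: Image, cx: int, cy: int, rx: int, ry: int, value: int) -> Image:
    """Return a copy with a filled ellipse centred on (cx, cy), mimicking the
    ovals the report describes being inserted at random positions."""
    out = [row[:] for row in img]
    for y, row in enumerate(out):
        for x in range(len(row)):
            if ((x - cx) / rx) ** 2 + ((y - cy) / ry) ** 2 <= 1.0:
                row[x] = value
    return out


def average_hash(img: Image, size: int = 8) -> int:
    """Average hash (aHash): shrink to size x size by block averaging, then set
    each bit to 1 if that block is brighter than the mean of all blocks."""
    h, w = len(img), len(img[0])
    bh, bw = h // size, w // size
    blocks = []
    for by in range(size):
        for bx in range(size):
            total = sum(img[y][x]
                        for y in range(by * bh, (by + 1) * bh)
                        for x in range(bx * bw, (bx + 1) * bw))
            blocks.append(total / (bh * bw))
    mean = sum(blocks) / len(blocks)
    bits = 0
    for b in blocks:
        bits = (bits << 1) | (1 if b > mean else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def md5_of_image(img: Image) -> str:
    """Cryptographic hash of the raw pixel bytes, for contrast with aHash."""
    return hashlib.md5(bytes(px for row in img for px in row)).hexdigest()


def compare_variants(threshold: int = 10) -> dict:
    """Hash the original lure image, a copy with one small oval added, and a
    different image, and report how each hash type reacts."""
    base = make_prompt_image()
    variant = paint_oval(base, cx=50, cy=5, rx=4, ry=2, value=90)  # small blob in the top margin
    other = make_vertical_bar_image()
    h_base, h_variant, h_other = average_hash(base), average_hash(variant), average_hash(other)
    return {
        "md5_changed": md5_of_image(base) != md5_of_image(variant),
        "variant_distance": hamming(h_base, h_variant),
        "other_distance": hamming(h_base, h_other),
        "variant_same_family": hamming(h_base, h_variant) <= threshold,
        "other_same_family": hamming(h_base, h_other) <= threshold,
    }


if __name__ == "__main__":
    print(compare_variants())
```

The threshold is the knob that matters in practice: too low and every padded variant becomes a new "family", too high and unrelated lures collide. Production tooling usually prefers a DCT-based hash (pHash) over aHash because it is less sensitive to brightness and compression changes, but the comparison step, a Hamming distance against known-family hashes, is the same.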

Ever since the first known Word macro virus (WM/DMV) was written in 1994, Office macros have remained a popular code execution technique used in malicious documents.[1] Their popularity among threat actors has led Microsoft to introduce security controls over the years to reduce the effectiveness of macros as a code execution technique, including Protected View, Trusted Locations and code signing.[2] However, in the ongoing malicious spam campaign described in this month's Notable Threats section, the adversary didn't rely on macros to achieve code execution. Instead, they crafted malicious Web Query (.IQY) files, a technique that offers several benefits over macros. As shown in Figure 6, malicious documents that use Web Queries have lower detection rates, most likely because the document itself contains no malicious code before recipients open it, only the URL of the query. Secondly, since commands are served by a C2 server, the adversary can decide at request time what commands to run and perform target selection based on client information, such as public IP addresses. For defenders this cuts both ways: a sample detonated after the C2 server has gone offline, or from an IP range the adversary is not interested in, will behave benignly, so the query URL and the resulting network connection, rather than the document's static content, are the indicators to pivot on.

Figure 3 - Malicious spam email sent on 2 February 2020

Figure 4 - Excel document containing malicious IQY query

Figure 5 - Modified social engineering image, highlighted in red
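To make the Web Query point concrete, here is an added example (not code from the report) that parses an .iqy file of the kind shown in Figure 7 and records the properties a triage analyst would look at first. An Excel WEB query file is plain text: the first line is WEB, the second the version, the third the URL, optionally followed by a line of POST data and Key=Value option lines. The option-key list used to tell POST data apart from options, the allow-list mechanism and the sample URLs (203.0.113.10 is a documentation address, intranet.example.com a placeholder) are assumptions for this demo.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence
from urllib.parse import urlsplit

# Option keys Excel writes into .iqy files. Assumption for this demo: a line
# containing '=' whose key is not in this set is treated as POST data.
KNOWN_OPTIONS = {
    "Selection", "Formatting", "PreFormattedTextToColumns",
    "ConsecutiveDelimitersAsOne", "SingleBlockTextImport",
    "DisableDateRecognition", "DisableRedirections",
}


@dataclass
class IqyQuery:
    version: str
    url: str
    post_data: Optional[str]
    options: Dict[str, str]
    findings: List[str] = field(default_factory=list)


def parse_iqy(text: str) -> IqyQuery:
    """Parse a WEB query file: line 1 'WEB', line 2 version, line 3 URL, then
    optional POST data and Key=Value option lines."""
    lines = [ln.strip() for ln in text.replace("\r\n", "\n").split("\n")]
    lines = [ln for ln in lines if ln]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not an Excel WEB query file")
    version, url = lines[1], lines[2]
    post_data: Optional[str] = None
    options: Dict[str, str] = {}
    for ln in lines[3:]:
        key, sep, value = ln.partition("=")
        if sep and key.strip() in KNOWN_OPTIONS:
            options[key.strip()] = value.strip()
        elif post_data is None:
            post_data = ln
    return IqyQuery(version, url, post_data, options)


def triage_iqy(text: str, allowed_hosts: Sequence[str] = ()) -> IqyQuery:
    """Parse the file and record why its query URL deserves attention."""
    q = parse_iqy(text)
    parts = urlsplit(q.url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme not in ("http", "https"):
        q.findings.append(f"unexpected scheme {scheme!r}")
    elif scheme == "http":
        q.findings.append("cleartext http URL (response can be tampered with in transit)")
    try:
        ipaddress.ip_address(host)
        q.findings.append("host is a raw IP address rather than a name")
    except ValueError:
        pass
    if allowed_hosts and host not in {h.lower() for h in allowed_hosts}:
        q.findings.append(f"host {host!r} is not on the allow-list")
    if q.post_data is not None:
        q.findings.append("query sends POST data to the server")
    return q


# Constructed samples, not real campaign artefacts.
SUSPICIOUS_IQY = "WEB\r\n1\r\nhttp://203.0.113.10/update.php\r\nSelection=AllTables\r\nFormatting=None\r\n"
BENIGN_IQY = ("WEB\r\n1\r\nhttps://intranet.example.com/reports/sales.html\r\n"
              "Selection=1\r\nFormatting=None\r\nDisableRedirections=True\r\n")
POST_IQY = "WEB\r\n1\r\nhttps://example.org/q\r\nname=value\r\nFormatting=None\r\n"


if __name__ == "__main__":
    for sample in (SUSPICIOUS_IQY, BENIGN_IQY, POST_IQY):
        result = triage_iqy(sample, allowed_hosts=["intranet.example.com"])
        print(result.url, result.findings)
```

Whatever the query returns is written into the sheet, and Excel's security warning is the only thing between the user and that content, so for hunting purposes the URL is the artefact worth extracting and correlating across samples; the sheet's own content tells you nothing until the server answers.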

Links:
• https://www.bromium.com/spot-the-difference-tracking-malware-campaigns-using-visually-similar-images/
• https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot
• https://attack.mitre.org/techniques/T1009/
• https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/WM~DMV/detailed-analysis.aspx
• https://support.office.com/en-gb/article/import-data-from-external-data-sources-power-query-be4330b3-5356-486c-a168-b68e9e616f5a

ACTIONABLE INTELLIGENCE

Bromium Secure Platform Recommendations

Bromium customers are always protected because malware is isolated from the host computer and cannot spread onto the corporate network. We recommend updating to the latest Bromium Secure Platform software release and using the Operational and Threat Dashboards in your Bromium Controller to ensure isolation is running correctly on your endpoint devices.

In your Bromium Secure Platform policy, we recommend that untrusted file support for email clients and the Microsoft Office protection options are enabled (these are enabled by default in our recommended policies). Switching on these settings is an easy way to reduce the risk of infection posed by phishing campaigns. Please contact Bromium Support if you need help applying the suggested configurations.

Figure 6 - VirusTotal results for malicious spreadsheets that use IQY files to achieve code execution

Figure 7 - IQY file showing an adversary's C2 server

Figure 8 - Top 10 MITRE ATT&CK techniques used by threats isolated in January and February 2020

Figure 9 - MITRE ATT&CK heatmap showing the range of techniques used by threats isolated in January and February 2020

Links:
• https://support.bromium.com/s/documentation
• https://support.bromium.com/

General Security Recommendations

The recent decision of Nemty's developers to publish stolen victim data is the latest continuation of a trend among ransomware families. Starting with Maze in November 2019, ransomware families including DoppelPaymer and Sodinokibi (REvil) have adopted the same tactic to pressure organisations into paying ransom demands.[3][4] Ransomware now poses a risk to the confidentiality as well as the availability of organisations' data. Victims may face additional losses due to fines imposed by national authorities for breaches of data protection laws, such as GDPR. Following enterprise security best practice on patch management, access control and backing up data can limit the impact of ransomware attacks, with one caveat: backups restore availability but do nothing for data that has already been exfiltrated, so limiting what a compromised endpoint can read in the first place is the control that addresses the confidentiality risk.

Signatures

Bromium Labs have published a YARA rule that security teams can use to hunt for suspicious spreadsheets containing IQY files. The rule matches only legacy .xls workbooks (the CFBF container), requires an embedded PNG or JPEG image and looks for an "http" string with a sheet reference of the form Sheet?! within 100 bytes of it. Hunt rules like this trade precision for recall: a legitimate workbook that carries an image and a web query will also match, so treat hits as triage candidates rather than verdicts.

    rule hunt_doc_cfbf_iqy {
        meta:
            author = "Bromium Labs"
            date = "2020-03-06"
        strings:
            $magic = {D0 CF 11 E0 A1 B1 1A E1}  // Compound File Binary Format header
            $png = {89 50 4E 47 0D 0A 1A 0A}    // PNG header of social engineering image
            $jpg = {4A 46 49 46}                // "JFIF" marker inside the JPEG header of social engineering image
            $http = {00 00 68 74 74 70}         // "http", preceded by two null bytes
            $ref = {00 00 53 68 65 65 74 ?? 21} // Sheet reference to Web Query ("Sheet?!")
        condition:
            $magic at 0 and
            any of ($png, $jpg) and
            $http and
            $ref in (@http..@http + 100) and // Look for $ref within 100 bytes of $http
            filesize < 2000KB
    }

The email attachments in the February 2020 Nemty campaign were named according to the following regular expressions:

    PIC_\d{6}_2020\.zip
    IMG\d{6}2020_jpg\.zip
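As an added example, not taken from the report, the following Python applies the two attachment-name patterns above at a mail gateway and pairs the name check with a look inside the archive, since the lure is a ZIP that carries a VBS downloader. The set of script extensions and the three-way verdict scheme are assumptions; the sample archives are constructed in memory and contain placeholder text, not malware.

```python
import io
import posixpath
import re
import zipfile
from typing import Dict, List

# Attachment name patterns published in the report's Nemty section.
NEMTY_NAME_PATTERNS = [re.compile(p) for p in (r"PIC_\d{6}_2020\.zip", r"IMG\d{6}2020_jpg\.zip")]

# Assumption: extensions that Windows Script Host or mshta will run on double-click.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}


def matches_campaign_name(filename: str) -> bool:
    """True if the attachment name matches one of the published patterns exactly."""
    return any(p.fullmatch(filename) for p in NEMTY_NAME_PATTERNS)


def suspicious_members(zip_bytes: bytes) -> List[str]:
    """Names of archive members with a script extension. A corrupt or
    non-ZIP attachment is reported as a pseudo-member so it is never
    silently treated as clean."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]
    # posixpath handles the forward slashes ZIP entries use; lower() catches "photo.jpg.VBS".
    return [n for n in names if posixpath.splitext(n)[1].lower() in SCRIPT_EXTENSIONS]


def assess_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Combine the name check with the content check into a verdict."""
    name_hit = matches_campaign_name(filename)
    scripts = suspicious_members(data) if filename.lower().endswith(".zip") else []
    if name_hit and scripts:
        verdict = "block"
    elif name_hit or scripts:
        verdict = "quarantine"
    else:
        verdict = "allow"
    return {"filename": filename, "name_match": name_hit, "scripts": scripts, "verdict": verdict}


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Build a small ZIP in memory (used only to construct the sample attachments)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not real campaign files.
SAMPLES = {
    "PIC_012345_2020.zip": build_zip({"PIC_012345_2020.vbs": b"' placeholder, not malware\r\n"}),
    "IMG0123452020_jpg.zip": build_zip({"photo.jpg.VBS": b"' placeholder\r\n"}),
    "holiday.zip": build_zip({"photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16}),
    "notes.zip": b"this is not a zip file",
}


def assess_all() -> Dict[str, str]:
    """Verdict for every constructed sample, keyed by attachment name."""
    return {name: assess_attachment(name, data)["verdict"] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in assess_all().items():
        print(f"{name}: {verdict}")
```

The name patterns are campaign-specific and will stop matching as soon as the operator changes the template, which is why the content check is the durable half: a ZIP whose only member is a WSH script has no business arriving as a "photo", whatever it is called.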

STAY CURRENT

The Bromium Threat Insights Report is made possible by customers who opt in to share their threats on the Bromium Threat Cloud. Alerts that are forwarded to us are analysed by our security experts to reduce false positives and generate higher fidelity alerts. You can also use the threat data collected from isolated malware to protect other critical assets that are not secured by Bromium.

Links:
• https://malpedia.caad.fkie.fraunhofer.de/details/win.maze
• https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer
• https://malpedia.caad.fkie.fraunhofer.de/details/win.revil
• https://gdpr-info.eu/
• https://www.ncsc.gov.uk/guidance/protecting-your-organisation-ransomware

To learn more, review the Knowledge Base article on Threat Sharing. We recommend that customers take the following actions to ensure that they get the most out of their Bromium deployments:

• Enable Bromium Cloud Services and Threat Forwarding. This will keep your endpoints updated with the latest Bromium Rules File (BRF) and make sure we report the latest security incursions to you. Plan to update the Controller with every new release to receive the latest operational and threat intelligence report templates. See the latest release notes and software downloads available on the Customer Portal.

• Update Bromium endpoint software at least twice a year to stay current with emerging attack technique detections added by Bromium Labs.

For the latest threat research, head over to the Bromium Blog, where our researchers regularly dissect new threats and share their findings.

ABOUT THE BROMIUM THREAT INSIGHTS REPORT

Enterprises are most exposed when users open email attachments, click on hyperlinks in emails or chats, and download files from the web. Bromium Secure Platform protects the enterprise by isolating risky activity in micro-VMs, ensuring that malware cannot infect the host computer or spread onto the corporate network. Because the malware is contained, Bromium Secure Platform can collect rich forensic data that would normally be unavailable, to help our customers harden their entire infrastructure. The Bromium Threat Insights Report addresses key takeaways from the latest reported and analysed threats to ensure that our customers are thoroughly protected.

REFERENCES

[1] Szor, Peter (2005). The Art of Computer Virus Research and Defense. Addison-Wesley Professional.
[2] https://www.microsoft.com/security/blog/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/
[3] https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/
[4] https://www.bleepingcomputer.com/news/security/nemty-ransomware-punishes-victims-by-posting-their-stolen-data/

Links:
• https://support.bromium.com/s/article/What-information-is-sent-to-Bromium-from-my-organization
• https://support.bromium.com/s/topic/0TOU0000000Hz18OAC/latest-news?tabset-3dbaf=2
• https://my.bromium.com/software-downloads/current
• https://www.bromium.com/blog/