AutoIT-compiled Negasteal/Agent Tesla, Ave Maria Delivered via Malspam

By Miguel Carlo Ang and Earle Maui Earnshaw 


We recently saw, in our honeypots, a malicious spam campaign that delivers AutoIT-compiled payloads: the trojan spy Negasteal or Agent Tesla (detected by Trend Micro as TrojanSpy.Win32.NEGASTEAL.DOCGC) and the remote access trojan (RAT) Ave Maria or Warzone (TrojanSpy.Win32.AVEMARIA.T). The shift in payload from a typical trojan spy to a more insidious RAT may indicate that the cybercriminals behind this campaign are moving towards deploying more destructive (and lucrative) payloads, such as ransomware, once reconnaissance is done.


This campaign uses AutoIT-obfuscated ISO image files as well as RAR- and LZH-compressed archive attachments to evade detection. ISO images in particular can be used to bypass spam filters, and the format is also easy to mount on more recent Windows versions. We observed that the spam was sent from a possibly compromised webmail address.
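As an added example (not code from the original post or from Trend Micro), the following Python routine shows how a mail gateway could triage attachments of the kinds described above: it identifies the RAR, LZH and ISO containers by their magic bytes rather than by file extension, and scans for the `AU3!EA06` marker that every compiled AutoIt v3 script carries. The `Verdict` class, the action names and the sample blob are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Every AutoIt v3 compiled script embeds this resource-header marker.
AUTOIT_MARKER = b"AU3!EA06"
# Magic bytes of the container formats used by this campaign.
RAR_MAGIC = b"Rar!\x1a\x07"   # shared prefix of the RAR4 and RAR5 signatures
ISO_MAGIC = b"CD001"          # ISO 9660 volume descriptor id at offset 0x8001
LZH_HEADER = re.compile(rb"^.{2}-l[hz][0-9a-z]-", re.DOTALL)  # size, checksum, "-lh5-" ...

@dataclass
class Verdict:
    container: str
    autoit_marker: bool
    action: str

def classify_container(data: bytes) -> str:
    """Identify the attachment format from its bytes, not its file extension."""
    if data.startswith(RAR_MAGIC):
        return "rar"
    if len(data) > 0x8006 and data[0x8001:0x8006] == ISO_MAGIC:
        return "iso"
    if LZH_HEADER.match(data):
        return "lzh"
    if data.startswith(b"MZ"):
        return "pe"
    return "unknown"

def triage_attachment(data: bytes) -> Verdict:
    """Decide what a gateway should do with one attachment (action names are assumed)."""
    container = classify_container(data)
    # ISO 9660 stores its members uncompressed, so a compiled AutoIt payload inside an
    # image is visible to a raw byte scan. RAR and LZH compress their members, so the
    # marker only becomes visible after the archive has been extracted.
    found = AUTOIT_MARKER in data
    if found:
        action = "quarantine"
    elif container in ("rar", "lzh"):
        action = "extract-and-rescan"
    elif container == "iso":
        action = "sandbox"          # an image attachment with no visible marker
    else:
        action = "allow"
    return Verdict(container, found, action)

# Constructed sample: a minimal ISO-like blob carrying a fake PE with the AutoIt marker.
SAMPLE_ISO = b"\x00" * 0x8000 + b"\x01CD001\x01" + b"\x00" * 64 + b"MZ" + b"\x00" * 30 + AUTOIT_MARKER

if __name__ == "__main__":
    print(triage_attachment(SAMPLE_ISO))
```

A real deployment would also extract RAR and LZH members and rescan them, since the marker check alone cannot see into compressed archives.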


Technical analysis


The AutoIT-obfuscated malware strains are delivered via malicious spam emails. The malspam emails we saw associated with this campaign included a fake shipment advisory and a financial document.



Figure 1. A fake shipment advisory spam email that has a .RAR attachment containing Negasteal



Figure 2. A fake down payment notification email that has an .LZH attachment containing the Ave Maria RAT

The downloaded malicious attachments will then extract the AutoIT-obfuscated malware strains of Nega ..
