Given the widespread, continued use of spear phishing campaigns, it is generally wise to approach any email containing attachments or links to archives with a heavy dose of caution, especially when the email comes from an unknown sender.

Over the last two days I received several emails from a sender I didn't recognize, and analyzed the attachment with our own Vinsula Execution Engine, which let me quickly build a behavioral profile of the potential malware. Not surprisingly, the report generated by Vinsula showed clear indications that the attachment is malicious. We have named this malware Trojan.Malaria.13002.

This is what the email I received looks like:

01 - Email in Outlook


After unzipping the attachment we found an executable named “invoice copy.exe”. This malware shares some obvious similarities with the approach described in “Trojan.Malaria.13001 – New Adobe PDF Trojan Malware Found”: the malicious file is delivered as a zipped attachment containing the actual malware as an executable, disguised with a familiar-looking icon, in this case the Microsoft Excel icon.

01 - Invoice Copy Executable


A quick look at the properties of the executable doesn't make it look any less suspicious.

02 - Invoice Copy Executable - Props


As usual with this attack vector, the attack is launched as soon as a user is tricked into clicking on “invoice copy.exe” to open it.

A review of the structure of the related events reveals many similarities between the programming approach of “invoice copy.exe” and that of the Citadel malware.

First, “invoice copy.exe” creates a folder with a random name under \Users\[user name]\AppData\Roaming\. It also copies itself into \Users\[user name]\AppData\Roaming\[random folder name] under a random file name.

03 - Random Child Process


Note that the properties of the copied file are identical to those of the source “invoice copy.exe” file. It is not clear why the authors chose to keep it this simple; since the malware copies itself unchanged, the same file hash finds both the dropper and the dropped copy.

04 - Random Child Process - Props


Next, the running instance of “invoice copy.exe” launches two processes. First it starts a process from the image of the newly dropped, randomly named executable, and then it launches an instance of the command prompt, \WINDOWS\system32\cmd.exe. After launching the command prompt, “invoice copy.exe” injects code into cmd.exe.

Once the code is injected, \Windows\system32\cmd.exe executes malicious code on behalf of “invoice copy.exe”. The injected code checks whether the registry key MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers (that is, HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers) exists. This key holds the Software Restriction Policies configuration. Software Restriction Policies is a Windows feature that lets administrators control which software is permitted to run on a computer, for example by “whitelisting” specific programs and preventing all other software from running; the key is only present when such a policy has been configured, so its absence tells the malware that no policy of this kind stands in its way. (For more details see Using Software Restriction Policies to Protect Against Unauthorized Software.)
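The key the injected code probes is the root of the Software Restriction Policies configuration. As an added example, not code from the post or from Vinsula, the Python below parses a .reg export of that key and reports what the policy would say about a given executable path: “no SRP policy” when the key is absent (the condition the malware tests for), otherwise the level of the most specific matching path rule, falling back to DefaultLevel. The level numbers are the real SRP values (0x40000 Unrestricted, 0x20000 Basic User, 0 Disallowed); the sample export, its GUIDs, the environment mapping and the paths are constructed, and the evaluator is a simplification that considers path rules only (SRP also has hash, certificate and zone rules, and its wildcard matching differs slightly from fnmatch).

```python
import fnmatch
import re
from typing import Dict, Optional

# Root of the Software Restriction Policies configuration (the key the
# injected code checks for), written as it appears in a .reg export.
SRP_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"

# Security levels SRP stores in DefaultLevel and uses as rule subkey names.
LEVELS = {0x40000: "Unrestricted", 0x20000: "Basic User", 0x0: "Disallowed"}

# Constructed sample export (GUIDs made up): default Unrestricted, %SystemRoot%
# explicitly allowed, and a Disallowed rule for executables one folder below
# %APPDATA%, which is exactly where the dropper copies itself.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00040000
"TransparentEnabled"=dword:00000001
"PolicyScope"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{11111111-1111-1111-1111-111111111111}]
"ItemData"="%SystemRoot%"
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{22222222-2222-2222-2222-222222222222}]
"ItemData"="%APPDATA%\\*\\*.exe"
"SaferFlags"=dword:00000000
"""

# Constructed environment used to expand %VAR% references in path rules.
SAMPLE_ENV = {"SYSTEMROOT": r"C:\Windows", "APPDATA": r"C:\Users\alice\AppData\Roaming"}


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal .reg parser: {key path: {value name: value}}. Handles the dword
    and quoted-string forms SRP uses (string values unescape \\\\ and \\");
    any other value type is kept as its raw text."""
    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            name = name.strip('"')
            if value.startswith("dword:"):
                keys[current][name] = int(value[6:], 16)
            elif value.startswith('"') and value.endswith('"'):
                keys[current][name] = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            else:
                keys[current][name] = value
    return keys


def expand(pattern: str, env: Dict[str, str]) -> str:
    """Replace %VAR% with its value; unknown variables are left untouched."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), pattern)


def path_matches(path: str, pattern: str) -> bool:
    """A rule without wildcards covers that file or everything below that
    folder; with wildcards it is matched by fnmatch (simplification: fnmatch's
    * also crosses backslashes, which SRP's does not)."""
    p, q = path.lower(), pattern.lower()
    if any(c in q for c in "*?"):
        return fnmatch.fnmatchcase(p, q)
    return p == q or p.startswith(q.rstrip("\\") + "\\")


def srp_verdict(keys: Dict[str, Dict[str, object]], path: str, env: Dict[str, str]) -> str:
    """What the SRP path rules say about executing `path`."""
    root = keys.get(SRP_KEY)
    if root is None:
        return "no SRP policy"          # the key is absent: nothing configured
    # Assumption: a CodeIdentifiers key without DefaultLevel acts as Unrestricted.
    verdict = LEVELS.get(root.get("DefaultLevel", 0x40000), "unknown")
    rule_re = re.compile(re.escape(SRP_KEY) + r"\\(\d+)\\Paths\\", re.I)
    best_len = -1
    for key, values in keys.items():
        m = rule_re.match(key)
        if not m or "ItemData" not in values:
            continue
        pattern = expand(str(values["ItemData"]), env)
        # Most specific (longest) matching rule wins, as in SRP's path-rule precedence.
        if path_matches(path, pattern) and len(pattern) > best_len:
            best_len = len(pattern)
            verdict = LEVELS.get(int(m.group(1)), "unknown")
    return verdict


if __name__ == "__main__":
    policy = parse_reg(SAMPLE_REG)
    for p in (r"C:\Users\alice\AppData\Roaming\Ytopex\ucixne.exe", r"C:\Windows\system32\cmd.exe"):
        print(p, "->", srp_verdict(policy, p, SAMPLE_ENV))
```

Run against a real export (`reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" srp.reg`, which writes UTF-16, so open it with the matching encoding), the same function tells you whether a copy dropped under AppData\Roaming would have been allowed to run on that host.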

The copy of “invoice copy.exe”, running under its random file name [random name.exe], enumerates all processes running in the same user session and injects code into them. Infected processes include explorer.exe, conhost.exe and taskhost.exe, among others. Only processes running in the current user session are affected; the remote code is not injected into any of the running Windows services.

The process with the random file name [random name.exe] also registers itself as a “run at startup” application, as shown below:

05 - Random Child Process - Registry Settings


Some interesting code in “invoice copy.exe” indicates that this malware not only enumerates modules using PSAPI, but also retrieves a list of all currently loaded drivers using the EnumDeviceDrivers function from the PSAPI DLL. It is likely that this list of drivers is intended to be sent back to the CnC server for further analysis. A list of loaded drivers would also help the attacker identify the presence of anti-malware and antivirus software on the victim's machine, since such products typically install kernel-mode drivers.

08 - Invoice Copy - Assembly 01

The malware also retrieves the currency symbol for the current locale and stores it in the application-defined data associated with a menu item it creates in the malware's hidden GUI.

09 - Invoice Copy - Assembly 02


At this point it is well established that signature-based scanners are ineffective at catching newly created and zero-day malware. Malware like the sample described above is now highly prevalent and becoming more ubiquitous, which suggests it is time to move toward behavioral signature solutions: solutions that capture and analyze the behavior of an artifact (an attachment or a link) and then build a cascade structure that allows complete tracking of the events collected during the artifact's execution. Our own Vinsula Execution Engine provides precisely this functionality, and is what let me quickly build a behavioral profile of the Trojan.Malaria.13002 malware.
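The chain described above (self-copy into AppData\Roaming\[random folder], execution of the copy, injection into cmd.exe, and a Run-key registration performed by the copy itself) is the kind of event sequence a behavioral signature keys on. As an added example, not code from the post or from the Vinsula Execution Engine, the Python below correlates a constructed event stream into that chain: it attributes later events to the process that wrote the executable, following the parent chain so that the Run-key write made by the copy counts against the dropper, and only alerts when several stages of the chain are present. The event field names, PIDs, the folder name “Ytopex”, the file name “ucixne.exe” and the scoring weights are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed, Vinsula-style event stream for one run of the dropper. Field
# names, PIDs and the random names "Ytopex"/"ucixne" are invented for this
# example, chosen to mirror the chain described in the post.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 50,
     "image": r"C:\Users\alice\Downloads\invoice copy.exe"},
    {"type": "dir_create", "pid": 100,
     "path": r"C:\Users\alice\AppData\Roaming\Ytopex"},
    {"type": "file_write", "pid": 100,
     "path": r"C:\Users\alice\AppData\Roaming\Ytopex\ucixne.exe"},
    {"type": "process_create", "pid": 101, "ppid": 100,
     "image": r"C:\Users\alice\AppData\Roaming\Ytopex\ucixne.exe"},
    {"type": "process_create", "pid": 102, "ppid": 100,
     "image": r"C:\Windows\system32\cmd.exe"},
    {"type": "remote_thread", "pid": 100, "target_pid": 102},
    {"type": "reg_set", "pid": 101,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Ytopex",
     "data": r"C:\Users\alice\AppData\Roaming\Ytopex\ucixne.exe"},
    # Benign noise: an installer that also writes an .exe under Roaming but
    # never runs it, injects into anything, or persists.
    {"type": "process_create", "pid": 200, "ppid": 50,
     "image": r"C:\Temp\setup.exe"},
    {"type": "file_write", "pid": 200,
     "path": r"C:\Users\alice\AppData\Roaming\Vendor\helper.exe"},
]

# <drive>:\Users\<user>\AppData\Roaming\<folder>\<name>.exe
ROAMING_EXE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\\[^\\]+\.exe$", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?$", re.I)


@dataclass
class Finding:
    dropper_pid: int
    dropper_image: str
    dropped_image: str
    executed_by: List[int] = field(default_factory=list)    # PIDs started from the dropped image
    run_value: Optional[str] = None                          # Run-key data pointing at the copy
    injected_into: List[int] = field(default_factory=list)  # remote-thread targets
    score: int = 0


def correlate(events: List[dict]) -> List[Finding]:
    """One Finding per executable written under AppData\\Roaming, with the
    later stages of the chain attributed through the parent-process tree."""
    parent: Dict[int, int] = {}
    image: Dict[int, str] = {}
    for e in events:
        if e["type"] == "process_create":
            parent[e["pid"]] = e["ppid"]
            image[e["pid"]] = e["image"]

    def descends_from(pid: Optional[int], root: int) -> bool:
        seen = set()
        while pid is not None and pid not in seen:
            if pid == root:
                return True
            seen.add(pid)
            pid = parent.get(pid)
        return False

    findings: List[Finding] = []
    for e in events:
        if e["type"] != "file_write" or not ROAMING_EXE.match(e["path"]):
            continue
        root, dropped = e["pid"], e["path"].lower()
        f = Finding(root, image.get(root, "?"), e["path"])
        for x in events:
            if (x["type"] == "process_create" and x["image"].lower() == dropped
                    and descends_from(x["ppid"], root)):
                f.executed_by.append(x["pid"])
            elif (x["type"] == "reg_set" and RUN_KEY.search(x["key"])
                    and x["data"].lower() == dropped and descends_from(x["pid"], root)):
                f.run_value = x["data"]
            elif x["type"] == "remote_thread" and descends_from(x["pid"], root):
                f.injected_into.append(x["target_pid"])
        # Weights are this example's own: each further stage of the chain
        # makes a benign explanation less likely.
        f.score = (1 + (2 if f.executed_by else 0) + (3 if f.run_value else 0)
                   + (2 if f.injected_into else 0))
        findings.append(f)
    return findings


def alerts(events: List[dict], threshold: int = 5) -> List[Finding]:
    """Findings whose chain is long enough to report."""
    return [f for f in correlate(events) if f.score >= threshold]


if __name__ == "__main__":
    for f in alerts(SAMPLE_EVENTS):
        print(f"pid {f.dropper_pid} ({f.dropper_image}) dropped {f.dropped_image}: "
              f"executed by {f.executed_by}, run key -> {f.run_value}, "
              f"injected into {f.injected_into}, score {f.score}")
```

The installer in the sample produces a finding with the lowest score and never reaches the alert threshold; the dropper, whose copy is executed, registers itself under Run and whose parent injects into cmd.exe, does. The same structure extends to other persistence locations or injection primitives by adding event types and weights.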



These are the details of the zipped attachment (“invoice”) and the extracted “invoice copy.exe”:

Filename : invoice
MD5 : afea3ff38e497a3bdd4c6c1eec4af849
SHA1 : 0b4d31df3bedb6f51417830fbc78a6534bef5caa
CRC32 : ff356d9b
SHA-256 : 3c3f7d2100593a14fdd4b5136cfde37987651a7e0e94ff0b03dffe7a915b959d
Modified Time : 23/05/2013 6:13:00 AM
Created Time : 25/05/2013 6:06:15 PM
File Size : 283,728

Filename : invoice copy.exe
MD5 : 3fc97be8cf8e7ee60d03eac11ceb3948
SHA1 : 18e3eae92638a6f90e2764f12f4d8af7efdd907d
CRC32 : 10b352c7
SHA-256 : 9fe6dbd46ec472e628fecbbd46a84ac685991bd6cd60b5a81f29b272a6537201
Modified Time : 22/05/2013 3:39:28 PM
Created Time : 25/05/2013 3:19:12 PM
File Size : 332,800
File Version : 5, 3, 10
Product Version : 5, 3