CSIS News: Architectural firms in Denmark targeted by DarkComet RAT

Yesterday afternoon, selected architectural firms in Denmark were exposed to a spear phishing campaign. This time, the payload was DarkComet, which is an advanced remote control tool.

In this new campaign, which comes from the same criminal group as last week’s attack against Danish chiropractors, the target has shifted to the architectural profession. The content of the e-mail is tailored to attract this particular target group, but the binary is different and this time carries a RAT (Remote Administration Tool).

The unwanted e-mail is written in perfect Danish and contains a link to Dropbox. A screenshot of the unwanted e-mail can be found below:


If the receiver is lured into clicking on the link, the following file (camouflaged with an AutoCad icon) is offered: “AutoCad-export.exe” (778752 bytes).

If this file is opened, it systematically collects a large amount of data and sends it to the criminals; it thus acts as a data stealer. Among other features, the following can be mentioned: keylogging, harvesting of clipboard data, screen capturing, microphone and webcam activation, setting up an RDP session, etc. Our preliminary analysis indicates that DarkComet is most probably involved. The main component is copied to: C:\Users\[brugerkonto]\AppData\Roaming\Microsoft\Security\winsec.exe.

When executed, it shows a dialog box which could make the victim think that the code did not run/work correctly. Unfortunately it does.


Meanwhile, the following files are copied to the machine:

C:\DOCUME~1\[Brugerprofil]\LOCALS~1\Temp\AutoCad-export.INI
C:\DOCUME~1\[Brugerprofil]\LOCALS~1\Temp\AutoCad-export.exe.config
C:\DOCUME~1\[Brugerprofil]\LOCALS~1\Temp\AutoCad-export.exe
C:\nzlvnwssfdllyuESBS.dll

Together with the following changes to the registry:

HKEY_CLASSES_ROOT\AppID\winsec.exe
HKEY_CLASSES_ROOT\AppID\AutoCad-export.exe

As in the previous campaign, the code is wrapped in a cryptor and bound to a carrier with a binder. The primary payload is called “WebMatcher3.exe”. It contains a series of commands that can be used to update the malware on the machine, establish remote administration, direct traffic to a web address and launch a DDoS attack. Below is a complete overview of all the command strings found in this RAT:

BTRESULT PingRespond [OK] for the ping !
BTRESULT Update from URLUpdate : File Downloaded , Executing new one in temp dir…
BTRESULT UDP FloodUDP Flood task finished!
BTRESULT HTTP FloodHttp Flood task finished!
BTRESULT Visit URLfinished to visit 0000E18C  47e310 -> BTRESULT Open URL
BTRESULT Uninstalluninstall command receive, bye bye…
BTRESULT Run command
BTRESULT Close Serverclose command receive, bye bye…
BTRESULT Mass DownloadDownloading File…
BTRESULT Download FileMass Download : File Downloaded , Executing new one in temp dir…
BTRESULT Syn FloodSyn task finished!
BTRESULT PingRespond [OK] for the ping !
BTRESULT Update from URLUpdate : File Downloaded , Executing new one in temp dir…
BTRESULT UDP FloodUDP Flood task finished!
BTRESULT HTTP FloodHttp Flood task finished!
BTRESULT Visit URLfinished to visit 0002A4AC  47e310 -> BTRESULT Open URL
BTRESULT Uninstalluninstall command receive, bye bye…
BTRESULT Run command
BTRESULT Close Serverclose command receive, bye bye…
BTRESULT Mass DownloadDownloading File…
BTRESULT Download FileMass Download : File Downloaded , Executing new one in temp dir…
BTRESULT Syn FloodSyn task finished!

In order to complicate analysis of the code, a number of anti-debugging and VM checks were added that, among others, target VirtualBox: VBoxHook.dll, VBoxMiniRdrDN. The whole thing is topped off with a ‘sleep’ function that delays execution of the payload by roughly 3 minutes.

The central C&C server is hosted in Canada on the IP address (sanitized by CSIS) 107[.]191.46.220.

CSIS recommends that you block access to that server and treat the address as an indicator of compromise (IoC).
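As an added example (not part of the CSIS write-up), a small Python triage script that checks host artefacts and firewall log lines against the indicators listed above: the dropped-file paths (with the user name treated as a wildcard), the two registry keys, the sanitized C&C address and the sample hash from the VirusTotal link. The file paths, registry keys and log lines fed to it are constructed.

```python
import re

# Indicators taken from the write-up above; the C&C address is its defanged one with the brackets removed.
CNC_IP = "107.191.46.220"
SAMPLE_SHA256 = "37dcd2979c46707ec0f1f5acb6d86d51f3f977e678c947ee8b174ab2fecbf2be"
DROPPED_FILE_PATTERNS = [
    # [brugerkonto] / [Brugerprofil] in the write-up stand for the user name, so match any single path component.
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\security\\winsec\.exe$", re.I),
    re.compile(r"^[a-z]:\\docume~1\\[^\\]+\\locals~1\\temp\\autocad-export\.(exe|ini|exe\.config)$", re.I),
]
REGISTRY_KEYS = {
    r"hkey_classes_root\appid\winsec.exe",
    r"hkey_classes_root\appid\autocad-export.exe",
}


def match_host_artifacts(file_paths, registry_keys, file_hashes=()):
    """Return (kind, value) pairs for every host artefact that matches a published indicator."""
    hits = []
    for path in file_paths:
        if any(rx.match(path) for rx in DROPPED_FILE_PATTERNS):
            hits.append(("file", path))
    for key in registry_keys:
        if key.lower() in REGISTRY_KEYS:
            hits.append(("registry", key))
    for digest in file_hashes:
        if digest.lower() == SAMPLE_SHA256:
            hits.append(("sha256", digest))
    return hits


def match_network(log_lines):
    """Return log lines containing a flow to the C&C address (bounded so 107.191.46.2 or .2200 do not match)."""
    rx = re.compile(r"(?<![\d.])" + re.escape(CNC_IP) + r"(?![\d.])")
    return [line for line in log_lines if rx.search(line)]


# Constructed sample input: one infected host's artefacts plus two firewall lines.
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Security\winsec.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Office\winword.exe",  # benign look-alike
    r"C:\DOCUME~1\alice\LOCALS~1\Temp\AutoCad-export.exe.config",
]
SAMPLE_REG = [r"HKEY_CLASSES_ROOT\AppID\winsec.exe", r"HKEY_CLASSES_ROOT\AppID\notepad.exe"]
SAMPLE_LOG = [
    "2015-03-24T14:02:11 fw allow src=10.0.0.12 dst=107.191.46.220 dport=443",
    "2015-03-24T14:02:12 fw allow src=10.0.0.12 dst=107.191.46.2 dport=443",
]

if __name__ == "__main__":
    for kind, value in match_host_artifacts(SAMPLE_FILES, SAMPLE_REG, [SAMPLE_SHA256]):
        print(f"host indicator ({kind}): {value}")
    for line in match_network(SAMPLE_LOG):
        print(f"network indicator: {line}")
```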

At the time of writing, the malicious code has only limited antivirus detection (8/57):
https://www.virustotal.com/en/file/37dcd2979c46707ec0f1f5acb6d86d51f3f977e678c947ee8b174ab2fecbf2be/analysis/1427214682/