As we continue to investigate events related to Fidelis Threat Advisory #1017: Phishing in Plain Sight, which detailed a new spearphishing campaign using CVE-2014-4114 and the subsequent targeting of pro-democracy activists in Hong Kong, we have discovered some interesting files in a phishing email that had 0/57 detections on VirusTotal.
Another .pps file with MD5 1c471ef83e11d35219ccec01f328c0b1 and filename dhl-tracking-redirecting-parcel-0967789292.pps was observed in the transportation vertical in the United States, United Arab Emirates and Hong Kong. The title page of the slideshow simply says “Hello Animagus” and the second page says “Please visit our website for tracking.”
Screenshots of the PowerPoint slides:
The slideshow loads two files, penguin.exe (MD5: 01c334e60eb8900f7c1238ad0fbcb406) and RwFLOJaBA (MD5: 6781e99435fed1ff118968d73450b7e3), and appears to load Pony Bot. It makes HTTP POST requests to the C2 using the following paths: /rital/gate.php and /rital/admin.php.
Screenshots of the panel website:
Additionally, the panel will return “STATUS-IMPORT-OK” on receiving a successful request. This is a well-known indication of Pony communication.
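The two network indicators above (POST requests to /rital/gate.php or /rital/admin.php, and a response body of "STATUS-IMPORT-OK") are enough to build a simple detection over proxy or HTTP transaction logs. The following is an added example, not Fidelis code; the log format is a constructed, simplified one-line-per-transaction layout, and the sample lines and hostnames are made up. Only the paths and the status string come from the advisory. The scanner grades each hit by how many indicators co-occur, so a lone "STATUS-IMPORT-OK" on an unrelated path (a panel hosted elsewhere) still surfaces, but at lower confidence than a POST to the known path with the known reply.

```python
"""Detection helper for the Pony C2 traffic pattern described in the advisory.

Added example, not Fidelis code. The log format is constructed:
    <timestamp> <src_ip> <method> <url> <http_status> body=<response snippet>
Only the indicators (the two /rital/ paths and STATUS-IMPORT-OK) are from the page.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Indicators taken from the advisory.
PONY_C2_PATHS = ("/rital/gate.php", "/rital/admin.php")
PONY_SUCCESS_MARKER = "STATUS-IMPORT-OK"

# Parser for the constructed log layout above.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) body=(?P<body>.*)$"
)

# Constructed sample traffic; hostnames use reserved non-routable TLDs.
SAMPLE_LOG = """\
2014-11-03T10:15:01Z 10.0.0.12 GET http://example.test/index.html 200 body=<html>
2014-11-03T10:15:07Z 10.0.0.12 POST http://c2.invalid/rital/gate.php 200 body=STATUS-IMPORT-OK
2014-11-03T10:16:22Z 10.0.0.33 POST http://c2.invalid/rital/admin.php 200 body=<html>login
2014-11-03T10:17:40Z 10.0.0.41 POST http://other.invalid/upload.php 200 body=STATUS-IMPORT-OK
2014-11-03T10:18:02Z 10.0.0.50 GET http://c2.invalid/rital/gate.php 404 body=not found
"""


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a verdict record for one log line, or None if it is benign/unparseable.

    Confidence rises with the number of co-occurring indicators:
      high   - POST to a known Pony path AND the STATUS-IMPORT-OK reply
      medium - POST to a known Pony path, or the reply marker on its own
      low    - any other request touching a known Pony path (e.g. a GET probe)
    """
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path = urlsplit(rec["url"]).path
    path_hit = path in PONY_C2_PATHS
    marker_hit = PONY_SUCCESS_MARKER in rec["body"]
    is_post = rec["method"] == "POST"

    if path_hit and is_post and marker_hit:
        verdict, confidence = "pony_c2_confirmed", "high"
    elif path_hit and is_post:
        verdict, confidence = "pony_c2_checkin", "medium"
    elif marker_hit:
        verdict, confidence = "pony_marker_only", "medium"
    elif path_hit:
        verdict, confidence = "pony_c2_path_probe", "low"
    else:
        return None

    return {
        "ts": rec["ts"],
        "src": rec["src"],
        "url": rec["url"],
        "verdict": verdict,
        "confidence": confidence,
    }


def scan(log_text: str) -> List[Dict[str, str]]:
    """Classify every line of a log and return only the suspicious records."""
    return [r for r in (classify(ln) for ln in log_text.splitlines()) if r]


def hosts_to_triage(hits: List[Dict[str, str]]) -> List[str]:
    """Distinct internal source IPs with at least one medium/high-confidence hit."""
    return sorted({h["src"] for h in hits if h["confidence"] in ("medium", "high")})


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} {hit["confidence"]:6} {hit["verdict"]} {hit["url"]}')
    print("triage:", hosts_to_triage(scan(SAMPLE_LOG)))
```

In practice the path indicators are easy for an operator to change between campaigns, while the "STATUS-IMPORT-OK" reply is part of the panel's behaviour and tends to be a longer-lived signal; that is why the marker alone still produces a medium-confidence record rather than being ignored.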
What is most interesting is the expansive list of other malware families it attempts to detect (list below). While malware that looks for other malware infections isn't new, to our recollection this is one of the first times such an expansive list has been observed.
As we discover more about the novel uses of CVE-2014-4114 and the AV Bypass, we will continue to keep you informed here on ThreatGeek and to ensure our customers are protected against these advanced threats.
Malware Detection List:
Albertino Simple RAT