This morning I received a very interesting email. It urged me to process a purchasing order and had a couple of attachments in it.
Most computer users would probably just download the attachments, double-click and proceed to open. This particular one is very interesting in that it managed to escape the anti-virus application and seemed really legitimate. This is an email which you may receive in your company and you simply open it without knowing what it may do. So I set out to look at it a little deeper.
The following is the screenshot of the email
Would you think this email may be a beginning of a cyber-attack? Well… It could be.
As anyone would do I opened the attachments and found the following. A zipped executable file with a fake jpeg extension as part of the name – I was careful not to run the executable. The rest of the attachments were useless pdf with schematics and some Iranian addresses.
I fired-up my PEBrowser and tried to inspect the contents of “Technical Data Specifications jpeg.exe”. The result was as follows.
I realised it’s a .NET application compiled with 3.5 framework. You can see that it imports the Microsoft Runtime Execution Engine library – mscoree.dll which is part of the .NET framework. It also clearly shows .NET methods section which has 274 Methods and 49 classes. It was indeed and executable file and I made effort to inspect the IL quickly.
It was obfuscated to prevent people like me from trying to understand what is happening under the hood. I tried using dotPeek to decompile it and search for anything suspicious like PInvokes. Because of obfuscation I could not tell the logic very well even through PEBrowser. The IL was confusing because the most names had been scrambled to incomprehensible strings. I then saw this.
There is PInvoke to the Kernel32.dll. The program does interact with the system copying files – which in this case I don’t know.
There is quite a lot of logic in this application and not clear what it does, it probably does something very harmful. I’m sure it is not designed to give you Christmas gifts or sing you a lullaby.
I wonder why this was allowed to propagate into my email client. Is it because its a .NET program and Antivirus applications “trust” it? Given that it runs on .NET 3.5 the surface area of attack is very wide, which is good news for the attacker.
So next time you open an email, check carefully for the kind of attachments as you could be a victim of hacking.
Looks like the days of “I love you” worm are back, but exploiting .NET rather than VBS.
I found this link to be good for non-technical people