3rd November, 2019 – Current
The NaijaSecForce team have detected a new wave of malware spreading across Africa and the Middle East. This malware comes in form of a spam campaign targeting corporate mailboxes within Africa and the Middle east. We started receiving reports of this malware campaign on the 3rd of November. The pyrogenic malware started initial propagation in August 2019 – but then, it went quiet till November 2019 when we noticed a massive spike
At first glance, it looks to be a simple, harmless email with a supposed attachment. However, on closer look, what looks like an attachment, is an image with a hyperlink.
The hyperlink is https[:]//bandirmaad[.]com/RA.html and it redirects to cevrimiciciftci[.]com/Remittance_pdf.jar where a file gets downloaded to the victim’s PC.
This malware relies on the victim to open the .jar file. The malicious .jar file is portrayed as a “Supplier Remittance” pdf file, which is a fairly typical lure used in malware campaigns. Upon launching the malicious file “Remittance_pdf.jar”, we noticed an outbound connection to the CnC server 18.104.22.168 on port 80.
Shortly after, two DLL files get dropped and loaded,it created a file – ImageLoaded: C:\Users\Naijasecforce\AppData\Local\Temp\sqlite-22.214.171.124-2dd62d12-e663-4673-99f4-086ae2f51227-sqlitejdbc.dll
CMD.exe Launches for Command execution.
We also noticed that cmd.exe automatically launches spawning off a powershell command.
CommandLine: cmd.exe /c chcp 1252 > NUL & powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile -Command –
The Trojan then connects a remote location (api1.whatismyipaddress.com)to gather the external IP address of the compromised computer:
We ran this malware against Virustotal and had only 1/59 detections.Only fortinet detected the malware.
|1||Malware Hosting sites (links in email)||hxxps://cevrimiciciftci.com/Remittance_pdf.jar, hxxp://bandirmaad.com/RA.html|
|2||Malicious Filenames Observed||Remittance_pdf.jar, BankPaymAdviceVend_LLCRep.jar, Remittance_Advice(E-Mail)_pdf.jar, E-mail_Remittance_Layout.jar, Remittance_Advice_IN33092319_pdf.jar, Remittance_Advice_HEAD0000I00231_pdf.jar|
|3||File Hashes for Malicious File (.jar)||sha256: 36da271e39083cacdbade996fdc388bd4beef4d00e7d0780de4eb53fd31794db|
|4||Dropped executable file and Hashes||%temp%/sqlite-126.96.36.199-2dd62d12-e663-4673-99f4-086ae2f51227-sqlitejdbc.dll|
In order to avoid and mitigate the impact of the threat, we highly recommend the following:
- Ensure that all IOCs are blocked.
- Avoid and restrict execution of unknown files / programs / powershell scripts.
- Ensure that attachments and links in emails are sandboxed analysed before delivery to users.
- Monitor emails for any phishing activity and malicious links/attachments.
- Monitor the network for any suspicious/anomalous activity
- Implement more cybersecurity awareness workshops
- Communication to the malicious Command-and-Control server should be blocked.
- Malicious domains should be blocked using URL filterring for web security.security
Credits to AppAnyRun for the name “Pyrogenic”.
About the Author:
NaijaSecForce Threat Advisory Team – Rotimi Akinyele
NaijaSecForce Threat Advisory Team includes security experts and researchers responsible for analyzing and eliminating threats within Africa and also, investigating the global threat landscape. The team shares its research and insights with the industry at large to help promote a safer internet.
The NaijaSecForce Threat Advisory Team is under the body of the NaijaSecForce team which is the brain behind NaijaSecCon – a conference dubbed as Nigeria’s foremost technical cybersecurity conference which holds annually.