Unique Malspam Campaign Uses MS Publisher to Drop a RAT on Banks

A malspam campaign targeting a slew of banks is turning researchers’ heads with its unusual use of a Microsoft Office Publisher file to infect victims’ systems with a well-known backdoor.

Researchers with Trustwave said that they have seen a spate of emails with a Microsoft Office Publisher file (a .pub attachment) and the subject line, “Payment Advice,” targeting domains belonging to banks.

Upon further investigation, researchers found that the malspam emails contained URLs that downloaded FlawedAmmyy remote-access trojan (RAT), a tricky backdoor tool that lets attackers control victims’ machines from afar. The RAT is based on leaked source code for version 3 of the Ammyy Admin remote desktop software, and its features include remote desktop control, file system manager, proxy support and audio chat.

“This campaign was unusual in the use of .pub files. It also appeared to originate from the Necurs botnet, a notorious botnet responsible for much mass malware distribution in the past,” researchers said today in a post about the campaign.

A sample email asked the victim to “find attached payment advice for your claim number DHS158700155,” and featured an attached .pub file.

Upon opening the .pub file, the victim is prompted to “Enable Macros” (earlier versions of Microsoft Publisher may display instructions to also “Enable Editing” and “Enable Content,” researchers said).

The file looks innocent enough – however when manually opening the Visual Basic Editor (VBA Editor) in Microsoft Publisher and clicking “ThisDocument” under Project Explorer, researchers discovered the VBScript that ultimately executes an archive containing the RAT.

“The macro script is triggered with the function Document_Open(),” researchers said. “As the name implies, when the file is opened, the script will access a URL and execute a downloaded file.”

The code also uses control objects in the forms to hide the URL it will access, which researchers eventually found  located in the Tag Property tab after closer examination.

“By the time we examined the sample, the URL was not accessible anymore, but a little further research indicated this URL was used for downloading a self-extracting archive, which contained the FlawedAmmyy RAT,” researchers said.

The RAT then sends machine information like “id”, “os”, “names” and credentials to the attacker.

The FlawedAmmyy RAT was seen earlier in July as part of a widespread spam campaign from the well-known financial criminal group TA505. The campaign were able to spread the RAT using weaponized PDFs containing malicious SettingContent-ms files.

However, “unlike previous mass campaigns, this campaign was small and, interestingly, all of the … addresses we saw targeted were domains belonging to banks, indicating a desire for the attackers to get a foothold within banks with the FlawedAmmyy RAT,” researchers said.