Cutwail Malware Returns with New TTPS – Detection & Response

0

Cutwail is malicious software (malware) designed to make infected computers operate as spambots. In this way, infected systems are used to spread spam/send emails. Research shows that cybercriminals use Cutwail to send emails that contain malicious attachments.


They use these spam campaigns to trick recipients into installing other malware called Dridex and ransomware (e.g. Hermes).

The sent emails are disguised as messages regarding invoices or payment details. Recipients are encouraged to check (open) the attachment, a Microsoft Excel (.xls) file, which is disguised as an invoice form. When this malicious file is opened, MS Excel shows a warning stating that some active content has been disabled, and then opens the file in Protected View mode.

Also Read: SocGholish Malware on The Rise – Detection & Response

The process ( wmiprvse.exe ) which is Windows Management Instrumentation (WMI) component spawned an unexpected child process ( regsvr32.exe ). This indicator shows parent process was compromised via an exploit or macro.

If macros commands are enabled, this malicious .xls file infects the system with Dridex, which is malicious software designed to steal sensitive information such as banking credentials. It does this by recording keystrokes (keys pressed). Stolen banking (and other) accounts could be used to make fraudulent transactions, purchases, etc.

Also Read: Bumblebee malware loader is now active in the wild – Detection & Response

People who have computers infected with this malware are thus likely to experience a financial loss. Furthermore, the aforementioned spam campaigns could be used to proliferate other malware, such as Hermes ransomware.

Indicator Of Compromise:

File Name Hash: a6fdd0629ed927d7b38a7309bcfcadd08e6a7368b3f18ca49a7d40c755193312

investprides[.]com

moneyinconsalt[.]com
consaltins[.]com
moneyinvestator[.]com
inmanagment[.]com
managmentoria[.]com

IP : 5[.]42.199.71

Also Read: Soc Interview Questions and Answers – CYBER SECURITY ANALYST

Detection & Response:

Qradar:

SELECT UTF8(payload) from events where LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and ("Image" ilike '%\OUTLOOK.EXE' or "Image" ilike '%\WINWORD.EXE' or "Image" ilike '%\excel.exe') and "Process CommandLine" ilike '%/dde%' and "Process CommandLine" ilike '%C:\Users\%' and "Process CommandLine" ilike '%\AppData\Local\Temp\%.xls%' and "ParentImage" ilike '%\wmiprvse.exe' and ("Image" ilike '%\regsvr32.exe') and "Process CommandLine" ilike '%regsvr32 /s%' and "Process CommandLine" ilike '%\AppData\Local\Temp\%' and "Process CommandLine" ilike '%C:\Users\Admin\%'

Splunk:

((Image="*\\OUTLOOK.EXE" OR Image="*\\WINWORD.EXE" OR Image="*\\excel.exe") AND CommandLine="*/dde*" AND CommandLine="*C:\\Users\\*" AND CommandLine="*\\AppData\\Local\\Temp\*.xls*" AND ParentImage="*\\wmiprvse.exe" AND (Image="*\\regsvr32.exe") AND CommandLine="*regsvr32 /s*" AND CommandLine="*\\AppData\\Local\\Temp\\*" AND CommandLine="*C:\\Users\\Admin\\*") AND source="WinEventLog:*"

Elastic Query:


(process.executable:(*\\OUTLOOK.EXE OR *\\WINWORD.EXE OR *\\excel.exe) AND process.command_line:*\/dde* AND process.command_line:*C\:\\Users\\* AND process.command_line:*\\AppData\\Local\\Temp\*.xls* AND process.parent.executable:*\\wmiprvse.exe AND process.executable:*\\regsvr32.exe AND process.command_line:*regsvr32\ \/s* AND process.command_line:*\\AppData\\Local\\Temp\\* AND process.command_line:*C\:\\Users\\Admin\\*)

Arcsight:


(((destinationProcessName CONTAINS "*\\OUTLOOK.EXE" OR destinationProcessName CONTAINS "*\\WINWORD.EXE" OR destinationProcessName CONTAINS "*\\excel.exe" OR deviceProcessName CONTAINS "*\\OUTLOOK.EXE" OR deviceProcessName CONTAINS "*\\WINWORD.EXE" OR deviceProcessName CONTAINS "*\\excel.exe" OR sourceProcessName CONTAINS "*\\OUTLOOK.EXE" OR sourceProcessName CONTAINS "*\\WINWORD.EXE" OR sourceProcessName CONTAINS "*\\excel.exe")) AND (((destinationServiceName CONTAINS "*/dde*" OR deviceCustomString1 CONTAINS "*/dde*")) AND ((destinationServiceName CONTAINS "*C:\\Users\\\\*" OR deviceCustomString1 CONTAINS "*C:\\Users\\\\*")) AND ((destinationServiceName CONTAINS "*\\AppData\\Local\\Temp\\*.xls*" OR deviceCustomString1 CONTAINS "*\\AppData\\Local\\Temp\\*.xls*"))) AND sourceProcessName ENDSWITH "*\\wmiprvse.exe" AND ((destinationProcessName CONTAINS "*\\regsvr32.exe" OR deviceProcessName CONTAINS "*\\regsvr32.exe" OR sourceProcessName CONTAINS "*\\regsvr32.exe")) AND (((destinationServiceName CONTAINS "*regsvr32 /s*" OR deviceCustomString1 CONTAINS "*regsvr32 /s*")) AND ((destinationServiceName CONTAINS "*\\AppData\\Local\\Temp\\\\*" OR deviceCustomString1 CONTAINS "*\\AppData\\Local\\Temp\\\\*")) AND ((destinationServiceName CONTAINS "*C:\\Users\\Admin\\\\*" OR deviceCustomString1 CONTAINS "*C:\\Users\\Admin\\\\*"))))

CarbonBlack:

(process_name:(*\\OUTLOOK.EXE OR *\\WINWORD.EXE OR *\\excel.exe) AND process_cmdline:*\/dde* AND process_cmdline:*C\:\\Users\\* AND process_cmdline:*\\AppData\\Local\\Temp\*.xls* AND parent_name:*\\wmiprvse.exe AND process_name:*\\regsvr32.exe AND process_cmdline:*regsvr32\ \/s* AND process_cmdline:*\\AppData\\Local\\Temp\\* AND process_cmdline:*C\:\\Users\\Admin\\*)

Crowdstike:


((ImageFileName="*\\OUTLOOK.EXE" OR ImageFileName="*\\WINWORD.EXE" OR ImageFileName="*\\excel.exe") AND (CommandHistory="*/dde*" OR CommandLine="*/dde*") AND (CommandHistory="*C:\\Users\\*" OR CommandLine="*C:\\Users\\*") AND (CommandHistory="*\\AppData\\Local\\Temp\*.xls*" OR CommandLine="*\\AppData\\Local\\Temp\*.xls*") AND ParentBaseFileName="*\\wmiprvse.exe" AND (ImageFileName="*\\regsvr32.exe") AND (CommandHistory="*regsvr32 /s*" OR CommandLine="*regsvr32 /s*") AND (CommandHistory="*\\AppData\\Local\\Temp\\*" OR CommandLine="*\\AppData\\Local\\Temp\\*") AND (CommandHistory="*C:\\Users\\Admin\\*" OR CommandLine="*C:\\Users\\Admin\\*"))

GrayLog:


(Image.keyword:(*\\OUTLOOK.EXE *\\WINWORD.EXE *\\excel.exe) AND CommandLine.keyword:*\/dde* AND CommandLine.keyword:*C\:\\Users\\* AND CommandLine.keyword:*\\AppData\\Local\\Temp\*.xls* AND ParentImage.keyword:*\\wmiprvse.exe AND Image.keyword:*\\regsvr32.exe AND CommandLine.keyword:*regsvr32\ \/s* AND CommandLine.keyword:*\\AppData\\Local\\Temp\\* AND CommandLine.keyword:*C\:\\Users\\Admin\\*)

Logpoint:


(Image IN ["*\\OUTLOOK.EXE", "*\\WINWORD.EXE", "*\\excel.exe"] CommandLine="*/dde*" CommandLine="*C:\\Users\\*" CommandLine="*\\AppData\\Local\\Temp\*.xls*" ParentImage="*\\wmiprvse.exe" Image IN "*\\regsvr32.exe" CommandLine="*regsvr32 /s*" CommandLine="*\\AppData\\Local\\Temp\\*" CommandLine="*C:\\Users\\Admin\\*")

Microsoft Defender:


DeviceProcessEvents | where ((FolderPath endswith @"\OUTLOOK.EXE" or FolderPath endswith @"\WINWORD.EXE" or FolderPath endswith @"\excel.exe") and ProcessCommandLine contains "/dde" and ProcessCommandLine contains @"C:\Users\" and ProcessCommandLine matches regex @".*\\AppData\\Local\\Temp\.*\.xls.*" and InitiatingProcessFolderPath endswith @"\wmiprvse.exe" and (FolderPath endswith @"\regsvr32.exe") and ProcessCommandLine contains "regsvr32 /s" and ProcessCommandLine contains @"\AppData\Local\Temp\" and ProcessCommandLine contains @"C:\Users\Admin\")

Microsoft Sentinel:


SecurityEvent |  where EventID == 4688 | where ((NewProcessName endswith @'\OUTLOOK.EXE' or NewProcessName endswith @'\WINWORD.EXE' or NewProcessName endswith @'\excel.exe') and CommandLine contains '/dde' and CommandLine contains @'C:\Users\' and CommandLine matches regex '(?i).*\AppData\Local\Temp\.*.xls.*' and ParentProcessName endswith @'\wmiprvse.exe' and (NewProcessName endswith @'\regsvr32.exe') and CommandLine contains 'regsvr32 /s' and CommandLine contains @'\AppData\Local\Temp\' and CommandLine contains @'C:\Users\Admin\')

SumoLogic:


(_sourceCategory=*windows* AND (Image = "*\OUTLOOK.EXE" OR Image = "*\WINWORD.EXE" OR Image = "*\excel.exe") AND CommandLine="*/dde*" AND CommandLine="*C:\Users\\*" AND CommandLine="*\AppData\Local\Temp\*.xls*" AND ParentImage="*\wmiprvse.exe" AND (Image = "*\regsvr32.exe") AND CommandLine="*regsvr32 /s*" AND CommandLine="*\AppData\Local\Temp\\*" AND CommandLine="*C:\Users\Admin\\*")

RSA Netwitness:


((Image contains '\OUTLOOK\.EXE', '\WINWORD\.EXE', '\excel\.exe') && (CommandLine contains '/dde') && (CommandLine contains 'C:\Users\\') && (CommandLine regex '.*\\AppData\\Local\\Temp\.*\.xls.*') && (ParentImage contains 'wmiprvse.exe') && (Image contains '\regsvr32\.exe') && (CommandLine contains 'regsvr32 /s') && (CommandLine contains 'AppData\Local\Temp\\') && (CommandLine contains 'C:\Users\Admin\\'))

Google Chronicle:


(target.process.file.full_path = /.*\\OUTLOOK\.EXE$/ or target.process.file.full_path = /.*\\WINWORD\.EXE$/ or target.process.file.full_path = /.*\\excel\.exe$/) and target.process.command_line = /.*\/dde.*/ and target.process.command_line = /.*C:\\Users.*/ and target.process.command_line = /.*\\AppData\\Local\\Temp\\.*\.xls.*/ and principal.process.file.full_path = /.*\\wmiprvse\.exe$/ and target.process.file.full_path = /.*\\regsvr32\.exe$/ and target.process.command_line = /.*regsvr32 \/s.*/ and target.process.command_line = /.*\\AppData\\Local\\Temp.*/ and target.process.command_line = /.*C:\\Users\\Admin.*/


Aws Opensearch:


(process.executable:(*\\OUTLOOK.EXE OR *\\WINWORD.EXE OR *\\excel.exe) AND process.command_line:*\/dde* AND process.command_line:*C\:\\Users\\* AND process.command_line:*\\AppData\\Local\\Temp\*.xls* AND process.parent.executable:*\\wmiprvse.exe AND process.executable:*\\regsvr32.exe AND process.command_line:*regsvr32\ \/s* AND process.command_line:*\\AppData\\Local\\Temp\\* AND process.command_line:*C\:\\Users\\Admin\\*)

References: pcrisk.com
                  twitter/stoerchl
                  twitter/58_158_177_102






















Previous articleAgent Tesla Spyware new TTPS – Detection & Response
Next articleQBot Spreads via LNK Files – Detection & Response
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.

LEAVE A REPLY

Please enter your comment!
Please enter your name here