Donoff

Posted on April 6, 2017

Name of Threat: Donoff

Threat Vector: Email

IOC Hash: MD5: d152c2b8d9b8e4ace0baf79013d4112a

URL: http://walden[.]co[.]jp/wp/divorce/divorce[.]php?id=ZWxlZTNAdHJpYnVuZW1lZGlhLmNvbQ==

Description

Donoff is a family of malicious Office documents that carry a macro. This type of malware usually arrives as an attachment, or as a direct link, in spam mail.

For instance, we have seen this malware distributed in a spam mail using a "divorce papers" lure.

The displayed URL “http://www.entwistle-law.com/papers/divorce_michael.menousek.doc” is actually a hyperlink leading to the following download URL:

  • http://walden[.]co[.]jp/wp/divorce/divorce[.]php?id=ZWxlZTNAdHJpYnVuZW1lZGlhLmNvbQ==

When opened, the malicious document shows a lure that tries to trick the target into enabling macros.

Once macros are enabled, the macro spawns a new msiexec.exe process and injects malicious code into it, a form of memory-only execution that leaves no new file on disk. The injected code then downloads additional information-stealing malware. It connects to the following URLs:

  • http://wihotitbu[.]com/ls5/forum.php
  • http://buattitof[.]ru/ls5/forum.php
  • http://dleftronanow[.]ru/ls5/forum.php

From these C2 servers the malware receives the download URLs for the additional malware. In this campaign they pointed to files named 1 and 2 under wp-content/plugins and wp-content/themes paths on WordPress sites.


Communication with the C2 servers is encrypted. The following Pony information-stealer samples are downloaded from those download URLs:

  • 28bd39c1f8392c869b458cbf38725c1c0724ef942e6981459c84f40b23047e9f
  • 5838579040e8522fe7fda11064d182ab95e19b9812393eca516e9cf318990b0b
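As an added example that is not part of the original write-up, the following Python triage script flags the two behaviours described above on sample endpoint and proxy telemetry: an Office process spawning msiexec.exe (the injection target), and an outbound request to the campaign's /ls5/forum.php check-in. The event layout, host names, PIDs and the benign control rows are constructed assumptions; the C2 host names are the defanged ones listed in the post, re-joined for matching.

```python
from urllib.parse import urlparse

# Office hosts whose macros act as the entry point described in the post.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# C2 check-in hosts and path taken from the post (defanged "[.]" removed).
C2_HOSTS = {"wihotitbu.com", "buattitof.ru", "dleftronanow.ru"}
C2_PATH = "/ls5/forum.php"

# Constructed sample telemetry: fake hosts and PIDs, plus benign control rows.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01", "pid": 4120,
     "parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msiexec.exe", "cmdline": "msiexec.exe"},
    {"type": "process", "host": "WS02", "pid": 5522,
     "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\msiexec.exe", "cmdline": "msiexec.exe /V"},
    {"type": "proxy", "host": "WS01", "pid": 4120,
     "url": "http://wihotitbu.com/ls5/forum.php"},
    {"type": "proxy", "host": "WS02", "pid": 5522,
     "url": "http://download.windowsupdate.com/x.cab"},
]

def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def office_spawned_msiexec(ev: dict) -> bool:
    """Office process (macro host) launching msiexec.exe, the injection target."""
    return (ev["type"] == "process"
            and _basename(ev["image"]) == "msiexec.exe"
            and _basename(ev["parent_image"]) in OFFICE_PARENTS)

def c2_checkin(ev: dict) -> bool:
    """Outbound request to a known C2 host or to the /ls5/forum.php check-in path."""
    if ev["type"] != "proxy":
        return False
    u = urlparse(ev["url"])
    return u.hostname in C2_HOSTS or u.path == C2_PATH

def triage(events: list) -> list:
    """Return (host, pid, reason) tuples for every event matching an indicator."""
    findings = []
    for ev in events:
        if office_spawned_msiexec(ev):
            findings.append((ev["host"], ev["pid"], "office->msiexec"))
        elif c2_checkin(ev):
            findings.append((ev["host"], ev["pid"], "c2-checkin"))
    return findings

if __name__ == "__main__":
    for host, pid, reason in triage(SAMPLE_EVENTS):
        print(f"{host} pid={pid} {reason}")
```

A PID that appears with both reasons (here WS01/4120) is the strongest signal, since it ties the Office-spawned msiexec.exe directly to the C2 check-in.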

Reference: https://techhelplist.com/spam-list/1119-2017-03-16-re-divorce-papers-malware