06 October 2017

Stealth Data Exfiltration through Email Client

The email signature area is an extremely dangerous bridge for data leakage that raises no suspicion at all.

If you are an ordinary user of a well-known e-mail client, you need to know how simple it is to run a malicious procedure that sends out an unlimited amount of data without generating any alert or triggering any security rule. In fact, the exfiltrated data are even certified by the mail server's own security infrastructure, because they leave as part of a legitimate message.

"Email signature injection starts from the assumption that any write activity by a non-admin user is legitimate in the filesystem area where the mail signature is stored":
This icon marks an area of the Malware Lab output that contains one or more indicators of compromise that can be reused with high confidence to spot the analysed sample.

The Malware Lab (x)feed (eXtended Feed) mode outlines malware behaviours and enriches, from a threat intelligence perspective, the traditional indicators of compromise.

The Malware Lab descriptors are defined by a proprietary taxonomy.
eXtended Feed mode

attack_stage={delivery}->attack_stage={exploitation}: command_or_file_execute={file_read=[target.docx]}
attack_stage={delivery}->attack_stage={exploitation}: command_or_file_execute={%APPDATA%[file_write=(Microsoft)]Signatures}
Lab Version 2.2

As you can see from the video, in the first test we reproduced a basic bytecode able to grab potentially sensitive information and push it into the mail client signature.
In the pictures we highlighted the following:
  1) The email looks absolutely normal and legitimate even after the signature injection
  2) The headers show no sign of tampering
  3) We deliberately injected an open-xml-format encoded content in order to make it easily extractable during the second test
  4) The contents that the sender unknowingly shared together with the legitimate email are extracted and decoded by the recipient of the message: in this case the injected string is copied into any browser's address bar
  5) Once the encoded string is passed to the browser, the hidden document is automatically reassembled and made available as a download
  6) The exfiltration across the email signature was successful
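From the defender's side, the two observable artefacts in the scenario above are a write into the signature store the (x)feed indicator names (%APPDATA%\Microsoft\Signatures) and a signature that suddenly carries a large encoded blob. The following auditor is an added example, not Malware Lab code: it walks the signature files and flags base64 data: URIs (the post says the pasted string makes the browser reassemble the document, which is how a data: URI behaves; the exact encoding the lab used is not given), long stray base64 runs, and CSS that hides text from the sender. The size thresholds, the hidden-CSS patterns and the two sample signatures are constructed assumptions for the demonstration.

```python
"""Audit Outlook-style HTML signature files for injected encoded content.

Added example (not Malware Lab code). Thresholds, hiding patterns and the
sample signatures below are assumptions constructed for the demonstration.
"""
from __future__ import annotations

import base64
import os
import re
from dataclasses import dataclass
from pathlib import Path

# Signature store named in the post's (x)feed indicator, relative to %APPDATA%.
SIGNATURES_SUBDIR = Path("Microsoft") / "Signatures"

# Assumed thresholds: a legitimate signature rarely holds more than a few
# hundred contiguous base64 characters (an inline logo is the usual exception).
MAX_B64_RUN = 512
MAX_SIGNATURE_BYTES = 64 * 1024

DATA_URI_RE = re.compile(r"data:([\w.+-]+/[\w.+-]+)?;base64,([A-Za-z0-9+/=]+)", re.I)
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MAX_B64_RUN)
# CSS that keeps text invisible to the sender while it still travels in the mail.
HIDDEN_CSS_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px|pt)?(?![\d.])",
    re.I,
)
# base64 of b"PK\x03\x04": an Office Open XML document is a ZIP container.
OOXML_MAGIC_B64 = "UEsDB"


@dataclass
class Finding:
    rule: str
    detail: str


def audit_signature(html: str) -> list[Finding]:
    """Return the heuristics an HTML signature triggers (empty list if clean)."""
    findings: list[Finding] = []
    if len(html.encode("utf-8", "replace")) > MAX_SIGNATURE_BYTES:
        findings.append(Finding("oversized", f"{len(html)} chars"))
    for m in DATA_URI_RE.finditer(html):
        mime, payload = (m.group(1) or "?"), m.group(2)
        # An application/* payload or ZIP magic means a document, not a logo.
        if mime.lower().startswith("application/") or payload.startswith(OOXML_MAGIC_B64):
            rule = "data_uri_document"
        else:
            rule = "data_uri"
        findings.append(Finding(rule, f"{mime}, {len(payload)} base64 chars"))
    # Long base64 runs outside any data: URI (e.g. dumped into a hidden span).
    for m in B64_RUN_RE.finditer(DATA_URI_RE.sub("", html)):
        findings.append(Finding("base64_blob", f"{len(m.group(0))} chars"))
    hidden = HIDDEN_CSS_RE.search(html)
    if hidden:
        findings.append(Finding("hidden_css", hidden.group(0)))
    return findings


def scan_signatures_dir(base: Path | None = None) -> dict[str, list[Finding]]:
    """Audit every .htm/.html file under %APPDATA%\\Microsoft\\Signatures."""
    if base is None:
        appdata = os.environ.get("APPDATA")
        if not appdata:
            return {}
        base = Path(appdata) / SIGNATURES_SUBDIR
    results: dict[str, list[Finding]] = {}
    for path in sorted(base.glob("*.htm*")):
        findings = audit_signature(path.read_text(encoding="utf-8", errors="replace"))
        if findings:
            results[path.name] = findings
    return results


# Constructed samples: a benign signature and one carrying an injected blob.
BENIGN_SIGNATURE = (
    "<p>Jane Doe<br>Security Engineering<br>"
    '<a href="https://example.invalid">example.invalid</a></p>'
)
# Constructed ZIP-like stand-in for a .docx; not a real document.
FAKE_DOCX = b"PK\x03\x04" + b"\x00" * 900
INJECTED_SIGNATURE = BENIGN_SIGNATURE + (
    '<span style="display:none">'
    "data:application/vnd.openxmlformats-officedocument.wordprocessingml.document;"
    f"base64,{base64.b64encode(FAKE_DOCX).decode()}</span>"
)

if __name__ == "__main__":
    for name, sig in (("benign", BENIGN_SIGNATURE), ("injected", INJECTED_SIGNATURE)):
        print(name, [f"{f.rule}: {f.detail}" for f in audit_signature(sig)])
    for name, hits in scan_signatures_dir().items():
        print(name, [f"{f.rule}: {f.detail}" for f in hits])
```

Run it on a workstation and any file under the Signatures folder that returns `data_uri_document` or `base64_blob` deserves a look; a `data_uri` hit with an `image/*` type is usually just an inline logo. The same heuristics can be applied by a mail gateway to the outbound message body, which catches the leak even when the endpoint is not monitored.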

The Malware Lab Syntet(x)feed (Synthetic Malware Reproduction via Pseudo Code) mode aims to produce a flowchart and a streamlined pseudo-code that describe the analysed sample itself, in a manner that highlights possible areas of investigation that cannot be spotted immediately at first glance.
Synthetic Malware Reproduction | Pseudo code mode

st=>start: attack_stage={exploitation}
e=>end: command_or_file_execute={%APPDATA%[file_write=(Microsoft)]Signatures}
op1=>operation: Target acquisition
op2=>operation: Target reading
op3=>operation: Target encoding
cond=>condition: Is there any valid email signature?
op4=>operation: Use vbs for creating a stealth one
op5=>operation: Push target into signature


Copyright © 2017 MALWARELAB.co.uk