Ukrainian Financial Institutions Targeted by Wave of Malicious EPS File Attacks

Last week, the Ukrainian Central Bank issued a warning around an attack being launched against Ukrainian banks. Thanks to one of our contacts in the region, we received the malware at an early stage and were able to provide coverage for our customers—always our first priority. Now that local authorities have publicly disclosed the matter, we would like to share some insights into the campaign.

The attacks appear to have targeted banks in Russia as well as Ukraine, and we are aware of reports of similar attack vectors and payloads in other countries.

The initial threat started with emails sent to the banks around August 10, 2017, and a second wave on August 18 that carried attachments containing a payload. The subject of the emails were triggered to get the attention of the users and lure them into opening the attachments.

Who wouldn’t open an email with the subject “Unauthorized Money Withdrawal” from a non-banking related email-address? We noticed the following attachment names for the document files:

  • Выписка.docx
  • Выписка по счету.docx
  • Выписка по карте.docx
  • Выписка по карте клиента.docx
  • 12.docx

The above can be translated as “Account Statement” or ”Card statement/Customer Card Statement”.

The document is weaponized with a payload hidden in an embedded Encapsulated Postscript (EPS) file. EPS files are mostly used to display print previews or contain other functions related to printing.

When opening the .docx file, the following is shown:

In this case, again the name of the document is shown in Microsoft Word, ‘Customer Card Statement’.

When Word is opened, the payload in the .eps file starts to hook and inject itself, and creates the process “FLTLDR.exe”, which runs from the path: \PROGRAMFILES%\Microsoft Shared\GRPHFLT\EPSIMP32.FLT

Since docx files are zip-files, we unzipped the attachment and investigated the unzipped files for interesting artifacts and compared them against our internal threats database. For example, we discovered a URL in the App.xml file:

When investigating that URL through our resources, we discovered that that same URL was used in a targeted campaign described by our industry peers from ESET.

Actually, the targeted attack described by ESET has a lot more in common with our current banking campaign. Could our attackers have borrowed the code and altered it to their needs?

When we dug deeper into the details of the ‘image1.eps’ file, we noticed two awkward strings that you normally wouldn’t see in malware:

  • %%Icantdestroywhatisntthere
  • %%Myheartisjusttoodarktocare

After searching for these strings, they seem to belong to a song called ‘Snuff’ by Slipknot.

Ha, maybe our actors are metalheads or simply using it as a distraction.

When we ran the EPS file through our tools, it was flagged as CVE 2015-2545 and CVE 2017-0262, both constructs of malicious EPS files that could exploit the system opening this crafted file.

Once the malware has managed to infect a system, it tries to connect to a server based in France over TCP port 80:

hxxp://137.74.224.142/z/get.php?name=3c6*****

This IP-address seems to have a reputation for ‘badness’ in multiple campaigns, including those used for spam-distribution.

To prevent this attack from being successful, we recommend that Microsoft’s security patches be immediately installed on endpoints. These patches will address the following CVE-numbers:

  • CVE 2015-2545
  • CVE 2017-0261
  • CVE 2017-0262

McAfee customers using our endpoint solutions are protected from this threat by a signature called “Exploit-CVE2015-2545.l”

Hashes of files we received:

  • ecc055974d7d190871dc4eb1bf1f8b998d6e8abf04dba2ff560ae395aeec4d5d
  • 430c1bfa22e0f7b0e8742c0d70b8911089ba58645818e4281d7066d1324a3952
  • 1892154cc47e8a1bc81186d131e001a22e4edbc4fd88688eb1782b934e1941b6
  • e9d843761df7f6ef193d9f8e88d93a90816f2067fdd51a1c0765dfbfd4cb398f
  • 647572d133677882f52843f799375ac77178616bcd3d9ed13b95d49eecfd0a51

Leave a Comment

14 − seven =