Finding and Decoding Multi-Step Obfuscated Malware
Our investigation of an unusual DNS query by a command-line tool leads us to the discovery of a multi-step obfuscated malware.
Recently, in the process of a threat investigation, we found an interesting event:
Here, we have a process (nslookup.exe) that tried to connect to a malicious URL that was already blocked by our solutions. We could have stopped at this point, but searching for the root cause is part of managed detection and response (MDR) — we needed to learn why this event happened in the first place and prevent it from happening in the future.
The process in question is nslookup.exe, a network administration command-line tool used for querying the DNS. Therefore, this process performing a URL request is not unusual — at first glance. Neither is this action, by itself, malicious. However, why would anyone (aside from security researchers) query a malicious URL via nslookup in the first place?
We were able to trace where the execution came from, and we saw that the events coincided with execution of certutil:
Certutil is a command-line tool used for certificate management. The command certutil -decode can be abused to decode files hidden inside a certificate file (T1140), and that was done here. The file Roccia.xltm is decoded to Fu.mp4, and then the contents of Fu.mp4 was piped to cmd.exe for execution. Upon digging further, we found that the starting point was user execution of a disguised file named setup_x86_x64_install.exe that was supposedly signed (with an invalid certificate) by AO Kaspersky Lab (Trend Micro detects this as Trojan.Win32.ALIEN.A).
This file is actually an SFX CAB archive that contains the following files:
The SFX file then executes the following command:
This will decode the content of Roccia.xltm to Fu.mp4 and execute the latter file.
The contents of Fu.mp4 are obfuscated, and when the contents are deobfuscated, they will look like this:
The code checks for multiple computer names and the C:\aaa_TouchMeNot_.txt file that usually indicates the presence of Windows Defender Antivirus Emulator. If any of these files are present, it will immediately exit.
It will then create the file rundll32.com from the contents of Agolo.mid, but without the prepended string and with an added MZ header. This file is the AutoIt compiler.
It will also decode the content of Custodiva.ppt, which is the obfuscated AutoIT script.
The deobfuscated script contains junk code and a simple string decryption routine. Upon decoding the strings, this AutoIt script will be used to execute the content of Attesa.docm via process hollowing of a spawned nslookup.exe.
This is accomplished by first reading the content of Attesa.docm.
The AutoIT script will then spawn a nslookup.exe process, which is then hollowed. The contents are replaced with those of Atessa.docm:
Upon injection, nslookup.exe will then perform the malicious routine. The payload consists of an information stealer that tries to acquire information (such as cookies or credentials) from browsers and cryptocurrency wallets, as well as system information and desktop screenshots. Both this injected nslookup.exe and an executable that uses the same command-and-control (C&C) servers (and that has a similar behavior) are detected as TrojanSpy.Win32.PRETSTEAL.A.
The stolen information is saved, compressed into a ZIP file, and sent to the following C&C servers:
- eressedu03[.]top/index.php
- eressedv32[.]top/index.php
It also attempts to download and execute a file from the following URL. However, this URL is already inaccessible.
- downhhay09[.]top/download.php?file=lv.exe
Takeaways for Researchers/Analysts
What can other researchers or security analysts learn from an incident like this?
1. A single detected event should not be the conclusion. Find out the underlying root cause of the issue. In this case, it was a user who ran a malicious file and needed to be educated about it.
2. If a legitimate process (nslookup, in this case) behaves in a way that is suspicious, follow your instincts and dig deeper.
3. Good sensors are necessary to carry out a proper threat investigation. These sensors allowed us not only to gather sufficient information about this incident, but also to find the root cause.
Trend Micro Solutions
Trend Micro’s comprehensive XDR solution applies the most effective expert analytics to the deep data sets collected from Trend Micro solutions across the enterprise — including email, endpoints, servers, cloud workloads, and networks — making faster connections to identify and stop attacks. Powerful artificial intelligence (AI) and expert security analytics correlate data from customer environments and Trend Micro’s global threat intelligence to deliver fewer, higher-fidelity alerts, leading to better, early detection. One console with one source of prioritized, optimized alerts supported with guided investigation simplifies the steps needed to fully understand the attack path and impact on the organization.
Indicator of Compromise (IOC)
| Hash (SHA-256) | Description | Detection Name |
| d7fdbdc5b650cb21e898fe45be1aaba320b0d47b5283e45822ecc1270b420279 | Payload | TrojanSpy.Win32.PRETSTEAL.A |