The cycle of continuous adaption and innovation by cybercriminals that we described in The Human Factor 2015 reveals itself every day in new techniques attackers devise to evade detection and succeed in infecting new systems. Attackers are also continuously evolving their business processes in order to better track the success of their techniques and optimize for highest return on investment (ROI), as the Dridex campaigns that we have analyzed in previous posts recently demonstrated.
A picture is worth a thousand words… or downloads
In order to understand the recent changes, it is necessary first to describe a tracking technique that we have observed certain malicious macro writers using. When a user clicks the Enable Content button for the developer’s macro, it creates a VBScript, a batch file, and one or two other files depending on which version of Windows the client is running. These files execute in series and download the malware payload (in this case, a version of Dridex) and a “statistics image.”
Introduced in February 2015, the macro’s statistics features operates by downloading a specific picture from a public picture-hosting service savepic[.](su|ru|net|org| etc.) and makes it possible to view statistics on how many times the image was downloaded. This simple technique gives the macro developer and threat actor a cost-effective way to view how frequently the macro was executed and thus measure the effectiveness of the campaigns. For improved visibility, there are in fact two image URLs embedded in each macro: STAA and STAB. STAA is used for older operating systems such as Windows XP, while STAB is used for modern Windows operating systems such as Windows 7. (Fig. 1)
Figure 1: Statistics URLs STAA, and STAB and the payload URL URLLSK
Forensic analysis of the macro payloads enables one to extract the “savepic[.]ru” tracking URL. Each campaign usually appends its own unique image filename to this domain; for example, [hxxp://savepic[.]ru/7030568.png] was observed in a recent campaign.
Adding the letter ‘m’ to the image ID number (that is, the filename) and replacing “png” with “htm” yields the statistics page for that particular image:
The resulting page shows a number statistics, one of which is the number of views that image has had, which in this case represents the number of payload downloads. (Fig. 2)
Figure 2: Image-hosting service showing that a Google logo image was downloaded 1,828 times by the macro.
Web marketers will immediate recognize the approach, which calls to mind “web bugs” such as 1x1 pixel tracking images and other attribution tools. The use by malware developers highlights the extent to which technical choices are driven by business metrics that go beyond simply testing whether or not a piece of malware can avoid AV detection.
Doubling down on tracking images
As noted above, Proofpoint researchers have observed this success tracking feature in use since at least February 2015. Very recently, a notable change was observed in the statistics feature: the macro loads two images, one when the payload is downloaded, and a second, different image once it has been able to verify that the infection process is complete. For example in the case of a campaign from May 19, the macro downloaded a picture of a well-known political figure upon download of the malware payload. (Fig. 3)
Figure 3: Image-tracking page for payload downloads
The malware monitors the victim computer’s process listing until it confirms that the payload is successfully installed and running, then downloads a second image. (Fig. 4)
Figure 4: Image-tracking page for payloads running
In this example, the image-tracking statistics show that the malware payload was downloaded to victim computers 661 times, and that the payload was then successfully detected running (and thus causing the download of the second tracking image) 501 times. The value of the image download figure is always greater than the second one, and the delta provides an insightful metric on the effectiveness of the malware payload against host-based protection systems and other obstacles to execution. (In recent campaigns, we have seen a higher-than-usual proportion of developer-side bugs that have rendered the malware payloads effectively inert.)
Although the second tracking image download increases risk for the malware developer and threat actor by creating another opportunity to detect the presence of the infection on the targeted organization’s network, it also enables the malware developer to demonstrate a success rate of 75% for this campaign, a valuable benefit for both the developer and their customer (that is, the threat actor launching the campaign).
Recent image-tracking statistics confirm that the attackers have delivered a ten-fold increase in effectiveness at evading standard email defenses, and that they are greater than 70% successful at actually installing the malware payload and infecting the target client. Not only is this vital threat intelligence for security researchers and practitioners; it is also essential business intelligence for threat actors who are evaluating the success of their campaigns, and for malicious macro developers who are eager to demonstrate the ROI of their campaigns and drive future business.
Subscribe to the Proofpoint Blog