A spam distribution campaign spotted just after the holiday season has ended is distributing the Neutrino Bot via a linked malicious Office document, Malwarebytes Labs security researchers warn.
Usually, cybercriminals attach the malicious documents directly to the spam emails, but they took a different approach this time, by including only a link to that document. This approach is unexpected mainly because the servers on which these malicious files are hosted usually have a short time to live window.
The emails included in this campaign were supposedly from Microsoft Security Office, while the linked document, named “Microsoft.report.doc,” would allegedly include a full security report. Once the user attempts to open the document, however, they are prompted to enable macros to view the content.
As soon as the malicious macro is executed, however, the final payload is downloaded and executed, and the victim’s computer is infected with the Neutrino bot. This piece of malware can perform a variety of malicious activities, such as the launch of distributed denial of service (DDoS) attacks, keystroke capturing, form grabbing, and screenshot taking, the spoofing of DNS requests, and malware download.
The malware installs itself in %APPDATA% in a folder called “UmJn,” a folder typical for this version of the malware. Next, Neutrino attempt to connect to the C&C to start receiving commands and perform malicious actions, by querying a script called “tasks.php.”
The list of URLs is hardcoded in the malicious app, and security researchers say that a cookie with a hardcoded value is used for authentication. Moreover, they reveal that this value has been modified between versions, and that the malware’s code appears to have been partially rewritten as well, although the purpose and major features didn’t change much.
The features in the new variant, which researchers say is 5.2, have been reorganized, although they are about the same. The screenshot-taking functionality, for example, is still there, albeit the implementation details have changed.
The malware takes screenshots of the victim’s desktop when it receive a command from the C&C, and immediately sends the shot to the server. Previously, the feature was associated with a keylogger, but the new implementation provides the malware author with increased control over execution.
“Just like in the previous case we are dealing with a fully-fledged multipurpose bot – with various features allowing to steal data and invade privacy, but also to use infected computers for DDoS attacks or download other malware,” Malwarebytes Labs researchers explain.
As always, users are advised to be extremely careful with Office documents masquerading as invoice reports, especially those that leverage the macro feature to execute code. Users should not enable macros unless they completely trust source of the file, or if they open it in a virtualized environment. Network admins should set policies to permanently disable macros, the researchers say.