Corporate users hit with fake Microsoft email delivering sneaky malware

A well-crafted and extremely legit-looking spam email campaign is currently targeting corporate users around the world, ultimately leading the victims to difficult-to-detect malware that downloads additional malicious programs on the target’s computer.

The email is supposedly sent by Microsoft’s Volume Licensing Service Center, and the potential victims are notified that they have received an Open License with Microsoft – all they have to do is to register:

The email does look very much like the real email Microsoft’s VLSC sends out to users, and the personalized welcome line will surely fool many recipients into believing that the email is legitimate.

But hovering with the mouse over the offered download link will reveal its true destination: one of four compromised domains that have nothing to do with Microsoft.

The destination page uses Javascript to display the real Microsoft Volume License Center login page and starts a download of the fake volume license trojan as a .zip file, explained Martin Nystrom, a senior manager at Cisco’s Threat Defense.

With the real Microsoft page in the background, it’s easy to see how victims can be fooled into approving the download.

The malicious file served is a variant of the Chanitor Trojan downloader, which initially had a very low AV detection rate.

Further analysis of the Trojan was made difficult by the extensive evasion tactics implemented by the author of the malware.

For one, the malware detects four sandbox solutions and exits without doing anything, so malware analysts had to use a live machine to test it. As it turns out, the malware lays dormant for 30 minutes before going to work. And even after it’s executed and starts a process called winlogin.exe, the process goes to sleep repeatedly “to wait out automatic sandbox analysis before starting to communicate on the internet.”

Another technique used by the malware to prevent sandbox analysis is to copy itself to another file on the disk and then rename that file back to winlogin.exe.