Microsoft Publisher files spread backdoor to steal corporate data, Bitdefender warns

A targeted spam wave is infecting Windows computers with a backdoor capable of stealing sensitive corporate information from medium and small-sized businesses.

Bitdefender antispam researchers have identified a couple of thousand emails containing .pub attachments posing as orders and invoices for products. The email senders impersonate employees from small and medium-sized businesses from the UK and China, as well as other legitimate companies.

pubspam3Recipients are advised to open the files with Microsoft Publisher, a paid desktop publishing software application embedded in Microsoft Office 365. It’s commonly used as an editor and layout tool for creating leaflets, postcards, newsletters, e-mail newsletters or greeting cards.

.Pub is not your typical file format to host malware,” says Adrian Miron, Head of Antispam Lab at Bitdefender. “Spammers have chosen it because people don’t usually associate this type of file with the possibility of infection.”

The .pub file contains a script (VBScript) that embeds a URL acting as a remote host. From this location, the malware downloads a self-extracting cabinet file containing an AutoIt script, a tool to run the script and an AES-256 encrypted file. The cyphered file can be decrypted using a key derived from the MD5 of a text written in the AutoIt file, antimalware researchers noticed.

vbs_initial_deobfuscat

Fig. 1 Deobfuscated VBScript

autoit_decrypt_code_snippet

Fig. 2 Decoded AutoIt script with MD5 for decryption key

Once the file is decrypted and installed, attackers have backdoor access and can control resources on the compromised computer. The malware can memorize keystrokes to record passwords and usernames, steal login information from browsers or emails, view system data and take other intrusive actions.

 “We have reason to believe that the stack originates from Saudi Arabia and the Czech Republic,” Miron adds.

Bitdefender detects and blocks the .pub file as W97M.Downloader.EGF and the backdoor paypload as Generic.Malware.SFLl.545292C0.

 MD5: 8bcaf480f97eb43d3bed8fcc7bc129a4

To stay protected from this type of threats, Bitdefender advises companies to install a robust anti-spam filter. Users should avoid opening and downloading suspicious email attachments from unsolicited sources.

Technical analysis courtesy of Alexandru RUSU, Antimalware Researcher at Bitdefender and Adrian MIRON, Head of Antispam at Bitdefender.

Leave a Reply

Your email address will not be published.