Amphitryon : The Spam Blog (Splog) Supportive Malware
Amphitryon gains entry through a macro and redirects affected users to spam blog sites that are solely created to increase advertisement revenues and website rankings.
Amphitryon infects a system through a seemingly harmless MS Office document. When you open this malicious document, it can access your information on the computer and send this data to specific websites. This is one part of its two-fold agenda. The other agenda is to redirect affected users to specific splog sites. By doing so it boosts the advertisement revenue of such splog sites and increases the splog site’s ranking in search results.
About the Threat
Malware attacks are evolving and adapting new revenue generating schemes and Amphitryon is a classic example of this.
Amphitryon uses the typical trojan mode of entry through an infected MS Office document. This mode of entry is preferred due to the simple reason that it can slip through conventional anti-virus softwares because it is identified as a macro and not malicious code.
The attack uses social engineering tactics to make the document appear legitimate by disguising it as a sales invoice or a tax-refund or something that is equally genuine sounding. This tricks users into downloading the file and enabling the macro.
When an unsuspecting user, opens an infected file, and if the macros are enabled, it downloads the actual payload through complex manoeuvres and obfuscation. This payload contains script that executes certain functions like –
Make the malware persistent in the infected machine.
Gather information and track processes running on the machine and exfiltrate it to a specific URL.
Redirect users to Splogs.
The last functionality of Amphitryon is what makes it interesting. Splogs or Spam Blogs are specifically created to generate revenue by displaying advertisements. Another purpose can be to increase the number of visitors and artificially raise the website’s ranking in search results for certain keywords.
Splogs usually contain little or no information about its author. Most of the time, the author's information is fake and the content is plagiarised from other blogs and websites. Splogs contain excessive links to one or multiple affiliate sites with affiliate code in the links. Some may also contain links to unethical or illegal websites.
Blogs are also now becoming a means of spreading malicious code and key-logging software, offering an obvious backdoor opportunity for unknown exploits to invade legitimate sites.
One of the basic precautions that can ensure protection against Amphitryon is to disable macros on all MS Office products as a default.
SecneurX's Analysis of the Modus Operandi
Security Analysts at SecneurX studied the artifact with the following SHA256,
This sample of the Amphitryon Malware is a docx file obtained from a spam mail attachment. When the user opens it and enables macros, the following actions take place:
On enabling macros, an obfuscated VBA script runs. This script downloads and executes an obfuscated payload from C2. The decoded string (aHR0cDovL240MDI4Y2h1Lm15d2ViY29tbXVuaXR5Lm9yZy9kLnBocA) contains the C2 =>hxxp://n4028chu[.]mywebcommunity[.]org/d[.]php
Figure 1: Decoded string with the C2 URL
An obfuscated payload is then downloaded from C2. This payload contains script to make the malware persistent in the infected machine. It executes malicious functionalities like gathering information and tracking processes running on the machine and sending it to a specially crafted POST URL hxxp://tom0342[.]getenjoyment[.]net/info.php?ki87ujhy=C:\Program%20Files%20(x86)&rdxvdw=C:\Program%20Files
Figure 2: Communication with the specially crafted Post URL
Figure 3: Communication with the specially crafted Post URL
An obfuscated Splog link is also embedded In the same payload.
Figure 4: The string with the splog link
aHR0cHM6Ly9SVk0wNUVhM2hQVkZGNFRVUm5QUS5ibG9nc3BvdC5jb20vMjAyMS8wOS8xLmh0bWw decodes to => hxxps://rvm05ea3hpvff4turnpq[.]blogspot[.]com/2021/09/1.html, which is a splog.
Indicators of Compromise
1fa666df000dda08a490[.]blogspot[.]com 80b1d58755587a0e3287aa11ce472bc657ddc4b5a11ab7347ad058644db9973f 37e0d8519389f35a04c667fa79ab170df86b887557fecfc81dde7ff0b77da729