Pay the debt! – Malware Campaign Hits the Czech Republic

June 27, 2014

In the last few days, the Czech Republic and other European countries are once again targeted by a malware campaign that received a lot of attention in the Czech Republic,

Malware analyst and яeverse engineer

In the last few days, the Czech Republic and other European countries are once again targeted by a malware campaign that received a lot of attention in the Czech Republic, e.g. 1, 2, 3. This malware infection is delivered via an attachment of a randomly generated email. The email informs the recipient of a (fake) overdraft and threatened to repay it. The documents related to the debt are claimed to be attached within a zip archive.

From the victim’s point of view, this sample may look similar to ransomware such as CryptoLocker. In both cases, the attacker threatens a victim to pay money. However, in the case of ransomware, the attacker usually has control over the victim’s machine and files when the user is threatened. This is different to today’s case as the threat itself serves as the infection method. Indeed, the victim may violate security principles (see the conclusion at the end of this article) while being scared and execute the malware by mistake.

An example of such an email is illustrated below (in Czech). It contains a randomly generated name of the sender, email address, amount of debt (several thousands of CZK), contract ID, etc. Its content can be summarized as: “Dear user, pay the debt!”. At first sight, it may seem credible, but if we check it more thoroughly, we may notice missing words, multiple typos, usage of an incorrect decimal mark for the Czech standards, etc. It would be very possible though for the recipient of such an email may be scared and those inconsistencies may be overlooked in this situation.


The attached file is an archive with a random name containing an executable file, which represents a dropper that downloads another malicious file from the Internet.


The recipient may unwillingly execute this dropper while trying to display the contract in order to find out what’s going on with his money. A brief technical analysis of this file is described in the following text. We will focus on the Czech version of this malware (its MD5 checksum is 9126fef6fc226adef2e4a7a289d877e7), but it is very similar to the mutations in other languages such as a German one (its MD5 checksum is 3cd4da3c922279a963a639e284494270).

The file itself is obfuscated and packed to make its analysis harder. Nevertheless, it is possible to obtain an unprotected version of this malware quite easily and we were able to decompile it by using our Retargetable Decompiler.

The overview of the sample’s behavior is illustrated on the following call graph. As we can see, the sample is not very complex and we can describe most of its functionality in a deeper detail on decompiled code snippets.


At first, this sample uses a well-known technique to call standard Windows API functions indirectly by using the LoadLibraryA() and GetProcAddress() functions. In this way, the sample is able to call functions for online communication, such as WinHttpConnect(), WinHttpOpen(), or WinHttpReadData().

Afterwards, this malware extracts a chunk of binary data from its resource called DATA.


Then, it saves the data as a file with a random name of the following format:

The resulting file is another archive (in the Microsoft Cabinet format) and contains an RTF file representing a loan agreement between Vysocina Region and Jihlava Hospital Czech Republic.


We are still missing a reason why this particular document is attached, but we found out that this document is real and it can be found here. However, the original document was stored in the Microsoft doc format (doc); therefore, the malware author converted this document from the doc format to RTF. There are two reasons for such a conversion: (1) this particular RTF file is five-times smaller, which is important for easier distribution of the dropper. (2) RTF file can be displayed without Microsoft Office installed via the Microsoft WordPad application that is included with almost all versions of Microsoft Windows from Windows 95 onwards.


Note: the other language mutations contain different documents that also lack any connection to the victim. For example, the German version of this malware displays the following document:


Let’s get back to the Czech sample. It extracts the RTF file ZK-42123.rtf from this archive into a file with a name similar to %Temp%smlouva25.04.2013-signed_AC916514375936667.rtf. Afterwards, it displays this document by using the system viewer of RTF files, such as WordPad or Microsoft Office. At this point, the victim is confused about the text of this contract because it is not related to him. The usual reaction is closing of this document and deletion of the email. However, the malware sample remains active.

Afterwards, the malware checks if there is its another instance (by using a mutex called 77782916). It also tries to detect an active Internet connection by contacting the Windows Update site. In the next step, it becomes inactive for seven minutes, probably to lose the victim’s attention.

Function HttpRead() basically establishes a connection to a specified HTTP server and downloads the content via a GET request, e.g.

This function uses a custom UserAgent string acting as an Opera browser. Another interesting fact is that it uses a cn language tag, probably to mask itself as a Chinese request. However, this is not a valid language tag.

The final phase of this malware is the download and execution of the second malware’s part (password stealer) from a remote HTTP server. This particular file contains seven such locations; however, they are hard-coded in an XOR-encrypted form. Although this dropper is quite simple, the XOR key is not hard-coded in the sample as done in more sophisticated samples. Instead, this XOR key is assembled from multiple system-specific information: the first three bytes of the Windows calculator application and from the registry key containing text Winlogon. The resulting key is MZÉolonWngi.

After a decryption by using this XOR key, we are able to reconstruct all the remote locations, where the second phase of the malware is located. At the time of writing this article, most of these locations are still active.

Afterwards, the dropper downloads the file saver.tar.gz from one of this servers by using the aforementioned HttpRead() function. Disregarding the file’s extension, it is another executable file – a password stealing trojan (its analysis is not the focus of this article). As soon as this file is downloaded from one of these locations, it is renamed to %Temp%update_%RandomNumber.exe% and executed. After another five seconds, this downloaded file is deleted and the first part closes. The deletion of this file is only a question of covering its tracks. The dropped file is already installed on the infected machine and it is executed during every Windows startup.


In comparison with the other currently active threats, this malware sample does not contain any advanced techniques or zero-day exploits. Nevertheless, it is still quite successful in infecting victim machines by simple (but still very powerful) social engineering. In order to prevent such attacks, we can conclude the present article by the following rules:

  1. None of the legitimate banks will contact you via such an email. Important messages are delivered through the Internet banking, which is much more secure than email communication.
  2. Never open an executable file received from an unknown sender. Even better, do not open it even if it comes from a known person; he or she may be infected and spreading malware, too.
  3. Use an up-to-date AntiVirus (AV) solution such as AVG Internet Security. It is critical to keep automatic updates enabled to stay protected against the recent threats. Moreover, it’s not only about AV, but the other parts of such a solution will further increase the level of your protection. In this case, a properly configured firewall will not allow communication of the dropper with a remote server, the user will not be infected by the second part of the malware, and the dropper will simply end.

Jakub Kroustek
June 27, 2014