FlowerPippi Description

The cyber-criminal group TA505 launched a new campaign in July 2019. This campaign deployed two malicious "downloader" tools on systems in some countries. The first one detected was dubbed FlowerPippi, and in researching the technique used to distribute it, the second malware (Gelup) was also discovered. Both pieces of malware were packaged using similar tools known to be employed by TA505. The FlowerPippi Malware is a backdoor and a malware downloader. It is more of a standalone tool and has not been observed to have the more advanced features of Gelup. The name "FlowerPippi" comes from an "unused string" in the malware that reads "pipipipip."

Why You Should Avoid Being Infected by the FlowerPippi Malware

The FlowerPippi Malware is a C++ based downloader or "backdoor" malware. It gains access to a system and is then controlled by a Command and Control (C&C) server. It does not have features to "AutoRun" anything; rather, it simply downloads whatever payload its operators want placed on the infected system. The FlowerPippi Malware is being distributed using spam emails containing .doc and .xls attachments. These documents carry malicious Visual Basic for Applications (VBA) macros. When someone opens one of these attachments, the macro runs and attempts to infect the system with the FlowerPippi Malware.

How the FlowerPippi Malware Works

The FlowerPippi Malware compromises a system by collecting some information about the current user or account and sending it to its C&C server. As part of this collection, it uses the "FNV-1a" hash algorithm to generate a victim ID from the MAC address of the targeted system. When it connects to the C&C server for the first time, it sends the collected information as a URL-encoded string, encrypted with the "RC4" encryption algorithm.

The C&C server sends back the primary commands, which can include:

  • Download and save an executable in %temp%\.exe, then execute it and delete it.
  • Download and save a DLL in %temp%\.dll, then load it via LoadLibrary and delete it.
  • Run an arbitrary command.
  • Delete itself via a bat file.
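
The first two commands leave a recognizable sequence on the host: a file written under %temp%, executed or loaded, then deleted. The following detection logic is an added example, not code from the original write-up; the event tuple layout, the sample paths and the 300-second window are assumptions, and the sample events are constructed.

```python
import ntpath

# Constructed sample telemetry (not from a real incident), shaped like
# normalized EDR/Sysmon events: (timestamp_seconds, event_type, path).
TEMP = r"C:\Users\bob\AppData\Local\Temp"
SAMPLE_EVENTS = [
    (100, "file_create", TEMP + r"\a1b2.exe"),
    (102, "process_create", TEMP + r"\a1b2.exe"),
    (109, "file_delete", TEMP + r"\a1b2.exe"),
    (200, "file_create", TEMP + r"\c3d4.dll"),
    (201, "image_load", TEMP + r"\C3D4.DLL"),    # case differs on purpose
    (203, "file_delete", TEMP + r"\c3d4.dll"),
    (300, "file_create", TEMP + r"\setup.exe"),  # run but never deleted
    (305, "process_create", TEMP + r"\setup.exe"),
    (400, "file_create", r"C:\Tools\x.exe"),     # full chain, not in Temp
    (401, "process_create", r"C:\Tools\x.exe"),
    (402, "file_delete", r"C:\Tools\x.exe"),
]

# Event that counts as "used" for each dropped file type.
RUN_EVENT = {".exe": "process_create", ".dll": "image_load"}

def find_drop_run_delete(events, window=300):
    """Return (path, ext) for Temp files created, then run or loaded,
    then deleted, in that order, within `window` seconds of creation."""
    state = {}  # normalized path -> (stage, creation timestamp)
    hits = []
    for ts, kind, raw in sorted(events):
        path = ntpath.normpath(raw).lower()
        ext = ntpath.splitext(path)[1]
        if ext not in RUN_EVENT or "temp" not in path.split("\\")[:-1]:
            continue
        if kind == "file_create":
            state[path] = ("created", ts)
            continue
        stage, t0 = state.get(path, (None, ts))
        if stage is None or ts - t0 > window:
            state.pop(path, None)  # no creation seen, or chain too slow
        elif stage == "created" and kind == RUN_EVENT[ext]:
            state[path] = ("ran", t0)
        elif stage == "ran" and kind == "file_delete":
            hits.append((path, ext))
            del state[path]
    return hits

if __name__ == "__main__":
    for path, ext in find_drop_run_delete(SAMPLE_EVENTS):
        print("drop-run-delete:", ext, path)
```

Legitimate installers and updaters also unpack into Temp, so treat a hit as a lead to triage alongside the parent process (for example, an Office application) rather than as a verdict.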

How to Protect Yourself from the FlowerPippi Malware

The FlowerPippi Malware is being distributed using a spam campaign targeting systems in the Middle East, Japan, India, the Philippines and Argentina. These spam emails can be sent to you by an account spoofing a known contact and usually contain a short message like "PFA Invoices & DOs FOR YOUR REFERENCE." The spam email contains an MS Office document named something like "Invoice-5601.doc."

To keep your system safe and clean, never download or run any attachment unless you are certain where it came from. Additionally, double-check sender email addresses when downloading an attachment, and make sure the attachment makes sense in the context of the email. Sometimes malware on the sender's system can attach files to their emails without them noticing.

Keep regular backups of your important files. An infected system has little chance of ever being "cleaned" completely and therefore may need a system reset, formatting, or restore (from a backup) to get rid of the malware. In this case, having a periodic backup of your files is critical, as copying over an infected file to a clean system will likely end up infecting the new system.