How hackers can make variations within one campaign – as seen in a recent customer attack we blocked.
On Wednesday, 3.21.2018, one of our customers received a series of malicious emails across their organization. While it is not clear whether the attacks were coordinated, they appeared to be part of a larger campaign run by criminals seeking financial profit. Our platform blocked every one of these attempts before they reached the end user; had they gotten through, the varying methods used could easily have tricked someone.
The attackers started the campaign with a simple attempt to send an executable file to several employees in the organization. After failing the first time, they progressively enhanced their techniques, adding complexity in order to bypass traditional cyber security solutions.
Here is a brief overview of each step in the campaign:
While sending a “.exe” file as an email attachment is prohibited by most email servers, sending it inside an “.iso” file is apparently allowed (specifically in Office365). This requires minimal effort from the attackers, and since Windows 10 automatically mounts an ISO file as a virtual DVD drive, it is very easy for an unskilled user to run the file. Once the user runs the file, it installs a malicious trojan on their computer.
In the screenshot of the original email below, you can see that the file name tries to look like a PDF and that the email pretends to be a DHL package notification.
Similar emails were sent to several employees within a short period of time, all attempting to deliver a variant of the same executable file. Here are the hashes of such ISO and EXE files:
On the same day, we encountered the exact same trojan files at another customer where we were conducting a trial, indicating a possible widespread campaign.
After a few unsuccessful attempts with the first technique, the attackers switched to a link instead of an attachment to deliver the malicious trojan. Again, the email posed as a package tracking notification allegedly sent by DHL, and it contained a link to a fake receipt in the form of a .doc file.
Analyzing the doc file, we found that it includes a VB macro script designed to be invoked automatically as soon as the victim opens the document in Microsoft Word. It was easy to tell that this macro script is suspicious, because it was fully obfuscated.
Code obfuscation is, basically, the use of programming language features such as string manipulation or mathematical operations to hide malicious code by making it scrambled, unclear and unreadable. Sometimes the goal is simply to make the code harder for human researchers to understand.
More importantly, it is used to prevent static engines from detecting the malicious patterns in the code, such as new process execution, file dropping, registry operations and other exploitation techniques.
At the time the email was sent, the document was detected by only 3 of 60 static engines on VirusTotal, which tells us that the obfuscation was pretty successful. This shows once again that code obfuscation techniques easily bypass detection engines based on static analysis.
A snippet from the original obfuscated macro script:
Under all of the aforementioned obfuscation, this macro script extracts an encrypted PowerShell command, which runs an executable file downloaded from a remote HTTP server. Analysing this file reveals that it is a trojan called Emotet, designed to collect financial information from the infected computer.
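As an added example (not code from the original post or from Perception Point's platform), the following Python pass shows why keyword matching on the raw macro text misses what a simple string-folding step reveals: it folds Chr(), StrReverse() and "&" concatenation in a constructed macro fragment (the sample macro, the keyword list and the auto-exec names are my own assumptions) and compares indicator hits before and after folding.

```python
import re

# Constructed sample of an obfuscated Word macro (not the script from the campaign):
# "powershell" and "WScript.Shell" are hidden behind Chr() and StrReverse().
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim q As String, s As String
    q = Chr(112) & Chr(111) & Chr(119) & "er" & Chr(115) & Chr(104) & Chr(101) & Chr(108) & Chr(108)
    s = StrReverse("llehS.tpircSW")
    Set o = CreateObject(s)
End Sub
'''

# Auto-invoked entry points and keywords a static engine would look for (assumed list).
AUTOEXEC = re.compile(r"\b(AutoOpen|Document_Open|AutoExec|Workbook_Open)\b", re.I)
KEYWORDS = ("powershell", "wscript.shell", "createobject", "urldownloadtofile")

def _fold_chr(expr):
    # Chr(NN) -> "x"; Chr(34) (a double quote) is left alone so quoting stays valid
    def repl(m):
        c = chr(int(m.group(1)))
        return '"%s"' % c if c != '"' and c.isprintable() else m.group(0)
    return re.sub(r"Chr\((\d+)\)", repl, expr, flags=re.I)

def _fold_strreverse(expr):
    # StrReverse("abc") -> "cba"
    return re.sub(r'StrReverse\("([^"]*)"\)', lambda m: '"%s"' % m.group(1)[::-1], expr, flags=re.I)

def _fold_concat(expr):
    # "ab" & "cd" -> "abcd", repeated until no adjacent literals remain
    prev = None
    while prev != expr:
        prev = expr
        expr = re.sub(r'"([^"]*)"\s*[&+]\s*"([^"]*)"', lambda m: '"%s%s"' % (m.group(1), m.group(2)), expr)
    return expr

def deobfuscate_strings(macro):
    """String literals visible after folding Chr/StrReverse/concatenation."""
    folded = _fold_concat(_fold_strreverse(_fold_chr(macro)))
    return re.findall(r'"([^"]*)"', folded)

def analyze_macro(macro):
    """Compare keyword hits on the raw text with hits after string folding."""
    raw = macro.lower()
    folded = raw + " " + " ".join(deobfuscate_strings(macro)).lower()
    return {
        "autoexec": bool(AUTOEXEC.search(macro)),
        "raw_indicators": sorted(k for k in KEYWORDS if k in raw),
        "folded_indicators": sorted(k for k in KEYWORDS if k in folded),
    }
```

Real-world macros chain many more tricks (variable indirection, Split/Join, arithmetic on character codes), so a folding pass like this is a triage aid, not a replacement for sandbox detonation.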
The executable hash is f759bedc1953d63c131d1cbbf641ceb1.
Some of the servers from which the exe files are downloaded are:
One day after the previous incidents, the same customer received an email from a fake source pretending to be DocuSign. A Word document was attached to this email, and once again it contained an obfuscated macro script that downloads and executes another banking trojan.
The executable hash is 4598fe6c73be9f241006dfb35a76704a, and it is probably a variant of Trickbot (a banking trojan).
“Integrating Perception Point’s platform into our Office365 instance was quick and seamless with absolutely no impact to our email delivery service levels, and in less than a month they’ve already blocked a potentially damaging attack that could have easily tricked our users and caused a serious disruption. It’s rare that I see immediate returns that quickly”
James Rutt, CIO/CISO Dana Foundation.