Perception Point uncovered a phishing campaign that leverages a sophisticated impersonation technique to trick users. The main aspect of the technique is hijacking a legitimate user’s email account in order to deliver malware as a part of the response to an existing email thread.

Technique Analysis.

One of our customers received an email with a malicious document attached to an existing thread in order to seem like a legitimate email. At this customer, Perception Point is configured to scan only items that are cleared by Proofpoint and in this case, Proofpoint missed the hijacking attempt and the malicious file. Our platform is uniquely able to x-ray this technique at a level that sandboxes or CDR’s cannot – below are the key findings.

  • An attempt to hijack email accounts as a part of a response to an existing thread.
  • An attempt to evade AVs and sandboxes by using several advanced techniques.
  • An attempt to run malware in the form of an executable file.

Email Analysis.

  1. The malicious email seems to be a regular reply to an existing thread between an employee in an organization protected by Perception Point and an external person.

  2. The attacker attaches to the email a malicious document that leverages social engineering to manipulate the user into opening it.

  3. Upon closer inspection, it is clear that the attacker reached the *.eml file from one of the SMTP servers that was used to send the email and sent a new reply with the malicious document from a local SMTP server.

  4. Normally with spam campaigns “Return-Path” or “Reply-To” headers are spoofed, but with this campaign, there is no spoofing.

  5. Unlike other solutions, Perception Point does not make any assumptions regarding a “trusted sender”, even if a conversation over email between two people is ongoing. Our solution scans every email with all layers of protection, even if it is in response to an existing thread.

    The malware score at Proofpoint is 0

Attachment Analysis.

  1. The first stage is a doc file with a Macro that promotes a cmd and PowerShell to download the payload. The second stage is creating persistence on the end user’s system and executing the payload.

    The docx file as viewed by Perception Point’s platform
  2. The obfuscated Macro script from the file:

    The PowerShell script that promoted by the Macro
  3. The script continues and creates persistence by using a registry the attacker configured to use a predefined key called ”HKCU\Software\Microsoft\Windows\CurrentVersion\Run” to eventually load by default after the machine is rebooted.

    The persistence has been setted

Executable File Analysis.

  • As part of the analysis, we scanned the file in VirusTotal to see if this is known malware in the industry. We found out that the file is already known and identified as “malicious​​” in the VirusTotal engines

    File hash: 4ed5541128d2d36d7a256422a8a987da61f2e5a75ff86468bc8bb36e6354e51a

No such thing as a “Trusted Sender”.

This attack evades mainstream email security solutions by leveraging the “trusted sender” designation. Solutions like Proofpoint filter out “trusted sender” emails as these solutions aren’t able to scan all incoming mail due to speed and scale issues, and therefore don’t scan emails that are highly likely to be clean. However, in a world where attackers can impersonate legitimate users, there is no such thing as a “trusted sender”. Perception Point’s platform is able to scan every single email thanks to our cloud deployment and ultra-fast scanning times, so no sender, even if they are known, is considered “trusted”.