Overview.

Attackers are always evolving in their pursuit to keep trying to bypass security vendors and get to the end-user, using many creative techniques to achieve this. Recently, Perception Point’s platform intercepted a unique, 3-stage attack that uses multiple evasion techniques, in order to infiltrate the targeted organization. In this post, we will present the complex attack and how Perception Point’s unique engines prevented it.

The Attack.

The attack is based on 3 stages with each stage using evasion techniques and target a US-based enterprise. Each stage has its own purpose and role, in order to trick the end-user and make them to step-by-step act wrongfully.

Stage One: Leveraging a Cloud Storage Platform

The attack starts with a phishing email that impersonates Dropbox, a leading cloud storage platform. The disguise is comprised of:

  • Domain spoofing
  • Usage of a logo
  • Overall design of Dropbox’s email templates

But the interesting part is actually related to where the payload is stored. The email itself doesn’t include any malicious payload on its own – but only a legitimate link that later points to a malicious piece of content (a file). This first level of evasion will successfully bypass most email security, vendors.

Screenshot of the original email

Stage Two: The Intermediate File

Once the user clicks on the link, a Dropbox link is opened – This is a real clean Dropbox domain. As with any Dropbox sharing, there is a button to download a file. This means that the email security solution needs to somehow click that link, download the file, and then scan it with their detection engines.

Screenshot of Dropbox download page

Once the end-user clicks on the download button, a PDF is downloaded. The file its self does not have a malicious payload. However, as can be seen below, once opened, the document requires the end-user to log-in to open the contents.

Screenshot of the file once opened

Stage Three: The Phishing Form

One would expect the file to be the final stage of evasion, but you’re in for a surprise. The attacker took another step to ensure the success of the attack. Instead of creating a simple Microsoft login page to steal the user’s credentials, he chose to create it as a Google Form. This means that the page is a “legitimate” form which can be created in Google freely, without any limitation and without any security solution “blacklisting” docs.google.com. Google is aware of the fact that many security solutions cannot prevent these attacks, as such, they even inserted a warning about this option (“never send passwords using google forms”). With Perception Point, we can also detect this trick, as is explained below.

Screenshot of the phishing page using Google Forms

How Perception Point Prevented the Attack.

In the screenshot below, taken from our X-Ray viewer, we see that the attack was caught by the Threat Intelligence and Anti-phishing layers. But, before that, we had our “secret sauce” in action – the “Recursive Unpacker”. We uncovered the attacks using the following technologies:

  • The Anti-evasion Layer:
    At the end of the 3-stage deep attack, there is a phishing attack but in order to find it, you need a strong anti-evasion layer that identifies the deeply concealed payload. As you can see below, our anti-evasion layer successfully tracked the entire path to find the malicious content and flagged it in the system. This unique capability is a result of advanced R&D effort and is unique to Perception Point in order to extract any hidden payload or attack technique.
  • The Threat Intelligence Layer:
    Perception Point manages a large Threat Intelligence database that identifies any known specific attacks as well as attack techniques, that are updated by the minute from worldwide sources. In this case, our Threat Intelligence layer identified many indicators that seemed suspicious to our system, and based on advanced mechanisms the mail was deemed malicious.

  • The Anti-phishing Layer:
    This layer includes several different engines and unique algorithms, including ones leveraging image-recognition. These algorithms identify any attempt to impersonate both general-abused brands, as well as niche brands. In this case, we see how the phishing identified that the Google Form was actually an attempt to look like Office365 log-in page and trying to steal credentials.

IOC’s:

  • Subject: Hu Zhengguo sent you “Audit_Review_9.pdf”
  • Sender: Dropbox <no-reply@dropbox.com>
  • IP: 54.240.60.149
  • Phishing URL: https[:]//docs.google[.]com/forms/d/e/1FAIpQLSfhYAN86rffb2mKjGZQM8lkq5_dgR1jKvSKUxTVCzvuij4fXA/viewform