Menlo Labs has been tracking a malicious email campaign targeting employees of banks and financial services companies. The campaign, which appears to have been active in the U.S. and the UK since August, compromises PCs and other endpoints by tricking victims into clicking on malicious links to archive files. In all of the instances we’ve identified so far in this particular campaign, the archive files were either .zip or .gz files.
In all of these cases, the malicious payload was hosted on storage.googleapis.com, the domain of the Google Cloud Storage service that countless companies use. Bad actors may host their payloads on this widely trusted domain as a way to bypass security controls put in place by organizations or built into commercial security products. It is an example of the increasing use of “reputation-jacking”: hiding behind well-known, popular hosting services to avoid detection. In our most recent Annual State of the Web Report, which analyzed the top 100,000 domains as ranked by Alexa, we found 4,600 phishing sites hosted on legitimate hosting services.
These attackers may have chosen malicious links rather than malicious attachments precisely because the infection chain then spans both email and the web. Many email security products can detect malicious attachments, but identify malicious URLs only if those URLs are already in their threat repositories. Preventing such blended threats requires visibility into, and correlation across, both email and web traffic.
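The email-plus-web correlation the paragraph calls for, as an added example (not code from the original post or from Menlo): a small Python script records archive URLs on trusted hosting domains that arrive by email and raises an alert when the same recipient later fetches that URL through the web proxy. The proxy log format, the two extra trusted domains, the sample messages and the user names are all constructed for this illustration; storage.googleapis.com, the .zip/.gz extensions and the "SWIFT COPY" subject line come from the campaign described here.

```python
"""Correlate e-mail-delivered URLs with web proxy fetches to flag archive downloads
from otherwise trusted hosting domains (added example with constructed data)."""
import re
from urllib.parse import urlsplit, unquote

# Hosting domains an enterprise usually allows outright. storage.googleapis.com is
# the one seen in the campaign; the other two are assumptions added for illustration.
TRUSTED_HOSTING = {
    "storage.googleapis.com",
    "drive.google.com",            # assumed
    "dl.dropboxusercontent.com",   # assumed
}
# .zip and .gz are the archive types seen in the campaign; .rar and .7z are assumed extras.
ARCHIVE_EXT = (".zip", ".gz", ".rar", ".7z")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Proxy log lines are space-separated key=value pairs (a constructed format, not a
# specific product's).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def normalize(url):
    """Return (host, path) with the host lower-cased, %-escapes decoded, query dropped."""
    parts = urlsplit(url.strip())
    return (parts.hostname or "").lower(), unquote(parts.path)


def is_archive_on_trusted_host(url):
    """True when the URL points at an archive file hosted on a trusted hosting domain."""
    host, path = normalize(url)
    return host in TRUSTED_HOSTING and path.lower().endswith(ARCHIVE_EXT)


def parse_proxy_line(line):
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def correlate(email_records, proxy_lines):
    """Alert when a user fetches an archive-on-trusted-host URL that was e-mailed to them.

    Matching on (recipient, host, path) ties the web fetch back to the delivering
    message, which neither an e-mail gateway nor a proxy can do on its own.
    """
    delivered = {}
    for rec in email_records:
        for url in URL_RE.findall(rec["body"]):
            if is_archive_on_trusted_host(url):
                host, path = normalize(url)
                delivered[(rec["recipient"], host, path)] = rec
    alerts = []
    for line in proxy_lines:
        f = parse_proxy_line(line)
        if "url" not in f or "user" not in f:
            continue
        host, path = normalize(f["url"])
        rec = delivered.get((f["user"], host, path))
        if rec is not None:
            alerts.append({"user": f["user"], "url": f["url"], "time": f.get("ts"),
                           "sender": rec["sender"], "subject": rec["subject"]})
    return alerts


# Constructed sample data: the subject line is one the campaign used; senders,
# bucket names and user names are invented.
SAMPLE_EMAILS = [
    {"recipient": "alice", "sender": "payments@supplier.example", "subject": "SWIFT COPY",
     "body": "Swift copy for your records: https://storage.googleapis.com/inv-8831/Swift%20invoice.zip"},
    {"recipient": "bob", "sender": "news@vendor.example", "subject": "Weekly digest",
     "body": "Read it at https://storage.googleapis.com/news-site/digest.html"},
]
SAMPLE_PROXY = [
    "ts=2018-08-14T10:02:11Z user=alice url=https://storage.googleapis.com/inv-8831/Swift%20invoice.zip status=200",
    "ts=2018-08-14T10:05:40Z user=bob url=https://storage.googleapis.com/news-site/digest.html status=200",
    "ts=2018-08-14T10:09:02Z user=carol url=https://storage.googleapis.com/inv-8831/Swift%20invoice.zip status=200",
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EMAILS, SAMPLE_PROXY):
        print(f"{a['time']} {a['user']} fetched {a['url']} (mail from {a['sender']}, subject {a['subject']!r})")
```

Only alice's fetch is alerted. Carol downloads the same archive, but no message to her was observed, so the correlation cannot attribute it; a second, lower-confidence rule could flag any archive download from a TRUSTED_HOSTING domain, at the cost of noise from routine file sharing on those same domains. Bob's fetch of an HTML page from the same bucket namespace is ignored, which is the point of keying on archive content rather than on the domain alone.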
The following malicious files were used by the attacker as first-stage droppers.
Technical and Campaign Analysis
The following figure depicts the different email addresses that the bad actors used to send the malicious emails. Some were created specifically for this activity, while others are likely legitimate accounts that were compromised and hijacked.
Emails used once:
Email used more than once:
One of the email addresses was used multiple times. All of the others were used only once.
The following are URLs and payloads from the campaign for which we could not ascertain the originating email address:
The attackers used two types of payloads to compromise the endpoints: VBS scripts and JAR files. The VBS scripts we analyzed were heavily obfuscated and were most likely generated by one of the kits widely available to bad actors, which automate the creation of malicious documents and scripts.
Consider these three examples:
- Transfer invoice.vbs
- Bank slip.vbs
We believe these VBS scripts were created with the same kit: all three appear to belong to the Houdini malware family, which we have researched previously, and they share the following traits:
- The scripts are highly obfuscated with three nested levels of obfuscated VBScript.
- All the scripts are encoded using Base64 encoding.
- All three scripts talk to the same CnC domain, pm2bitcoin.com.
- The string “<[ recoder : houdini (c) skype : houdini-fx ]>” appears in the last level of obfuscated VBScript.
- fud.fudcrypt.com is used as a secondary CnC address in all the scripts.
- In addition to executing the embedded VBScript, the script downloads a JAR file from http:/rccgovercomersabuja.org/jre.zip.
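The traits listed above suggest how such a sample can be triaged. The following Python is an added example (not Menlo's tooling and not the kit's real output): it repeatedly locates the largest Base64 blob in a script, decodes it, treats the result as the next layer, and then checks the unpacked text for the Houdini marker string and for contacted domains. The layer layout, the hypothetical Decode helper and the VBScript lines around the marker are assumptions constructed for the example; the marker string and the two CnC domains are the ones reported above.

```python
"""Peel nested Base64 layers off an obfuscated VBScript dropper and pull out indicators.
Added example; the layer layout is a simplified assumption, not the kit's real format."""
import base64
import re
import string

HOUDINI_MARKER = "<[ recoder : houdini (c) skype : houdini-fx ]>"
# A contiguous Base64 blob of at least 40 characters with optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Hostname-like tokens ending in a handful of TLDs; enough for triage, not a full parser.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|org|net|info|biz|ru|cn|io)\b", re.I)
PRINTABLE = set(string.printable)


def try_decode_layer(text):
    """Decode the longest Base64 blob in `text` that yields printable text, else None."""
    best = None
    for m in B64_RE.finditer(text):
        blob = m.group(0)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            decoded = raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        # The printable-text check keeps a long alphanumeric token (a key, a hash)
        # from being mistaken for an embedded script layer.
        if decoded and all(c in PRINTABLE for c in decoded):
            if best is None or len(decoded) > len(best):
                best = decoded
    return best


def peel_layers(script, max_depth=10):
    """Return the layers outermost first; stops when no Base64 blob decodes to text."""
    layers = [script]
    while len(layers) <= max_depth:
        nxt = try_decode_layer(layers[-1])
        if nxt is None:
            break
        layers.append(nxt)
    return layers


def extract_indicators(script):
    """Peel all layers and report the layer count, family marker and contacted domains."""
    layers = peel_layers(script)
    text = "\n".join(layers)
    return {
        "layers": len(layers) - 1,   # number of Base64 wrappers removed
        "houdini_marker": HOUDINI_MARKER in text,
        "domains": sorted({d.lower() for d in DOMAIN_RE.findall(text)}),
        "final_layer": layers[-1],
    }


def wrap_layer(inner_script):
    """Wrap a script in one Base64 layer. The `Decode` helper name is hypothetical."""
    blob = base64.b64encode(inner_script.encode("utf-8")).decode("ascii")
    return 'Dim payload\npayload = "%s"\nExecute Decode(payload)\n' % blob


# Constructed final-stage payload: the marker string and CnC domains are the ones
# reported for the campaign; the surrounding VBScript lines are invented.
INNERMOST = (
    "' " + HOUDINI_MARKER + "\n"
    'host = "pm2bitcoin.com"\n'
    'backup = "fud.fudcrypt.com"\n'
    'Set sh = CreateObject("WScript.Shell")\n'
)
# Three Base64 wrappers, matching the three nested levels described above.
SAMPLE_SCRIPT = wrap_layer(wrap_layer(wrap_layer(INNERMOST)))

if __name__ == "__main__":
    info = extract_indicators(SAMPLE_SCRIPT)
    print("layers removed:", info["layers"])
    print("houdini marker:", info["houdini_marker"])
    print("domains:", ", ".join(info["domains"]))
```

Real kit output rarely leaves the Base64 as one contiguous literal: it splits strings, concatenates them with &, reverses them or interleaves junk characters, so an analyst would normalize those constructions (or run the sample in a sandboxed Windows Script Host with Execute hooked to log its argument) before the regex pass. None of the marker, domains or the JAR download URL is visible in the outer layer, which is why a static scan of the delivered file alone misses them.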
Of the JAR files we identified, we believe one file (Swift invoice.jar) belongs to the Houdini/jRAT malware family. We reached this conclusion because it communicated with pm2bitcoin.com. The other JAR files are still being investigated, and we believe they belong to the Qrat malware family. A detailed analysis of these other JAR files will be provided in part two of this blog post.
The Financial Services vertical continues to be a very attractive target for attackers, and Remote Access Trojans (RATs) play an important role in gaining control over a compromised machine within an enterprise. Unlike botnet clients, RATs are modular and give attackers interactive access to compromised machines, on which they can remotely run commands. This lets the attackers conduct reconnaissance of the network and adapt their tools, techniques, and procedures to their goals, rather than relying on a fully automated botnet with a fixed set of features. Novel ways of gaining endpoint access continue to be developed, and Financial Services companies can expect to be the target of even more sophisticated malware and credential phishing attacks.
Appendix: Indicators of Compromise
- Target Industry
  - Finance & Banking
- Locations Targeted
  - U.S., UK
- Email Subject Lines Used
  - Re-Confirm Details
  - SWIFT COPY
  - Transaction slip
  - bank transfer
  - bank slip
- Malicious URLs Sent via Email
- Second-Stage Downloader URLs
- CnC Domain
  - pm2bitcoin.com
  - fud.fudcrypt.com (secondary)