The other day, I got this cryptic email. It read:
From: Wayne Millbrand <email@example.com>
Date: 03/27/2017 2:23 PM (GMT-05:00)
Good day to you!
I have a rather delicate issue, which touches directly to you. Don’t be surprised how do I learned about you! The fact is that I have got already a second letter from the person, I do not know which asserts that you are fraud involved. He insists, that you forced him transfer funds on your PayPal account under fictional reason. However,with this information he pointed out your private data up to address:
First Last Name
State (with capitalization error)
Now he is collecting information and planing to contact the police. I advise you to view the information that he sent to me. I have attached Fine.doc with a copy of all of his messages.
Document was password-protected – 4299
Please explain to me what’s happening. I hope that all of this is a silly misunderstanding.
Based on the fake email address and the tell-tale Anguished English, I concluded that this was just another phish.
I usually delete these emails promptly, but this one had an interesting component: it came with a password-protected MS Word document. This is somewhat unusual, because such campaigns typically expect you simply to open the attachment and trigger the payload immediately.
So it appears that the attack strategy was to:
- Send a threatening email
- Add some publicly available information about the recipient to make it look genuine
- Encrypt the document in order to hide the payload from an anti-virus scanner
- Provide the password in the email to allow the user to open and decrypt the file
- Activate the payload in the MS Word document and infect the user’s machine
Inside the encrypted Word document, I found the following API declarations, variable declarations (with obviously randomized names), and code:
' Variable declarations from the macro, with the random five-letter names exactly as found in the document
Dim wyqud As String
Dim zdwie As Long
Dim rufhd As Long
Dim bldos As Integer
Dim mufid() As Byte
Dim kmvbf As Long
Dim dfety As Long
Dim bvjwi As Long
Dim wbdys As Long
Dim dvywi(256) As Byte
Dim wdals As Long
Dim dwiqh As Long
API Declarations and Variables
This seems to be a variation on an old theme: as soon as the user opens the file, the routine downloads a file from one of these two sources, the second serving as a backup:
h t t p://adenzia.ch/_vti_cnf/bug.gif
h t t p://kingofstreets.de/class/meq.gif
The macro is quite sophisticated: if the download fails, it can even prompt the user to disable their firewall. Both GIFs, despite having a proper header block and some genuine image data, actually carry the encoded malware.
The macro uses a subroutine to extract the executable binary from the downloaded GIF. It stores the binary in a temporary file, appends an “exe” extension, and then executes it via the Windows shell function ShellExecuteA in order to install additional malware. In this case, it was ransomware that encrypted the Documents folder.
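The GIF trick described above (a valid image header followed by the real payload) can be caught on the gateway or the disk without ever running the macro. The following Python is an added example, not code from the original post: it walks the GIF block structure to find where the image really ends, reports any overlay appended after the 0x3B trailer, and checks whether that overlay is a raw PE executable. The sample GIF and the fake PE stub are constructed here; an encoded payload like the one in this campaign shows up as an opaque overlay rather than as a PE, which is still worth an alert.

```python
import struct

# Constructed samples (not files from the original post): a 1x1 GIF89a, then two polyglots.
CLEAN_GIF = (b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00"   # header, no color table
             + b"\x2c" + struct.pack("<HHHH", 0, 0, 1, 1) + b"\x00"      # image descriptor
             + b"\x02\x02\x44\x01\x00\x3b")                               # LZW data, end, trailer
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16
POLYGLOT_GIF = CLEAN_GIF + FAKE_PE             # raw executable appended to the image
ENCODED_GIF = CLEAN_GIF + bytes([0xAA]) * 40   # opaque (e.g. XOR-encoded) blob appended

def gif_logical_end(data: bytes) -> int:
    """Offset just past the 0x3B trailer; malformed/truncated input raises ValueError/IndexError."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    flags, pos = data[10], 13
    if flags & 0x80:                            # global color table: 3 * 2^(N+1) bytes
        pos += 3 * (2 << (flags & 0x07))
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                       # trailer: anything after it is overlay
            return pos + 1
        if block == 0x21:                       # extension: label byte, then sub-blocks
            pos += 2
        elif block == 0x2C:                     # image descriptor, optional local color table
            lflags, pos = data[pos + 9], pos + 10
            if lflags & 0x80:
                pos += 3 * (2 << (lflags & 0x07))
            pos += 1                            # LZW minimum code size
        else:
            raise ValueError("unknown block 0x%02x at offset %d" % (block, pos))
        while data[pos]:                        # sub-blocks end with a zero-length block
            pos += 1 + data[pos]
        pos += 1
    raise ValueError("trailer missing")

def has_pe_header(blob: bytes) -> bool:
    # An "MZ" alone is weak evidence; require e_lfanew (offset 0x3C) to point at "PE\0\0".
    pos = blob.find(b"MZ")
    while pos != -1 and pos + 0x40 <= len(blob):
        e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
        if blob[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
            return True
        pos = blob.find(b"MZ", pos + 1)
    return False

def classify(data: bytes) -> str:
    overlay = data[gif_logical_end(data):]
    if not overlay:
        return "clean"
    return "overlay-pe" if has_pe_header(overlay) else "overlay-opaque:%d" % len(overlay)
```

Run classify over every image an email gateway strips out of attachments or a macro fetches; anything other than "clean" deserves a second look.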
The installed ransomware in action
Interestingly, the first compromised URL used by the malware belongs to Adenzia.ch, a Swiss accounting and corporate services firm that ironically advertises itself as providing “Privacy and secure Data storage” as well as:
– Accounting services
– Secure financial services
– Data entry from paper to digital
– Scanning paper data to digital
– Archiving data anonymously
The before and after the breach Adenzia.ch websites
The Kingofstreets.de website
Another noteworthy detail is that both the repurposed Swiss Adenzia.ch financial site and the second, German kingofstreets.de gaming site required a login. This gives the attacker an additional layer of protection: automated internet security scanners cannot track down the payload simply by following the link to the malware.
From the variable naming convention and the language of the email itself, the writer appears to be a non-native English speaker. The metadata from the Word document further supports this and suggests a strong link to a Russian origin. First, the author’s name was preserved as виньда (Vinda), and the company name came up as SPecialiST RePack.
SPecialiST RePack is a Russian digital publisher that repackages software. According to the Emsisoft malware database, it is a source of a large number of infected files and products.
SPecialiST RePack infected content
As for the unfortunate Adenzia.ch site, it seems to have been breached within the past few months, as the Wayback Machine still shows it operational on October 4, 2016.
I’ve tried to contact Adenzia to give them a heads-up that they need to have a look at their network. As of this date, I haven’t heard back from them. This could be an indication that either the site was a front for malware distribution from the get-go or else it is no longer in business and has been abandoned.
© Copyright 2017 Yaacov Apelbaum, All Rights Reserved.
Several days ago, I got an email from PayPal Support with the title: “We noticed unusual activity on your account”. The body of the email contained details of a suspicious transaction that allegedly occurred in my account and it invited me to click on the hyperlink “I Didn’t Authorize This Purchase” to dispute the transaction. At first blush, the email seemed well formatted and looked possibly legit.
I took a closer look at the embedded URL and noticed that it used the shortened alias http://bit.ly/1ml6nhf, which resolved to http://account-service-costumer.com/us/webapps/mpp/home. Taken together with the obvious Chinglish verbiage in the body of the email, it became apparent that this was not an actual PayPal address but a phishing site.
I must say, I was taken aback by the quality of the site. Whoever was responsible for setting it up invested a lot of time and effort into it. In a departure from typical phishing site design, where most of the bogus links either don’t work or are removed altogether, this one had multiple layers of link functionality designed to make the site appear real. For example, when I clicked on the “Send Money” link, I was prompted to enter a transfer amount and my recipient’s e-mail address. Impressive functionality.
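One way a mail gateway could have flagged this message automatically, as an added example that is not from the original post: extract every link from the HTML body, expand any URL shortener, and compare where the link finally lands with the brand the message claims to come from. The sample body and the redirect table are constructed here (the table stands in for a live resolver), and registered_domain uses a naive two-label rule rather than a public-suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co"}
# Constructed sample body (not the message from the original post) and a constructed
# redirect table standing in for live expansion of the short link.
SAMPLE_EMAIL = """<p>We noticed unusual activity on your account.</p>
<a href="http://bit.ly/1ml6nhf">I Didn't Authorize This Purchase</a>
<a href="https://www.paypal.com/us/security">Learn about phishing</a>"""
REDIRECTS = {"http://bit.ly/1ml6nhf": "http://account-service-costumer.com/us/webapps/mpp/home"}

class LinkExtractor(HTMLParser):             # collects (anchor text, href) pairs
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def registered_domain(url: str) -> str:
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])   # naive eTLD+1 (assumption: no public-suffix list)

def expand(url: str, redirects: dict, limit: int = 5) -> list:
    chain = [url]                            # every hop, so the final landing host is visible
    while chain[-1] in redirects and len(chain) <= limit:
        chain.append(redirects[chain[-1]])
    return chain

def assess_links(html: str, brand_domain: str, redirects: dict) -> list:
    # Returns (anchor text, final URL, reasons) for every link that fails the brand check.
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        chain = expand(href, redirects)
        reasons = []
        if registered_domain(chain[0]) in SHORTENERS:
            reasons.append("link hidden behind URL shortener")
        if registered_domain(chain[-1]) != brand_domain:
            reasons.append("lands on %s, not %s" % (registered_domain(chain[-1]), brand_domain))
        if reasons:
            findings.append((text, chain[-1], reasons))
    return findings
```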
Structure and Functionality
In terms of navigational structure and content, the phishing site was an almost identical copy of the actual PayPal website. It had the same layout, images, and link names. It even had all of the streaming media. One note of interest is that even though the link names were verbatim, most of them just reloaded the phishing site’s landing page, with the exception of “Investor Relations” and “Feedback Links” at the bottom, which loaded external pages. This is a departure from the previous phishing practice of simply eliminating such links from the site altogether.
As far as the actual phishing exploit is concerned, the “Login” and “Sign Up” links are the core components. Clicking them redirects to a fake PayPal login page where you are prompted to enter your user ID and password, after which you land on a form intended to verify your identity that collects all of your personal information, including DOB, Social Security number, phone number, and address. Double whammy!
Site Hosting and Publication
The site was registered in the US just two weeks ago via the Name.com registrar, and its IP address is hosted on a dedicated server in the New Jersey/New York area.
This is somewhat unusual, because most phishers tend to host abroad on repurposed or hacked servers that also serve other, legitimate content.
This was probably done in an effort to survive a cursory Whois check on the URL, which would confirm that the hosting is in the US (as it is for the real PayPal servers).
Heads up! It appears that we are witnessing a revolution in phishing affairs through the escalation in quality and detail of these sites. Considering this, it may behoove payment industry providers such as PayPal to start utilizing image match search capability to detect and block the appearance of such sites in near real-time instead of passively waiting to receive fraud alert messages from their customers weeks after the phishing campaign has wrought its havoc.
© Copyright 2016 Yaacov Apelbaum, All Rights Reserved.
Tokens of Distrust
It was on a starless March night,
The spear phishers went out for a bite.
Through a zero day vulnerability,
They breached RSA’s network security.
A Trojan attached to an email transmission,
Gave the attackers remote access permission.
Deep into the corporate systems they dove,
Collecting the SecureID key seeds treasure trove.
The theft affected over forty million tokens,
Transparency failed and trust was broken.
A few weeks followed and on a moonless May night,
The spear phishers returned with a renewed appetite.
Over the internet via secure VPN and a forged key,
They breached Lockheed’s defenses and Pwned their IP.
Ties That Bind
Identity, how do I bind thee to an object? Let me recount the days.
In the days of Spring, by a secret.
In the days of Summer, by a token.
In the days of Fall, by who you are.
In the days of Winter, by seasons’ past and where you’ve been.
A little shiftless man named Phil,
got a CISO gig through a shady deal.
Clueless about APT threats,
He managed upwards like a rat.
Pen tests and audits took a back seat,
To what the cafeteria was serving to eat.
When the company was finally breached by a hack,
He said “C’est la vie! The insurance will cover our back.”
IP traffic flood,
Malignant packets rush in,
Snort calmly says: “Halt!”