Following the Tweet from the Microsoft Security Intelligence account January 30, 2020 (https://twitter.com/MsftSecIntel/status/1222995250911703041?s=20), we at SecureSky were a little curious whether we had come across any evidence that phishing attempts against our own organization or our clients were part of this recently revived campaign. Not that we really need a reason to do this kind of research but given this announcement, we decided to put some time into this.
For starters, we picked an email we knew was a phishing attempt and decided to analyze the PDF file attachment. At the beginning, we thought we found evidence of this Dudear campaign. We approach every potential phishing payload slightly differently, depending upon who is analyzing it, whether the phishing email contains a URL or a potentially malicious attachment, etc. This blog will cover as much of the process we used to review the attachment in question as possible while not giving away all of the tools or techniques we used on this one. We’ll provide our conclusions at the end of this post and will provide you, the reader, with some additional recommendations for analyzing and defending against this type of phishing attempt.
Shortened URL within the PDF email attachment (full URL redacted)
Image containing link to shortened URL
Diving into the URL a bit, we were curious where it would take a user once clicked, so, naturally, we unshortened the URL to find out where it went. Using an online URL unshortener, we discovered the unshortened version of the URL belongs to a legitimate business overseas. So, to protect their identity, we’ve removed the full domain from the below screenshot.
The naming convention of this file made me wonder if it’s part of a WordPress theme/plugin, or if it has been named accordingly to pose as a WordPress file. Either way, there are several websites hosting this file as confirmed by using this filename as a search query on Google. Looking into the naming convention, we did confirm the website at the URL hosting the file was in fact running WordPress. Without confirming anything else, it makes me wonder if that WordPress installation is vulnerable. Again, we didn’t check.
Continuing the analysis, if the user clicks on the link within the PDF, they are taken to the above URL which redirects their browser to download an Excel spreadsheet. This spreadsheet is where this whole attack gets interesting. Let’s dive into this spreadsheet further. When launching the spreadsheet, the user is greeted by an interesting image designed to social engineer them into clicking on “enable” at the top of the main worksheet.
Image with instructions trying to social engineer users
If we look closer at the top toolbar, we notice that in our case macros are disabled and we’re being prompted to run the content. However, the image tries to handle a situation where office documents must be “enabled” to allow editing. This tries to get the victim user to work through “protected” mode functionality.
Macros disabled warning
As a user clicks on this button to enable macros, the hidden macro in this document goes to work luring the victim even more by trying to convince them that there are problems with the document and they need to recover as much as possible.
Fake error message trying to convince user to click “OK”
If the user clicks on the “OK” button, the hidden macro goes to work on the user’s filesystem. Instead of continuing to run this in our sandbox, we decided to use additional tools. From here, we ran the “strings” tool and reviewed the output to see if we could gather any additional information about the document.
Strings output for the downloaded spreadsheet
The first thing that should stand out from the above output is ‘C:\Users\Public\2.vbs’, the VB syntax of ‘2.vbs’ which creates an HTTP GET request and saves the response to a file, a variable called ‘File’ which stores the value ‘C:\Users]Public\2.vbs’, the call to ‘cscript.exe’, and finally the call to ‘wmic’ and ‘regsvr32’. The initial string at the top of the above screenshot indicates that a message trying to social engineer the user into clicking a prompt button may be a necessary step in the ‘C:\Users\Public\2.vbs’ file creation. The ‘cscript’ executable is responsible for running a Visual Basic script from the command line, so the call on the second to last line of the above screenshot executes the created ‘2.vbs’ script, provides a URL as the first command line argument to the VB script, and a filename to save the HTTP response to as the second argument to the VB script.
A careful observer might be thinking, why didn’t the attacker try to obfuscate the VB script better? That’s a great question and we really don’t know the answer. Being able to read this script with a tool like ‘strings’ highlights mistakes the original author made.
A couple of other interesting tidbits about this attack is the URL hxxps://basorkiq.host/BKDJs72d. This URL points to the IP address 220.127.116.11. A quick check of that IP address reveals that it belongs to a cloud services provider in China.
Whois output for 18.104.22.168 (basorkiq.host)
By the time I got to these files, both ‘wp-pivot.php’ and whatever is written into ‘blah.html’ were both already taken offline, so I couldn’t capture these. Thankfully, the sandbox we use was able to analyze these files before me and determined that ‘2.vbs’ and ‘blah.html’ were indeed malware. This attack’s initial delivery methods resembled those of the Dudear campaign, but our analysis concluded that the payload’s detonation in this attack was different than those seen in Dudear. Below, you’ll find a visual representation of the steps taken in this attack.
Before we conclude this blog, let’s go over some recommendations for making sure end-users don’t fall victim and inadvertently infect corporate resources.
- Security Awareness Training - Phishing attacks are as prevalent as ever, especially with Business Email Compromises, and this means frequent, and regular Security Awareness Training for users is so important.
- Disable Macros in Office Documents – Better yet, also train the end-user the differences between enabling ‘Edit’ mode and running macros using prompt buttons.
- Document Phishing/Malware Reporting Procedures – Make sure end-users can follow the steps easily and can locate the procedures easily.
- Implement Phishing/Anti-Malware Protection for SaaS – If you’re already using a SaaS solution for corporate email, check with your cloud services provider or a trusted 3rd party vendor to see what options are available for securing your organization’s SaaS solution.
- Logging and Monitoring – It is incredibly important that your organization logs traffic through its environment and monitors the environment for attacks against the organization. Detective controls can help identify incidents before they succeed or get too far.
While this attack showed similarities to the Dudear campaign in terms of its delivery, we do not believe it was a part of it due to differences in the final payload’s detonation. Still, this was a fun phishing attack to dissect and we hope you enjoyed this blog. If your organization uses a SaaS service, contact us at SecureSky to see how we can help you secure your cloud services.