Phishing Campaign with Taste for the Luxurious Gets in and Out in 90 Minutes

The C&C “londonpaerl.co.uk” domain is actually a typo-squat of the domain londonpearl.co.uk, a company that is an international supplier of cultured pearls and cultured pearl jewelry

Call it fresh phish: a new phishing attack is using clever targeting and filter avoidance to reap a higher success rate than most campaigns. Further, it’s using multiple emails sent during a small time window (around 90 minutes), making it a more complex threat to detect.

Cisco TRAC and VRT have uncovered the attack, which appears to be a combined spearphishing and exploit attempt, and those responsible for it are using different pieces of malware. In addition, instead of sending an email to 100,000 people in hopes that a small percent who open it have something worth stealing for profit, this threat actor specifically goes after a few key people in a very small time window inside an organization. This allows the attackers to maximize the potential gain while minimizing any chance of detection.

The attackers are targeting a feature within Microsoft Word, Visual Basic for Applications (VBA) macros. When the victim opens the Word document, an On-Open macro fires, which downloads an executable and launches it on the victim’s machine. The threat actor used the cloud-based file-sharing service offered by Dropbox to host four separate pieces of the payload for the exploit.
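A defender's first-pass check for the attachment type described above, added here as an example and not code from Cisco or the article: it opens a Word attachment, looks for the auto-execution trigger names and the download-and-launch primitives such an On-Open macro chain needs, and returns a verdict. The keyword lists and the in-memory sample document are assumptions constructed for the example.

```python
import io
import re
import zipfile

# Auto-execution entry points a Word VBA project can expose, and the
# download/launch primitives an "open the document, fetch an EXE, run it"
# macro chain needs. Matched case-insensitively as raw byte strings.
AUTO_RUN = [b"AutoOpen", b"Document_Open", b"AutoExec", b"Auto_Open"]
DROP_RUN = [b"URLDownloadToFile", b"XMLHTTP", b"WinHttp", b"ADODB.Stream",
            b"WScript.Shell", b"Shell", b"CreateObject", b"dropbox.com"]

def _matches(keys, blob):
    return [k.decode() for k in keys if re.search(re.escape(k), blob, re.I)]

def triage_word_attachment(data: bytes) -> dict:
    """First-pass triage of a Word attachment for the macro chain above.

    OOXML (.docx/.docm) is opened as a zip and only word/vbaProject.bin is
    scanned; legacy OLE2 (.doc) is scanned as a flat byte string. A real
    vbaProject.bin holds MS-OVBA-compressed source, so string hits are a
    heuristic, not a parse: send "review" items to a proper VBA extractor.
    """
    blob, has_macros = b"", False
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            if "word/vbaProject.bin" in z.namelist():
                has_macros = True
                blob = z.read("word/vbaProject.bin")
    elif data.startswith(b"\xd0\xcf\x11\xe0"):  # OLE2 compound file header
        blob = data
        # OLE directory entry names are stored UTF-16LE, hence the encoding.
        has_macros = "_VBA_PROJECT".encode("utf-16-le") in data
    auto, drop = _matches(AUTO_RUN, blob), _matches(DROP_RUN, blob)
    verdict = "quarantine" if auto and drop else "review" if has_macros else "allow"
    return {"has_macros": has_macros, "auto_run": auto,
            "download_exec": drop, "verdict": verdict}

def build_sample_docm(vba_text=None) -> bytes:
    """Constructed fixture, not a real document: a minimal OOXML zip whose
    vbaProject.bin is plain text so the scan can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if vba_text is not None:
            z.writestr("word/vbaProject.bin", vba_text)
    return buf.getvalue()
```

A mail gateway would run `triage_word_attachment` over each Word attachment and hold anything that is not "allow" for analyst review.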

In terms of targets, “This threat actor has particularly lavish tastes,” the researchers said in an analysis. “This threat actor seems to target high-profile, money-rich industries such as banking…television and jewelry.” That suggests a financial motivation behind the attack rather than an espionage campaign – but the perpetrator(s) also attack the industrial manufacturing and oil verticals.

Cisco said that the attacks are an extremely targeted spearphish in the form of an invoice, purchase order or receipt, written specifically for the recipient. The mail includes a fake name and an attached Microsoft Word document that looks entirely convincing. The attachment also passes muster with security software.

“For the duration of this campaign there is one thing that remained consistent: at best, a few antivirus engines may have generically detected the attached malware, but more often than not coverage was provided by a single vendor, or no coverage was provided at all,” the researchers said.

Cisco was able to track down the command and control (C&C) domains, selombiznet.in and londonpaerl.co.uk. The “londonpaerl.co.uk” domain is actually a typo-squat of the domain londonpearl.co.uk, a company that is an international supplier of cultured pearls and cultured pearl jewelry. However, the website on this domain claims to be an employment agency. In May, Cisco blocked five backdoor components coming from that domain, and found that all of them were directed at a single customer, on the same day, within a 90-minute period.

“During the investigation, we identified several different campaigns believed to be associated with this threat actor involving many other pieces of malware,” Cisco said. “Many of the domains appear to be suspended presumably due to past malicious activity. In fact, during the investigation the threat actor changed the information on some of the domains several times.”

It added, “It is important to keep in mind that some of these machines may not be voluntary participants, public services may be being abused or they may be compromised themselves.”

Due to its nebulous nature and the savvy targeting employed, the phish is obviously a dangerous one. As ever, email users should employ common sense and avoid opening unsolicited attachments.
