In his latest security posting, Andrew Brandt wrote that a trojan was sent to some of his colleagues, trying to exfiltrate data from a locked-down testbed.
“In the course of investigating the attack, I’ve assessed the social engineering aspect of the attack, and described the fundamental behavior of the initial infection and its subsequent payloads – I have to admit, I limited my description only to some of that behavior”, he said.
While analyzing the initial malware – which came as an invoice attachment – Brandt says that the installer downloaded a file from deleted-host.zapto.org, a domain which resolves to an IP address of 126.96.36.199, which pointed to a suspicious-looking domain, athleta-support.info.
That is, he said, an interesting choice of a domain name, and it reveals something about the spear phisher(s)’ tradecraft in social engineering: Athleta, a women’s fitness clothing brand owned by retailer The Gap, has its own online store.
“If you’re not a female, outdoor-fitness enthusiast, and haven’t heard of this brand (I didn’t until I did this research), a cursory Google search would validate the existence of a company by this name if you were to, for instance, receive an order confirmation email linking back to something called Athleta”, he said, adding that recipients will think the link is from a real company and click on it.
The athleta-support.info domain, he noted, was registered on September 30th, 11 days prior to the second Yesasia campaign’s arrival in Solera's inboxes and, he said, by the time he discovered it, the domain was inactive – at this time, the domain has been blackholed and no longer points to 188.8.131.52.
“All the domains hosted on that 184.108.40.206 IP address share a single reverse-lookup: technetium. The domain is privately owned, according to the domain WHOIS data, by one Markus Vogt of Landau, Germany. That is, if you believe the WHOIS data. It’s all too common for malicious domains to be registered using bogus data, or real information strip-mined at random from the internet”, he said.
Markus Vogt, he added, can be traced to Blackfiber.net, which provides DNS services for itself, HTCNET, vogt.la, and yesasia-invoices.com.
Back on the malware decoding front, Brandt reported that, after a few minutes of inactivity, the malware code carries out a DNS lookup of more zapto.org subdomains, later pulling down a payload named windefender.exe.jpg.
“This was, like the original invoice.exe and the newegg.exe payload, an executable that had originally been composed in Visual Basic. Also like the first two payloads, this application used what we’ve come to describe as Proper Name Salad values in the properties sheet. The program describes itself as Kepler Clemson ChippendaleParks ScotsmanMac Lexington. It also uses the internal name of hcri.exe”, he says.
The appearance of this program, he adds, coincided with nine new files appearing in the %temp% directory, all with .bss file extensions, which appear to be plugins designed to extract data from the caches of various applications.
And here's where it gets interesting, Infosecurity notes, as the malware pulled down a plain-text list of 71 web sites targeted for credential theft by the malware, and which included banks, cellular phone companies and a wide variety of useful sites such as social networks and hacking forums.
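The behaviours described above (lookups under a free dynamic-DNS zone, a payload hiding an executable behind an image extension, and .bss files dropped into %temp%) are the kind of thing a defender can check endpoint and DNS telemetry for. The following is an added example written for this page, not code from Brandt's post or from Infosecurity; the three one-line log formats and the sample lines are constructed, and only the domain and file names are taken from the article.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (not from the article) in three simple
# line formats: DNS queries, proxy downloads and file-creation events.
SAMPLE_LOG = """\
DNS query=deleted-host.zapto.org
DNS query=update.example.com
DNS query=other-host.zapto.org
HTTP GET http://athleta-support.info/windefender.exe.jpg
HTTP GET http://cdn.example.com/logo.jpg
FILE create C:\\Users\\victim\\AppData\\Local\\Temp\\cache1.bss
FILE create C:\\Users\\victim\\AppData\\Local\\Temp\\notes.txt
"""

# Dynamic-DNS parent zone used by the campaign in the write-up; names under
# such zones are cheap to cycle, so any lookup beneath them deserves a look.
DYNDNS_ZONES = ("zapto.org",)

# Double extension: a real executable type hidden behind an innocuous one
# (windefender.exe.jpg in the article).
DOUBLE_EXT = re.compile(r"\.(exe|dll|scr|bat)\.(jpg|png|gif|pdf|txt)$", re.I)

# Plugin drop described in the article: .bss files written under %temp%.
TEMP_BSS = re.compile(r"\\Temp\\[^\\]+\.bss$", re.I)


def analyze_telemetry(text: str) -> Dict[str, List[str]]:
    """Return, per behaviour, the log values that matched."""
    hits: Dict[str, List[str]] = {
        "dyndns_lookup": [], "disguised_executable": [], "temp_bss_plugin": []}
    for line in text.splitlines():
        kind, _, rest = line.partition(" ")
        if kind == "DNS":
            name = rest.split("=", 1)[1].strip().lower()
            if any(name == z or name.endswith("." + z) for z in DYNDNS_ZONES):
                hits["dyndns_lookup"].append(name)
        elif kind == "HTTP":
            url = rest.split(" ", 1)[1].strip()
            if DOUBLE_EXT.search(url.rsplit("/", 1)[-1]):
                hits["disguised_executable"].append(url)
        elif kind == "FILE":
            path = rest.split(" ", 1)[1].strip()
            if TEMP_BSS.search(path):
                hits["temp_bss_plugin"].append(path)
    return hits


def behaviours_seen(text: str) -> int:
    """Number of distinct behaviours observed; two or more on one host
    looks like the staged chain the article describes, not a one-off."""
    return sum(1 for v in analyze_telemetry(text).values() if v)
```

Each behaviour alone is only a weak signal; the value is in correlating them on the same host within a short window, which is what the count in `behaviours_seen` is meant to feed.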
“Clearly, the files involved in this infection campaign were dangerous, if allowed to run at will on a victim’s computer, despite the relative lack of sophistication. In the end, the social engineering trick employed by this targeted spam message isn’t much different than fake IRS emails or shipping confirmation messages that have been floating around for years”, he said.