USA Retailers Hit by Spear-Phishing Campaign

For retailers, brand image and brand trust are critical for success. The financial implication of a successful attack can also be a costly event, with an average phishing attack of a mid-size company costing $1.6 million. Phishing attacks have increased by 65% over the last year as scammers have developed sophisticated spear-phishing campaigns with lucrative success. The result is startling: 76% of businesses have reported being victims of phishing attacks in the last year. One spear-phishing campaign was found to be targeting large retail businesses in the United States. Cyberint detected this campaign and the details of its compromise.

Summary of the Attack

In mid-December of 2018, CyberInt detected a spear-phishing campaign against large USA retailers and other businesses in the food and beverage industry. The email campaign contained several malware types such as Gussdoor, Xrat, and Vimditator.

The attached document in the phishing email appeared to have come from a Ricoh printer and included the targeted company’s logo. The document was macro enabled, and once opened, the macro executed and downloaded 2^nd stage to the victim’s machine. This also triggered a connection to local365office.com, instructing the targeted machine to run msiexec.exe in the background. Msiexec.exe downloaded a further MSI binary file.

The file was then extracted and placed three documents in the appdatalocaltempdirectory. One of the documents, Exit.exe, executed an embedded VBScript. The script pinged cloudflare.com to check for Internet connectivity. If the ping was successful, another one of the documents, Syst.dll, was renamed to 7zinstall.exe and executed. This execution then extracted four additional files.

One of the files launched commands to set a registry entry called “Microtik” under HKCUSoftwareMicrosoftWindowsCurrentVersionRun. This kicked off an executable that tried to connect to a server located in Germany. Pivoting on the domain local365office.com also revealed that it is hosted in Germany. The ISP that owns the IP for local365office.com shares that information with only 139 other domains.

One of those 139 domains has a similar name, office365onlinehome.com, which shows a malicious document was communicating with that domain using a common lure similar to local365office.com. A deeper analysis showed similar TTP’s executing msiexec.exe. This file was used in another campaign discovered by Proofpoint that delivered a backdoor called ServHelper.

When executed, it creates three files in the AppDataLocalTempdirectory. A script is then launched that executes helpobj.dat, a PECompact packed DLL file commonly known as Win32.Trojan.Delf. This is a generic trojan which is typically used to steal victims’ information. The file is signed with a legitimate code signing certificate of a computer repair service that was most likely compromised and had their certificate stolen.

Conclusion

Details of this attack show just how sophisticated attackers are becoming at concealing their attacks with multilayered steps to evade detection. The use of commodity malware provides attackers with an efficient method to create refined and complex attacks.

According to Webroot, approximately 1.5 million new phishing sites are created each month. This rise in phishing sites indicates the success these attacks have. SANs Institute notes the success of these attacks when reporting that 95% of all successful attacks on enterprise infrastructures originate from spear-phishing attacks.