On Thursday June 14th, the Cofense™ Phishing Defense Center (PDC) noted a campaign targeting UK customers with several emails sharing the same subject, “Invoice INV-03056,” and prompting the user to view a supposed invoice. The next day, we saw a very similar campaign that delivered French-language phishing emails. Upon analyzing the emails, the PDC notified the customers that received them, so they could respond as needed. We also notified all our UK customers of the IOCs.
An example of the first English language campaign is shown in figure 1. The sender is spoofed.
Figure 1 – Fake Invoice Email June 14th
The user is further redirected to a compromised SharePoint site hxxps://pwkgroup-my[.]sharepoint[.]com/personal/phillip_pwk_net_au/Documents/INV-03056[.zip?slrid=2101719e-b02b-0000-0145-e6255742f2cd where the zip file 03056.zip is downloaded. It should be noted that the redirect on hxxps://zexswalloiw[.]ml changed every hour to provide a fresh SharePoint link to the victim.
On Friday June 15th, the Phishing Defense Center observed several French emails that seem to be related to the campaign, as shown in figure 3. Again, the attacker spoofed the sender.
Figure 3 – Fake Invoice Email June 15th
However, the new campaign redirects the user to hxxps://zexswalloiw[.]cf. Unfortunately, this site was unavailable during the time of analysis and no further payloads were retrieved.
During analysis, we noticed the sophistication of the infection chain of this campaign as demonstrated in figure 5.
Figure 5 – Infection Chain
Ways to Counter These Common Attacks
Ursnif, also known as Gozi, is a banking trojan that is among the most prolific financial malware families in 2018. The malware is designed to gain access to credentials for several kinds of accounts, including email accounts, cloud accounts, cryptocurrency exchange platforms, and other financial accounts. Campaigns like this one, delivering different malware varieties that seek a victim’s sensitive credentials, are common because credentials are so valuable to threat actors. With a user’s credentials they can access the account to support theft and further infections, and the same credentials often open other accounts for which the victim reused the same or a similar password.
To protect yourself from banking and financial-crime trojans, make sure that you do not open attachments or links from unknown senders. If a message seems suspicious, report it and encourage personnel within enterprise environments to do the same. Furthermore, ensure that your systems are up to date and fully patched. If you have identified a trojan in your environment, you can use the indicators of compromise to block the associated IP addresses at your perimeter firewall and update other security devices in your environment to identify or block this threat.
To see a detailed example of attackers getting creative with Ursnif, view this analysis: https://cofense.com/careful-life-insurance-invoice-contains-ursnif-malware/
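As an added example (not Cofense's code), the script below refangs the defanged hosts and dropped-file indicators from this post and runs them over a few constructed proxy log lines. Because the SharePoint link rotated hourly, it matches the dropped file name and size rather than the tenant host; the log format, client IPs and timestamps are assumptions.

```python
import re

# Campaign hosts as the post lists them (defanged); refanged at runtime for matching.
DEFANGED_HOSTS = ["zexswalloiw[.]ml", "zexswalloiw[.]cf", "filerco[.]com"]
# Dropped-file names (lower-cased) and sizes in bytes from the 14 June IoC list.
FILE_IOCS = {"inv-03056.zip": 6329, "inv-03056.js": 28344, "temppje39.exe": 242872}

def refang(ioc):
    """Convert hxxp:// and [.] defanging back into a matchable host or URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")

BAD_HOSTS = {refang(h).lower() for h in DEFANGED_HOSTS}

# Assumed (constructed) proxy log format: "<timestamp> <client-ip> <method> <url> <status> <bytes>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$")
HOST_RE = re.compile(r"^https?://([^/:?#]+)", re.I)

def classify(line):
    """Return (verdict, reason) for one proxy line; verdict is 'high', 'low' or 'none'."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ("none", "unparsed line")
    url, size = m["url"], int(m["bytes"])
    hm = HOST_RE.match(url)
    host = hm.group(1).lower() if hm else ""
    if host in BAD_HOSTS:
        return ("high", f"request to campaign host {host}")
    # The SharePoint link changed every hour, so match the dropped file, not the tenant host.
    name = url.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    if name in FILE_IOCS:
        if size == FILE_IOCS[name]:
            return ("high", f"download of {name} with matching size {size} bytes")
        return ("low", f"download named {name} but size {size} != {FILE_IOCS[name]}")
    return ("none", "")

def scan(lines):
    """Return only the lines worth triaging, as (verdict, reason, line) tuples."""
    return [(v, r, ln) for ln in lines for v, r in [classify(ln)] if v != "none"]

# Constructed sample lines exercising each path through classify().
SAMPLE_LOG = [
    "2018-06-14T09:12:03Z 10.1.2.3 GET http://zexswalloiw.ml/ 302 0",
    "2018-06-14T09:12:05Z 10.1.2.3 GET https://othertenant-my.sharepoint.com/personal/u/Documents/INV-03056.zip?slrid=0000 200 6329",
    "2018-06-14T09:13:10Z 10.1.2.3 GET https://filerco.com/drive.php 200 242872",
    "2018-06-14T09:14:00Z 10.1.2.4 GET https://example.com/INV-03056.zip 200 1024",
    "2018-06-14T09:15:00Z 10.1.2.4 GET https://example.com/index.html 200 512",
]

if __name__ == "__main__":
    for verdict, reason, line in scan(SAMPLE_LOG):
        print(verdict, "|", reason, "|", line)
```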
Indicators of Compromise – Campaign 14th of June:
File name: INV-03056.zip
File size: 6,329 Bytes
File name: INV-03056.js
File size: 28,344 Bytes
Payload URL: hxxps://filerco[.]com/drive[.]php
File name: TemppJE39.eXe
File size: 242,872 Bytes
Indicators of Compromise – Campaign 15th of June: