By Max Gannon
In the first week of March, Cofense saw distribution of an advanced phishing campaign taking advantage of current events to deliver malware. Although distribution is currently limited, this kind of lure could become more prevalent given the current tax season and interest in the American Rescue Plan.
The campaign in question, shown in Figure 1, impersonates the IRS using both the relevant logo and what appears to be the spoofed sender domain of IRS[.]gov.
Email Breakdown
A close examination of the email shows a few suspicious characteristics. The first is that the sender domain is in fact lrs[.]gov, using a lower-case L rather than an upper-case i. The phrasing within the document, while not clearly as bad as something auto-translated from another language, still has some mistakes that are unexpected from what purports to be a government communication. Despite those issues, this campaign is likely to entice the average user who’s in a hurry to learn more about the rescue plan.
Figure 1: Original Email
Delivery Chain
When victims attempt to get an application form, they are directed to download an Excel spreadsheet from Dropbox. Much like the email, the spreadsheet is appropriately themed and convincing enough for some users to download it, open it and then enable macros.
Figure 2: Dropbox Hosted File
While static analysis easily identifies the URLs used to download malware in this case, automated behavioral analysis may have trouble recognizing the activity as malicious because it does not use macros to directly download malware or run a PowerShell script. The macros used by the .xlsm files drop an .xsl file to disk and then use a Windows Management Instrumentation (WMI) query to gather system information. A typical WMI query used to gather such information would employ a command line expression such as “/format:list” (see Figure 3) to display the information in a readable format.
Figure 3: List Formatted Query Response
The WMI query employed in this case, however, demands that the dropped .xsl file be used to format the response to the query. This formatting directive allows JavaScript contained in the .xsl file to be executed via WMI and download malware, avoiding the more commonly seen methods via PowerShell. The query “formatted” from the .xsl file shown in Figure 4 demonstrates that the .xsl file used for formatting certainly isn’t intended to make things more readable.
Figure 4: Malicious .xsl Formatted Query Response
In the case of this campaign, the resulting malware was Dridex. It primarily acts as a banking Trojan but has many other capabilities as well.
Mitigation
The first step in mitigation for this and other similarly advanced attacks is to train employees to watch for common signs of phishing. For example, employees can condition themselves to scan for slight differences between legitimate and spoof domains, such as irs[.]gov versus lrs[.]gov. Similar campaigns, which spoofed a prominent car company, appeared legitimate other than the sender domain replaced the letter “l” with the number “1”. In this specific case, stopping to think before clicking the link would provide time for recipients to realize the IRS is not going to send something like this via email. The unusual usage of .xsl files for script processing has been written up by MITRE here, including mitigation and detection advice. As a general rule, WMI and PowerShell should be carefully monitored on most workstations.
Managed Defense and Response
Campaigns like this can be headed off with tools built for threats and tactics designed to evade secure email gateways (SEGs). This campaign illustrates how automated systems – such as those identified at the top of this article – fail to outperform humans, and the network effect of people as sensors, spotting and reporting suspicious email.
Cofense is uniquely positioned to catch phish that have turned up in environments protected by SEGs. With the Cofense Managed Phishing Detection and Response platform, provided through our Phishing Defense Center (PDC), enterprises benefit from our complete view of real phishing threats. In five years, no customer using the Cofense PDC has experienced a breach resulting from a phishing attack.
We’re ready to help you better secure your business. Contact us today to discuss your objectives and best solutions.
Indicators of Compromise
| Office Macro Payload URLs |
| hxxps://drlamyas[.]net/wp-content/plugins/LayerSlider/classes/Yn3TfEMzAJ[.]php |
| hxxps://hopefamilytrusts[.]org/wp-includes/SimplePie/Content/Type/AVa3B5ouSUX[.]php |
| hxxps://wemersonbernardo[.]com[.]br/PHPMailer/examples/images/FL9FXA49zfr65g[.]php |
| hxxps://century21[.]empov[.]ct5kh[.]com/img/back-img/jVc6HWYRU1kkzNT[.]php |
| hxxps://new[.]bombill[.]com/B2B/js/public_html/new[.]bombill[.]com/QeFqXRXal[.]php |
| hxxps://nawelchile[.]cl/wp-includes/js/mediaelement/renderers/MCrl62OeS0ZQfmI[.]php |
| hxxps://vertcompany[.]com[.]br/wp-content/cache/wpo-minify/1613141973/QwlvahpVhQ[.]php |
| hxxps://wishall[.]org/wp-admin/css/colors/blue/zOabrgmojb0B8[.]php |
| hxxps://crm[.]sgdatapos[.]com/modules/goals/language/bulgarian/xo4dOLHR2TYyME[.]php |
| hxxps://pmh[.]hr/wp-content/uploads/2017/10/rmoqZDe9qLLnu[.]php |
| Dridex Command and Control Hosts |
| hxxps://37[.]247[.]35[.]137:6601 |
| hxxps://216[.]10[.]242[.]142:6601 |
| hxxps://116[.]251[.]211[.]158:443 |