Cofense Email Security

New Phishing Campaign Bypasses Microsoft 365 ATP to Deliver Adwind to Utilities Industry

[vc_row][vc_column animation_iteration=”1″][mvc_infobox info_style=”mega_info_box_2″ info_opt=”show_icon” icon_size=”35″ icon_height=”75″ icon_radius=”15px” border_width=”2″ title_color=”#cd202c” font_icon=”fa fa-exclamation-triangle” icon_color=”#cd202c” border_clr=”#dd3333″ info_title=”Gateways Bypassed” title_size=”25″ css=”.vc_custom_1585945150237{margin-top: 20px !important;margin-bottom: 30px !important;}” hoverclr=”#cd202c” icon_bg=”#ffffff” hoverbg=”#ffffff”]

Microsoft 365 ATP

[/mvc_infobox][/vc_column][/vc_row][vc_row][vc_column][vc_column_text c_id=”.vc_1597854140643″]The Cofense Phishing Defense CenterTM has observed a new phishing campaign that spoofs a PDF attachment to deliver the notorious Adwind malware. This campaign was found explicitly in national grid utilities infrastructure. Adwind, aka JRAT or SockRat, is sold as a malware-as-a-service where users can purchase access to the software for a small subscription-based fee.

The malware boasts the following features:

  • Takes screen shots
  • Harvests credentials from Chrome, IE and Edge
  • Accesses the webcam, record video and take photos
  • Records audio from the microphone
  • Transfers files
  • Collects general system and user information
  • Steals VPN certificates
  • Serves as a Key Logger

Email Body

Cofense Triage threat intelligence and incident response tool screenshot

Fig1. Email Body

This email comes from a hijacked account at Friary Shoes. Also note the web address for Fletcher Specs, whose domain threat actors are abusing to host the malware.

The email body is simple and to the point: “Attached is a copy of our remittance advice which you are required to sign and return.” At the top of the email is an embedded image which is meant to look like a PDF file attachment, however, is in fact a jpg file with an embedded hyperlink. When victims click on the attachment, they are brought to the infection URL hxxps://fletcherspecs[.]co[.]uk/ where the initial payload is downloaded.

Phishing simulation and awareness training dashboard

Fig 2. Payload 

The initial payload is in the form of a .JAR file named: “Scan050819.pdf_obf.jar.” Note that the attacker has attempted to make the file appear as if it were a PDF by attempting to obfuscate the file true extension.

Phishing susceptibility report statistics

Fig 3. Running processes

Once executed, we can see that two java.exe processes are created which load two separate .class files. JRAT then beacons out to its command and control server: hxxp://ns1648[.]ztomy[.]com

Incident response orchestration and automation platform dashboard

Fig 4. C2 Traffic

Adwind installs its dependencies and harvested information in: C:UsersByteAppDataLocalTemp. Here we can see the two class files the jave.exe process has loaded along with a registry key entries and several .dlls:

Email phishing attack lifecycle infographic

Fig5. Additional dependencies and artifacts 

The malware also attempts to circumvent analysis and avoid detection by using taskkill.exe to disable popular analysis tools and antivirus software. If we take a closer look at the registry entries file we see that the malware looks for popular antivirus and malware analysis tools.

Phishing email reporting and response workflow diagram

Fig 6. Anti-Analysis

Indicators of Compromise (IOCs):

Malicious File(s):

File Name: Scan050819.pdf_obf.jar

MD5: 6b94046ac3ade886488881521bfce90f

SHA256: b9cb86ae6a0691859a921e093b4d3349a3d8f452f5776b250b6ee938f4a8cba2

File size: 634,529 bytes (619K)

File Name: _0.116187311888071087770622558430261020.class

MD5: 781fb531354d6f291f1ccab48da6d39f

SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

File size: 247,088 bytes (241K)    

File Name: _0.40308597817769314486921725080498503.class

MD5: 781fb531354d6f291f1ccab48da6d39f

SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

File size: 247,088 bytes (241K)

File Name: gCMmWntWwp7328181049172078943.reg

MD5: 7f97f5f336944d427c03cc730c636b8f

SHA256: 9613caed306e9a267c62c56506985ef99ea2bee6e11afc185b8133dda37cbc57

File size: 27,926 bytes (27K)

File Name: Windows3382130663692717257.dll

MD5: 0b7b52302c8c5df59d960dd97e3abdaf

SHA256: a6be5be2d16a24430c795faa7ab7cc7826ed24d6d4bc74ad33da5c2ed0c793d0

File size: 46,592 bytes (45K)

File Name: sqlite-3.8.11.2-fd78b49b-d887-492e-8419-acb9dd4e311c-sqlitejdbc.dll

MD5: a4e510d903f05892d77741c5f4d95b5d

SHA256: a3fbdf4fbdf56ac6a2ebeb4c131c5682f2e2eadabc758cfe645989c311648506

File size: 695,808 bytes (679K)

File Name: Windows8838144181261500314.dll

MD5: c17b03d5a1f0dc6581344fd3d67d7be1

SHA256: 1afb6ab4b5be19d0197bcb76c3b150153955ae569cfe18b8e40b74b97ccd9c3d

File size: 39,424 bytes (38K)

 

Malicious URL(s):

hxxps://fletcherspecs[.]co[.]uk/

hxxp://ns1648[.]ztomy[.]com

Associated IP(s):

109[.]203[.]124[.]231

194[.]5[.]97[.]28

HOW COFENSE CAN HELP

89% of phishing threats delivering malware payloads analysed by the Cofense Phishing Defense Center bypassed secure email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM.It offers a phishing simulation, “Remittance Advice – Adwind,” to educate users on the attack described in today’s blog.

Remove the blind spot with Cofense ReporterTM—give users a one-click tool to report suspicious messages, alerting security teams to potential threats.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Easily consume phishing-specific threat intelligence to proactively defend your organisation against evolving threats with Cofense IntelligenceTM.

Thanks to our unique perspective, no one knows more about providing phishing awareness training and REAL phishing threats than Cofense. To understand current threats, read the 2019 Phishing Threat & Malware Review.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations.  Subsequent updates or different configurations may be effective at stopping these or similar threats.[/vc_column_text][/vc_column][/vc_row]

Share This Article
Facebook
Twitter
LinkedIn

Search

We use our own and third-party cookies to enhance your experience. Read more about our cookie policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.