Share:

By Aaron Riley and Marcel Feller

CISO Summary

Recently, CofenseTM has seen phishing campaigns that bypass email security using a .cpl file extension attachment. .CPL is the file name extension for items or icons appearing in the Windows Control Panel. These file extensions are vital for most Control Panel tools to function, making endpoint threat mitigation extremely difficult.

After evading controls and successfully executing on the endpoint, the .cpl file downloads a second-stage payload, which is typically a banking trojan. According to Cofense IntelligenceTM, most of these phishing campaigns are aimed at South American inboxes. As part of security awareness training (see Cofense PhishMeTM), organizations should condition users to identify and report .cpl files to avoid network infection.

Full Details

The Cofense Phishing Defense Center (PDC) has captured multiple phishing campaigns using a .cpl file extension attachment to bypass email security measures and download a second stage payload, which typically is a banking trojan. Cofense Intelligence has analyzed these campaigns and found that the majority of them are targeting South American citizens. Furthermore, to successfully communicate with the Command and Control (C2) infrastructure, the endpoint needs to mirror a South American computer’s settings like IP address, time zone, language pack, and keyboard settings.

The .cpl file extension is used for Control Panel tools with executable byte code. The .cpl byte code is the same across all PE32 binaries (such as .exe, .dll, .scr) within the DOS stub and is executed by control.exe. These file extensions have been used with campaigns that deliver banking trojans, most notably Banload. Cofense IntelligenceTM customers can view an analysis of Banload by logging in here. Figure 1 shows an email campaign that is used to deliver a .cpl attachment. The email is in Spanish and claims to come from ‘Servicio de Impuestos Internos,’ the Internal Revenue Service of Chile.

Figure 1 shows the email campaign used to deliver .cpl attachments.

The .cpl file attached to this campaign acted as a first-stage downloader, facilitating the retrieval and execution of a secondary payload. Figure 2 shows the HTTP POST to the C2 infrastructure during the preliminary communication. This HTTP POST contains the machine and username of the infected endpoint and is appended with a number sequence known to the C2. Figure 3 shows the fingerprinting data within the form values posted to the C2.

Figure 2 shows the HTTP POST and GET traffic originating from the .cpl file.

Figure 3 shows the information gathered by the .cpl file to fingerprint the infected machine.

After the initial connection is successful, the binary then connects to a hardcoded payload location for the second stage. Notice in Figure 2 that there was a GET request for another payload. By effectively expanding the detection surface, this two-stage download and execution actually increases the likelihood of C2 interruption.

While analyzing the .cpl binaries’ network traffic, Cofense Intelligence identified a custom User-Agent string that can be turned into network alerts within a Security Event Information Management (SEIM) system. Figures 4 and 5 shows the two different user agents connecting to the same host. Based on packet analysis, these custom User-Agents would suggest the threat operators are limiting access to their C2 infrastructure.

Figure 4 shows the User-Agent for the HTTP POST.

Figure 5 shows that the User-Agent value is ‘LA CONCHA DE TU MADRE,’ a Spanish expletive whose cleaned-up meaning is ‘the shell of your mother.’ This User-Agent string lends further credence to the idea that the User-Agent string is used to mitigate access to the C2 infrastructure and help determine the stage of infection. However, leaving such an obvious indicator for the security infrastructure to identify gives the impression this was an amateur operator.

Figure 5 shows the User-Agent string for the GET request made by the .cpl file.

After execution, this .cpl attachment followed trends and called for the second-stage payload to execute a sample of OverByte ICS Logger. This keylogger was configured with multiple modules to target and gather banking information from the endpoint. Figure 6 shows the malware family name within the memory strings. Figure 7 shows the multiple modules configured within this binary.

Figure 6 shows the malware family name within the memory strings.

Figure 7 shows the multiple modules that were used to configure this binary.

This sample of OverByte ICS Logger went after banking information, specifically South American banks. The banking information gathered includes usernames, passwords, Personal Identification Numbers (PINs), and any element ID that was selected during the login process. Element IDs are unique identifiers that facilitate accurate targeting for JavaScript and CSS. Use of element IDs means modifications to the page can be made accurately, provided the author adheres to the standards.

After gathering the information, this sample then sends it to the C2, which in this case was the same as the second-stage download. This OverByte ICS Logger persisted on the machine and gathered banking information at predetermined times to be sent to the C2. Figure 8 shows a list of banks (redacted) in the memory strings of the running sample.

Redactions in Figure 8 show where the references to banks would be within the memory strings.

The use of .cpl file extensions are a necessary item for most Control Panel tools to function properly. The operating system’s need for this extension makes the mitigation and remediation extremely difficult within the security stack. The trend to deliver banking trojans to the endpoint is a looming threat of these extensions. Educating end users on how to properly identify and report these types of files when they are encountered is the best way to avoid this type of infection on a network.

To stay abreast of the latest phishing and malware trends, sign up for free Cofense Threat Alerts.

Indicators of Compromise

Observed URLs: hxxps://gentsilen[.]com[.]mx/cl/factura[.]php?folio=1&Importancia=Urgente&descarga=true&impuestos=servidor_alerce&site=www[.]sii[.]cl

185-35-139-197[.]v4[.]as62454[.]net

185-35-139-190[.]v4[.]as62454[.]net


Observed IPs:

185[.]35[.]137[.]85

185[.]35[.]137[.]80
185[.]35[.]139[.]190

 

Observed Files:
File Name: Sii_Documento_TVLN11.zip
MD5: 9ace92029ad8f1516b141de7022d3c42
SHA256: 15f107a75f166b519ce7ca8da094c9b915aa7a6b44fade360535e5112bfd2f5f
File size: 718,191 Bytes

File Name: Sii_Documento_TVLN11.zip
MD5: 7e8edf93d3565c4eacbbea19615d21d3
SHA256: 5c908e77c0e2f14f757d9b0b2d63f661bc277eb70e8caa46d85f038cb87f2c2b
File size: 717,935 Bytes

File Name: Sii_Documento_K3YLT2WJNU.cpl
MD5: 541a3aaf1f70c473f0018c9aa951fb9a
SHA256: d9e3913e5e6d151dd487d9e174c9e3e73d1883ea0c78cf97909caaf76dd4e618
File size: 761,902

File Name: mTjdyis.exe
MD5: b2218df5c3373a9a1b619e53281e9806
SHA256: 681ccc9e5bab3a23b3ce31fdc1eb8db268e79e1521e748d8f8c951d10a3a096c
File size: 400.872 Bytes

File Name: shfolder.dll
MD5: 037bb84e2aab7ab4df2e0c752c61233a
SHA256: b8af00e8e89583a529284496949cc2c10684b035
File size: 42.466.735 Bytes

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.