Phishing Campaigns are Manipulating the Windows Control Panel Extension to Deliver Banking Trojans
By Aaron Riley and Marcel Feller
Recently, CofenseTM has seen phishing campaigns that bypass email security using a .cpl file extension attachment. .CPL is the file name extension for items or icons appearing in the Windows Control Panel. These file extensions are vital for most Control Panel tools to function, making endpoint threat mitigation extremely difficult.
After evading controls and successfully executing on the endpoint, the .cpl file downloads a second-stage payload, which is typically a banking trojan. According to Cofense IntelligenceTM, most of these phishing campaigns are aimed at South American inboxes. As part of security awareness training (see Cofense PhishMeTM), organizations should condition users to identify and report .cpl files to avoid network infection.
The Cofense Phishing Defense Center (PDC) has captured multiple phishing campaigns using a .cpl file extension attachment to bypass email security measures and download a second stage payload, which typically is a banking trojan. Cofense Intelligence has analyzed these campaigns and found that the majority of them are targeting South American citizens. Furthermore, to successfully communicate with the Command and Control (C2) infrastructure, the endpoint needs to mirror a South American computer’s settings like IP address, time zone, language pack, and keyboard settings.
The .cpl file extension is used for Control Panel tools with executable byte code. The .cpl byte code is the same across all PE32 binaries (such as .exe, .dll, .scr) within the DOS stub and is executed by control.exe. These file extensions have been used with campaigns that deliver banking trojans, most notably Banload. Cofense IntelligenceTM customers can view an analysis of Banload by logging in here. Figure 1 shows an email campaign that is used to deliver a .cpl attachment. The email is in Spanish and claims to come from ‘Servicio de Impuestos Internos,’ the Internal Revenue Service of Chile.
Figure 1 shows the email campaign used to deliver .cpl attachments.
The .cpl file attached to this campaign acted as a first-stage downloader, facilitating the retrieval and execution of a secondary payload. Figure 2 shows the HTTP POST to the C2 infrastructure during the preliminary communication. This HTTP POST contains the machine and username of the infected endpoint and is appended with a number sequence known to the C2. Figure 3 shows the fingerprinting data within the form values posted to the C2.
Figure 2 shows the HTTP POST and GET traffic originating from the .cpl file.
Figure 3 shows the information gathered by the .cpl file to fingerprint the infected machine.
After the initial connection is successful, the binary then connects to a hardcoded payload location for the second stage. Notice in Figure 2 that there was a GET request for another payload. By effectively expanding the detection surface, this two-stage download and execution actually increases the likelihood of C2 interruption.
While analyzing the .cpl binaries’ network traffic, Cofense Intelligence identified a custom User-Agent string that can be turned into network alerts within a Security Event Information Management (SEIM) system. Figures 4 and 5 shows the two different user agents connecting to the same host. Based on packet analysis, these custom User-Agents would suggest the threat operators are limiting access to their C2 infrastructure.
Figure 4 shows the User-Agent for the HTTP POST.
Figure 5 shows that the User-Agent value is ‘LA CONCHA DE TU MADRE,’ a Spanish expletive whose cleaned-up meaning is ‘the shell of your mother.’ This User-Agent string lends further credence to the idea that the User-Agent string is used to mitigate access to the C2 infrastructure and help determine the stage of infection. However, leaving such an obvious indicator for the security infrastructure to identify gives the impression this was an amateur operator.
Figure 5 shows the User-Agent string for the GET request made by the .cpl file.
After execution, this .cpl attachment followed trends and called for the second-stage payload to execute a sample of OverByte ICS Logger. This keylogger was configured with multiple modules to target and gather banking information from the endpoint. Figure 6 shows the malware family name within the memory strings. Figure 7 shows the multiple modules configured within this binary.
Figure 6 shows the malware family name within the memory strings.
Figure 7 shows the multiple modules that were used to configure this binary.
After gathering the information, this sample then sends it to the C2, which in this case was the same as the second-stage download. This OverByte ICS Logger persisted on the machine and gathered banking information at predetermined times to be sent to the C2. Figure 8 shows a list of banks (redacted) in the memory strings of the running sample.
Redactions in Figure 8 show where the references to banks would be within the memory strings.
The use of .cpl file extensions are a necessary item for most Control Panel tools to function properly. The operating system’s need for this extension makes the mitigation and remediation extremely difficult within the security stack. The trend to deliver banking trojans to the endpoint is a looming threat of these extensions. Educating end users on how to properly identify and report these types of files when they are encountered is the best way to avoid this type of infection on a network.
To stay abreast of the latest phishing and malware trends, sign up for free Cofense Threat Alerts.
Indicators of Compromise
Observed URLs: hxxps://gentsilen[.]com[.]mx/cl/factura[.]php?folio=1&Importancia=Urgente&descarga=true&impuestos=servidor_alerce&site=www[.]sii[.]cl
File Name: Sii_Documento_TVLN11.zip
File size: 718,191 Bytes
File Name: Sii_Documento_TVLN11.zip
File size: 717,935 Bytes
File Name: Sii_Documento_K3YLT2WJNU.cpl
File size: 761,902
File Name: mTjdyis.exe
File size: 400.872 Bytes
File Name: shfolder.dll
File size: 42.466.735 Bytes
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.