Sniffers that could: how the FakeSecurity family infected online stores

In December 2018, Group-IB specialists discovered a new family of sniffers called FakeSecurity. It was used by a criminal group that infected websites running the Magento CMS. Analysis revealed that in a recent campaign the attackers used password-stealing malware; the victims were the owners of online stores infected with a JavaScript sniffer. Group-IB's CERT alerted the affected sites, and Group-IB Threat Intelligence analyst Viktor Okorokov explains how the criminal activity was identified.

Recall that in March 2019 Group-IB published the report Crime Without Punishment: An Analysis of JS Sniffer Families, which analyzed 15 different JS sniffer families used to infect more than XNUMX online shopping sites.

Single address

During infection, the attackers inserted a link to a malicious script into the site's code. The script was loaded on the page and, at the moment the visitor paid for the goods, intercepted the visitor's payment data and sent it to the attackers' server. In the early stages of the FakeSecurity attacks, both the malicious scripts and the sniffer gate were hosted on the same domain, magento-security[.]org.

Later, some Magento sites were found to be infected by the same sniffer family, but this time the attackers used new domain names to host the malicious code:

  • fisweddesign[.]com
  • alloaypparel[.]com

Both of these domain names were registered to the same email address, greenstreethunter@india[.]com. The same address was used to register a third domain name, firstofbanks[.]com.

Convincing request

An analysis of the three new domains used by the FakeSecurity criminal group showed that some of them were involved in a malware distribution campaign that began in March 2019. The attackers distributed links to pages claiming that the user needed to install a missing plugin in order to display a document correctly. If the user downloaded the application, their computer was infected with password-stealing malware.

In total, 11 unique links were identified that led to fake pages that prompted the user to install malware.

  • hxxps://www.etdoors.com/uploads/Statement00534521[.]html
  • hxxps://www.healthcare4all.co.uk/manuals/Statement00534521[.]html
  • hxxps://www.healthcare4all.co.uk/lib/Statement001845[.]html
  • hxxps://www.healthcare4all.co.uk/doc/BankStatement001489232[.]html
  • hxxp://verticalinsider.com/bookmarks/Bank_Statement0052890[.]html
  • hxxp://thepinetree.net/n/docs/Statement00159701[.]html
  • hxxps://www.readicut.co.uk/media/pdf/Bank_Statement00334891[.]html
  • hxxp://www.e-cig.com/doc/pdf/eStmt[.]html
  • hxxps://www.genstattu.com/doc/PoliceStatement001854[.]html
  • hxxps://www.tokyoflash.com/pdf/statment001854[.]html
  • hxxps://www.readicut.co.uk/media/pdf/statment00789[.]html

A potential victim of the campaign received a spam email containing a link to a first-level page. This page is a small HTML document with an iframe whose content is loaded from a second-level page. The second-level page is a landing page whose content encourages the recipient to install an executable file. In this campaign the attackers used a landing page themed around installing a missing plugin for Adobe Reader, so the first-level page imitated a link to a PDF file opened in a browser's online viewer. The second-level page contains a link to the malicious file distributed in the campaign, which is downloaded when the "Download plugin" button is clicked.

An analysis of the pages used in this campaign showed that the second-level pages were usually located on the domains of the attackers, while the first-level page and the malicious file itself were most often located on hacked e-commerce sites.

Example page structure for malware distribution

Through spam, a potential victim receives a link to an HTML file, for example hxxps://www.healthcare4all[.]co[.]uk/manuals/Statement00534521[.]html. The linked HTML file contains an iframe element whose source is the main content of the page; in this example the page content is located at hxxps://alloaypparel[.]com/view/public/Statement00534521/PDF/Statement001854[.]pdf. As this example shows, here the attackers used their own registered domain, not the hacked site, to host the page content. The interface displayed at this link has a "Download plugin" button. If the victim clicks it, an executable file is downloaded from the link specified in the page code; in this example it is downloaded from hxxps://www.healthcare4all[.]co[.]uk/manuals/Adobe-Reader-PDF-Plugin-2.37.2.exe, that is, the malicious file itself is stored on the hacked site.
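The two-level page structure just described, and the injected sniffer script mentioned at the start of the article, both come down to the same triage question for a site owner: which script, iframe and download references on a page point somewhere the site does not control? The following is an added example, not Group-IB's code: a small stdlib-only Python helper that parses an HTML document and flags references whose host is not on the site's own allowlist or that point at an executable file. The sample pages are constructed for this example from the defanged URLs in the article; the script path on magento-security[.]org, the host shop.example and the page wording are assumptions, not observed artifacts.

```python
"""Triage helper for the two-level page structure described above.

Added example, not Group-IB's code: parses an HTML document with the
standard library and reports <script src>, <iframe src> and <a href>
references whose host is not on the site's own allowlist, plus any link
to a Windows executable. The same check covers a storefront page carrying
an injected external sniffer <script>. Sample pages are constructed from
the defanged URLs in the article; the script path on magento-security[.]org
is a placeholder, not an observed path.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: file suffixes we treat as a direct executable download.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi", ".bat")


def refang(text: str) -> str:
    """Turn defanged 'hxxps://a[.]b' into 'https://a.b' so urlparse can read it."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


class RefCollector(HTMLParser):
    """Collects (tag, url) pairs for script, iframe and anchor references."""

    def __init__(self) -> None:
        super().__init__()
        self.refs: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "iframe") and attrs.get("src"):
            self.refs.append((tag, attrs["src"]))
        elif tag == "a" and attrs.get("href"):
            self.refs.append((tag, attrs["href"]))


def find_suspicious_refs(html: str, own_hosts: set[str]) -> list[dict]:
    """Return references that point off-site or to an executable file."""
    collector = RefCollector()
    collector.feed(refang(html))
    findings = []
    for tag, url in collector.refs:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()  # "" for relative references
        reasons = []
        if host and host not in own_hosts:
            reasons.append("external host")
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("executable download")
        if reasons:
            findings.append({"tag": tag, "url": url, "host": host, "reasons": reasons})
    return findings


# Constructed sample pages (defanged URLs taken from the article).
FIRST_LEVEL_PAGE = """<html><body>
<iframe src="hxxps://alloaypparel[.]com/view/public/Statement00534521/PDF/Statement001854[.]pdf"
        width="100%" height="100%"></iframe>
</body></html>"""

SECOND_LEVEL_PAGE = """<html><body>
<p>The document cannot be displayed. A plugin is missing.</p>
<a href="hxxps://www.healthcare4all[.]co[.]uk/manuals/Adobe-Reader-PDF-Plugin-2.37.2.exe">Download plugin</a>
</body></html>"""

# Storefront with an injected sniffer tag; the script path is a placeholder.
STORE_PAGE = """<html><head>
<script src="/static/frontend/checkout.js"></script>
<script src="hxxps://magento-security[.]org/PLACEHOLDER.js"></script>
</head><body>checkout</body></html>"""


if __name__ == "__main__":
    for name, page, own in [
        ("first-level page on hacked host", FIRST_LEVEL_PAGE, {"www.healthcare4all.co.uk"}),
        ("second-level page on attacker host", SECOND_LEVEL_PAGE, {"alloaypparel.com"}),
        ("storefront checkout page", STORE_PAGE, {"shop.example"}),
    ]:
        print(name)
        for finding in find_suspicious_refs(page, own):
            print("  ", finding["tag"], finding["url"], finding["reasons"])
```

Run against the first-level page with the hacked site's host allowlisted, the iframe to alloaypparel[.]com is the only finding; against the second-level page, the "Download plugin" anchor is flagged for both an external host and an executable suffix; against the storefront, the relative checkout script is silent and only the injected external script is reported. An allowlist check is deliberately coarse: legitimate CDNs will also show up, so the output is a review queue, not a verdict.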

"Mephistopheles" of our time

Analysis of the domain alloaypparel[.]com revealed that the Mephistophilus phishing kit was used to distribute the malware. The kit allows an operator to create and deploy phishing pages for malware distribution: Mephistophilus uses several types of landing pages that prompt the user to install a supposedly missing plugin required for an application to work. In fact, malware is installed on the user's computer; the operator adds the link to it through the Mephistophilus administrative panel.

The Mephistophilus spear-phishing system went on sale on underground forums in August 2016. It is a standard phishing kit that uses fake web pages offering to download malware under the guise of a plugin update (MS Word, MS Excel, PDF, YouTube) needed to view the contents of a document or page. Mephistophilus was developed and sold by an underground forum user named Kokain. To infect a victim with the kit, an attacker needs to persuade the user to follow a link to a page generated by Mephistophilus. Regardless of the theme of the phishing page, a message appears saying that a missing plugin must be installed to correctly display the online document or YouTube video. For this purpose, Mephistophilus has several types of phishing pages that imitate legitimate services:

  • Microsoft Office365 Word or Excel Online Document Viewer
  • Online PDF Viewer
  • YouTube Clone Page

Victims

As part of the malicious campaign, the criminal group did not limit itself to self-registered domain names: to host the distributed malware samples, the attackers also used several online shopping sites that had previously been infected with the FakeSecurity sniffer.

A total of 5 unique links to 5 unique malware samples were detected, 4 of which were hosted on hacked websites running the Magento CMS:

  • hxxps://www.healthcare4all[.]co[.]uk/manuals/Adobe-Reader-PDF-Plugin-2.37.2.exe
  • hxxps://www.genstattu[.]com/doc/Adobe-Reader-PDF-Plugin-2.31.4.exe
  • hxxps://firstofbanks[.]com/file_d/Adobe-Reader-PDF-Plugin-2.35.8.exe
  • hxxp://e-cig[.]com/doc/Adobe-Reader-PDF-Plugin-2.31.4.exe
  • hxxp://thepinetree[.]net/docs/msw070619.exe

The malware samples distributed in this campaign are samples of the Vidar stealer, designed to steal passwords from browsers and certain applications. It can also collect files matching specified parameters and transfer them to the administrative panel, which makes it easier, for example, to steal cryptocurrency wallet files. Vidar is offered as malware-as-a-service: all collected data is sent to the gate and then forwarded to a centralized administrative panel, where each buyer of the stealer can view the logs received from infected computers.

Capable thief

The Vidar stealer appeared in November 2018. It was developed and put up for sale on underground forums by a user under the pseudonym Loadbaks. According to the developer's description, Vidar can steal passwords from browsers, files matching specified paths and masks, bank card data, cold wallet files, Telegram and Skype correspondence, and browser history. Renting the stealer costs from $250 to $300 per month. The stealer's admin panel and the domains used as gates are hosted on the Vidar authors' servers, which reduces infrastructure costs for buyers.

In the case of the malicious file msw070619.exe, in addition to distribution via the Mephistophilus landing page, a malicious DOC file, BankStatement0040918404.doc (MD5: 1b8a824074b414419ac10f5ded847ef1), was also detected that dropped this executable to disk using macros. The DOC file BankStatement0040918404.doc was attached to malicious emails sent as part of the campaign.

We dissect the attack

The discovered email (MD5: 53554192ca888cccbb5747e71825facd) was sent to the contact address of a site running the Magento CMS. From this we can conclude that one of the targets of the campaign was the administrators of online stores, and that the goal of the infection was access to the Magento administrative panel and other e-commerce platforms for the subsequent installation of a sniffer and the theft of customer data from the infected stores.

Thus, the infection scheme as a whole consisted of the following steps:

  1. The attackers deployed the Mephistophilus phishing kit administrative panel on the host alloaypparel[.]com.
  2. The attackers placed password-stealing malware on hacked legitimate sites and on their own sites.
  3. Using the phishing kit, the attackers deployed several landing pages to distribute the malware, and also created malicious documents with macros that downloaded the malware to the user's computer.
  4. The attackers launched a spam campaign sending emails with malicious attachments and links to the landing pages for installing the malware. At least some of the attackers' targets were administrators of online stores.
  5. When an online store administrator's computer was successfully compromised, the stolen credentials were used to access the store's administrative panel and install a JS sniffer to steal the bank card data of users paying on the infected site.

Relationship with other attacks

The attackers' infrastructure was deployed on a server with the IP address 200.63.40.2, which belongs to the server rental service Panamaservers[.]com. Prior to the FakeSecurity campaign, this server was used for phishing and for hosting the administrative panels of various password-stealing malware.

Based on the specifics of the FakeSecurity campaign, it can be assumed that the administrative panels of the Lokibot and AZORult stealers hosted on this server were used in previous attacks by the same group in January 2019. According to this article, on January 14, 2019, unknown attackers distributed Lokibot malware by mass mailing with a malicious DOC file as an attachment. On January 18, 2019, malicious documents that installed the AZORult malware were also distributed. Analysis of that campaign revealed the following administrative panels located on the server with the IP address 200.63.40.2:

  • http[:]//chuxagama[.]com/web-obtain/Panel/five/PvqDq929BSx_A_D_M1n_a.php (Lokibot)
  • http[:]//umbra-diego[.]com/wp/Panel/five/PvqDq929BSx_A_D_M1n_a.php (Lokibot)
  • http[:]//chuxagama[.]com/web-obtain/Panel/five/index.php (AZORult)

The domain names chuxagama[.]com and umbra-diego[.]com were registered by the same user with the email address dicksonfletcher@gmail.com. The same address was used in May 2016 to register the domain name worldcourrierservices[.]com, which was then used as the website of the scam company World Courier Service.

Given that, in the FakeSecurity campaign, the attackers used password-stealing malware, spread it via email spam, and used the server with the IP address 200.63.40.2, it can be assumed that the January 2019 malware campaign was carried out by the same criminal group.

Indicators

File name Adobe-Reader-PDF-Plugin-2.37.2.exe

  • MD5 3ec1ac0be981ce6d3f83f4a776e37622
  • SHA-1 346d580ecb4ace858d71213808f4c75341a945c1
  • SHA-256 6ec8b7ce6c9858755964f94acdf618773275589024e2b66583e3634127b7e32c
  • Size 615984

File name Adobe-Reader-PDF-Plugin-2.31.4.exe

  • MD5 58476e1923de46cd4b8bee4cdeed0911
  • SHA-1 aafa9885b8b686092b003ebbd9aaf8e604eea3a6
  • SHA-256 15abc3f55703b89ff381880a10138591c6214dee7cc978b7040dd8b1e6f96297
  • Size 578048

File name Adobe-Reader-PDF-Plugin-2.35.8.exe

  • MD5 286096c7e3452aad4acdc9baf897fd0c
  • SHA-1 26d71553098b5c92b55e49db85c719f5bb366513
  • SHA-256 af04334369878408898a223e63ec50e1434c512bc21d919769c97964492fee19
  • Size 1069056

File name Adobe-Reader-PDF-Plugin-2.31.4.exe

  • MD5 fd0e11372a4931b262f0dd21cdc69c01
  • SHA-1 54d34b6a6c4dc78e62ad03713041891b6e7eb90f
  • SHA-256 4587da5dca2374fd824a15e434dae6630b24d6be6916418cee48589aa6145ef6
  • Size 856576

File name msw070619.exe

  • MD5 772db176ff61e9addbffbb7e08d8b613
  • SHA-1 6ee62834ab3aa4294eebe4a9aebb77922429cb45
  • SHA-256 0660059f3e2fb2ab0349242b4dde6bf9e37305dacc2da870935f4bede78aed34
  • Size 934448

Domains

  • fisweddesign[.]com
  • alloaypparel[.]com
  • firstofbanks[.]com
  • magento-security[.]org
  • mage-security[.]org

URLs

  • https[:]//www[.]healthcare4all[.]co[.]uk/manuals/Adobe-Reader-PDF-Plugin-2.37.2.exe
  • https[:]//www[.]genstattu[.]com/doc/Adobe-Reader-PDF-Plugin-2.31.4.exe
  • https[:]//firstofbanks[.]com/file_d/Adobe-Reader-PDF-Plugin-2.35.8.exe
  • http[:]//e-cig[.]com/doc/Adobe-Reader-PDF-Plugin-2.31.4.exe
  • http[:]//thepinetree[.]net/docs/msw070619.exe
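An indicator list like the one above is only useful once it is matched against something. The following is an added example, not Group-IB's code: it refangs the defanged indicators, keeps domain indicators and full-URL indicators apart, and matches them against constructed proxy log lines and a constructed (path, SHA-256) file inventory. The key=value log layout, the client addresses, the timestamps and the inventory paths are assumptions made for the example; the hashes and indicators themselves are the ones listed above. Keeping URL and domain matching separate matters here because healthcare4all.co.uk is a hacked legitimate site: only the exact URL of the hosted file is an indicator, not the whole domain.

```python
"""Match the article's indicators against proxy logs and a file inventory.

Added example, not Group-IB's code. Refangs the defanged indicators listed
above, separates domain indicators from full-URL indicators, and matches
them against constructed proxy log lines in a key=value layout (an assumed
format) and against a constructed list of (path, sha256) pairs.
"""
import re
from urllib.parse import urlparse

# Domain and URL indicators copied from the article, still defanged.
RAW_INDICATORS = """
fisweddesign[.]com
alloaypparel[.]com
firstofbanks[.]com
magento-security[.]org
mage-security[.]org
https[:]//www[.]healthcare4all[.]co[.]uk/manuals/Adobe-Reader-PDF-Plugin-2.37.2.exe
https[:]//www[.]genstattu[.]com/doc/Adobe-Reader-PDF-Plugin-2.31.4.exe
http[:]//thepinetree[.]net/docs/msw070619.exe
"""

# SHA-256 values from the indicator list above, mapped to the file name.
SHA256_INDICATORS = {
    "6ec8b7ce6c9858755964f94acdf618773275589024e2b66583e3634127b7e32c": "Adobe-Reader-PDF-Plugin-2.37.2.exe",
    "0660059f3e2fb2ab0349242b4dde6bf9e37305dacc2da870935f4bede78aed34": "msw070619.exe",
}

URL_FIELD = re.compile(r"\burl=(\S+)")  # assumed log layout: "... url=<value> ..."


def refang(text: str) -> str:
    """Turn 'hxxps[:]//a[.]b' into 'https://a.b'."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def parse_indicators(raw: str) -> tuple[set[str], set[str]]:
    """Split a defanged indicator list into (domains, urls)."""
    domains, urls = set(), set()
    for line in raw.splitlines():
        item = refang(line.strip())
        if not item:
            continue
        if "://" in item:
            urls.add(item)
        else:
            domains.add(item.lower())
    return domains, urls


def match_proxy_logs(lines, domains, urls):
    """Return one hit per log line whose full URL or host matches an indicator."""
    hits = []
    for line in lines:
        m = URL_FIELD.search(line)
        if not m:
            continue
        url = m.group(1)
        host = (urlparse(url).hostname or "").lower()
        if url in urls:  # exact URL: catches files hosted on hacked legitimate sites
            hits.append({"line": line, "kind": "url", "indicator": url})
            continue
        domain = next((d for d in domains if host == d or host.endswith("." + d)), None)
        if domain:  # attacker-controlled domain: any path on it is interesting
            hits.append({"line": line, "kind": "domain", "indicator": domain})
    return hits


def match_file_hashes(inventory, hash_map):
    """Return (path, indicator file name) for inventory entries with a known-bad SHA-256."""
    return [(path, hash_map[digest.lower()]) for path, digest in inventory if digest.lower() in hash_map]


# Constructed sample data for the example.
SAMPLE_PROXY_LOG = [
    "2019-06-12T10:14:03Z client=10.0.0.15 method=GET url=https://www.healthcare4all.co.uk/manuals/Adobe-Reader-PDF-Plugin-2.37.2.exe status=200",
    "2019-06-12T10:14:05Z client=10.0.0.15 method=GET url=https://alloaypparel.com/view/public/Statement00534521/PDF/Statement001854.pdf status=200",
    "2019-06-12T10:15:00Z client=10.0.0.22 method=GET url=https://www.healthcare4all.co.uk/index.html status=200",
    "2019-06-12T10:15:07Z client=10.0.0.22 method=GET url=https://www.example.org/ status=200",
]
SAMPLE_INVENTORY = [  # digests stored uppercase by the inventory tool (constructed)
    (r"C:\Users\admin\Downloads\Adobe-Reader-PDF-Plugin-2.37.2.exe",
     "6ec8b7ce6c9858755964f94acdf618773275589024e2b66583e3634127b7e32c".upper()),
    (r"C:\Users\admin\Downloads\report.pdf", "00" * 32),
]


def run_example():
    """Match the constructed samples against the article's indicators."""
    domains, urls = parse_indicators(RAW_INDICATORS)
    return match_proxy_logs(SAMPLE_PROXY_LOG, domains, urls), match_file_hashes(SAMPLE_INVENTORY, SHA256_INDICATORS)


if __name__ == "__main__":
    log_hits, file_hits = run_example()
    for hit in log_hits:
        print(hit["kind"], hit["indicator"], "<-", hit["line"])
    for path, name in file_hits:
        print("hash match", path, "=", name)
```

On the constructed log, the download of the plugin executable is found by exact URL, the visit to alloaypparel[.]com is found by domain, and the ordinary request to the hacked site's front page is correctly left alone. Hashes are compared case-insensitively because inventory tools differ in how they print digests.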

Source: habr.com