Email used to be the dominant delivery vector for social engineering attacks, but attackers no longer rely on it alone, so defenses that only inspect email miss a growing share of phishing. Instead, phishing scams now target victims in environments they trust. Today, attackers create opportunities to engage via malvertisements on LinkedIn or Facebook pages, cloud content-management sites, or within messaging apps (e.g. WhatsApp, Skype).
A recent example: SlashNext intercepted a phishing attack designed to target Google Drive users. The URL of this phishing page was:
Here is how the page appeared in the users’ browser:
This page asks the user to enter their email address and password. When the user enters their login credentials and clicks the “Sign In” button, the information is submitted to a PHP script called “jayjay.php,” hosted on the same server.
The page source below shows the form markup that POSTs the completed form data to /lukas/jayjay.php, which stores it in a file or database on the attacker’s server:
As you can see, “q1_news” (above) is the form field that carries the victim’s email address and “q3_reports” holds the password string.
Once the email and password have been transferred to the adversary, the victim is redirected to an error page. To add legitimacy and avoid suspicion, that page displays a “Google PDF file too large” error rather than a generic 404. See the Location header field and the actual error below:
The error page contains a meta refresh tag with a five-second delay, after which the browser is redirected to the URL named in the tag, as shown below. A plausible-looking error followed by an automatic redirect makes it even harder for the user to notice that anything was suspicious.
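The flow above (a login form that POSTs to a PHP script on the same host, followed by a meta refresh redirect) is exactly what an analyst would want to pull out of a suspect page automatically. The script below is an added example, not SlashNext’s tooling or any code from the phishing kit: it parses page HTML and reports credential-harvesting forms, their field names, where they POST, and any meta refresh redirect. The two HTML samples are constructed for illustration; only the path /lukas/jayjay.php and the field names q1_news and q3_reports come from the article, while the host “phish.example”, the page filenames and the redirect target “https://example.com/” are assumptions.

```python
"""Triage helper for a suspected credential-harvesting page (added example).

Parses the HTML of a phishing page and reports the indicators described in
the article: a form with a password field that POSTs to a script on the same
host, the input names that carry the credentials, and a
<meta http-equiv="refresh"> tag that bounces the victim elsewhere after a delay.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class PhishFormParser(HTMLParser):
    """Collects <form>/<input> structure and any meta refresh from a page."""

    def __init__(self):
        super().__init__()
        self.forms = []           # each: {"action", "method", "inputs": [(name, type)]}
        self.meta_refresh = None  # (delay_seconds, target_url) or None
        self._current = None      # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lower-cases names for us
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").upper(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append((a.get("name", ""),
                                            (a.get("type") or "text").lower()))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "5; url=https://..."; delay and URL are separated by ';'
            delay, _, url_part = a.get("content", "").partition(";")
            url = url_part.strip()
            if url.lower().startswith("url="):
                url = url[4:].strip().strip("'\"")
            try:
                delay = int(delay.strip())
            except ValueError:
                delay = 0
            self.meta_refresh = (delay, url)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def triage(page_url, html):
    """Return a list of findings for the page at page_url with body html."""
    p = PhishFormParser()
    p.feed(html)
    page_host = urlparse(page_url).netloc
    findings = []
    for f in p.forms:
        action = urljoin(page_url, f["action"])          # resolve relative actions
        has_password = any(t == "password" for _, t in f["inputs"])
        cred_fields = [n for n, t in f["inputs"] if t in ("text", "email", "password")]
        if has_password and f["method"] == "POST":
            findings.append({"kind": "credential_form",
                             "action": action,
                             "same_host": urlparse(action).netloc == page_host,
                             "fields": cred_fields})
    if p.meta_refresh:
        delay, target = p.meta_refresh
        findings.append({"kind": "meta_refresh", "delay": delay,
                         "target": urljoin(page_url, target)})
    return findings


# Constructed samples: host, filenames and redirect target are assumptions;
# the path and field names are the ones reported in the article.
LOGIN_PAGE_URL = "http://phish.example/lukas/index.php"
SAMPLE_LOGIN_HTML = """
<html><body>
<form action="/lukas/jayjay.php" method="post">
  <input type="email" name="q1_news" placeholder="Email">
  <input type="password" name="q3_reports" placeholder="Password">
  <input type="submit" value="Sign In">
</form>
</body></html>
"""

ERROR_PAGE_URL = "http://phish.example/lukas/error.php"
SAMPLE_ERROR_HTML = """
<html><head>
<meta http-equiv="refresh" content="5; url=https://example.com/">
</head><body>Google PDF file too large</body></html>
"""

if __name__ == "__main__":
    for url, body in ((LOGIN_PAGE_URL, SAMPLE_LOGIN_HTML), (ERROR_PAGE_URL, SAMPLE_ERROR_HTML)):
        for finding in triage(url, body):
            print(url, finding)
```

Run against a captured page, the output tells you in one line whether the form submits a password, where it goes, and whether a timed redirect follows; a POST to a same-host .php script paired with a meta refresh to a different domain is the pattern described above.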
Our researchers found it intriguing that the attacker had not disabled directory listing on the web server. Two directories were exposed: one containing the Google Drive phishing page described above and the other containing a ZIP archive with a malicious executable called “invoice.exe.”
When the executable’s behavior was analyzed with conventional process-monitoring tools, no suspicious activity was observed. Advanced memory analysis, however, revealed that the binary was loading the notorious NanoCore RAT (Remote Access Trojan) onto the system using polymorphic techniques that let the malware hide its presence from conventional memory-monitoring tools and AV products.
In today’s attacks, it is common to find multiple types of malicious artifacts hosted on the same infrastructure. Attackers often launch several attacks against the same victims simultaneously, hoping that at least one succeeds. At the end of the day, they need to compromise only a single machine within a business network; that machine then becomes the starting point for the next set of attacks against the rest of the infrastructure (lateral movement).
Our research team will provide a detailed analysis of “invoice.exe” and its advanced evasion techniques in our next blog.