The Australian Securities and Investment Commission (ASIC) is an independent government agency that is Australia's corporate, market and financial services regulator. ASIC provides several services including registration services for Australian companies. Opportunist Scammers taking advantage of the new year, leveraged the authority and trust of the ASIC brand and targeted Australian companies by sending them fake company registration renewal spam messages purporting to be from ASIC on 30th January 2018 as shown in Figure 1.
For this spam campaign scammers leveraged the infrastructure provided by email service providers, specifically an online email marketing company. The evidence suggests that the scammers probably created a mailing list using one such service and added their target emails to it. Once the mailing list was set, it was then used to send out spam, in which case, the actual spam messages were sent via the third-party email infrastructure supporting the mailing list, thus abusing the service. The victims were then tricked to download and execute the malware that infected their systems with the Ursnif trojan.
Header Analysis
Analyzing the spam message headers, it seems that it was sent from "ASIC Messaging Service", however looking at the From field closely, the email appears to be coming from "<asic.transaction.no-reply@fastbusinesscards.net.au>", notice the non-ASIC domain "fastbusinesscards[.]net.au" in the header From field. The message is sent with the Subject "Renewal". Analyzing the headers further, it appears that the message was received from Mailjet, an e-mail marketing company and service provider, as illustrated here in the Received field: "Received: from o149.p9.mailjet.com ([87.253.234.149])". The Message-ID field also validates this by suggesting that the message was generated by a host within mailjet.com as shown here: <9c096f17.AEoAALTL_xoAAVIZi8gAAGg7k2AAAR0t0pgAGcRtAAaqxwBab8_A@mailjet.com>. Finally, the List-Id fields in the header suggests that the message was sent to a mailing list as illustrated here:
- List-Id: <asic.transaction.no-reply.fastbusinesscards.net.au.vlzt-00v3t.mj>
- List-Unsubscribe: <mailto:unsub-9c096f17.vlzt.xlpm8zwgsm16@bnc3.mailjet.com>
- X-MJ-Mid: AEoAALTL_xoAAVIZi8gAAGg7k2AAAR0t0pgAGcRtAAaqxwBab8_AeDS9kupkSdaFuPdw-sBUfAAGYMg
Body Analysis
The message body has the official ASIC logo and uses official language thus imitating a legit appearance to the victim. This message is purportedly sent by executives from the ASIC "Registry" department instructing Australian companies to renew their company registration. The message instructs the user to renew their registration by using the renewal letter provided as a link. On clicking this link, it automatically downloads a zip archive containing a malicious JavaScript downloader in it. The unaware victim is enticed to open the zip archive named as "Notification_1-QEM7S3P.zip" and double click on the JavaScript file in it that he assumes is the renewal letter. This malicious JavaScript on execution fetches the Ursnif malware sample from an external host and executes the malware on the victim's computer.
Figure 1: The actual ASIC spam message with official look and feel to lure the victim to click on the renewal letter and open it
The embedded malicious links in the HTML of the email message are shown in Figure 2 and 3. They point to this custom Mailjet URL that redirects to the actual malware hosting site:
hxxp://vlzt[.]mjt[.]lu/lnk/AEoAALTL_xoAAVIZi8gAAGg7k2AAAR0t0pgAGcRtAAaqxwBab8_AeDS9kupkSdaFuPdw-sBUfAAGYMg/1/tJEXVGn5th8G7avaGP2Q9Q/aHR0cDovL2Zhc3RidXNpbmVzc2NhcmRzLm5ldC5hdS9yZW5ld2FsL05vdGlmaWNhdGlvbl8xLVFFTTdTM1Auemlw
Figure 2: Link to an embedded 1x1 gif image pointing to the scammer controlled infrastructure Often used for keeping stats on which users clicked on the scam link
Figure 3: Mailjet links embedded in the HTML of the email message leading to the malware site
Malware Analysis
This Mailjet URL is setup in this campaign as an intermediary node and performs a 302 redirect to redirect the victim's browser to the actual URL hosting the malware (as shown in the Fiddler flow below, Figure 4). This URL forces the web browser to download the ZIP archive "Notification_1-QEM7S3P.zip" automatically, as shown in figure 4 and 5.
URL hosting the malware downloader: hxxp://fastbusinesscards[.]net.au/renewal/Notification_1-QEM7S3P.zip
Figure 4: Fiddler flow showing redirection to malware link
Unzipping the zip archive reveals a JavaScript file named "Notification_1-QEM7S3P.js" as shown in figure 5. This JavaScript file is a highly obfuscated sample as shown in Figure 6. Double-clicking on the JavaScript sample would execute it under windows using WScript.
Figure 5: ZIP archive downloaded containing the JavaScript downloader
Figure 6: The obfuscated JavaScript sample that is a malware downloader and executor
The JavaScript downloader then fetches and executes the actual malware from this URL hosted on a server in France. Malware is downloaded by the JavaScript downloader from this URL: hxxp://91.121[.]68[.]80/images/contact[.]png
In case of a network failure the scammers have set this backup URL to download the malware: hxxp://94.23[.]15[.]45/images/contact[.]png
The malware is hosted with the .PNG extension to disguise it as an image. The Wireshark flow below clearly shows the "MZ" header in the HTTP response, indicating that this is a Windows executable or PE binary hidden as a PNG image file.
Figure 7: PE binary MZ header visible in this HTTP flow of the downloaded PNG image. Scammers use such tactics to evade detection by web gateways and hide their malware in plain sight
The malware that got downloaded and executed by the victim had the MD5 hash of "7610794b808281e2cc1dae26895fe102". Once downloaded the malware is stored in the temp folder as: "%TEMP%\MjOg9iW.exe". A closer look at the malware sample reveals similar behavior to the data stealing NSIS compressed URSNIF trojan that we have seen and reported in the past. This malware is executed by the JavaScript by creating a hidden PowerShell process as shown in the process tree diagram below and launches the process. This sample appears to be a variant of the URSNIF malware.
Figure 8: Process tree showing hierarchy of processes launched.
IOC
- Malware MD5 hash: "7610794b808281e2cc1dae26895fe102"
- Malware saved to disk as: "%TEMP%\MjOg9iW.exe"
- URL hosting malware:
- hxxp://94.23[.]15[.]45/images/contact[.]png
- hxxp://91.121[.]68[.]80/images/contact[.]png
- URLs hosting JS Downloader zip file:
- hxxp://fastbusinesscards[.]net.au/renewal/Notification_1-QEM7S3P.zip
- hxxp://vlzt[.]mjt[.]lu/lnk/AEoAALTL_xoAAVIZi8gAAGg7k2AAAR0t0pgAGcRtAAaqxwBab8_AeDS9kupkSdaFuPdw-sBUfAAGYMg/1/tJEXVGn5th8G7avaGP2Q9Q/aHR0cDovL2Zhc3RidXNpbmVzc2NhcmRzLm5ldC5hdS9yZW5ld2FsL05vdGlmaWNhdGlvbl8xLVFFTTdTM1Auemlw
Conclusion
Scammers are using sophisticated means to attack their targets. In this campaign they concealed their attack under the guise of a benign looking email reminder, instructing Australian companies to renew their registration by downloading the letter provided via a link, while posing as an Australian government agency (ASIC). The attack is concealed further by launching it through the infrastructure of third party mailing list service provider, thus acting as a proxy for the scammers. Finally, the malware itself is concealed as a PNG image extension, thus adding deception at each step. This campaign is a multi-stage attack and requires user interaction with intentional layers of sophistications to evade detection. We detect and block such attacks at the email gateway level, we also advise customers to avoid opening any unsolicited email especially any email containing dodgy links and extensions. We shared our findings with Mailjet and coordinated with them to timely block the user account and thus inhibit further spread using this campaign.
Acknowledgements
We would like to acknowledge Phil Hay and Rodel Mendrez for their valuable feedback and advice.
