Authors: Dr. Fahim Abbasi, Nicholas Ramos, Rodel Mendrez and Gerald Carsula
In our previous blog we highlighted how a group of scammers were targeting financial software customers by spamming out Microsoft Sharepoint URLs that lead the target to fake invoices infected with malware. This time we observed the same group involved in another widespread campaign, spamming out similar Microsoft Sharepoint URLs that link to fake Australian power and telco bills infected with malware.
Fake Energy Australia scam
EnergyAustralia formerly known as TRUenergy is an electricity generation and retail private company in Australia. On 18th September, 2017, we witnessed a rise in phishing messages distributing spoofed EnergyAustralia Electricity bills.
The spam/phishing message appears as a fake EnergyAustralia power bill as shown in Figure 1 and 2. Scammers have copied legit email bill templates to lure victims into believing the authenticity of their phished messages. Here it's important to note that these messages are sent from a domain "energybrandlab.com" that is different from the official EnergyAustralia domain "energyaustralia.com.au". Further analysis of the domain "energybrandlab.com" revealed that it was created on 17th September, 2017 and registered by the same group of scammers we pointed out in our previous blog. The registrant information for this domain is shown here:
Figure 1: Fake power bill
Figure 2: Fake power bill with different amount
The legit-looking message is designed to lure the user to click on the link to view his power bill. Clicking on this link points the web browser to the URL:
This domain performs an HTTP 302 temporary redirect to a Microsoft SharePoint URL as shown in Figure 4:
Browsing to this URL downloads a zip file ("EnergyAustralia Electricity bill.zip") to the system as shown in Figure 3. The 302 redirect seems to be a new evasive tactic used by the scammers. In previous campaigns they directly pointed to the SharePoint URL hosting the malicious script.
Figure 3: Clicking on the URL downloads the fake EnergyAustralia Electricity bill.zip file
Figure 4: HTTP traffic illustrating the HTTP temporary 302 redirect to a Sharepoint URL
The JScript contains obfuscated strings which can be easily de-obfuscated with a one-liner Python code (see Figure 7):
Sample Obfuscated Strings:
Figure 7: Code for De-obfuscation
This JScript is basically a Trojan downloader and a launcher. It downloads two files, the first file is an EXE and the second is a PDF. The PDF is a fake Bill Invoice of Energy Australia which is displayed to trick the user while the binary (EXE) gets executed in the background.
Here's a screenshot of the fake Energy Australia Bill invoice that is presented to the unaware victim (see Figure 8)
Figure 8: Fake Energy Australia invoice shown to users
The executable was found to be a variant of a notorious banking Trojan known as ISFB A.K.A Ursnif/Gozi whose code was leaked in 2010. Upon execution, it creates a new process of svchost.exe and injects its code to that process.
The malware avoids process injection if its filename is "sample.exe", "mlwr_smpl.exe", or "artifact.exe". It also avoids running if any of the following Windows username are found:
- John Doe
It collects system information and send it to its command and control at 18.104.22.168:443
This malware is designed to hook browser process and monitor browser activity. In addition, it can download additional plugins such as keylogger, email and FTP grabber, screen grabber and a downloader to install new malware.
Figure 9 Malware checks for browser process
Indicators of Compromise:
Command and Control:
- %TEMP%/ZgUiIDs5.exe (SHA1: e44e92474796762c63d336c363ff7a0c43868ace)
- %TEMP%/j9eEWNq.pdf – non-malicious fake invoice
Fake Telstra scam
In addition to the fake Energy Australia Spam email, we also encountered a fake Telstra bill notification scam on 27th September,2017 (See Figure 10). Telstra is an Australian telco company. Scammers spammed out legit-looking email messages containing counterfeit Telstra bill invoices having an embedded button to view the bill.
Figure 10: Fake Telstra Scam message
These spam messages were sent from the domain "businessdirs.com" that could be attributed to the same malicious actors as shown here:
Figure 11: The malicious obfuscated JS sample that is downloaded
The JS downloader downloads a binary file of the EMOTET malware instead of the URSNIF as seen in Energy Australia scam (see Figure 12).
Figure 12: Downloading of Ursnif malware
It also downloads a PDF file of the Telstra Bill that is shown below (see Figure 13 and 14).
Figure 13: Fake PDF invoice downloaded and displayed to user
Figure 14: Fake Telstra bill PDF
Indicators of Compromise (IOC)
- SHA1: A54E9FD76848368002FE842E3F95D9A114742410
Scammers are spamming out counterfeit bills impersonating Australian telco and power companies in an attempt to spread malware. These bills are infested with malicious links to banking trojans. Scammers are abusing the Microsoft SharePoint service to host their malware. The spam emails are sent out using newly registered domains owned by the same group reported earlier. Hiding malware behind links to reputable online services is being used as a means to evade detection by the spam gateways. A legit-looking decoy PDF bill is presented to the oblivious victims once they are infected to avoid suspicion.