The Australian Securities and Investment Commission (ASIC) is an independent government agency that is Australia's corporate, market and financial services regulator. ASIC provides several services including registration services for Australian companies. Opportunist Scammers taking advantage of the new year, leveraged the authority and trust of the ASIC brand and targeted Australian companies by sending them fake company registration renewal spam messages purporting to be from ASIC on 30th January 2018 as shown in Figure 1.
For this spam campaign scammers leveraged the infrastructure provided by email service providers, specifically an online email marketing company. The evidence suggests that the scammers probably created a mailing list using one such service and added their target emails to it. Once the mailing list was set, it was then used to send out spam, in which case, the actual spam messages were sent via the third-party email infrastructure supporting the mailing list, thus abusing the service. The victims were then tricked to download and execute the malware that infected their systems with the Ursnif trojan.
Analyzing the spam message headers, it seems that it was sent from "ASIC Messaging Service", however looking at the From field closely, the email appears to be coming from "<email@example.com>", notice the non-ASIC domain "fastbusinesscards[.]net.au" in the header From field. The message is sent with the Subject "Renewal". Analyzing the headers further, it appears that the message was received from Mailjet, an e-mail marketing company and service provider, as illustrated here in the Received field: "Received: from o149.p9.mailjet.com ([220.127.116.11])". The Message-ID field also validates this by suggesting that the message was generated by a host within mailjet.com as shown here: <9c096f17.AEoAALTL_xoAAVIZi8gAAGg7k2AAAR0t0pgAGcRtAAaqxwBab8_A@mailjet.com>. Finally, the List-Id fields in the header suggests that the message was sent to a mailing list as illustrated here:
- List-Id: <asic.transaction.no-reply.fastbusinesscards.net.au.vlzt-00v3t.mj>
- List-Unsubscribe: <mailto:firstname.lastname@example.org>
- X-MJ-Mid: AEoAALTL_xoAAVIZi8gAAGg7k2AAAR0t0pgAGcRtAAaqxwBab8_AeDS9kupkSdaFuPdw-sBUfAAGYMg
The embedded malicious links in the HTML of the email message are shown in Figure 2 and 3. They point to this custom Mailjet URL that redirects to the actual malware hosting site:
This Mailjet URL is setup in this campaign as an intermediary node and performs a 302 redirect to redirect the victim's browser to the actual URL hosting the malware (as shown in the Fiddler flow below, Figure 4). This URL forces the web browser to download the ZIP archive "Notification_1-QEM7S3P.zip" automatically, as shown in figure 4 and 5.
URL hosting the malware downloader: hxxp://fastbusinesscards[.]net.au/renewal/Notification_1-QEM7S3P.zip
In case of a network failure the scammers have set this backup URL to download the malware: hxxp://94.23[.]15[.]45/images/contact[.]png
The malware is hosted with the .PNG extension to disguise it as an image. The Wireshark flow below clearly shows the "MZ" header in the HTTP response, indicating that this is a Windows executable or PE binary hidden as a PNG image file.
- Malware MD5 hash: "7610794b808281e2cc1dae26895fe102"
- Malware saved to disk as: "%TEMP%\MjOg9iW.exe"
- URL hosting malware:
- URLs hosting JS Downloader zip file:
Scammers are using sophisticated means to attack their targets. In this campaign they concealed their attack under the guise of a benign looking email reminder, instructing Australian companies to renew their registration by downloading the letter provided via a link, while posing as an Australian government agency (ASIC). The attack is concealed further by launching it through the infrastructure of third party mailing list service provider, thus acting as a proxy for the scammers. Finally, the malware itself is concealed as a PNG image extension, thus adding deception at each step. This campaign is a multi-stage attack and requires user interaction with intentional layers of sophistications to evade detection. We detect and block such attacks at the email gateway level, we also advise customers to avoid opening any unsolicited email especially any email containing dodgy links and extensions. We shared our findings with Mailjet and coordinated with them to timely block the user account and thus inhibit further spread using this campaign.
We would like to acknowledge Phil Hay and Rodel Mendrez for their valuable feedback and advice.