SpiderLabs Blog

Fake ASIC Renewal Spam Delivers Malware to Australian Companies

The Australian Securities and Investments Commission (ASIC) is an independent government agency that is Australia's corporate, market and financial services regulator. Among its services, ASIC provides registration services for Australian companies. On 30th January 2018, opportunist scammers taking advantage of the new year leveraged the authority and trust of the ASIC brand and targeted Australian companies with fake company registration renewal spam purporting to be from ASIC, as shown in Figure 1.

For this spam campaign the scammers leveraged infrastructure provided by an email service provider, specifically an online email marketing company. The evidence suggests that the scammers created a mailing list using the service and added their target addresses to it. Once the mailing list was set up, it was used to send out the spam, so the actual messages were delivered through the third-party email infrastructure supporting the mailing list, thus abusing the service. The victims were then tricked into downloading and executing the malware, which infected their systems with the Ursnif trojan.

Header Analysis

Analyzing the spam message headers, the message appears to be sent from "ASIC Messaging Service"; however, looking at the From field closely, the email actually comes from "<asic.transaction.no-reply@fastbusinesscards.net.au>". Note the non-ASIC domain "fastbusinesscards[.]net.au" in the header From field. The message is sent with the Subject "Renewal". Analyzing the headers further, the message was received from Mailjet, an e-mail marketing company and service provider, as shown in the Received field: "Received: from o149.p9.mailjet.com ([87.253.234.149])". The Message-ID field confirms this, as it indicates the message was generated by a host within mailjet.com: <9c096f17.AEoAALTL_xoAAVIZi8gAAGg7k2AAAR0t0pgAGcRtAAaqxwBab8_A@mailjet.com>. Finally, the List-Id and related header fields indicate that the message was sent to a mailing list:

  • List-Id: <asic.transaction.no-reply.fastbusinesscards.net.au.vlzt-00v3t.mj>
  • List-Unsubscribe: <mailto:unsub-9c096f17.vlzt.xlpm8zwgsm16@bnc3.mailjet.com>
  • X-MJ-Mid: AEoAALTL_xoAAVIZi8gAAGg7k2AAAR0t0pgAGcRtAAaqxwBab8_AeDS9kupkSdaFuPdw-sBUfAAGYMg
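The header checks walked through above, as an added example that is not part of the original post: it runs a triage over a constructed copy of this message's headers (the To line is a placeholder) and reports the brand/domain mismatch, the foreign Message-ID and first hop, and the mailing-list markers. The allow-list mapping the ASIC brand to asic.gov.au is an assumption made here.

```python
import email
from email.utils import parseaddr

# Constructed raw headers reproducing the values quoted in the post; the To line
# is a placeholder because the post does not show it.
RAW_MESSAGE = """\
From: ASIC Messaging Service <asic.transaction.no-reply@fastbusinesscards.net.au>
To: victim@example.com
Subject: Renewal
Received: from o149.p9.mailjet.com ([87.253.234.149])
Message-ID: <9c096f17.AEoAALTL_xoAAVIZi8gAAGg7k2AAAR0t0pgAGcRtAAaqxwBab8_A@mailjet.com>
List-Id: <asic.transaction.no-reply.fastbusinesscards.net.au.vlzt-00v3t.mj>
List-Unsubscribe: <mailto:unsub-9c096f17.vlzt.xlpm8zwgsm16@bnc3.mailjet.com>
X-MJ-Mid: AEoAALTL_xoAAVIZi8gAAGg7k2AAAR0t0pgAGcRtAAaqxwBab8_AeDS9kupkSdaFuPdw-sBUfAAGYMg

Body omitted.
"""

# Assumed allow-list: a display name mentioning a brand must come from that brand's domain.
BRAND_DOMAINS = {"asic": ("asic.gov.au",)}
# Headers that a mailing-list / bulk-mailing provider adds (X-MJ-Mid is Mailjet's).
BULK_MAILER_MARKERS = ("List-Id", "List-Unsubscribe", "X-MJ-Mid")

def domain_of(address):
    return address.strip("<>").rpartition("@")[2].lower()

def triage(raw):
    """Return the findings that make this mail look like brand spoofing sent
    through a third-party bulk-mailing service."""
    msg = email.message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and not any(
                sender_domain == d or sender_domain.endswith("." + d) for d in domains):
            findings.append(f"display name claims {brand.upper()} but sender domain is {sender_domain}")
    msgid_domain = domain_of(msg.get("Message-ID", ""))
    if msgid_domain and msgid_domain != sender_domain:
        findings.append(f"Message-ID generated at {msgid_domain}, not at {sender_domain}")
    for received in msg.get_all("Received", []):
        parts = received.split()
        if len(parts) > 1 and parts[0] == "from" and not parts[1].lower().endswith(sender_domain):
            findings.append(f"first hop {parts[1]} is outside the sender domain")
    present = [h for h in BULK_MAILER_MARKERS if msg.get(h)]
    if present:
        findings.append("bulk-mailing headers present: " + ", ".join(present))
    return findings
```

None of these findings is a verdict on its own (legitimate newsletters also carry List-Id), but a brand name in the display name with a non-brand sender domain plus a bulk-mailer first hop is the combination seen here.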

Body Analysis

The message body carries the official ASIC logo and uses official language, giving it a legitimate appearance to the victim. The message is purportedly sent by executives from the ASIC "Registry" department, instructing Australian companies to renew their company registration by using the renewal letter provided as a link. Clicking this link automatically downloads a zip archive containing a malicious JavaScript downloader. The unaware victim is enticed to open the zip archive, named "Notification_1-QEM7S3P.zip", and double-click the JavaScript file inside it, which they assume is the renewal letter. On execution, this malicious JavaScript fetches the Ursnif malware sample from an external host and runs it on the victim's computer.

Figure 1: The actual ASIC spam message with official look and feel to lure the victim to click on the renewal letter and open it

The embedded malicious links in the HTML of the email message are shown in Figure 2 and 3. They point to this custom Mailjet URL that redirects to the actual malware hosting site:
hxxp://vlzt[.]mjt[.]lu/lnk/AEoAALTL_xoAAVIZi8gAAGg7k2AAAR0t0pgAGcRtAAaqxwBab8_AeDS9kupkSdaFuPdw-sBUfAAGYMg/1/tJEXVGn5th8G7avaGP2Q9Q/aHR0cDovL2Zhc3RidXNpbmVzc2NhcmRzLm5ldC5hdS9yZW5ld2FsL05vdGlmaWNhdGlvbl8xLVFFTTdTM1Auemlw

Figure 2: Link to an embedded 1x1 gif image pointing to the scammer-controlled infrastructure, often used for keeping stats on which users clicked on the scam link

Figure 3: Mailjet links embedded in the HTML of the email message leading to the malware site

Malware Analysis

This Mailjet URL is set up in this campaign as an intermediary node: it performs a 302 redirect that sends the victim's browser to the actual URL hosting the malware (as shown in the Fiddler flow in Figure 4). That URL forces the web browser to download the ZIP archive "Notification_1-QEM7S3P.zip" automatically, as shown in Figures 4 and 5.

URL hosting the malware downloader: hxxp://fastbusinesscards[.]net.au/renewal/Notification_1-QEM7S3P.zip

Figure 4: Fiddler flow showing redirection to malware link

Unzipping the archive reveals a JavaScript file named "Notification_1-QEM7S3P.js", as shown in Figure 5. This JavaScript file is highly obfuscated, as shown in Figure 6. Double-clicking the JavaScript sample executes it under Windows using WScript.

Figure 5: ZIP archive downloaded containing the JavaScript downloader

Figure 6: The obfuscated JavaScript sample that is a malware downloader and executor

The JavaScript downloader then fetches and executes the actual malware from a server hosted in France. The malware is downloaded from this URL: hxxp://91.121[.]68[.]80/images/contact[.]png

In case of a network failure, the scammers have set this backup URL for downloading the malware: hxxp://94.23[.]15[.]45/images/contact[.]png

The malware is hosted with a .PNG extension to disguise it as an image. The Wireshark flow below clearly shows the "MZ" header at the start of the HTTP response, indicating that this is a Windows executable (PE binary) disguised as a PNG image file.

Figure 7: PE binary MZ header visible in this HTTP flow of the downloaded PNG image. Scammers use such tactics to evade detection by web gateways and hide their malware in plain sight
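Two analyst checks for the chain just described, as an added example that is not part of the original post: the first reads the redirect target straight out of the Mailjet tracking link quoted above (its last path segment is the base64-encoded destination, so the 302 need not be followed), and the second flags a response served under an image extension whose bytes begin with the PE "MZ" magic, as in Figure 7. The sample response bodies are constructed.

```python
import base64
from urllib.parse import urlparse

# The Mailjet tracking link quoted in the post, defanged exactly as written there.
TRACKING_LINK = (
    "hxxp://vlzt[.]mjt[.]lu/lnk/AEoAALTL_xoAAVIZi8gAAGg7k2AAAR0t0pgAGcRtAAaqxwBab8_AeDS9kupkSdaFuPdw-sBUfAAGYMg"
    "/1/tJEXVGn5th8G7avaGP2Q9Q/"
    "aHR0cDovL2Zhc3RidXNpbmVzc2NhcmRzLm5ldC5hdS9yZW5ld2FsL05vdGlmaWNhdGlvbl8xLVFFTTdTM1Auemlw"
)

def refang(url):
    """Undo the hxxp / [.] defanging used in the post so the URL can be parsed."""
    return url.replace("hxxp", "http").replace("[.]", ".")

def decode_tracking_target(url):
    """Return the landing URL carried in the last path segment of the tracking link.
    In this campaign's /lnk/ link that segment is the base64-encoded destination,
    so the 302 target can be read without ever following the redirect."""
    last = urlparse(refang(url)).path.rstrip("/").rsplit("/", 1)[-1]
    padded = last + "=" * (-len(last) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8", "replace")

# Magic bytes that identify the real file type regardless of the URL's extension.
MAGIC = {b"MZ": "pe-executable", b"\x89PNG\r\n\x1a\n": "png", b"PK\x03\x04": "zip"}
IMAGE_EXTENSIONS = {"png", "gif", "jpg", "jpeg"}

def sniff(body):
    for magic, kind in MAGIC.items():
        if body.startswith(magic):
            return kind
    return "unknown"

def extension_mismatch(url, body):
    """True when a response fetched from an image-looking URL is really a PE binary,
    the contact.png trick used in this campaign."""
    ext = urlparse(refang(url)).path.rsplit(".", 1)[-1].lower()
    return ext in IMAGE_EXTENSIONS and sniff(body) == "pe-executable"

# Constructed response bodies: a minimal PE-like blob (DOS header only) and a real PNG signature.
FAKE_PE_BODY = b"MZ\x90\x00" + b"\x00" * 60
REAL_PNG_BODY = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
```

A web gateway that applies the same magic-byte check to every response, rather than trusting the extension or Content-Type, catches the contact.png download regardless of which of the two hosting IPs serves it.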

The malware that was downloaded and executed by the victim has the MD5 hash "7610794b808281e2cc1dae26895fe102". Once downloaded, the malware is stored in the temp folder as "%TEMP%\MjOg9iW.exe". A closer look at the sample reveals behavior similar to the data-stealing, NSIS-compressed URSNIF trojan that we have seen and reported in the past. The JavaScript executes this malware by creating a hidden PowerShell process, which in turn launches the executable, as shown in the process tree below. This sample appears to be a variant of the URSNIF malware.

Figure 8: Process tree showing hierarchy of processes launched.
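The process hierarchy in Figure 8 is the part of this chain an endpoint sensor can see, so here is an added detection example (not from the original post) that walks constructed process-creation events modelled on it: a script host runs the .js, spawns PowerShell, and an executable is started from %TEMP%. Pids, the user name and the PowerShell arguments are placeholders, since the post does not quote them.

```python
import ntpath

# Constructed process-creation events (Sysmon Event ID 1 style fields) modelling the
# chain in the post: wscript.exe running the .js from the archive -> hidden
# powershell.exe -> the dropped %TEMP%\MjOg9iW.exe. Pids, user name and the
# PowerShell arguments are placeholders; the post does not quote them.
EVENTS = [
    {"pid": 4012, "ppid": 1200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\Notification_1-QEM7S3P.js"'},
    {"pid": 4100, "ppid": 4012,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    {"pid": 4188, "ppid": 4100, "image": r"C:\Users\u\AppData\Local\Temp\MjOg9iW.exe",
     "cmdline": r"C:\Users\u\AppData\Local\Temp\MjOg9iW.exe"},
    {"pid": 5000, "ppid": 1200, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
TEMP_MARKER = "\\appdata\\local\\temp\\"

def leaf(event):
    return ntpath.basename(event["image"]).lower()

def ancestors(event, by_pid):
    """Yield the parent, grandparent, ... of an event while they are in the log."""
    seen = set()
    parent = by_pid.get(event["ppid"])
    while parent and parent["pid"] not in seen:
        seen.add(parent["pid"])
        yield parent
        parent = by_pid.get(parent["ppid"])

def detect_chain(events):
    """Return the pids of executables started from %TEMP% whose ancestry contains a
    shell spawned by a script host, the script-downloader pattern in this post."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if TEMP_MARKER not in e["image"].lower() or not leaf(e).endswith(".exe"):
            continue
        chain = [leaf(a) for a in ancestors(e, by_pid)]
        shell_at = next((i for i, name in enumerate(chain) if name in SHELLS), None)
        if shell_at is not None and any(n in SCRIPT_HOSTS for n in chain[shell_at + 1:]):
            hits.append(e["pid"])
    return hits
```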

IOC

  • Malware MD5 hash: "7610794b808281e2cc1dae26895fe102"
  • Malware saved to disk as: "%TEMP%\MjOg9iW.exe"
  • URL hosting malware:
    • hxxp://94.23[.]15[.]45/images/contact[.]png
    • hxxp://91.121[.]68[.]80/images/contact[.]png
  • URLs hosting JS Downloader zip file:
    • hxxp://fastbusinesscards[.]net.au/renewal/Notification_1-QEM7S3P.zip
    • hxxp://vlzt[.]mjt[.]lu/lnk/AEoAALTL_xoAAVIZi8gAAGg7k2AAAR0t0pgAGcRtAAaqxwBab8_AeDS9kupkSdaFuPdw-sBUfAAGYMg/1/tJEXVGn5th8G7avaGP2Q9Q/aHR0cDovL2Zhc3RidXNpbmVzc2NhcmRzLm5ldC5hdS9yZW5ld2FsL05vdGlmaWNhdGlvbl8xLVFFTTdTM1Auemlw

Conclusion

Scammers are using sophisticated means to attack their targets. In this campaign they concealed their attack under the guise of a benign-looking email reminder, posing as an Australian government agency (ASIC) and instructing Australian companies to renew their registration by downloading the letter provided via a link. The attack is concealed further by launching it through the infrastructure of a third-party mailing list service provider, which thus acts as a proxy for the scammers. Finally, the malware itself is concealed behind a PNG image extension, adding deception at each step. This campaign is a multi-stage attack that requires user interaction and has intentional layers of sophistication to evade detection. We detect and block such attacks at the email gateway level, and we also advise customers to avoid opening any unsolicited email, especially one containing dodgy links and attachments. We shared our findings with Mailjet and coordinated with them to promptly block the user account and thus inhibit further spread of this campaign.

Acknowledgements

We would like to acknowledge Phil Hay and Rodel Mendrez for their valuable feedback and advice.
