Fake Power and Broadband Utility Bills serve Banking Trojans to Aussies

In our previous blog we highlighted how a group of scammers was targeting financial software customers by spamming out Microsoft SharePoint URLs that led targets to fake invoices infected with malware. This time we observed the same group in another widespread campaign, spamming out similar Microsoft SharePoint URLs that link to fake Australian power and telco bills infected with malware.

Fake Energy Australia scam

EnergyAustralia, formerly known as TRUenergy, is a privately owned electricity generation and retail company in Australia. On 18th September 2017, we witnessed a rise in phishing messages distributing spoofed EnergyAustralia electricity bills.

Spam Message

The spam/phishing message appears as a fake EnergyAustralia power bill, as shown in Figures 1 and 2. The scammers copied legitimate email bill templates to lure victims into believing the messages are authentic. It is important to note that these messages are sent from the domain "energybrandlab.com", which differs from the official EnergyAustralia domain "energyaustralia.com.au". Further analysis of "energybrandlab.com" revealed that it was created on 17th September 2017 and registered by the same group of scammers we identified in our previous blog. The registrant information for this domain is shown here:

[Screenshot: registrant information for energybrandlab.com]

Figure 1: Fake power bill

Figure 2: Fake power bill with different amount

The legitimate-looking message is designed to lure the user into clicking the link to view their power bill. Clicking this link points the web browser to the URL:

  • hxxp://eoaclk(.)com/v5yMMueJT0/victim@domain(.)com.au/?docid=0c686998b26934002b1b3aa20d8340828&authkey=AfesB7cc4NVl6W0ZE5wKqSA&expiration=2017-12-16T21:48:00.000Z

This domain performs an HTTP 302 temporary redirect to a Microsoft SharePoint URL as shown in Figure 4:

  • hxxps://viridor-my(.)sharepoint(.)com/personal/lawalters_viridor_co_uk/_layouts/15/guestaccess.aspx?docid=0c686998b26934002b1b3aa20d8340828&authkey=AfesB7cc4NVl6W0ZE5wKqSA&expiration=2017-12-16T21:48:00.000Z

Browsing to this URL downloads a zip file ("EnergyAustralia Electricity bill.zip") to the system, as shown in Figure 3. The 302 redirect appears to be a new evasion tactic used by the scammers: in previous campaigns they linked directly to the SharePoint URL hosting the malicious script.
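As an added illustration (not code from the original post), the following Python flags the redirect chain described above in proxy logs: a 302 from a non-SharePoint host whose Location header is a SharePoint guestaccess share link, followed by the same client fetching that link and receiving an archive. The log format and sample lines are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log (not from the original post). Fields:
# client_ip method url status content_type location_header_or_dash
SAMPLE_LOG = """\
10.0.0.5 GET http://eoaclk.com/v5yMMueJT0/user@example.com.au/?docid=0c68 302 text/html https://viridor-my.sharepoint.com/personal/lawalters_viridor_co_uk/_layouts/15/guestaccess.aspx?docid=0c68&authkey=Afes
10.0.0.5 GET https://viridor-my.sharepoint.com/personal/lawalters_viridor_co_uk/_layouts/15/guestaccess.aspx?docid=0c68&authkey=Afes 200 application/zip -
10.0.0.7 GET https://contoso-my.sharepoint.com/personal/jdoe_contoso_com/_layouts/15/guestaccess.aspx?docid=aaaa&authkey=bbbb 200 application/pdf -
10.0.0.9 GET http://example.org/news 200 text/html -
"""

# OneDrive/SharePoint "guest access" share-link path seen in this campaign
GUESTACCESS_PATH = re.compile(r"^/personal/[^/]+/_layouts/15/guestaccess\.aspx$", re.I)
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed"}


def is_sharepoint_guest_link(url):
    """True for https://<tenant>-my.sharepoint.com/personal/<user>/_layouts/15/guestaccess.aspx?..."""
    p = urlparse(url)
    host = p.hostname or ""
    return host.endswith(".sharepoint.com") and bool(GUESTACCESS_PATH.match(p.path))


def parse_line(line):
    client, _method, url, status, ctype, location = line.split(" ", 5)
    return {"client": client, "url": url, "status": int(status),
            "ctype": ctype, "location": None if location == "-" else location}


def find_redirect_chains(log_text):
    """Return (client, redirector_host, sharepoint_url) for each 302 from a
    non-SharePoint host into a guestaccess link that then served an archive."""
    pending = {}  # (client, sharepoint_url) -> host that issued the 302
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if (ev["status"] == 302 and ev["location"]
                and is_sharepoint_guest_link(ev["location"])
                and not is_sharepoint_guest_link(ev["url"])):
            pending[(ev["client"], ev["location"])] = urlparse(ev["url"]).hostname
        elif ev["status"] == 200 and ev["ctype"] in ARCHIVE_TYPES:
            redirector = pending.pop((ev["client"], ev["url"]), None)
            if redirector:
                hits.append((ev["client"], redirector, ev["url"]))
    return hits


if __name__ == "__main__":
    for client, redirector, url in find_redirect_chains(SAMPLE_LOG):
        print(f"{client}: 302 via {redirector} -> archive from {url}")
```

Legitimate guestaccess downloads (the PDF on client 10.0.0.7) are not flagged; only the redirect-then-archive sequence is.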

Figure 3: Clicking on the URL downloads the fake EnergyAustralia Electricity bill.zip file

Figure 4: HTTP traffic illustrating the HTTP 302 temporary redirect to a SharePoint URL

Unzipping the archive extracts a JavaScript file, "EnergyAustralia Electricity bill.js" (see Figure 5). The JavaScript is heavily obfuscated and acts as a downloader and executor (see Figure 6).

Figure 5: The zipped archive extracts to a malicious JavaScript file named EnergyAustralia Electricity bill.js

Figure 6: The obfuscated JavaScript sample

Malware Analysis:

The JScript contains obfuscated strings which can easily be de-obfuscated with a Python one-liner (see Figure 7):

Figure 7: Code for de-obfuscation (sample obfuscated strings and their de-obfuscated output)

This JScript is essentially a Trojan downloader and launcher. It downloads two files: the first is an EXE and the second a PDF. The PDF is a fake EnergyAustralia bill invoice displayed to distract the user while the binary (EXE) executes in the background.

Here's a screenshot of the fake Energy Australia bill invoice presented to the unsuspecting victim (see Figure 8):

Figure 8: Fake Energy Australia invoice shown to users

The executable was found to be a variant of the notorious banking Trojan ISFB, a.k.a. Ursnif/Gozi, whose code was leaked in 2010. Upon execution, it creates a new svchost.exe process and injects its code into that process.


The malware skips process injection if its filename is "sample.exe", "mlwr_smpl.exe", or "artifact.exe". It also refuses to run if any of the following Windows usernames is found:

  • TEQUILABOOMBOOM
  • Wilbert
  • admin
  • SystemIT
  • KLONE_X64-PC
  • John Doe
  • BEA-CHI
  • John

It collects system information and sends it to its command and control server at 178.33.188.154:443.

This malware is designed to hook browser processes and monitor browser activity. In addition, it can download additional plugins such as a keylogger, email and FTP grabbers, a screen grabber, and a downloader to install further malware.

Figure 9: Malware checks for browser process

Indicators of Compromise:


Fake Telstra scam

In addition to the fake Energy Australia spam email, we also encountered a fake Telstra bill notification scam on 27th September 2017 (see Figure 10). Telstra is an Australian telco. The scammers spammed out legitimate-looking email messages containing counterfeit Telstra bill invoices with an embedded button to view the bill.

Figure 10: Fake Telstra scam message

These spam messages were sent from the domain "businessdirs.com", which can be attributed to the same malicious actors, as shown here:

[Screenshot: registration details for businessdirs.com]

Clicking the "View Bill" button in the spam message downloads a JavaScript file from a SharePoint URL; the script is similar to the one seen in the Energy Australia scam (see Figure 11).

Figure 11: The malicious obfuscated JS sample that is downloaded

The JS downloader fetches a binary of the EMOTET malware instead of the URSNIF seen in the Energy Australia scam (see Figure 12).

Figure 12: Downloading of Ursnif malware

It also downloads a PDF of the Telstra bill, shown below (see Figures 13 and 14).

Figure 13: Fake PDF invoice downloaded and displayed to user

Figure 14: Fake Telstra bill PDF

Indicators of Compromise (IOC)


Conclusion

Scammers are spamming out counterfeit bills impersonating Australian telco and power companies in an attempt to spread malware. These bills carry malicious links leading to banking trojans. The scammers are abusing the Microsoft SharePoint service to host their malware. The spam emails are sent from newly registered domains owned by the same group reported earlier. Hiding malware behind links to reputable online services is used as a means of evading detection by spam gateways. Once infected, the unsuspecting victim is shown a legitimate-looking decoy PDF bill to avoid suspicion.
