Malware Xeroing in on Cloud Accounting Customers

We witnessed a sophisticated phishing campaign on 16^th August 2017, targeting victims by sending spoofed phishing email messages appearing to come from Xero. Xero is a New Zealand-based software company that develops cloud-based accounting software for small and medium-sized businesses. The scammers sent phishing email messages globally, impersonating Xero. These messages contained malicious links that trick the victim into downloading a zip archive, containing a malicious JavaScript file. On execution, this JavaScript downloads and launches banking malware on to the victim's computer that steals their personal and private information and leaves them vulnerable to the mercy of their attackers.

Analysis of the Email Header

We first analyzed the email header for the wealth of information provided there (see Figure 1). The name part of the "From" header field suggests that this message was sent from "Xero Billing Notifications", while the email address is pointing to the domain "xeronet.org" instead of the legit business "xero.com"

Figure 1: Email Header

Analyzing the domain "xeronet.org", we learn that it was registered in China on the same day the campaign was launched (August 16, 2017, using a free yahoo email address (see Figure 2). The domain points to an IP 94.23.4.201 in France. Browsing to the site reveals a static HTML page with the heading "XERONET.ORG" and text Powered by VESTA.

Figure 2: Domain registration details

Analysis of the Email Message Body:

Analyzing the email body, it looks like a professionally crafted billing message that recommends that users view their bill invoice online by clicking on the invoice link (see Figure 3).

Figure 3: Email message body

The invoice link in the email body points to a URL hosted on the fake Xero domain, while the other URLs point to the legitimate Xero.com site. We also observed a different set of malicious URLs, two of which are noted here:

1. hxxps://lakesambel-my(.)sharepoint(.)com/personal/contact_caravanparkbeechworth_com_au/_layouts/15/guestaccess.aspx?docid=03b4b6316d9ca4fa48971a9101a38b364&authkey=Afo8hRz5LV65-XWim02sZtg
2. hxxps://barenbruguk-my(.)sharepoint(.)com/personal/jfrench_baruk_co_uk/_layouts/15/guestaccess.aspx?docid=3D0c6a2791db75141c2b5601c982deb2638&authkey=3DAQMGIKwV1pN27XNsERquBCQ

Browsing to either URL has the same result, the URLs load JavaScript into the browser that forces a ZIP file download on to the victim's computer. Figure 4 shows a detailed flow of one of the emails.

Figure 4: Flow of the attack

Analysis of Downloaded file

The malicious JavaScript: Xero Invoice.js

Unzipping Xero Invoice.zip extracts to: "Xero Invoice.js". This is a highly obfuscated JavaScript sample (see Figure 5). On further analysis, it appears to be a generic JavaScript downloader and executer, that employs the Microsoft ActiveX object MSXML2.XMLHTTP to download the malware payload. This object is used to send an arbitrary HTTP request, receive the response, and have the Microsoft XML Document Object Model (DOM) parse that response. The response is then saved to disk with the help of the Microsoft ADODB stream Active X object that saves the stream to the temp folder with a random name for the binary as: "%TEMP%\Y739Ayh.exe". This malware is downloaded from the hardcoded link:
hxxps://stakks-my(.)sharepoint(.)com/personal/accounts_stakks_com_au/_layouts/15/guestaccess.aspx?docid=0426cc21c900f4425bfd868cf0a9bc836&authkey=AdVBGQCO-SGtytiexhgUfw8. The downloaded payload is finally executed using the ActiveX WScript Shell object.

Figure 5: Malicious obfuscated JavaScript sample

Any victim who double clicks on this JavaScript file may find it execute like any binary under Windows OS. This is facilitated by the Microsoft Windows Scripting Host (or WSH), which is a framework for running and automating scripts from the GUI using WScript.exe. The WSH supports various scripting formats like JScript and VBScript.

Analysis of the Malware Payload: Y739Ayh.exe

This is a sophisticated malware sample that performs multiple tasks. It first gathers information about the system, installed applications and users. This is followed by several system wide policy settings and configuration changes for Internet Explorer through the registry. The malware also attempts to hook benign windows processes like whoami.exe and net.exe. Figure 6 illustrates the flow of the processes spawned by the malware.

Figure 6: Flow of the processes spawned by the malware

This executable turned out to be a variant of the Dridex banking trojan. When executed, Y739Ayh.exe performs a process hollowing technique to inject its malicious code into a legitimate process. It creates a suspended process of either of the two target processes: svchost.exe or spoolsv.exe, using the API CreateProcessInternalW(). Then the malicious code is written to the allocated virtual address region of the target process. After changing the entry point to the new code section, the malware then simply resumes the suspended process using the NTResumeThread() API. The main executable Y739Ayh.exe is then deleted.

However, if the executable is residing in Windows System directory, it skips the process hollowing routine and runs as a stand-alone process.

Reconnaissance

The malware probes the infected system by gathering computer name, system information as well as privilege information and integrity level. It uses built in Windows commands such as "whoami.exe /all" and "net.exe view" (see Figure 7) and then saves the result to a tmp file dropped in Windows %Temp% folder which is later ex-filtrated.

Figure 7: Malware collecting system information with the whoami.exe command

It also gathers the list of installed software by querying the "DisplayName" and "DisplayVersion" value of the registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall (see Figure 8).

Figure 8: Registry values for installed software

This information is stored as XML format and is then encrypted and ex-filtrated to the control server.

Obfuscation

This malware uses a very common anti-analysis technique of indirectly calling APIs. This prevents defenders from conducting static analysis. For example in the code below, instead of directly calling the Windows API RegCloseKey(), it first calls a function that resolves the API given a pre-calculated hash. The first parameter passed is the dynamic library hash then the second one is the API hash , as shown In Figure 9.

3A9838D7h = Advapi32
945E62DCh = RegCloseKey

Figure 9: Obfuscation through API hash call

The folks at IBM posted a very good write-up of this API obfuscation technique.

At first execution, the malware sample attempts to make an outbound connection to the following IP addresses and ports:

1. 174.100.16:443
2. 121.243.232:1443
3. 208.64.187:1443
4. 236.218.169:4343
5. 31.77.229:1443

From here, it attempts to download configuration with additional command and control nodes and additional bot modules. At the time of analysis, the bot failed to connect to its command and control server.

Dridex is designed to steal banking and personal information by injecting itself into web browsers such as Firefox, Chrome and Internet Explorer. It monitors browsing activity and steals sensitive information for target online banks listed in its configuration file.

The malware communicates with several hosts over different ports using SSL. The use of encrypted channels for communication over nonstandard ports adds to the sophistication of the malware.

The network communication has triggered several Emerging threat IDS rules, validating that this malware is a variant of Dridex, that is a known banking trojan, the rule description reads "ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)". Multiple AV vendors also classify the sample as a Trojan.

This campaign is designed to steal banking and personal information from global customers, by infecting their systems with banking trojans. The packaging of malicious JavaScript in a Zip archive that is accessed through a URL sent via a legit-looking phishing email, provides the perfect means to evade detection mechanisms.

Other Reports of Similar Phishing Campaigns

The Xeronet campaign was followed by a string of related campaigns using similar SharePoint URLs to target customers of online financial software services companies. Our research suggests that based on matching whois info, the cybercriminals behind this fresh wave of phishing attacks have been active in the past with similar campaigns using domains like (xeroaccounting.org , intuito.biz, quickbooks-support.biz, financialaccountant.info, myobaustralia.org, australiangovernments.com, btconnect.biz, drvenergy.com ). Let's take a look at a few such related campaigns that we've witnessed since the 20^th August 2017 :

The fake MYOB campaign:

This campaign used fake MYOB statements to lure users into clicking on attacker controlled URLs. The campaign surfaced on 22nd August, 2017 and ended after a 24 hour period. MYOB is an Australian multinational corporation that provides tax, payroll, accounting and other services to small and medium businesses. To make their campaign as targeted and effective as possible, scammers registered a fake MYOB-like domain (myobemail.com) to send fraudulent phishing messages serving banking trojans.

1. Similar to the Xeronet campaign, the domain myobemail.com also points to a French IP: 94.23.59.109
2. The domain was created on 22nd August, 2017 and is registered to the same individual as the Dropboxa.com domain (mentioned later) i.e. Wang Wiet from Xiamin, China, with the email: whois-protect@hotmail.com.
3. On browsing, it too reveals a similar static HTML page with the heading "MYOBEMAIL.COM" using the same font and same powered-by VESTA message (see Figure 10).
4. Figure 11 shows a screenshot of the email message. This is a specially crafted message using a fake MYOB email template, enticing the victim to click to view the invoice. On clicking the "View Invoice" button the user's browser is taken to a sharepoint URL. The use of sharepoint for hosting malicious URLs is relatively new and it is interesting that this service is being abused for this campaign.
5. The attackers used a similar sharepoint URL similar to the one used in the Xeronet campaign. This URL was active and upon accessing it with a browser, downloaded a zip file (another similarity with Xeronet) containing the malicious JavaScript (sample INV-P0719.js, with md5sum: d717b30c5799fcbd571ed44a54ffb187) in it.
6. Upon executing the JavaScript it downloads a different malware, specifically the Ursnif Trojan. This malware also injects its code to Firefox, Chrome or IE, monitors online banking activity and later ex-filtrates captured data to its control server
7. The URL shared via email is illustrated here: hxxps://crawfordltd-my(.)sharepoint.com/personal/brian_crawford-ltd_co_uk/_layouts/15/guestaccess.aspx?docid=0b0d2f24869b643a0a&authkey=3DAcjrc9zYJtukV1h2YDVyTXo

Figure 10: myobemail.com site content

Figure 11: Fake MYOB email message

The Fake Quickbooks campaign:

This campaign used fake Quickbook statements to lure users into clicking on attacker controlled URLs. The campaign surfaced on 23rd August, 2017 and ended after a 24 hour period. QuickBooks is an accounting software package developed and marketed by Intuit. QuickBooks provides tax, payroll, accounting and other services to small and medium businesses, ranging from on-premise to cloud solutions. Scammers registered a fake quickbook-like domain (qbaccountants.net) to send fraudulent phishing messages.

1. The domain qbaccountants.net was not pointing to any IP when tested.
2. The domain was created on 20^th August, 2017 and is registered to Wang Wiet from Xiamin, China, with the email: whois-protect@hotmail.com.
3. This time browsing to the site qbaccountants.net doesn't work since as the site is not serving any content.
4. A screenshot of the email message is show in Figure 12. This is a specially crafted message using a fake Quickbook-like email template, enticing the victim to click on the button to view an invoice, that requires prompt payment. After clicking the "View Invoice" button the user's browser is taken to a sharepoint URL.
5. The attackers used a Sharepoint URL similar to the one used in the Xeronet campaign. At the time of testing this, the URL was not downloading any content and the URL seemed to be down. The URL shared via email is illustrated here: hxxps://officechoiceau-my(.)sharepoint.com/personal/brad_obrien_officechoice_com_au/_layouts/15/guestaccess.aspx?docid=0c38ed7472ef548cba04d894ec061f296&authkey=AbjI3ElfLWkKwdg3yJtoSIM

Figure 12: Fake Quickbook phishing email

The Fake Dropbox campaign:

This campaign used fake dropbox statements to lure users into clicking on attacker controlled URLs. The campaign surfaced on 21^st August, 2017 and ended after a 24 hour period. Dropbox is a file hosting service. Scammers registered a fake dropbox-like domain to send fraudulent account statements as spam messages.

1. Similar to the Xeronet campaign, the domain dropboxa.com too points to a French IP: 94.23.195.103
2. The domain was created on 20^th August, 2017 and is registered to Wang Wiet from Xiamin, China, with the email: whois-protect@hotmail.com.
3. Browsing to the site dropboxa.com reveals a similar static HTML page with the heading "DROPBOXA.COM" using the same font and same powered-by VESTA message.
4. A screenshot of the email message is show in Figure 13. This is a specially crafted message using a fake Dropbox email template and enticing the victim to click on the shared account statement.zip file. On clicking the "View File" button the user's browser is taken to a sharepoint URL.
5. The attackers used a Sharepoint URL similar to the one used in the Xeronet campaign. At the time of testing this, the URL was not downloading any content and the URL seemed to be down. The URL shared via email is illustrated here: https://easyshed-my.sharepoint.com/personal/vicky_taylor_easyshed_com_au/_layouts/15/guestaccess.aspx?docid=05ab5a1c6f1364d5fac71e1ecb76ca2f6&authkey=Aafhr9BMCydDXxJRuWz6xYE

Figure 13: Fake Dropbox phishing email

Conclusion

Attackers are leveraging the simplicity provided by the email infrastructure to distribute banking trojans to global victims. We observed one such campaign detected by our distributed honeypot sensors. These phishing messages contained a legit looking, yet spoofed email message from Xero, which is an accounting software company. The message was a professionally crafted billing message, suggesting that users to view their bill invoice online by clicking on the malicious invoice link. This malicious link leads to the download of a zip file containing a malicious obfuscated JavaScript file. Once executed, the malicious JavaScript file downloads and executes a sophisticated banking trojan onto the victim's computer. This banking trojan turned out to be a variant of the Dridex malware, targeted at stealing banking information from user's browser.

We also observed several similar campaigns throughout the week, targeting customers of other well known online accounting software companies. Such attacks have emerged as a recent trend on the attack landscape that exploit the trust that people associate with specific brands. As a mitigation measure, customers should avoid opening any email messages that appear suspicious, especially avoid opening any unknown downloaded files. Customers should also refrain from opening zip archives that come from unknown sources and avoid executing unknown file format like JavaScript, as a lot of malware has been seen recently being distributed by such scripts.

Acknowledgement

We would like to thank Gerald Carsula for his contributions and Phil Hay and Karl Sigler for their valuable comments and feedback.