Phishing Deception - Suspended Domains Reveal Malicious Payload for Latin American Region

Recently, we observed a phishing campaign targeting the Latin American region. The phishing email contained a ZIP file attachment that, when extracted, reveals an HTML file that leads to a malicious file download posing as an invoice.

Figure 1. Phishing email sample with zip file attachment

Upon checking the email header, we see that it contains an email address that uses the domain ‘temporary[.]link’. The User-Agent field in the header also shows Roundcube Webmail, which is often abused in phishing activity.

Figure 1.2. Email Header of the phishing email

In this sample the attached HTML file contains a concatenated URL.

Figure 2. Snippet of the source code of the HTML file with concatenated URL

Normally, accessing the given URL will lead to a suspended page.

Figure 3. Suspended page when accessed in a different region

Further research on the URL involved shows that, based on our internal telemetry, it appears to be hosted on the IP 89[.]116[.]32[.]138.

Figure 4. List of domains hosted on IP 89[.]116[.]32[.]138

These domains are newly created, being about one year old; their name servers are under Cloudflare, and the registrant contacts for some of the domains are in Mexico.

Figure 5. The domain information from whois[.]com

However, if the URL is accessed using a Mexico-based IP, it redirects to a captcha page for human verification, which leads to another URL, hxxps[://]facturas[.]co[.]in/index[.]php?va, that downloads a malicious RAR file.

Figure 6. URL redirection to Cloudflare captcha page when accessed using a Mexico-based IP

Figure 7. Extracted malicious batch file with malicious URL connection

Upon checking, the RAR file contains a malicious payload. This is a PowerShell script that will check the victim’s machine for information like computer name, operating system, etc. It will also check for the presence of an antivirus product.

We also observed several base64-encoded strings in the script. One of them, when decoded, contains another URL request that uses the ‘Post’ method for the URL response.

Figure 8. Snippet of the code with base64-encoded strings

The decoded URL hxxp[://]86[.]38[.]217[.]167/ps/index[.]php will check for the user’s country.

Figure 9. The feedback when URL hxxp[://]86[.]38[.]217[.]167/ps/index[.]php was accessed

Another notable base64 encoded string contains a malicious URL that will download a malicious ZIP file.

Figure 9.1. Snippet of the code with base64-encoded strings that contain another malicious download URL
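A script like the one described above can be triaged without running it by decoding its base64 literals statically and listing any URLs in defanged form. The following is an added example, not code from the original post or from the analysed sample; the sample script, its `example.invalid` hosts, and the choice to try both UTF-16LE and UTF-8 decodings are assumptions.

```python
import base64
import re

# Quoted runs of base64 alphabet characters, long enough to hold a URL.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")
URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def defang(url: str) -> str:
    """Rewrite a URL in the hxxp[://]host[.]tld style so it is not clickable."""
    url = re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)
    return url.replace("://", "[://]").replace(".", "[.]")

def extract_urls(script_text: str) -> list[str]:
    """Statically decode base64 literals and return defanged URLs found in them."""
    found = []
    for literal in B64_LITERAL.findall(script_text):
        try:
            blob = base64.b64decode(literal, validate=True)
        except ValueError:
            continue  # quoted string that is not valid base64
        # Assumption: the strings are UTF-16LE (.NET "Unicode") or UTF-8 text.
        for codec in ("utf-16-le", "utf-8"):
            try:
                text = blob.decode(codec)
            except UnicodeDecodeError:
                continue
            for url in URL.findall(text):
                if defang(url) not in found:
                    found.append(defang(url))
    return found

def _b64(text: str, codec: str) -> str:
    return base64.b64encode(text.encode(codec)).decode("ascii")

# Constructed sample; hosts are placeholders, not indicators from the campaign.
SAMPLE_SCRIPT = "\n".join([
    "$name = $env:COMPUTERNAME",
    "$u = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('%s'))"
    % _b64("http://c2.example.invalid/ps/index.php", "utf-8"),
    "$z = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('%s'))"
    % _b64("https://files.example.invalid/m.zip?dl=1", "utf-16-le"),
    "$q = 'SELECT * FROM Win32_OperatingSystem'",
])

if __name__ == "__main__":
    for found_url in extract_urls(SAMPLE_SCRIPT):
        print(found_url)
```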

The decoded malicious URL was hxxps[://]www[.]dropbox[.]com/scl/fi/k6hxua7lwt1qcgmqou6q3/m[.]zip?rlkey=7wu6x4pfvbt64atx11uqpk34l&dl=1. Downloading and extracting the ZIP file revealed many highly suspicious files. Some files were newly modified, while others were quite old, with the last being modified in 2016. One of the listed files was also an executable AutoIt file. This campaign’s characteristics are quite similar to those observed in previous “Horabot” campaigns.

Figure 10. Extracted ZIP file with suspicious executable AutoIt file

Conclusion

Understandably, from the threat actors’ point of view, phishing campaigns always try different ways to hide any malicious activity and avoid immediate detection. To do so, some phishing emails may now include compressed file attachments, obfuscated code, or even PowerShell scripts that often lead to malware download. Using newly created domains and making them accessible only in specific countries is another evasion technique, especially if the domain behaves differently depending on the target country.

Also, please remember it’s very important to be wary of emails that contain file attachments or URLs pretending to be inaccessible or suspended pages, as they may sometimes actually lead to more malicious threats.

IOCs:

hxxps[://]facturasmex[.]cloud

hxxps[://]facturas[.]co[.]in/index[.]php?va

hxxp[://]ad2[.]gotdns[.]ch/22/22

hxxp[://]86[.]38[.]217[.]167/ps/index[.]php

hxxps[://]www[.]dropbox[.]com/scl/fi/k6hxua7lwt1qcgmqou6q3/m[.]zip?rlkey=7wu6x4pfvbt64atx11uqpk34l&dl=1

References

https://whois.com

https://blog.talosintelligence.com/new-horabot-targets-americas/
