Recently, we observed a phishing campaign targeting the Latin American region. The phishing email contained a ZIP file attachment that when extracted reveals an HTML file that leads to a malicious file download posing as an invoice.
Figure 1. Phishing email sample with zip file attachment
Upon checking the email header, we see that it has an email address format that uses the domain ‘temporary[.]link’. We also saw the usage of Roundcube Webmail in User-Agent in the email header which is also often abused in phishing activity.
Figure 1.2. Email Header of the phishing email
In this sample the attached HTML file contains a concatenated URL.
Figure 2. Snippet of the source-code of the HTML file with concatenated URL
Normally, accessing the given URL will lead to a suspended page.
Figure 3. Suspended page when access in a different region
Upon doing further research on the URL involved, it seems to be hosted on an IP 89[.]116[.]32[.]138 based on our internal telemetry.
![Figure 4. List of domains hosted on IP 89[.]116[.]32[.]138](https://www.trustwave.com/hs-fs/hubfs/Web/Blogs/SpiderLab/Figure%204.%20List%20of%20domains%20hosted%20on%20IP%2089%5B.%5D116%5B.%5D32%5B.%5D138.jpg?width=226&height=170&name=Figure%204.%20List%20of%20domains%20hosted%20on%20IP%2089%5B.%5D116%5B.%5D32%5B.%5D138.jpg)
Figure 4. List of domains hosted on IP 89[.]116[.]32[.]138
These domains are newly created being about one year old, name servers are under Cloudflare, and some of the domains contact registrant are in Mexico.
![Figure 5. The domain information from whois[.]com](https://www.trustwave.com/hs-fs/hubfs/Web/Blogs/SpiderLab/Figure%205.%20The%20domain%20information%20from%20whois%5B.%5Dcom.jpg?width=477&height=383&name=Figure%205.%20The%20domain%20information%20from%20whois%5B.%5Dcom.jpg)
Figure 5. The domain information from whois[.]com
However, if the URL is accessed using a Mexico-based IP it will redirect to a captcha page for human verification which leads to another URL hxxps[://]facturas[.]co[.]in/index[.]php?va that will download a malicious RAR file.
Figure 6. URL Redirection to Cloudflare captcha page when accessed using a Mexico based IP
Figure 7. Extracted malicious batch file with malicious URL connection
Upon checking, the RAR file contains a malicious payload. This is a PowerShell script that will check the victim’s machine for information like computer name, operating system, etc. It will also check for the presence of an antivirus product.
We also observed several base64 encoded strings in the script. One of them when decoded contains another URL request that uses the ‘Post’ method for the URL response.
Figure 8. Snippet of the code with base64 string encoded strings
The decoded URL hxxp[://]86[.]38[.]217[.]167/ps/index[.]php will check for the user’s country.
Figure 9. The feedback when URL hxxp[://]86[.]38[.]217[.]167/ps/index[.]php was accessed
Another notable base64 encoded string contains a malicious URL that will download a malicious ZIP file.
Figure 9.1 Snippet of the code with base64 string encoded strings that contains another malicious URL download
The malicious URL decoded was hxxps[://]www[.]dropbox[.]com/scl/fi/k6hxua7lwt1qcgmqou6q3/m[.]zip?rlkey=7wu6x4pfvbt64atx11uqpk34l&dl=1. Downloading and extracting the ZIP file revealed a lot of many highly suspicious files. Some files were newly modified, while others were quite old with the last being modified in 2016. One of the listed files was also an executable AutoIt file. This campaign’s characteristics are quite similar to those observed in previous “Horabot” campaigns .
Figure 10. Extracted ZIP file with suspicious executable AutoIt file
Conclusion
Understandably, from the threat actors’ point of view, phishing campaigns always try different to hide any malicious activity and avoid immediate detection. To do so some phishing emails may now include compressed file attachments, obfuscated code or even PowerShell scripts that often lead to malware download. Using newly created domains and making them accessible only in specific countries is another evasion technique. especially if the domain behaves differently depending on their target country.
Also, please remember t’s very important to be very wary with emails that contain file attachments or URLs pretending to be inaccessible or suspended page as sometimes they may actually lead to more malicious threats.
IOCs:
hxxps[://]facturasmex[.]cloud
hxxps[://]facturas[.]co[.]in/index[.]php?va
hxxp[://]ad2[.]gotdns[.]ch/22/22
hxxp[://]86[.]38[.]217[.]167/ps/index[.]php
hxxps[://]www[.]dropbox[.]com/scl/fi/k6hxua7lwt1qcgmqou6q3/m[.]zip?rlkey=7wu6x4pfvbt64atx11uqpk34l&dl=1
References
https://whois.com
https://blog.talosintelligence.com/new-horabot-targets-americas/
