Trustwave's 2024 Financial Services Threat Reports Highlight Alarming Trends in Insider Threats & Phishing-as-a-Service. Learn More

Trustwave's 2024 Financial Services Threat Reports Highlight Alarming Trends in Insider Threats & Phishing-as-a-Service. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Phishing Deception - Suspended Domains Reveal Malicious Payload for Latin American Region

Recently, we observed a phishing campaign targeting the Latin American region. The phishing email contained a ZIP file attachment that when extracted reveals an HTML file that leads to a malicious file download posing as an invoice.

Figure 1. Phishing email sample with zip file attachment

Figure 1. Phishing email sample with zip file attachment

 

Upon checking the email header, we see that it has an email address format that uses the domain ‘temporary[.]link’. We also saw the usage of Roundcube Webmail in User-Agent in the email header which is also often abused in phishing activity.

Figure 1.2. Email Header of the phishing email

Figure 1.2. Email Header of the phishing email

 

In this sample the attached HTML file contains a concatenated URL.

Figure 2

Figure 2. Snippet of the source-code of the HTML file with concatenated URL

 

Normally, accessing the given URL will lead to a suspended page.

Figure 3. Suspended page when access in a different region

Figure 3. Suspended page when access in a different region

 

Upon doing further research on the URL involved, it seems to be hosted on an IP 89[.]116[.]32[.]138 based on our internal telemetry.

Figure 4. List of domains hosted on IP 89[.]116[.]32[.]138

Figure 4. List of domains hosted on IP 89[.]116[.]32[.]138

 

These domains are newly created being about one year old, name servers are under Cloudflare, and some of the domains contact registrant are in Mexico.

Figure 5. The domain information from whois[.]com

Figure 5. The domain information from whois[.]com

 

However, if the URL is accessed using a Mexico-based IP it will redirect to a captcha page for human verification which leads to another URL hxxps[://]facturas[.]co[.]in/index[.]php?va that will download a malicious RAR file.

Figure 6. URL Redirection to Cloudflare captcha page when accessed using a Mexico based IP

Figure 6. URL Redirection to Cloudflare captcha page when accessed using a Mexico based IP

 

Figure 7  

Figure 7. Extracted malicious batch file with malicious URL connection

 

Upon checking, the RAR file contains a malicious payload. This is a PowerShell script that will check the victim’s machine for information like computer name, operating system, etc. It will also check for the presence of an antivirus product.

We also observed several base64 encoded strings in the script. One of them when decoded contains another URL request that uses the ‘Post’ method for the URL response.

Figure 8. Snippet of the code with base64 string encoded strings

Figure 8. Snippet of the code with base64 string encoded strings

 

The decoded URL hxxp[://]86[.]38[.]217[.]167/ps/index[.]php will check for the user’s country.

Figure 9. The feedback when URL

Figure 9. The feedback when URL hxxp[://]86[.]38[.]217[.]167/ps/index[.]php was accessed

 

Another notable base64 encoded string contains a malicious URL that will download a malicious ZIP file.

Figure 9.1

Figure 9.1 Snippet of the code with base64 string encoded strings that contains another malicious URL download

 

The malicious URL decoded was hxxps[://]www[.]dropbox[.]com/scl/fi/k6hxua7lwt1qcgmqou6q3/m[.]zip?rlkey=7wu6x4pfvbt64atx11uqpk34l&dl=1. Downloading and extracting the ZIP file revealed a lot of many highly suspicious files. Some files were newly modified, while others were quite old with the last being modified in 2016. One of the listed files was also an executable AutoIt file. This campaign’s characteristics are quite similar to those observed in previous “Horabot” campaigns .

   Figure 10

 

Figure 10. Extracted ZIP file with suspicious executable AutoIt file

 

 

Conclusion

Understandably, from the threat actors’ point of view, phishing campaigns always try different to hide any malicious activity and avoid immediate detection. To do so some phishing emails may now include compressed file attachments, obfuscated code or even PowerShell scripts that often lead to malware download. Using newly created domains and making them accessible only in specific countries is another evasion technique. especially if the domain behaves differently depending on their target country.

Also, please remember t’s very important to be very wary with emails that contain file attachments or URLs pretending to be inaccessible or suspended page as sometimes they may actually lead to more malicious threats.

 

IOCs:

hxxps[://]facturasmex[.]cloud

hxxps[://]facturas[.]co[.]in/index[.]php?va

hxxp[://]ad2[.]gotdns[.]ch/22/22

hxxp[://]86[.]38[.]217[.]167/ps/index[.]php

hxxps[://]www[.]dropbox[.]com/scl/fi/k6hxua7lwt1qcgmqou6q3/m[.]zip?rlkey=7wu6x4pfvbt64atx11uqpk34l&dl=1

 

References

https://whois.com

https://blog.talosintelligence.com/new-horabot-targets-americas/

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo