SpiderLabs Blog

PhishINvite with Malicious ICS Files

In an earlier blog entitled “Phishing in the Cloud”, we outlined that threat actors are actively crafting multi-stage phishing campaigns that utilize online cloud services, and are continuously finding ways to make their spam more evasive to email gateways and link scanners.

The first stage of the multi-stage phishing campaign is sometimes a well-crafted email, usually spoofing an organization. The email often contains a link pointing to a cloud service hosting a malicious or fake document. On rare occasions, the link is found inside an attachment instead, as in the recent campaign we present in this blog.

The Phishing Campaign

The phishing emails in this campaign, which claim to be from the security team of certain organizations, use the “account suspension” theme to lure the recipient into opening the attachment. The text in the body of the emails is identical except for the signature part – the organization the spammers are trying to mimic.

The attachment “You Have A New Message.ics” is an iCalendar file, a plain-text file containing calendaring and scheduling information. ICS is one of the common attachment filetypes on legitimate emails, but it is also sometimes abused, as it is here.

Figure 1: The phishing email with iCalendar attachment

The ICS file attached to the email is poorly constructed: the title and description of the event are not particularly coherent. The description simply instructs the recipient to click or open the SharePoint link contained in the calendar file. Based on the SharePoint URL’s structure, since it contains “:b” in the path, the link leads to a PDF file, as shown below.
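As an added example (not code from the original post), the following Python snippet shows how a mail gateway or analyst script could unfold an ICS attachment, pull URLs out of its event text fields, and flag links that point to the cloud file-hosting services abused in this campaign, treating a SharePoint path containing “:b:” as a hosted PDF. The sample calendar, tenant name and ids are constructed placeholders, not the IOCs from the post.

```python
from __future__ import annotations
import re

# Constructed sample ICS in the shape the post describes: an event whose
# DESCRIPTION tells the recipient to open a SharePoint link. The tenant name and
# ids are placeholders, not the IOCs from the post. The DESCRIPTION is folded
# across lines as RFC 5545 allows, which is why the parser must unfold first.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VEVENT
SUMMARY:You Have A New Message
DESCRIPTION:Your account has been suspended. Open the link to review the se
 curity key https://example-tenant-my.sharepoint.com/:b:/g/personal/admin_ex
 ample/PLACEHOLDERID?e=PLACEHOLDER
END:VEVENT
END:VCALENDAR
"""
URL_RE = re.compile(r"""https?://[^\s<>"']+""")
# Cloud file-hosting domains the post shows being abused.
CLOUD_HOSTS = ("sharepoint.com", "storage.googleapis.com")

def unfold(ics_text: str) -> list[str]:
    """Join RFC 5545 folded lines (continuations start with a space or tab)."""
    lines: list[str] = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def extract_links(ics_text: str) -> list[str]:
    """Return every URL found in SUMMARY, DESCRIPTION, LOCATION or URL properties."""
    links: list[str] = []
    for line in unfold(ics_text):
        name = line.split(":", 1)[0].split(";", 1)[0].upper()
        if name in ("SUMMARY", "DESCRIPTION", "LOCATION", "URL"):
            links.extend(URL_RE.findall(line))
    return links

def assess(ics_text: str) -> dict:
    """Flag links on cloud hosts; a '/:b:/' SharePoint path denotes a hosted PDF."""
    links = extract_links(ics_text)
    cloud = [u for u in links if any(h in u.lower() for h in CLOUD_HOSTS)]
    pdf = [u for u in cloud if "/:b:/" in u]
    return {"links": links, "cloud_hosted": cloud, "sharepoint_pdf": pdf,
            "suspicious": bool(cloud)}
```

A gateway rule built on this would quarantine or rewrite the attachment rather than block ICS outright, since legitimate calendar invites also carry links.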

Figure 2: A malicious PDF hosted on SharePoint contains a link to Google Cloud Storage

Just like the emails, the PDF samples we collected in this campaign look like one another except for the logo and name of the organization the threat actors are spoofing. The text in the PDFs is just a reiteration of that in the email bodies.

A link to an HTML object hosted on Google Cloud Storage, disguised as the security key, is embedded in the PDF file. When the link in Figure 2 is clicked, the browser performs the redirection outright, with no security alert about the redirection, in contrast to downloading and opening the PDF in Adobe Reader, where a warning would be presented. The process is seamless; the user may not recognize, nor care, that they are viewing the PDF in the browser.

Figure 3: The phishing site spoofing Wells Fargo

Figure 4: The phishing site spoofing Fifth Third Bank

Finally, the embedded link in the PDF file leads to a credential-harvesting phishing page hosted on Google Cloud Storage. The credentials gathered by this phish are posted to newly created domains registered through Namecheap.

Summary:

Employing a popular type of file as an attachment to malicious emails is a common trick used by cybercriminals to boost the success rate of their cyber-attacks. As iCalendar files are not on the list of attachment types automatically blocked by email clients like Outlook, the chance of a maliciously crafted iCalendar reaching the target’s mailbox is increased.

Hosting the fake documents, malicious files, and phishing pages on cloud services instead of attaching them to the email is used more and more by threat actors to evade email scanners. In addition, by utilizing PDFs on such platforms, threat actors don’t have to deal with the security settings of on-premise applications like Adobe Reader, as the PDFs are opened seamlessly in the browser and the links clicked by users redirect without any browser warning.

Cyber-attacks often start with phishing. The information obtained through credential phishing sites can be used in a more targeted and sophisticated attack on the victim or the organization they belong to. We advise all users to be careful before clicking on any URL and to check their browser’s address bar before submitting credentials to any login form.

The Trustwave Secure Email Gateway (SEG) detects these phishing messages and we are continuously watching this evolving “phishing in the cloud” scenario.

IOCs

http[s]://9391928482-my[.]sharepoint[.]com/:b:/g/personal/admin_9391928482_onmicrosoft_com/EWbA3w9fG3dFru7ooh4qFksBmk94Klp_7P9kzbE2g_P__g?e=WhYRUS
http[s]://9391928482-my[.]sharepoint[.]com/:b:/g/personal/admin_9391928482_onmicrosoft_com/Eb1fi-A0T7NBjhLit5nAI_QBDQf7eeU5SQ6iVHu6d2SmiA?e=NxdUew

53rd Message.pdf (67061 bytes) SHA1: 15548D6043623427E486B287C9A7A7789D2C6EC5
WELLS FARGO.pdf (66492 bytes) SHA1: 9918F6FF1C00266B303F772D0060C9F25BDCFB67

http[s]://storage[.]googleapis[.]com/afifththirdbank-overexpands-756955306/index[.]html
http[s]://storage[.]googleapis[.]com/awells-chiriguano-677756803/index[.]html
