Dark Reading is part of the Informa Tech Division of Informa PLC

12/4/2017
09:00 AM
By Aaron Higbee, CTO & Co-Founder, PhishMe
Sponsored Article

Phish Global, Loot Local: 3 New Geo-Specific Threats

Witness three recent cyber attacks that turn geo-location services into a curse.

To phishing attackers, "sustainability" means any new tactic that helps them keep stealing. The only green they see is money; we're not talking crunchy granola. Each of the three attacks below shrewdly uses geo-location to skirt defenses and throw security teams a curveball.

Locky or TrickBot? It depends where you are.

The first attack we’ll look at uses different malware tools based on the victim’s geo-location. While it’s common for an attack to mix malicious payloads—say, ransomware, a financial crimes trojan and some other botnet malware—until recently it was rare for location to determine which tools get used.

On September 28, 2017, threat actors used a phishing narrative claiming to deliver a scanned document that needs the recipient's attention. Attached to the message is a .7z archive containing a malicious VBScript. Its job: fetch and run either the Locky ransomware or the TrickBot banking trojan.

Before executing the payload, the VBScript determines where the target is located. 

Figure 1 - The VBScript queries the three websites in the array and then parses the JSON output before continuing to the next step.

To identify the target's location, the VBScript begins by querying three websites that provide IP-geo services and parsing the JSON each returns. If the reported country matches one of six names (Great Britain, United Kingdom, Australia, Luxembourg, Belgium or Ireland), the target receives the TrickBot malware. Great Britain and United Kingdom both appear in the list, presumably because the services report the same country under different names and the script has to match either. If the target is outside those locations, the lucky recipient gets the Locky ransomware instead.

By switching up tools and potentially delivering more than one threat, the attackers raise the difficulty factor. Multinational companies, for instance, might have to devise a different security strategy for each region they defend. (Just what they need.) Advantage: bad guys.
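The practical consequence for an analyst is that a sandbox with a US egress IP will only ever see the Locky branch. The following is an added example, not code from the article or from the sample it describes: it mirrors the described branch in Python (the six region names are the article's; the JSON field names are an assumption, since the three geo-IP services are not named) and includes a small stub that answers any geo-IP lookup with a country of the analyst's choosing, so a detonation can be steered down the TrickBot path.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# The six names the VBScript compares the looked-up country against (from the article).
# "Great Britain" and "United Kingdom" both appear because different geo-IP services
# label the same country differently; the script matches either spelling.
TRICKBOT_REGIONS = {
    "great britain", "united kingdom", "australia", "luxembourg", "belgium", "ireland",
}

# JSON keys that public IP-geo APIs commonly use for the country name. The article does
# not name the three services the script queried, so this key list is an assumption.
COUNTRY_KEYS = ("country", "country_name", "countryName")


def country_from_response(body):
    """Extract the country string from one geo-IP JSON reply; None if unusable."""
    try:
        data = json.loads(body)
    except ValueError:            # empty body, HTML error page, timeout placeholder
        return None
    if not isinstance(data, dict):
        return None
    for key in COUNTRY_KEYS:
        value = data.get(key)
        if isinstance(value, str) and value.strip():
            return value.strip()
    return None


def select_payload(responses):
    """Mirror the branch described in the article: the first reply that yields a
    country decides. TrickBot for the six names, Locky for anything else.
    Returns None if no reply was usable (the article does not say what the
    script does in that case, so we do not guess)."""
    for body in responses:
        country = country_from_response(body)
        if country is not None:
            return "trickbot" if country.lower() in TRICKBOT_REGIONS else "locky"
    return None


class GeoStub(BaseHTTPRequestHandler):
    """Answer every request with the analyst-chosen country. Point the sandbox's
    DNS (or hosts file) for the geo-IP hostnames at this stub and the sample
    takes whichever branch you want, regardless of the sandbox's real egress IP."""
    country = "United Kingdom"

    def do_GET(self):
        body = json.dumps({"country": self.country, "country_name": self.country}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the console quiet
        pass


def serve_stub(country, port=8080):
    """Serve the stub on localhost; Ctrl-C to stop."""
    GeoStub.country = country
    HTTPServer(("127.0.0.1", port), GeoStub).serve_forever()


if __name__ == "__main__":
    # Constructed replies: first service timed out (empty body), second answered.
    print(select_payload(["", '{"ip": "203.0.113.9", "country_name": "Great Britain"}']))
    # A US-egress sandbox only ever sees Locky:
    print(select_payload(['{"country": "United States"}']))
    serve_stub("United Kingdom")
```

Two caveats when using the stub against a real sample: it speaks plain HTTP, so a script that queries the services over HTTPS needs a TLS-terminating front with a CA the sandbox trusts, and the stub's JSON must use the exact field names the script parses, which you read out of the deobfuscated VBScript first.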

Threat Actors Refine the Tactic

Attack #2 came on October 11. Threat actors sent phishing emails with financially themed subjects, although these didn't appear to be targeted. Once again the message carried a base64-encoded .7z archive containing a malicious VBScript, which delivered Locky or TrickBot depending on the host's location. After payload delivery this script reveals a new twist: the payload URL, the Windows host OS version and a unique identifier number are sent back to a separate command and control server.

Figure 2 - POST request to the C&C server informing the threat actor of a successful infection.

In addition to the new reporting feature, the attackers name their functions after pop culture references and insert snippets of open-source code from the video game Cobalt. This is likely an attempt to defeat heuristic scanning of the script.

Once Locky is deployed, it quickly goes to work, appending the .asasin extension to the files it encrypts. To remain hidden, it masquerades as Canon PageComposer while running from the current user's Temp directory; a process with that name running from %TEMP% rather than a Canon install path is itself worth an alert. As in the previous month's attacks, the threat actors used geo-location to complicate defenders' lives. Advanced reporting and cheeky references show the kind of refinement we expect from creative foes.
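The second campaign's sequence on the wire, geo-IP lookup, payload download, then a POST to a separate server, is a chain you can hunt for in web-proxy logs. The script below is an added example, not the article's code or anything from the campaign: it runs that chain detection over a constructed proxy log. The watchlist of geo-IP hostnames is an assumption (the article does not name the three sites), as is the five-minute window and the log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Watchlist of public IP-geo API hosts. The article does not name the three sites the
# VBScript queried, so this set is an assumption; populate it from your own proxy data.
GEOIP_HOSTS = {"ip-api.com", "ipinfo.io", "freegeoip.net"}

# How far apart the three steps may be. The script runs them back to back,
# so a few minutes is generous; assumed value.
WINDOW = timedelta(minutes=5)

# Constructed proxy log format: "<ISO8601> <client_ip> <METHOD> <url> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

# Constructed sample: 10.0.0.17 shows the full chain, 10.0.0.42 only a lone lookup.
SAMPLE_LOG = """\
2017-10-11T09:14:02Z 10.0.0.17 GET http://ip-api.com/json 200
2017-10-11T09:14:02Z 10.0.0.17 GET http://ipinfo.io/json 200
2017-10-11T09:14:05Z 10.0.0.17 GET http://files.example.net/scan.exe 200
2017-10-11T09:14:09Z 10.0.0.17 POST http://report.example.org/gate.php 200
2017-10-11T09:20:00Z 10.0.0.42 GET http://ipinfo.io/json 200
2017-10-11T10:30:00Z 10.0.0.42 GET http://news.example.com/ 200
2017-10-11T10:31:00Z 10.0.0.42 POST http://forms.example.com/submit 200
"""


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client,
        "method": method,
        "host": (urlparse(url).hostname or "").lower(),
        "url": url,
        "status": int(status),
    }


def find_geo_fenced_infections(lines):
    """Return [(client, geo_host, payload_url, beacon_url)] for every client whose
    successful requests show, within WINDOW: a GET to a geo-IP host, then a GET from
    some other host (the payload), then a POST to a third host (the beacon)."""
    by_client = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and 200 <= ev["status"] < 300:      # failed lookups/downloads are noise here
            by_client[ev["client"]].append(ev)

    hits = {}                                      # (client, payload, beacon) -> geo host
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])         # stable sort keeps log order on ties
        for i, geo in enumerate(events):
            if geo["method"] != "GET" or geo["host"] not in GEOIP_HOSTS:
                continue
            payload = None
            for ev in events[i + 1:]:
                if ev["ts"] - geo["ts"] > WINDOW:
                    break
                if ev["host"] in GEOIP_HOSTS:      # the script's additional lookups
                    continue
                if payload is None:
                    if ev["method"] == "GET":
                        payload = ev
                elif ev["method"] == "POST" and ev["host"] != payload["host"]:
                    hits.setdefault((client, payload["url"], ev["url"]), geo["host"])
                    break
    return [(c, g, p, b) for (c, p, b), g in hits.items()]


if __name__ == "__main__":
    for hit in find_geo_fenced_infections(SAMPLE_LOG.splitlines()):
        print("geo-fenced chain:", hit)
```

Treat the output as a triage list, not a verdict: a user who visits a geo-IP site by hand, browses somewhere and submits a form will also match. Tightening on user agent (the lookups come from a script host, not a browser) and on the payload's content type cuts most of that noise.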

Crafting a smaller attack to avoid detection.

October also saw a surge in emails with malware targeting users in Brazil. In this case, geo-location is used to narrow, not expand, the strike. The email arrived with the subject 'CURRICULO 1931520530 Data: 05/10/2017' or a similar variation. The link points to a PHP script that checks whether the source IP address is in Brazil. If the recipient clicks and is located in Brazil, a file named with a random number and a ZIP extension is downloaded to his or her

The attack then goes to great lengths to cover its traces and the malware it employs, a malicious extension for Google Chrome. As an extension, the code executes inside the browser, and with the right permissions it sees everything the browser handles after TLS is terminated: HTTPS page content, bank details, passwords and so on. In other words, this geo-specific attack is pretty sophisticated. It's smaller in scope to avoid detection and up the odds of success, one more example of scammers fine-tuning their methods to beat public malware analysis services and sandboxes. It's also another example of attackers going local while phishing emails and their dangerous content remain a global plague.
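Because a malicious extension lives in the browser profile rather than on disk as an executable, the check a responder wants is an inventory of installed extensions with their permissions and install source. The audit below is an added example, not the article's code and not derived from the Brazil sample: it walks Chrome's on-disk Extensions layout, reads each manifest.json and flags broad permissions and extensions not updated from the Chrome Web Store. The two manifests and the extension IDs are constructed, and the choice of which permissions count as high risk is our assumption.

```python
import json
import os
import tempfile

# Update endpoint carried by every extension installed from the Chrome Web Store.
# Sideloaded or dropped-in extensions either lack update_url or point elsewhere.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Permissions that expose every page and request after TLS termination, which is
# exactly what a credential-harvesting extension needs. Which ones count as high
# risk is our assumption; tune to your environment.
HIGH_RISK = {"webRequest", "webRequestBlocking", "cookies", "debugger", "proxy", "webNavigation"}
BROAD_HOST = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(manifest):
    """Return a list of human-readable findings for one manifest.json (empty = nothing odd)."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    risky = sorted(p for p in perms if p in HIGH_RISK or p in BROAD_HOST)
    if risky:
        findings.append("broad permissions: " + ", ".join(risky))
    for script in manifest.get("content_scripts", []):
        if BROAD_HOST & set(script.get("matches", [])):
            findings.append("content script injected into every site")
            break
    if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
        findings.append("not updated from the Chrome Web Store (sideloaded?)")
    return findings


def audit_extensions_dir(root):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json (Chrome's on-disk layout)
    and return {"<id>/<version>": {"name": ..., "findings": [...]}} for flagged ones."""
    report = {}
    for ext_id in sorted(os.listdir(root)):
        ext_dir = os.path.join(root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for version in sorted(os.listdir(ext_dir)):
            path = os.path.join(ext_dir, version, "manifest.json")
            if not os.path.isfile(path):
                continue
            with open(path, encoding="utf-8-sig") as f:   # manifests may carry a BOM
                manifest = json.load(f)
            findings = assess_manifest(manifest)
            if findings:
                report[f"{ext_id}/{version}"] = {"name": manifest.get("name", "?"), "findings": findings}
    return report


# Constructed manifests: one store-installed utility, one sideloaded traffic grabber.
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/2.1.0": {
        "name": "Tab Notes", "manifest_version": 2, "version": "2.1.0",
        "permissions": ["storage", "tabs"], "update_url": WEBSTORE_UPDATE_URL,
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/1.0": {
        "name": "Security Update", "manifest_version": 2, "version": "1.0",
        "permissions": ["webRequest", "webRequestBlocking", "cookies", "<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    },
}


def write_sample_profile():
    """Create a throwaway Extensions directory holding SAMPLE_MANIFESTS; returns its path."""
    root = tempfile.mkdtemp(prefix="Extensions-")
    for key, manifest in SAMPLE_MANIFESTS.items():
        ext_id, version = key.split("/")
        os.makedirs(os.path.join(root, ext_id, version))
        with open(os.path.join(root, ext_id, version, "manifest.json"), "w") as f:
            json.dump(manifest, f)
    return root


if __name__ == "__main__":
    # On a real host point this at the profile, e.g.
    # %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions on Windows.
    for key, info in audit_extensions_dir(write_sample_profile()).items():
        print(key, info["name"])
        for finding in info["findings"]:
            print("  -", finding)
```

Run it against every Chrome profile on the host, not just Default, and compare the flagged IDs with what the ExtensionInstallForcelist policy and the user actually installed; an extension nobody remembers adding, with webRequest plus all-URL host access, is the Brazil campaign's footprint.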

Aaron is the co-founder and chief technology officer of PhishMe, Inc., directing all aspects of development and research that drive the feature set of this market-leading solution. The PhishMe method for awareness training was incubated from consulting services provided by Intrepidus Group, a company that Aaron co-founded with Rohyt Belani in 2007. Aaron remains on the board of directors of Intrepidus Group to ensure it focuses on forging new service lines and attracting motivated researchers and consultants.

Before PhishMe and Intrepidus Group, Aaron served as principal consultant for McAfee’s Foundstone division, where he was a lead instructor and known for his ability to mentor and develop junior consultants into expert penetration testers. Prior to his seven years of consulting experience, Aaron worked for large internet service providers handling security and abuse incidents, subpoena compliance, and datacenter security.

Aaron is a speaker at regional conferences and associations as well as large conferences such as BlackHat, DefCon, Shmoocon, etc. His expert opinion is a valuable resource for many media outlets interested in security.
