

By Aaron Higbee, CTO & Co-Founder, PhishMe
Sponsored Article

Phish Global, Loot Local: 3 New Geo-Specific Threats

Witness three recent cyber attacks that turn geo-location services into a curse.

To phishing attackers, "sustainability" means any new tactics that help them keep stealing. The only green they see is money. We’re not talking crunch granola. Each of these attacks shrewdly uses geo-location to skirt defenses and throw security teams a curveball.

Locky or Trickbot? It depends where you are.

The first attack we’ll look at uses different malware tools based on the victim’s geo-location. While it’s common for an attack to mix malicious payloads—say, ransomware, a financial crimes trojan and some other botnet malware—until recently it was rare for location to determine which tools get used.

On September 28, threat actors used a phishing narrative that claims to deliver a scanned document needing the recipient’s attention. Attached to the message is a .7z archive containing a malicious VBScript application. Its task: obtaining and running the Locky ransomware or the TrickBot banking trojan.

Before executing the payload, the VBScript determines where the target is located. 

To identify the target’s location, the VBScript begins by querying three websites that provide IP-geo services. If the target is in one of six regions — Great Britain, United Kingdom, Australia, Luxembourg, Belgium or Ireland — it receives the TrickBot malware. If outside those locations, the lucky target gets the Locky ransomware.

By switching up tools and potentially delivering more than one threat, the attackers raise the difficulty factor. Multinational companies, for instance, might have to devise a different security strategy for each region they defend. (Just what they need.) Advantage: bad guys.
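The geo-fencing step described above leaves a recognizable footprint in web proxy logs: a client hits several IP-geolocation lookup services in quick succession and then fetches an executable-like file. The following heuristic is an added example, not PhishMe code; the log format, the client addresses, the `*.example` hostnames and the geo-IP service list are all constructed placeholders that a defender would swap for the lookup services actually observed in their environment.

```python
"""Proxy-log heuristic for geo-fenced downloaders (added example, not PhishMe code).

Flags a client that queries two or more IP-geolocation services within a short
window and then downloads an executable-like file. Hostnames, addresses and log
lines are constructed; GEOIP_HOSTS is a placeholder list to be replaced with the
lookup services seen in your own proxy data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder IP-geolocation lookup hosts (constructed, not from the article).
GEOIP_HOSTS = {"geoip-a.example", "geoip-b.example", "geoip-c.example"}
PAYLOAD_EXTS = (".exe", ".dll", ".7z", ".zip", ".js", ".vbs")
WINDOW = timedelta(minutes=5)

def parse_line(line):
    """Parse 'ISO-time client-ip host path' (constructed format) into a dict."""
    ts, client, host, path = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "host": host, "path": path}

def find_geofenced_downloads(lines):
    """Return (client, geo_hosts, payload_url) for each suspicious sequence."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        by_client[rec["client"]].append(rec)
    alerts = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            if rec["host"] in GEOIP_HOSTS or not rec["path"].lower().endswith(PAYLOAD_EXTS):
                continue
            # Look back over the window for distinct geo-IP lookups by this client.
            seen = {r["host"] for r in recs[:i]
                    if r["host"] in GEOIP_HOSTS and rec["ts"] - r["ts"] <= WINDOW}
            if len(seen) >= 2:
                alerts.append((client, sorted(seen), rec["host"] + rec["path"]))
    return alerts

SAMPLE_LOG = [  # constructed proxy records: time client host path
    "2017-09-28T09:00:01 10.1.1.5 geoip-a.example /json",
    "2017-09-28T09:00:02 10.1.1.5 geoip-b.example /lookup",
    "2017-09-28T09:00:03 10.1.1.5 geoip-c.example /",
    "2017-09-28T09:00:09 10.1.1.5 cdn-drop.example /scan/doc.exe",
    "2017-09-28T09:10:00 10.1.1.7 geoip-a.example /json",
    "2017-09-28T09:11:00 10.1.1.7 intranet.example /report.zip",
]

if __name__ == "__main__":
    for client, geo_hosts, url in find_geofenced_downloads(SAMPLE_LOG):
        print("client %s queried %s then fetched %s" % (client, geo_hosts, url))
```

A single geo-IP lookup (client 10.1.1.7 above) is ordinary traffic and is not flagged; the signal is the burst of lookups against several services followed by the download.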

Threat Actors Refine the Tactic

Attack #2 came on October 11. Threat actors sent phishing emails with financially-themed subjects, although these didn’t appear to be targeted. Once again, embedded in the message was a .7z archive encoded in base64 containing a malicious VBScript, which, depending on the host’s location, delivered Locky or Trickbot. After payload delivery this script reveals a new twist. The payload URL, Windows Host OS version, and a unique identifier number are sent back to a separate command and control server.

In addition to the new reporting feature, the attackers also use pop culture references to name the functions, including inserted snippets of open source code from the video game, Cobalt. This is likely an attempt to defeat heuristic scanning of the code.

Once Locky is deployed, it quickly goes to work encrypting files with the .asasin extension. To remain hidden, it masquerades as Canon© PageComposer while it runs in the current user’s Temp directory. As in the previous month’s attacks, the threat actors used geo-location to complicate defenders’ lives. Advanced reporting and cheeky references show the kind of refinement we expect from creative foes.

Crafting a smaller attack to avoid detection.

October also saw a surge in emails with malware targeting users in Brazil. In this case, geo-location is used to narrow, not expand, the strike. The email arrived with the subject 'CURRICULO 1931520530 Data: 05/10/2017' or similar variations. A link to a PHP script determines whether the source IP address is from Brazil. If the recipient clicks and is located in Brazil, a file followed by a random number and ZIP extension is downloaded to his or her

The attack then goes to great lengths to cover its traces and the malware it employs, a malicious extension for Google Chrome. As an extension, the code is executed as part of the browser operation. It has access to any information passing through it, including HTTPS traffic, bank details, passwords, etc. In other words, this geo-specific attack is pretty sophisticated. It’s smaller in scope to avoid detection and up the odds for success — one more example of scammers fine-tuning their methods to beat public malware analysis services and sandboxes. It’s also another example of attackers going local as phishing emails and their dangerous content remain a global plague.

Aaron is the co-founder and chief technology officer of PhishMe, Inc. directing all aspects of development and research that drives the feature set of this market leading solution. The PhishMe method for awareness training was incubated from consulting services provided by Intrepidus Group, a company that Aaron co-founded with Rohyt Belani in 2007. Aaron remains on the board of directors for Intrepidus Group to ensure it focuses on forging new service lines and attracting motivated researchers and consultants.

Before PhishMe and Intrepidus Group, Aaron served as principal consultant for McAfee’s Foundstone division, where he was a lead instructor and known for his ability to mentor and develop junior consultants into expert penetration testers. Prior to his seven years of consulting experience, Aaron worked for large internet service providers handling security and abuse incidents, subpoena compliance, and datacenter security.

Aaron is a speaker at regional conferences and associations as well as large conferences such as BlackHat, DefCon, Shmoocon, etc. His expert opinion is a valuable resource for many media outlets interested in security.
