Phish Global, Loot Local: 3 New Geo-Specific Threats

Witness three recent cyber attacks that turn geo-location services into a curse.

Dark Reading Staff, Dark Reading

December 4, 2017

Figure 1 — The VBScript queries the three websites in the array and then parses the JSON output before continuing to the next step.

To phishing attackers, "sustainability" means any new tactics that help them keep stealing. The only green they see is money. We’re not talking crunchy granola. Each of these attacks shrewdly uses geo-location to skirt defenses and throw security teams a curveball.

Locky or Trickbot? It depends where you are.

The first attack we’ll look at uses different malware tools based on the victim’s geo-location. While it’s common for an attack to mix malicious payloads—say, ransomware, a financial crimes trojan and some other botnet malware—until recently it was rare for location to determine which tools get used.

On September 28, threat actors used a phishing narrative that claims to deliver a scanned document needing the recipient’s attention. Attached to the message is a .7z archive containing a malicious VBScript application. Its task: obtaining and running the Locky ransomware or the TrickBot banking trojan.

Before executing the payload, the VBScript determines where the target is located. 

To identify the target’s location, the VBScript begins by querying three websites that provide IP-geo services. If the target is in one of six regions — Great Britain, United Kingdom, Australia, Luxembourg, Belgium or Ireland — it receives the TrickBot malware. If outside those locations, the lucky target gets the Locky ransomware.

By switching up tools and potentially delivering more than one threat, the attackers raise the difficulty factor. Multinational companies, for instance, might have to devise a different security strategy for each region they defend. (Just what they need.) Advantage: bad guys.
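For defenders, the behavior described above (a script host querying several IP-geo services and then fetching a payload) is itself a detection signal. The following is an added example, not code from the original article or from PhishMe; the log format, host names and the three geo-service domains are constructed placeholders, since the article does not name the sites the VBScript queried.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: placeholder domains standing in for the IP-geo services.
GEO_SERVICES = {"geo-a.example", "geo-b.example", "geo-c.example"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows Script Host binaries
WINDOW = timedelta(minutes=2)                   # lookups must be this recent

# Constructed proxy log: timestamp host process method domain path
SAMPLE_LOG = """\
2017-01-01T09:14:01 WS-114 wscript.exe GET geo-a.example /json
2017-01-01T09:14:02 WS-114 wscript.exe GET geo-b.example /json
2017-01-01T09:14:03 WS-114 wscript.exe GET geo-c.example /json
2017-01-01T09:14:09 WS-114 wscript.exe GET files.example /doc.bin
2017-01-01T09:20:00 WS-201 chrome.exe GET geo-a.example /json
2017-01-01T09:21:00 WS-201 chrome.exe GET news.example /index.html
2017-01-01T10:02:00 WS-350 cscript.exe GET geo-b.example /json
2017-01-01T10:30:00 WS-350 cscript.exe GET intranet.example /inventory.csv
"""

def parse(log):
    """Yield (time, host, process, domain, path) from time-ordered log lines."""
    for line in log.splitlines():
        ts, host, proc, _method, domain, path = line.split()
        yield datetime.fromisoformat(ts), host, proc.lower(), domain.lower(), path

def find_geo_gated_fetches(log, min_services=2):
    """Alert when a script host queries >= min_services distinct IP-geo
    services and then requests a non-geo URL within WINDOW."""
    lookups = defaultdict(list)   # (host, process) -> [(time, geo domain)]
    alerts = []
    for ts, host, proc, domain, path in parse(log):
        if proc not in SCRIPT_HOSTS:
            continue              # browsers doing geo lookups are normal
        key = (host, proc)
        if domain in GEO_SERVICES:
            lookups[key].append((ts, domain))
            continue
        recent = {d for t, d in lookups[key] if ts - t <= WINDOW}
        if len(recent) >= min_services:
            alerts.append({"host": host, "process": proc,
                           "geo_services": sorted(recent),
                           "next_request": domain + path,
                           "time": ts.isoformat()})
            lookups[key].clear()
    return alerts

if __name__ == "__main__":
    for alert in find_geo_gated_fetches(SAMPLE_LOG):
        print(alert)
```

Only WS-114 is flagged: the browser lookup on WS-201 is ignored, and the single lookup on WS-350 falls outside the window and below the threshold.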

Threat Actors Refine the Tactic

Attack #2 came on October 11. Threat actors sent phishing emails with financially-themed subjects, although these didn’t appear to be targeted. Once again, embedded in the message was a .7z archive encoded in base64 containing a malicious VBScript, which, depending on the host’s location, delivered Locky or Trickbot. After payload delivery this script reveals a new twist. The payload URL, Windows Host OS version, and a unique identifier number are sent back to a separate command and control server.


In addition to the new reporting feature, the attackers also use pop culture references to name the functions, including inserted snippets of open source code from the video game, Cobalt. This is likely an attempt to defeat heuristic scanning of the code.

Once Locky is deployed, it quickly goes to work encrypting files with the .asasin extension. To remain hidden, it masquerades as Canon© PageComposer while it runs in the current user’s Temp directory. As in the previous month’s attacks, the threat actors used geo-location to complicate defenders’ lives. Advanced reporting and cheeky references show the kind of refinement we expect from creative foes.

Crafting a smaller attack to avoid detection.

October also saw a surge in emails with malware targeting users in Brazil. In this case, geo-location is used to narrow, not expand, the strike. The email arrived with the subject 'CURRICULO 1931520530 Data: 05/10/2017' or similar variations. A link containing a PHP determines if the source IP address is from Brazil. If the recipient clicks and is located in Brazil, a file followed by a random number and ZIP extension is downloaded to his or her

The attack then goes to great lengths to cover its traces and the malware it employs, a malicious extension for Google Chrome. As an extension, the code is executed as part of the browser operation. It has access to any information passing through it, including HTTPS traffic, bank details, passwords, etc. In other words, this geo-specific attack is pretty sophisticated. It’s smaller in scope to avoid detection and up the odds for success — one more example of scammers fine-tuning their methods to beat public malware analysis services and sandboxes. It’s also another example of attackers going local as phishing emails and their dangerous content remain a global plague.

Aaron is the co-founder and chief technology officer of PhishMe, Inc., directing all aspects of development and research that drive the feature set of this market-leading solution. The PhishMe method for awareness training was incubated from consulting services provided by Intrepidus Group, a company that Aaron co-founded with Rohyt Belani in 2007. Aaron remains on the board of directors for Intrepidus Group to ensure it focuses on forging new service lines and attracting motivated researchers and consultants.

Before PhishMe and Intrepidus Group, Aaron served as principal consultant for McAfee’s Foundstone division, where he was a lead instructor and known for his ability to mentor and develop junior consultants into expert penetration testers. Prior to his seven years of consulting experience, Aaron worked for large internet service providers handling security and abuse incidents, subpoena compliance, and datacenter security.

Aaron is a speaker at regional conferences and associations as well as large conferences such as BlackHat, DefCon, Shmoocon, etc. His expert opinion is a valuable resource for many media outlets interested in security
