March saw many notable phishing attacks, with criminals using new tactics and approaches to target unsuspecting victims.
It is time to explore some of the five most noteworthy campaigns to understand the current threat landscape better.
Pay close attention to the details of these attacks to determine whether your organization may be vulnerable.
Attack Using SmbServer to Steal Victims’ Credentials
The month kicked off with an attack likely carried out by the infamous TA577 threat actor.
The campaign targeted victims’ credentials and began with a social engineering email, written in English or German, with the subject line “I sent a material your side last day, have you able to get it?”
Attached to the email was a ZIP archive containing a weaponized HTML file. From there, the attack unfolded the following way:
- The victim opened the HTML page, built on a 450-byte template.
- The page redirected the user to a file on an external server, leveraging impacket-smbserver via the SMB protocol.
- The attackers received the victim’s data: IP address, NTLM challenge data, Username, and computer name.
To view a real-world sample of this phishing campaign, use this analysis session report in the ANY.RUN sandbox.
Integrate ANY.RUN in Your Company for Effective Malware Analysis
Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:
- Real-time Detection
- Interactive Malware Analysis
- Easy to Learn by New Security Team members
- Get detailed reports with maximum data
- Set Up Virtual Machine in Linux & all Windows OS Versions
- Interact with Malware Safely
If you want to test all these features now with completely free access to the sandbox:
Attack Utilizing Fake MS Outlook Login Pages
Early in March, another phishing campaign combined a Telegram bot with phishing pages hosted on Cloudflare Workers.
The motivation here was to steal user login credentials by automatically mimicking the look and feel of their organizations’ MS Outlook login pages.
These pages incorporated several elements:
- Base64 encoded background images and design elements sourced directly from Microsoft.
- Common JavaScript libraries like popper.js, jQuery, and Bootstrap provided a familiar user experience.
- The victim’s company logo was fetched from the Clearbit Logo service.
The attackers transmitted the victim’s login information to a Telegram bot. The user was then redirected to a legitimate Microsoft Outlook page.
An actual example of the attack detonated and thoroughly followed through with a test set of credentials can be accessed in the ANY.RUN sandbox.
Attack Targeting Users in Latin America
In March, one of the geo-specific campaigns was targeted against victims in the LATAM region. In one instance, the attackers impersonated Colombian government agencies as part of their spam emails.
The messages were accompanied by PDFs accusing recipients of traffic violations or other legal issues. From there, the attack went as follows:
- The user opened a PDF and downloaded an archive.
- The archive contained a VBS script.
- Upon execution, the script ran a PowerShell script.
- This PowerShell script fetched the final payload from a legitimate storage service.
The final payload was one of several remote access trojans (RATs): AsyncRAT, NjRAT, and Remcos.
See the entire execution chain of the attack, resulting in NjRAT infection, in a sandbox.
Attack Abusing AWS to Drop STRRAT
Using legitimate services, such as AWS and Github to store payloads, this phishing campaign once again relied on social engineering.
Victims received emails that encouraged them to verify payment information by clicking a button, leading to the following:
- By clicking the button, victims downloaded a malicious JAR file disguised as a payment invoice.
- After launching, the file employed a PowerShell command to run two more JAR files.
- The final stage involved VCURMS or STRRAT malware being pulled from Github or AWs and infecting the victim’s system.
To see an example of STRRAT being downloaded from Github and collect this malware’s configuration, use this analysis session in ANY.RUN.
Attack Exploiting TikTok and Google AMP
The latest phishing campaign on this list employed several legitimate services simultaneously to get users to enter their credentials. It used a chain of redirects, starting from TikTok and ending with Cloudflare.
Here is a detailed overview of the attack:
- A TikTok link that embeds a Google AMP external address within the URI “&target=” parameter triggers a redirect.
- Google AMP then disguised a hidden address, which led to a URL Shortener Service. The destination domain address contained Unicode characters to mask the redirection target.
- The URL shortener service redirected the victim’s browser to Cloudflare, which is used to host the phishing page.
The page featured a form containing various encrypted code elements that were gradually decrypted and assembled during browser rendering. It also blocked right-click interactions, making element inspection difficult.
After form submission, the victim’s stolen data got transmitted via an HTTP POST request to the attackers.
To get an inside look into this campaign, refer to this analysis session.
Analyze Phishing Campaigns in ANY.RUN
ANY.RUN is a cloud sandbox for advanced analysis of malware and phishing attacks.
The service provides a fully interactive virtual environment where you can study the threat and interact with it and the system.
For instance, in the case of phishing, it can help you complete steps requiring human interaction to understand the entire chain of attack.
The sandbox also lets you easily monitor malicious network and registry activity, track and examine processes, extract indicators of compromise, and download threat reports.
See how ANY.RUN can benefit your organization. Schedule a personalized demo for your security team.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
