Spear Phishing – A real case

spear phishing

Spear phishing is an email or messaging scam aimed at specific individuals, organizations, or companies. Its goal is usually to steal data for malicious use, but attackers also use it to install malware on the victim's computer.

Lately the volume of malicious email has been rising, and with it the number of attacks aimed at the employees of an organization.

We used to come across plain, unobfuscated HTML files that simply redirected to the fake site, with no attempt to look legitimate or go unnoticed. That is not the case in the report analyzed in this article, where creativity and cunning play a decisive role in whether the attack succeeds.

threat analysis

On Thursday, December 28, at 1:02 p.m., we received an email (see Figure 1) containing a PDF file named Payment EFT/BACS Remittance_074458.pdf.

Figure 1. Phishing email

Looking at the message, it comes from a domain unknown to the organization, yet its display name is [Company]_EFT_Automated_Remittance, suggesting an internal service. These traits are typical of spoofed email: when the impersonated domain does not publish and enforce SPF, DKIM and DMARC, an attacker can even forge the sender's domain itself, confusing the victim further.

The PDF is designed to look like an error from the reader that opened the file, claiming that the attempt to render it failed. The URL is attached to a large area of the document, which raises the probability that the user will click, even by accident, and be sent to the site in question.

Figure 2. Malicious PDF

The URL initially consists of the following fragment:

https://www[.]prontario[.]org/mpower/campaigner/redirect.action

A large number of PDF files with identical naming have been associated with this domain, so this appears to be the actors' modus operandi.

Next come a series of parameters that were Base64-encoded beforehand to obfuscate them and evade automated analysis. Among them is a URL containing the recipient's email address:

  • u=https://itumotor.com.byonew/7Jzw8S/victim@dominio.cl

We could not find information on the domain of this last parameter, probably because it has been taken down, or because its DNS record now resolves to the first IP address listed in the indicators below.

Finally, the link redirects to hxxps://ipfs.io, from which a JS file is loaded that, after deobfuscation, takes the following form.

Figure 3. Obfuscated JS

Figure 4. Deobfuscated output

The techniques attackers use to evade automated security systems and analysis have become increasingly sophisticated. Robust and creative obfuscation such as the one discussed here, which relied on a function that writes the HTML into the page for the browser to render, lets the phishing page go undetected by scanners that only inspect the script as delivered.

indicators of compromise

url

  • hxxps://ipfs.io/
  • hxxps://prontario.org/
  • hxxps://itumotor.com.byonew/
  • hxxps://itumotor.com.br/

IPv4

  • 173.236.60.130
  • 158.85.79.41

If you have questions or comments about your company's security, write to us; we can help you analyze any kind of information before it becomes a problem.
