{"id":846,"date":"2022-12-30T19:33:38","date_gmt":"2022-12-30T19:33:38","guid":{"rendered":"https:\/\/grupotech.cl\/?p=846"},"modified":"2025-09-05T21:24:44","modified_gmt":"2025-09-05T21:24:44","slug":"spear-phishing-caso-real","status":"publish","type":"post","link":"https:\/\/grupotech.cl\/en\/blog\/spear-phishing-caso-real\/","title":{"rendered":"Spear Phishing \u2013 A real case"},"content":{"rendered":"<h1>Spear phishing<\/h1>\n<p><strong>Spear phishing is an email or messaging scam aimed at specific individuals, organizations or companies. Although the goal is often to steal data for malicious purposes, cybercriminals may also try to install malware on the victim&#039;s computer.<\/strong><\/p>\n<p>Lately, the volume of malicious email has been growing, and with it the number of attacks aimed at an organization&#039;s staff.<\/p>\n<p>We used to come across HTML files with completely plain code that simply redirected to the fake site, with no attempt to look legitimate or to go unnoticed. 
That is not the case with the report analyzed in this article, where creativity and cunning play a major role and can determine whether an attack succeeds.<\/p>\n<h2>Threat analysis<\/h2>\n<p>On Thursday, December 28, at 1:02 p.m., an email was reported to us (see Figure 1) containing a PDF file named <em>Payment EFT\/BACS Remittance_074458.pdf<\/em>.<\/p>\n<p><img class=\"alignnone wp-image-850 size-full\" src=\"https:\/\/grupotech.cl\/wp-content\/uploads\/2022\/12\/Imagen-1.png\" alt=\"Phishing email\" width=\"436\" height=\"164\" \/><\/p>\n<p>Figure 1. Phishing email<\/p>\n<p>Looking at the message body, it comes from an unknown domain, yet the sender name is <em>[Company]_EFT_Automated_Remittance<\/em>, suggesting it is one of the organization&#039;s own services. Characteristics like these are common in spoofed emails, and the sender&#039;s domain can even be forged through DMARC spoofing techniques, confusing the victim even further.<\/p>\n<p>The PDF is designed to look like an error from the reader application, claiming that the attempt to render the file has failed. 
The URL is attached to a large area of the document, which increases the probability that the user clicks it, even by mistake, and is taken to the site in question.<\/p>\n<p><img class=\"alignnone wp-image-849 size-full\" src=\"https:\/\/grupotech.cl\/wp-content\/uploads\/2022\/12\/Imagen-2.png\" alt=\"Malicious PDF\" width=\"360\" height=\"166\" \/><\/p>\n<p>Figure 2. Malicious PDF<\/p>\n<p>The URL initially consists of the following fragment:<\/p>\n<p><em>https:\/\/www[.]prontario[.]org\/mpower\/campaigner\/redirect.action<\/em><\/p>\n<p>This domain has been linked to a large number of PDF files with identical naming, so this is assumed to be the attackers&#039; modus operandi.<\/p>\n<p>It is followed by a series of parameters that were Base64-encoded beforehand to obfuscate them and evade automated analysis. 
Among them is a URL containing the recipient&#039;s email address:<\/p>\n<ul>\n<li><em>u=https:\/\/itumotor.com.byonew\/7Jzw8S\/<strong>victim@dominio.cl<\/strong><\/em><\/li>\n<\/ul>\n<p>When analyzing the domain in that last parameter we could not find any information, probably because it has already been taken down, or because the DNS record is held at the first address.<\/p>\n<p>Finally, the link redirects to <em>hxxps:\/\/ipfs.io<\/em>, from which a JS file is loaded that, after a deobfuscation process, renders the following form.<\/p>\n<p><img class=\"alignnone wp-image-848 size-full\" src=\"https:\/\/grupotech.cl\/wp-content\/uploads\/2022\/12\/Imagen-3.png\" alt=\"Obfuscated JS\" width=\"288\" height=\"256\" \/><\/p>\n<p>Figure 3. 
Obfuscated JS<\/p>\n<p><img class=\"alignnone wp-image-847 size-full\" src=\"https:\/\/grupotech.cl\/wp-content\/uploads\/2022\/12\/Imagen-4.png\" alt=\"Deobfuscated output\" width=\"274\" height=\"256\" \/><\/p>\n<p>Figure 4. Deobfuscated output<\/p>\n<p>The techniques and methods attackers have been using lately to evade automated analysis and security systems have become increasingly sophisticated. They rely on robust and creative obfuscation methods such as the one just analyzed, which used a function that writes out the HTML code for the browser to interpret, without being detected.<\/p>\n<h2>Indicators of compromise<\/h2>\n<h3>URL<\/h3>\n<ul>\n<li>hxxps:\/\/ipfs.io\/<\/li>\n<li>hxxps:\/\/prontario.org\/<\/li>\n<li>hxxps:\/\/itumotor.com.byonew\/<\/li>\n<li>hxxps:\/\/itumotor.com.br\/<\/li>\n<\/ul>\n<h3>IPv4<\/h3>\n<ul>\n<li>173.236.60.130<\/li>\n<li>158.85.79.41<\/li>\n<\/ul>\n<p>If you have any questions or comments about your company&#039;s security, write to us; we will help you analyze any kind of information before it becomes a problem for you.<\/p>","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":851,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_joinchat":[],"footnotes":""},"categories":[7],"tags":[8,14,9,13],"class_list":["post-846","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cut-security","tag-ciberseguridad","tag-empresas","tag-hacking","tag-spear-phishing"],"_links":{"self":[{"href":"https:\/\/grupotech.cl\/en\/wp-json\/wp\/v2\/posts\/846","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/grupotech.cl\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/grupotech.cl\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/grupotech.cl\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/grupotech.cl\/en\/wp-json\/wp\/v2\/comments?post=846"}],"version-history":[{"count":1,"href":"https:\/\/grupotech.cl\/en\/wp-json\/wp\/v2\/posts\/846\/revisions"}],"predecessor-version":[{"id":852,"href":"https:\/\/grupotech.cl\/en\/wp-json\/wp\/v2\/posts\/846\/revisions\/852"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/grupotech.cl\/en\/wp-json\/wp\/v2\/media\/851"}],"wp:attachment":[{"href":"https:\/\/grupotech.cl\/en\/wp-json\/wp\/v2\/media?parent=846"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/grupotech.cl\/en\/wp-json\/wp\/v2\/categories?post=846"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/grupotech.cl\/en\/wp-json\/wp\/v2\/tags?post=846"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}