Widespread Phishing and Business Email Compromise Campaign

Feb 24, 2022 2:18:40 PM / by Luke Rusten

In this blog post we cover a widespread phishing campaign Recon recently observed targeting multiple customers. This post is not meant to be highly technical, instead it walks through how these attacks unfold and but still provides defenders and organizations some tools to defend against these attacks.

This campaign was notable because the phishing emails included context from legitimate email threads. This is only possible if 1) the attacker previously compromised a recipient of the original message or 2) the original email was sent outside the organization. The malicious email is sent from a spoofed address impersonating someone in the organization.

We’ve determined this campaign is likely related to Qbot and is attempting to establish initial network access with the intent to spread internally. From there, the access would then be sold to a ransomware group or added to an existing botnet.

The attack looks something like this: 

  1. John had his email compromised in December.
  2. John legitimately sent out an email about invoices in November to Sally.
  3. The attacker uses the previous communication chain to send Sally a new email with the same message body & subject line to spoof John. The attacker uses a fake email address but copies John's name.
  4. The spoofed message asks Sally to access a new invoice with a password protected file. In all cases we observed the attackers were leveraging onedrive.live[.]com download links. (here’s a handy query to hunt for this: process.command_line.keyword:*onedrive.live*download*)  
  5. Once Sally clicks the link it will prompt her to download a password protected .zip file which contains a malicious excel spreadsheet (see screenshot below). 

While the spoofed sender address, attachment name, and message content changed each time, certain aspects of the malicious payload stayed consistent. This allows us to build detections for the payload. When the payload is executed, Excel.exe spawns regsvr32.exe to register ocx files:

ProcessCommandLine: "C:\Windows\System32\regsvr32.exe" C:\Ldjaq\xn1.ocx,
Image: C:\Windows\System32\regsvr32.exe, 
ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, 
ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2688, ProcessCommandLine: "C:\Windows\System32\regsvr32.exe" C:\Ldjaq\xn1.ocx,

SigmaHQ already has at least one rule that detects suspicious processes spawning from Office products successful execution of the malware (we love Sigma): https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_office_shell.yml

To improve our ability to detect this threat, Recon built a new Sigma rule to detect users attempting to extract the malicious spreadsheet from the zip file:

title: Malicious xlsb extracted
id: 34244e11-53aa-4a91-996d-4211de6196cd
status: stable
description: Malicious xlsb file extracted potentially from a phishing campaign
author: Ronald Tran
reference:
   - MITRE ATT&CK Technique T1566.001
   - https://attack.mitre.org/techniques/T1566/001/
date: 2021/02/23
modified: 2021/02/23
tags:
   - attack.spearphishing_attachment
   - attack.t1566.001
   - attack.initial_access
logsource:
   category: process_creation
   product: windows
detection:
   selection:
       CommandLine: '*zip\\*.xlsb*'
   condition: selection
fields:
   - CommandLine
falsepositives:
   - legitimate files
level: medium

This attack specifically leveraged .xlsb files, but defenders could consider expanding this detection to cover other extensions with some hunting and additional tuning. In our experience .xlsb files tend to be used far less frequently and seeing them extracted from a .zip file is even more rare. 

What can my organization do?

  1. Multi-factor authentication. MFA on your email accounts is the #1 way to prevent business email compromise. There is an increasingly higher level of risk if you are operating without MFA on external facing systems.
  2. User training. We recommend you inform your users to be highly skeptical of any emails that contain a URL or attachment that require the user to use a password for access. If you do not have a formal user security awareness program, we’re happy to help you get started.
  3. Block macros. This stopped 100% of cases where we saw the user received and opened the malicious files. Microsoft is in the process of blocking macros by default for documents originating from the Internet.
  4. Report suspicious emails. This campaign was originally disclosed by a user reporting a suspicious email to our SOC. With a good user-reported email program, your users can be your best sensors!

Business email compromise remains a serious threat. These compromises lead to data theft, wire transfer fraud, network intrusions, and ransomware incidents. If you have any questions, please reach out to our team at info@reconinfosec.com

Tags: SecOps, Intel, phishing, sigma

Luke Rusten

Written by Luke Rusten

Security Operations Manager