In the first few weeks of 2018, cybercriminals targeted five universities, 23 private companies and several government organizations. Despite the new, sophisticated types of malware the attackers used, they were unable to penetrate Comodo defenses.
The attackers built a multi-stage chain designed to slip past technical controls and to wear down the vigilance of the people receiving the email.
Analysts at Comodo’s Threat Research Labs noted that the attackers did not send the malware the usual way, as an email attachment, but camouflaged it in several layers. First, the phishing email was disguised as a FedEx notification; as the screenshot shows, it used social engineering to push the recipient into clicking the link. Second, the link itself was disguised: it pointed to Google Drive. Together these tricks deceived many users.
When a user clicks the link, the attackers’ page opens in the browser and offers the malicious file “Lebal copy.exe” for download. Look at the address bar: “Secure,” “https” and “drive.google.com” are all present, so even a security-conscious user may take the page for a trustworthy site. How would anyone know not to trust something served from google.com? The uncomfortable truth is that the address bar is not lying: the file really is hosted on Google Drive. Skilled criminals simply upload their malware to a Drive account, so the domain is genuine and the TLS certificate is valid; both vouch for the host, not for the content it serves. This is not an isolated incident, so Google, like other cloud storage providers, should take urgent steps to address it, at minimum by scanning hosted files for malware in real time. That would cut back malicious activity of this type.
The malicious file is disguised as well, this time as an Adobe Acrobat document: it carries an icon resembling a .pdf file and even file version information that mimics Adobe’s.
Of course, all of the above is deceit: “Lebal copy” is malware built to steal your secrets.
What exactly can “Lebal copy.exe” do to your computer?
Comodo analysts classified the file as a Trojan (TrojWare.Win32.Pony.IENG and TrojWare.MSIL.Injector.~SHI, to be precise): an information stealer from the Pony family.
But what kind of information?
Once running, the malware fingerprints the victim machine: the OS version and the applications installed. It then steals private data from the user’s browsers, including cookies and saved credentials, and looks for email and instant messenger clients. It pulls credentials from FTP clients such as FileZilla and WinSCP and attempts to locate and read cryptocurrency wallets such as Bitcoin and Electrum. In short, it grabs everything it can extract from the machine. Finally, it connects to the criminals’ command-and-control server and uploads everything it gathered. It also tries to disable OS security features and to hide itself from anti-malware tools in various ways.
As Comodo analysts determined, the attack, aimed at 30 mail servers, originated from a single IP address, 188.8.131.52, and the domain dpsp.com.br in São Paulo, Brazil. All 328 phishing emails were sent on a single day, Jan. 8.
“Phishing emails become more sophisticated and refined,” commented Fatih Orhan, the head of Comodo Threat Research Labs. “Cybercriminals actively invent new methods to trick users into clicking on a bait link. As we can see from the example above, it is not so easy to distinguish a malicious file or link, even for a cybersecurity aware user. That’s why for ensuring security today, companies need to not only train people in cybersecurity vigilance skills but use reliable technical protection means as well. Objects of this attack were not impacted only because they had prepared in advance: by protecting their networks with Comodo intelligence. And that was the right decision, because it’s much easier to prevent an attack than to overcome its consequences.”
Live secure with Comodo!
File name: Lebal copy.exe
Sample SHA1: e26e12ed8a5944b1dbefa3dbe3e5fc98c264ba49
Date: 11 January 2018
The file is an 814 KB Portable Executable that impersonates an Adobe Acrobat document in order to trick the user into running it. For plausibility it carries the icon of a .pdf file and forged file version information.
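The icon and the version strings described above are attacker-controlled metadata, so the first triage step is to classify the download by its bytes and to check whether it carries an Authenticode signature at all. The following is an added example, not Comodo’s tooling: a stdlib-only inspector that detects a PE behind a PDF icon or extension and reads the security data directory; build_min_pe() fabricates a header-only PE (a constructed sample, not the real dropper) so the code runs offline.

```python
import hashlib
import struct

MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
EXECUTABLE_EXTS = {"exe", "dll", "scr", "com", "pif", "cpl"}


def inspect(data: bytes) -> dict:
    """Classify a file by its bytes alone; icon, name and version strings are attacker-controlled."""
    info = {"sha1": hashlib.sha1(data).hexdigest(), "type": "unknown"}
    if data.startswith(b"%PDF-"):
        info["type"] = "pdf"
        return info
    if data[:2] != b"MZ" or len(data) < 0x40:
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        info["type"] = "mz-only"  # DOS stub without a PE header
        return info
    try:
        coff = e_lfanew + 4
        machine, _, _, _, _, _opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
        opt = coff + 20
        magic = struct.unpack_from("<H", data, opt)[0]
        # Data directories start 96 bytes into a PE32 optional header, 112 into PE32+.
        dirs = opt + (96 if magic == 0x10B else 112)
        # Entry 4 is IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode signature blob.
        sec_off, sec_size = struct.unpack_from("<II", data, dirs + 4 * 8)
    except struct.error:
        info["type"] = "pe-truncated"
        return info
    info.update(type="pe", machine=MACHINE_NAMES.get(machine, hex(machine)),
                pe32plus=(magic == 0x20B),
                has_authenticode_blob=(sec_off != 0 and sec_size != 0))
    return info


def triage(name: str, data: bytes) -> list:
    """Findings a first-line analyst wants before anyone double-clicks the file."""
    info = inspect(data)
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    findings = []
    if info["type"] in ("pe", "mz-only", "pe-truncated") and ext not in EXECUTABLE_EXTS:
        findings.append("executable bytes behind a non-executable extension")
    if info["type"] == "pe" and not info["has_authenticode_blob"]:
        findings.append("unsigned executable: icon and version strings are unverified claims")
    if info["type"] == "pe" and info["has_authenticode_blob"]:
        findings.append("carries a signature blob: verify it with signtool/osslsigncode before trusting")
    return findings


def build_min_pe(signed: bool, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (headers only, not a runnable program) to exercise inspect()."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    magic, dirs_off = (0x20B, 112) if pe32plus else (0x10B, 96)
    opt = bytearray(dirs_off + 16 * 8)  # 16 data directories
    struct.pack_into("<H", opt, 0, magic)
    if signed:
        # Fake security directory entry: presence of a blob, not a valid signature.
        struct.pack_into("<II", opt, dirs_off + 4 * 8, 0x1000, 0x800)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, len(opt), 0x0102)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for fname, blob in (("Lebal copy.exe", build_min_pe(False)), ("report.pdf", build_min_pe(True))):
        print(fname, inspect(blob)["type"], triage(fname, blob))
```

A non-zero security directory only proves that a signature blob is attached; it says nothing about who signed or whether the chain is trusted, so the second finding is deliberately phrased as "verify". A file with a .pdf icon but an MZ header is the case this write-up describes; the extension check catches the cruder double-extension variant.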
2. Behavior analysis
After running, it drops tmp.exe (SHA1: 0e9f43124e27fd471df3cf2832487f62eb30e1c) and copies the MSBuild.exe executable from Windows as .exe.
MSBuild.exe is copied so that the malware can launch it and inject its own code into the running process. Because the binary is digitally signed with a “Microsoft Corporation” certificate, some security products trust its actions, which lets the injected malware reach the internet and local resources at will. The signature, however, attests only to the file on disk; it says nothing about the code injected into the process afterwards, and a Microsoft-signed build tool running from a temporary folder is itself an anomaly worth alerting on.
After the injection, the malware downloads kensho-au.tk/file/payload.bin, saves it as WinNtBackend-1751449698485799.tmp.exe (SHA1: 5245079fe71977c89915f5c00eaa4d1d6c36375c) in the system’s temporary folder and executes it.
This gives the attackers a way to push continuous updates and new components to the malware, or to install additional malware on the compromised host.
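The injection-host trick and the staged download described above both leave a footprint in process-creation telemetry that does not depend on the file hashes. As an added example (not Comodo’s detection content), the rules below run over constructed process records with the fields an EDR or Sysmon event would carry; the on-disk name of the MSBuild copy is not given in the write-up, so the sample uses a hypothetical name and instead keys on the PE’s OriginalFilename, which the copy keeps.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Constructed process-creation record (pid, parent, image path, signer, PE OriginalFilename)."""
    pid: int
    ppid: int
    image: str
    signer: str              # subject of a valid Authenticode signature, "" if unsigned
    original_file_name: str  # OriginalFilename from the PE version resource, "" if none


# Directories a Microsoft-signed MSBuild.exe legitimately runs from (assumed list).
MSBUILD_HOMES = (
    r"c:\windows\microsoft.net\framework",
    r"c:\windows\microsoft.net\framework64",
    r"c:\program files\microsoft visual studio",
    r"c:\program files (x86)\microsoft visual studio",
)
# User-writable staging locations a dropper typically writes to.
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\downloads\\")
# Stage-2 name from the write-up; the digits differ between its two mentions, so match a pattern.
STAGE2_NAME = re.compile(r"^winntbackend-\d+\.tmp\.exe$")


def in_staging_dir(image: str) -> bool:
    return any(d in ntpath.normcase(image) for d in STAGING_DIRS)


def detect(events):
    """Return (pid, rule) alerts for the three behaviours the write-up describes."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        path = ntpath.normcase(e.image)
        # 1. A Microsoft-signed MSBuild running outside its install directories: injection host.
        if (e.original_file_name.lower() == "msbuild.exe"
                and e.signer == "Microsoft Corporation"
                and not path.startswith(MSBUILD_HOMES)):
            alerts.append((e.pid, "signed-msbuild-outside-install-dir"))
        # 2. The downloaded stage-2 binary, by name pattern.
        if STAGE2_NAME.match(ntpath.basename(path)):
            alerts.append((e.pid, "stage2-name-pattern"))
        # 3. Unsigned child of a process that itself runs from a staging directory: dropper chain.
        parent = by_pid.get(e.ppid)
        if (parent is not None and e.signer == ""
                and in_staging_dir(e.image) and in_staging_dir(parent.image)):
            alerts.append((e.pid, "unsigned-child-of-staging-dir-process"))
    return alerts


# Constructed chain: explorer -> dropper -> tmp.exe -> MSBuild copy (hypothetical name) -> stage 2,
# plus a legitimate MSBuild launch that must stay quiet.
SAMPLE_EVENTS = [
    ProcessEvent(1000, 4, r"C:\Windows\explorer.exe", "Microsoft Corporation", "EXPLORER.EXE"),
    ProcessEvent(1100, 1000, r"C:\Users\alice\Downloads\Lebal copy.exe", "", ""),
    ProcessEvent(1200, 1100, r"C:\Users\alice\AppData\Local\Temp\tmp.exe", "", ""),
    ProcessEvent(1300, 1200, r"C:\Users\alice\AppData\Local\Temp\msbuild_copy.exe",
                 "Microsoft Corporation", "MSBuild.exe"),
    ProcessEvent(1400, 1300, r"C:\Users\alice\AppData\Local\Temp\WinNtBackend-1751449698485799.tmp.exe",
                 "", ""),
    ProcessEvent(1500, 1000, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
                 "Microsoft Corporation", "MSBuild.exe"),
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(pid, rule)
```

Rule 1 is the one to keep after this campaign is forgotten: any binary whose signer is trusted but whose OriginalFilename and path disagree with where that product installs is a candidate injection host, whatever the malware family.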
The main purpose of the malware is to steal sensitive information. It tries to collect the following data:
— private data from web browsers, including cookies and login credentials;
— cryptocurrency wallets like Bitcoin or Electrum;
— credentials from known (s)ftp clients like FileZilla or WinSCP;
— instant messenger accounts;
— email client accounts (Thunderbird and Outlook).
The collected data is sent to http://datacntrsecured.com/securityfilesdoc/gate.php.
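To make concrete why the saved FTP credentials in the list above are such easy pickings, here is an added example (not Comodo’s code) that reads the site list a FileZilla 3 installation keeps in sitemanager.xml under %APPDATA%\FileZilla and recovers every stored password, exactly the data a stealer walks away with. The XML is constructed and its hosts and credentials are invented; it shows both the base64 form current versions write and the plain-text form older versions left behind.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sitemanager.xml in the layout FileZilla 3 uses (hosts and secrets are invented).
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.30.0" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>webadmin</User>
      <Pass encoding="base64">SHVudGVyMiE=</Pass>
      <Logontype>1</Logontype>
      <Name>company website</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>deploy</User>
      <Logontype>2</Logontype>
      <Name>staging (asks for password)</Name>
    </Server>
    <Server>
      <Host>old.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>legacy</User>
      <Pass>plaintextpw</Pass>
      <Logontype>1</Logontype>
      <Name>entry written by an old FileZilla</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def harvest_filezilla(xml_text: str) -> list:
    """One dict per saved site; password is None when FileZilla was told not to store it."""
    root = ET.fromstring(xml_text)  # use defusedxml for files of unknown origin
    sites = []
    for srv in root.iter("Server"):
        pw_el = srv.find("Pass")
        password = None
        if pw_el is not None and pw_el.text:
            if pw_el.get("encoding") == "base64":
                password = base64.b64decode(pw_el.text).decode("utf-8", "replace")
            else:
                password = pw_el.text  # legacy plain-text entry
        sites.append({
            "name": srv.findtext("Name", ""),
            "host": srv.findtext("Host", ""),
            "port": int(srv.findtext("Port", "0")),
            "user": srv.findtext("User", ""),
            "password": password,
        })
    return sites


def exposed_credentials(xml_text: str) -> list:
    """The subset an information stealer can use immediately: sites with a recoverable password."""
    return [s for s in harvest_filezilla(xml_text) if s["password"] is not None]


if __name__ == "__main__":
    for s in exposed_credentials(SAMPLE_SITEMANAGER):
        print(f"{s['user']}@{s['host']}:{s['port']} -> {s['password']}")
```

Base64 is an encoding, not protection: a few lines recover every password. The only entry the stealer gets nothing from is the one configured to ask for the password at connect time, which is the practical mitigation (together with key-based SFTP and, after an incident like this one, rotating every credential the client ever stored).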
The malware is built to extract as much private information as possible, for a variety of malicious purposes, for instance:
– stolen email accounts can be used to send spam;
– FTP credentials give access to websites, which can then be compromised;
– cryptocurrency wallets can be cashed out immediately.
Any of the stolen information can be used by the criminals if affected users do not act in time, above all by rotating every credential that was stored on the machine.
4. Indicators of compromise
– the presence of .exe file in %temp% folder
– the presence of tmp.exe file in %temp% folder
– the presence of WinNtBackend-2955724792077800.tmp.exe file in %temp% folder
The malware is detected by Comodo products as TrojWare.Win32.Pony.IENG and TrojWare.MSIL.Injector.~SHI.
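Sweeping a host for the indicators above, as an added example rather than Comodo’s tooling: the two SHA1 values the write-up prints in full are used as exact matches (the tmp.exe hash is printed with only 39 hex digits and is therefore left out), and because the numeric part of the WinNtBackend name differs between the two places it appears, that file is matched by pattern. demo() builds a throwaway folder with constructed placeholder files and checks constructed proxy-log lines against the two network indicators, so the block runs offline.

```python
import hashlib
import os
import re
import tempfile

# Hashes the write-up gives in full; the tmp.exe hash is printed truncated and is omitted.
KNOWN_SHA1 = {
    "e26e12ed8a5944b1dbefa3dbe3e5fc98c264ba49": "Lebal copy.exe (dropper)",
    "5245079fe71977c89915f5c00eaa4d1d6c36375c": "WinNtBackend-*.tmp.exe (stage 2)",
}
# File-name indicators, most specific first; a bare .exe in %temp% is only a review item.
NAME_RULES = [
    (re.compile(r"^tmp\.exe$", re.I), "dropped tmp.exe"),
    (re.compile(r"^winntbackend-\d+\.tmp\.exe$", re.I), "WinNtBackend-<digits>.tmp.exe stage-2 payload"),
    (re.compile(r"\.exe$", re.I), "executable in temp folder (review)"),
]
# Network indicators from the write-up (payload host and C2 gate).
IOC_HOSTS = ("kensho-au.tk", "datacntrsecured.com")


def sha1_of(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_temp(temp_dir: str) -> list:
    """Scan one directory non-recursively, as the %temp% indicators are stated; return (name, reason)."""
    findings = []
    with os.scandir(temp_dir) as it:
        for entry in it:
            if not entry.is_file(follow_symlinks=False):
                continue
            digest = sha1_of(entry.path)
            if digest in KNOWN_SHA1:
                findings.append((entry.name, "known-bad SHA1: " + KNOWN_SHA1[digest]))
                continue
            for pattern, reason in NAME_RULES:
                if pattern.search(entry.name):
                    findings.append((entry.name, reason))
                    break  # report only the most specific rule
    return sorted(findings)


def match_network(log_lines) -> list:
    """Lines of a proxy or DNS log that mention the payload host or the C2 gate."""
    return [line for line in log_lines if any(h in line.lower() for h in IOC_HOSTS)]


def demo():
    """Constructed %temp% contents and proxy-log lines; returns (file findings, network hits)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("tmp.exe", "WinNtBackend-2955724792077800.tmp.exe", "setup.exe", "notes.txt"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"MZ constructed placeholder " + name.encode())
        file_findings = sweep_temp(d)
    proxy_log = [  # constructed lines, not real traffic
        "2018-01-11 10:02:13 10.0.0.7 GET http://kensho-au.tk/file/payload.bin 200",
        "2018-01-11 10:02:40 10.0.0.7 POST http://datacntrsecured.com/securityfilesdoc/gate.php 200",
        "2018-01-11 10:03:01 10.0.0.7 GET https://www.example.com/ 200",
    ]
    return file_findings, match_network(proxy_log)


if __name__ == "__main__":
    files, hits = demo()
    print(files)
    print(hits)
```

Hash matches are exact and die with the next rebuild; the name patterns and the two hosts outlive them. The generic ".exe in %temp%" rule is noisy on machines where installers unpack themselves, which is why it is ranked last and labelled for review rather than as a detection.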