PhishMe has published details of a phishing campaign currently circulating: a Word document whose macro drops a single-byte-XORed executable capable of grabbing a large number of credentials, mostly FTP.
Ronnie Tokazowski, PhishMe’s senior researcher, explains: “When reversing malware samples, one of the things that we as analysts look for is places where the attackers slip up. This can be anywhere from using the same strings, to weak obfuscation routines, or re-using the same snippet of code. When we talk about the attackers, there is this misconception that they are these super villains who can only do evil, but keep in mind they are humans too. Yesterday, we came across an interesting phishing email that contained the following attachment.”
Ronnie continues: “While we’ve seen tons of Word documents that contain macros, it’s typically more rare to see this triggering in conjunction with XORed exe’s. These types of payloads are usually used in conjunction with an exploit and later unpacked. By using xorsearch, we can confirm that there is a malicious payload inside.”
“Once the macro code executes, a copy of the Word document will be saved to %temp%/300.rtf and %temp%/301.rtf, our malicious payload will be saved to %temp%/q2.exe, then executed. When looking at q2.exe, we can see the compile path of ‘T:\mandatory\Hence\one\Date\effort.pdb’ for the file. This gives us some information that the malware could have been compiled from the T directory, lies in the “mandatory” directory, and is the project name of “Hence”. But what about that XORed payload? We performed a single-byte XOR with the key of 0x66 (or “f”). We know this was successful, as we can start to see other strings and structures of an executable. By scrolling further into the encoded data, we can see the domains that will be used for calling out.”
Ronnie concludes that this malware “is capable of grabbing a ton of credentials, mostly FTP”.
To help organisations protect themselves from this malicious program, PhishMe has published the C2 domains and user agents identified within this malware; they can be downloaded from its GitHub repository.
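The quoted analysis rests on two checks a defender can reproduce on any suspicious attachment: scanning the file for an executable hidden under a single-byte XOR (the job xorsearch does) and, once the key is known, decoding the blob to read its strings and callout domains. The Python below is an added example written for this page; it is neither PhishMe's tooling nor xorsearch itself. The carrier bytes, the minimal PE stand-in and the c2.example.invalid string are constructed for the demonstration; only the key 0x66 comes from the article.

```python
# Added example (not PhishMe's code or xorsearch): find and decode a
# single-byte-XORed PE embedded in a carrier file, the check the quoted
# analysis performs with xorsearch and a key of 0x66.
from __future__ import annotations

DOS_STUB = b"This program cannot be run in DOS mode"
XOR_KEY = 0x66  # key reported in the article; 0x66 == ord("f")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; it is its own inverse, so this encodes and decodes."""
    return bytes(b ^ key for b in data)


def find_xored_pe(blob: bytes) -> list[tuple[int, int]]:
    """Try all 256 keys; return (key, offset) pairs where the decoded data shows
    an MZ header whose e_lfanew points at a 'PE\\0\\0' signature and whose DOS
    stub text is present. 'MZ' alone is two bytes and matches by chance under
    some key in almost any file, so the two extra checks are what make a hit
    meaningful. Key 0 is tried too, so a plaintext PE is reported as (0, off)."""
    hits: list[tuple[int, int]] = []
    for key in range(256):
        decoded = xor_bytes(blob, key)
        start = 0
        while (off := decoded.find(b"MZ", start)) != -1:
            start = off + 1
            if off + 0x40 > len(decoded):          # DOS header is 0x40 bytes
                continue
            e_lfanew = int.from_bytes(decoded[off + 0x3C:off + 0x40], "little")
            pe_off = off + e_lfanew
            if decoded[pe_off:pe_off + 4] != b"PE\x00\x00":
                continue
            if DOS_STUB not in decoded[off:pe_off]:
                continue
            hits.append((key, off))
    return hits


def decode_payload(blob: bytes, key: int, offset: int) -> bytes:
    """Decode everything from the detected header onward with the found key."""
    return xor_bytes(blob[offset:], key)


def printable_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Runs of printable ASCII: the 'strings' view used to spot C2 domains."""
    out: list[str] = []
    run = bytearray()
    for b in data + b"\x00":                       # sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run.clear()
    return out


def build_fake_pe() -> bytes:
    """Constructed stand-in for the dropped executable: a minimal DOS header,
    the DOS stub, a PE signature and a fake C2 string. Not a runnable binary."""
    hdr = bytearray(b"MZ").ljust(0x3C, b"\x00")
    hdr += (0x80).to_bytes(4, "little")            # e_lfanew: PE header at 0x80
    hdr += b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21" + DOS_STUB + b".\r\r\n$"
    hdr = hdr.ljust(0x80, b"\x00")
    hdr += b"PE\x00\x00\x4c\x01"                     # signature + IMAGE_FILE_MACHINE_I386
    hdr += b"GET /gate.php HTTP/1.1\x00Host: c2.example.invalid\x00"  # constructed
    return bytes(hdr)


# Constructed carrier: some document-like text, then the XORed fake PE.
CARRIER_PREFIX = b"{\\rtf1\\ansi constructed document body, macro text elided }\r\n" * 4
CARRIER = CARRIER_PREFIX + xor_bytes(build_fake_pe(), XOR_KEY) + b"\r\n}"


if __name__ == "__main__":
    for key, off in find_xored_pe(CARRIER):
        print(f"XORed PE at offset {off:#x}, key {key:#04x} ({chr(key)!r})")
        for s in printable_strings(decode_payload(CARRIER, key, off)):
            print("  ", s)
```

The scan is deliberately stricter than a bare `MZ` match: a hit must carry a consistent `e_lfanew` and the DOS stub text, which is the same confirmation the analyst describes ("we can start to see other strings and structures of an executable"). A single-byte key is recovered by exhaustion; multi-byte or rolling keys need a different approach and this scan will simply report nothing for them.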
About PhishMe
PhishMe® provides organizations the ability to improve their employees’ resilience towards spear phishing, malware, and drive-by attacks. Our approach entails immersive training to effectively change employee behavior, empower users to detect and report targeted phishing attacks, and augment an organization’s existing security operations and incident response processes. With over 4 million individuals trained in 160 countries, PhishMe has been proven to reduce the threat of employees falling victim to advanced cyber-attacks by up to 80 percent. PhishMe works with Fortune 1,000 companies across many industries, including defense industrial base, energy, financial services, government, healthcare, and retail.
ISBuzz Team embodies the collaborative efforts of the dedicated staff at Information Security Buzz, converging a wide range of skills and viewpoints to present a unified, engaging voice in the information security realm. This entity isn't tied to a single individual; instead, it's a dynamic embodiment of a team diligently working behind the scenes to keep you updated and secure. When you read a post from ISBuzz Team, you're receiving the most relevant and actionable insights, curated and crafted by professionals tuned in to the pulse of the cybersecurity world. ISBuzz Team - your reliable compass in the fast-evolving landscape of information security