CyberWire Daily - Hook, line, and sinker. [Research Saturday]
Episode Date: September 21, 2024. Jonathan Tanner, Senior Security Researcher from Barracuda, discussing their work on "Stealthy phishing attack uses advanced infostealer for data exfiltration." The recent phishing attack, detailed by... Barracuda, uses a sophisticated infostealer malware to exfiltrate a wide array of sensitive data. The attack begins with a phishing email containing an ISO file with an HTA payload, which downloads and executes obfuscated scripts to extract and transmit browser information, saved files, and credentials to remote servers. This advanced infostealer is notable for its extensive data collection capabilities and complex exfiltration methods, highlighting the increasing sophistication of cyber threats. The research can be found here: Stealthy phishing attack uses advanced infostealer for data exfiltration
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities, solving some of the hard problems,
and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
Phishing emails are a very common way to distribute malware.
So the phishing emails, you know, pretending to be a purchase order,
and then the attachment is
not actually the purchase order.
And in this case, it's not even a file type that you would really expect for a purchase
order.
It's a 7-zip file, which contains an ISO file, which is like a disk image.
But they sort of don't count on people looking that closely into the attachments.
That's Jonathan Tanner, senior security researcher at Barracuda. The research we're
discussing today is titled Stealthy Phishing Attack Uses Advanced Info Stealer for Data Exfiltration.
Right, right.
And as the research points out, there are some of those telltale grammar errors in the email as well.
That's correct, yeah.
Yeah.
Well, let's dig into those payloads then because that's really where things get interesting here.
As you said, this is a 7z file,
but there's many layers that you outlined here in the research as to what goes on here.
Can you walk us through that?
Yes.
So the 7z, which is also...
So zip files are commonly used as well,
but basic protections sometimes will block outright certain file types.
So the 7z itself is kind of an evasion as well because it's a lesser used and lesser known archive format that is still widely enough supported.
So they chose the 7z file, and then inside is, as I mentioned, an ISO file, which is a disk image often used for CDs or DVDs, but that in itself is just another sort of archive
container. So then once that is executed, and here's another aspect with these, is, you know, when you open it up on Windows, it'll pop up things trying to help you open these files pretty easily.
So, you know, you click on the file, then it's like, oh, okay, do you want to open the ISO file inside?
Then it'll open that up and then it takes you to an HTA file, which is HTML.
But it's designed to run more in Microsoft Word. And it offers a lot more capabilities as far as interacting with the host operating system, because most browsers these days are sandboxed from being able to access as much on the host. So the HTA file allows them to write
in sort of a pretty easy language that they can understand,
but then execute it in a more privileged software space.
I see.
And so once that HTA file gets executed,
where do we go next?
So then that downloads a JavaScript file, which is heavily obfuscated, very common.
I mean, I don't think I've ever seen a non-obfuscated JavaScript file as far as malware goes.
And then that will download a PowerShell script because even JavaScript doesn't always have
the same privileges to the host operating system.
But PowerShell can do pretty much anything
in the user space that's executing it
that the user can do.
So then the PowerShell script will go and download a zip file
and that contains the Python software itself, as well as the Python script that is the malware payload.
Because Windows doesn't have Python installed by default, so they have to package up the Python software to actually run the script.
And that itself is also obfuscated and needs to be decoded.
And then it's finally run.
And so to the user, is all of this happening behind the scenes?
Or are they seeing anything that would indicate that something has gone awry?
I'm not actually 100% sure on that.
I think at most, the PowerShell would quickly pop up like an MS-DOS prompt or a terminal prompt.
But it's possible that it just runs behind the scenes as well.
And I mean, if it is popping up a prompt,
it's going to be very quick,
just the amount of time it takes to execute that file.
And then once it gets to the Python file,
unless they have something specifically,
you know, a UI set up, which they wouldn't,
that's all going to run behind the scenes.
One of the things that caught my eye in the research here
is you note that the Python file sleeps for three seconds.
Walk me through that. Why does it choose to do that?
I think the sleeping for three seconds is to allow the process to finish running before killing it.
Because it says after the three seconds,
it then kills the Python process.
And then, if it's still running, it deletes all the files.
So that is probably to ensure that if something hangs within the software,
it's not going to set off any alarms on the user side.
That, oh no, things are slowing down or I got some errors. So they want
to ensure that everything cleans itself up afterwards and there aren't as many traces of
the actual execution.
I see. And so what is it that they're after here once they get into the system?
They're actually after quite a bit, which was part of the interesting details.
Like, InfoStealers most commonly are after passwords,
saved passwords from your browsers,
which this does go after.
And then there's a subtype of InfoStealer
called a banker,
which will go after any sort of banking information,
and then they will dig a little deeper and they'll look for crypto wallets.
So this is also going after that information as well.
But what kind of is more unique about this sample is it is also going through the user's file system looking for PDF files,
and then it'll actually exfiltrate those as well
and send those off.
It zips them up and then sends them to a specific email address.
Each type of information is also sent to a different email address
at the same domain.
So they're kind of keeping track of what type of information
is being sent by segregating.
They're staying organized on their end.
Yeah, exactly.
Yeah.
We'll be right back.
Do you know the status
of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices,
home networks, and connected lives. Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Any sense for why they're going after seemingly random PDF files?
Or is it just, while we're in here, let's grab everything we can?
I think that also has to do
kind of with the stealing sensitive data
and, you know, banking, the banker aspects.
In that, you know, if you go,
if you log into your online bank account
and then download a bank statement,
that could have your account number
or other sensitive information.
And then if you save that as a PDF,
it'll just be sitting on your file system.
You may not think to delete it later.
So I believe they're going after that sort of information.
Another thing that would have sensitive information is tax statements.
You fill out your taxes every year, download a PDF for your records.
That's going to have your social security number, which is very sensitive data
that is traded on dark marketplaces sometimes as well.
So they're just basically going after as much information as possible.
And some of it can be used to try to compromise your accounts directly
or your bank or steal money.
And then some of it can be sold or traded on marketplaces.
Is the sense here that they're after kind of a quick hit,
that they want to get in, grab what they want,
and then get out without leaving much of a trail behind?
Yes, definitely.
Because there's no sort of residual processes
to stick around and try to steal data later.
So deleting everything especially
is trying to not leave a trace on your system,
at least file-wise.
I'm sure there'll be plenty of indicators
if it touches the registry or executions,
but at least not leaving the files that were used in the infection process.
Right.
And is this the kind of thing that a typical antivirus system would detect, or is it stealthier
than that?
It depends.
The thing with typical antivirus is they're all based, basically, it's called like on signatures.
They look for specific strings.
If they're looking for Python, it would be more of text because Python is a scripting language.
But most executable malware, it's like binary encoded strings that they're trying to find.
And when they see malware, they'll create new rules to look for the malware that they've seen.
And they try to make it general enough to block as many possibilities of what they've seen,
but also specific enough that it doesn't block anything that it shouldn't.
So the traditional antivirus is very reactive.
It requires the analysts to create these rules to detect it.
And that is what most users have.
I mean, I'm sure even in a lot of companies,
there are more advanced endpoint solutions out there
that will look deeper into files,
but I don't know that there's a market
for that for end users
and even within business,
it's not as widely used
as it should be.
Do you have any sense
for how widespread this is
or how extensive an operation this might be?
So, yeah. So for this particular sample, we've seen 40,000 hits so far.
50 of our customers have escalated the attack through our feedback.
Interesting.
So it's definitely getting a lot.
But that's also for this specific one.
They could change things up to create different file hashes,
change up the payload a little bit,
and that could result in something that has to be detected separately
but is the same thing ultimately, which is very common.
How would you?
No, go ahead.
That is another way that attackers will try to evade antivirus,
trying to vary at least the initial payload as much as possible.
It may end up downloading the exact same Python script at the end,
but a lot of protections, especially on the email end,
are maybe looking at the file hash.
So if they varied file hash and send it out to fewer customers,
it can be a lot stealthier that way.
How would you rate the sophistication of this?
Do these folks seem to know what they're doing here?
Yeah, it definitely is somewhat sophisticated.
It's also going for a very wide range of information,
which can have its pros and cons.
I mean, the more data that's getting sent out
can also lead to a, you know, better chance of
it getting detected, say, by an intrusion detection system. But it also exposes a lot more
of, you know, a user's sensitive data.
Right. And I suppose on the business end, they also could be looking for maybe customer PII or even confidential documents.
That is another thing that could be with the exfiltrating the PDFs that could be getting compromised.
So what are your recommendations then?
How should folks best protect themselves here?
I mean, obviously, you know, having security solutions is one of the typical recommendations, and it is a good one. But there's also, you know, no security solution is going to be 100% effective at blocking everything.
So users should sort of have some vigilance in their own day-to-day of looking at emails.
There were several indicators on this one that you mentioned,
the language and spelling errors and grammar errors.
That's something that is often an indicator that something might be off because that's not super common in legitimate emails, at least not the same sort that you might see in phishing attacks.
Another thing is suspicious file extensions, paying attention to them. And sort of, you know, every, every step of
the way, it does require, you know, several user interactions
to actually get these payloads to run. So each one of those is
an opportunity for a user to go, Hey, should I really be
executing this? What is this actually? And then there's also
context is, is this person sending me this purchase order,
actually someone that I do business with
that I would be expecting a purchase order from? If not, then that should be a huge red flag right
there.
Our thanks to Jonathan Tanner from Barracuda for joining us.
The research is titled,
Stealthy Phishing Attack Uses Advanced Info Stealer for Data Exfiltration.
We'll have a link in the show notes.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K Cyber Wire is part of the daily routine of the most influential
leaders and operators in the public and private sector, from the Fortune 500 to many of the
world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to
optimize your biggest investment, your people. We make you smarter about your teams while making
your team smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. We're mixed
by Elliot Peltzman and Trey Hester.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilby is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here next time.