According to the Federal Bureau of Investigation, BEC costs victims more money than ransomware, with an estimated US$2.4 billion lost to BEC in the US in 2021. Recently, BEC scammers have been using stolen accounts from legitimate Simple Mail Transfer Protocol (SMTP) services like SendGrid to send emails designed to bypass the filters of email service providers and the security services that protect email.

This attack leveraged an HTML file attached to an email. Based on our analysis, we determined this to be a targeted attack, judging from some of the features enabled in the JavaScript and from the PHP code deployed by the attackers on the server side. Like other typical BEC schemes, the initial stage always involves a spear phishing attack on an individual target. The threat actors behind this campaign used a malicious JavaScript attachment that redirects users to a fraudulent Microsoft phishing page. The screenshot in Figure 1 shows an actual malicious spam email used in this attack. Once the email attachment is opened, the target's computer reaches out to the command-and-control (C&C) server hosting a BadaxxBot toolkit, which acts as a redirector to the final phishing page. The threat actors can also skip this step and simply redirect any visitor to the final phishing page. The redirector can be used in multiple ways, such as validating the target and supplying the target's email address to the login form of the phishing site. Details of how the attack works are explained in a separate section. The final phishing page uses the open-source framework Evilginx2 to phish login credentials and session cookies. After a successful phishing attempt, the threat actors log in to their target's email account, which is then used for BEC schemes such as CEO fraud, bogus invoice schemes, and account compromise.
We initially came across this attack in November 2022, primarily because of the very low detection counts for its malicious attachment and, second, because we had access to a machine that was a target of this campaign. Looking back at other similar malware samples shared with the public, the tools, tactics, and procedures used in these attacks have been running under the radar since April 2022, based on the earliest shared malware sample. For several months, Water Dybbuk succeeded in its malicious spam campaign by evading AV detection with its obfuscated JavaScript malware.

The JavaScript first checks whether additional information needs to be validated before the redirect phishing URL is returned to the target victim. The information to be validated includes the IP address and the browser's user-agent string, which are used for filtering on the server side. If IP address checking is not enabled, it simply continues requesting a redirect URL for the phishing page. The decoded HTML page contains another redirection routine to the actual phishing page, and the hardcoded URL for the final phishing page is clearly readable after deobfuscation.

From one of the C&C servers used by Water Dybbuk to redirect victims, we noticed that the threat actors used a compromised server belonging to a government site. The files for the phishing toolkit are still hosted on the compromised server, and one of those files revealed the name of the toolkit used in this campaign: BadaxxBot. As the tool can be bought and leveraged by other attack groups, it would not be surprising to see it used in other BEC campaigns. The redirection ends on a C&C server hosting an Evilginx2 phishing toolkit configured to phish credentials and session cookies from Microsoft Office 365 accounts. Evilginx2 is a man-in-the-middle attack framework used to intercept and manipulate web traffic.
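The attachment stage described above (an HTML file whose obfuscated script decodes a string and follows a redirect) lends itself to a simple mail-gateway triage check. The following is an added example, not code from the original article or from the Water Dybbuk toolkit: the .eml and its attachment are constructed, and the indicator list and scoring are assumptions.

```python
import math
import re
from collections import Counter
from email import message_from_string, policy

# Constructed sample (not the real campaign mail): an HTML attachment whose
# script base64-decodes a string and assigns it to window.location.
SAMPLE_EML = """\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"

<html><script>var p=atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvbG9naW4=");
window.location.href=p;</script></html>
--b1--
"""

# Assumed indicator list: what an obfuscated HTML/JS redirector needs to do.
INDICATORS = {
    "base64_decode": r"\batob\s*\(",
    "dynamic_eval": r"\beval\s*\(|\bFunction\s*\(",
    "string_unescape": r"\bunescape\s*\(|\bdecodeURIComponent\s*\(",
    "document_write": r"document\.write\s*\(",
    "redirect": r"(?:window\.|document\.)?location(?:\.href|\.replace)?\s*[=(]",
    "long_literal": r"[\"'][A-Za-z0-9+/=]{60,}[\"']",  # packed payload string
}

def shannon_entropy(text: str) -> float:
    # Bits per character; packed or obfuscated scripts score higher.
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def triage_message(raw_eml: str) -> list[dict]:
    # Score every active-content attachment; a higher score is more suspicious.
    msg = message_from_string(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith((".html", ".htm", ".js")):
            continue
        body = part.get_content()
        if isinstance(body, bytes):  # e.g. application/octet-stream .js
            body = body.decode("utf-8", "replace")
        hits = [k for k, rx in INDICATORS.items() if re.search(rx, body)]
        findings.append({"filename": name, "hits": hits, "score": len(hits),
                         "entropy": round(shannon_entropy(body), 2)})
    return findings
```

A gateway rule would quarantine on a score above an agreed threshold, or on the combination of a decode primitive with a location assignment, since that pair is the whole job of a redirector attachment.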
It is designed for use in phishing attacks and can be used to bypass two-factor authentication. The framework can steal credentials and intercept the session cookies of commonly targeted platforms such as Microsoft Office 365, Microsoft Outlook, Facebook, and LinkedIn, among others.

From the malware samples we found, we extracted the target email addresses and found that their profiles fit perfectly with the usual target victims of BEC schemes: the executives and the finance department of a company. While sifting through our data sources to determine the impact of these attacks, we found that the potential target companies had an average annual revenue of approximately US$3.6 billion, with the largest having a revenue of US$70 billion. We had access to a system that was a target of this attack, which gave us a unique angle that researchers rarely get.

Water Dybbuk is a BEC campaign that targets large companies using commodity malware support tools like BadaxxBot and Evilginx2. Even though the group uses phishing toolkits that are readily available, it still managed to avoid AV detection via open-source obfuscator tools. While BEC attempts involve social engineering to engage with victims and ultimately have them wire funds, it is important to note that phishing attempts are also typically used to gain access to email accounts that are then used to scam victims who are contacts of the compromised account. Most of these attacks are not very technical and do not involve much work. The effort the attacker needs to put into this scam is low compared with other types of attacks that companies face. The potential profits are very high, so we expect that these types of attacks will continue. In the 2021 IC3 report, BEC attacks were listed as the most costly form of cybercrime. A common way of falling victim to BEC scams is through phishing attacks.
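The session-cookie theft described above can be caught after the fact in sign-in telemetry: a replayed cookie is used from a host that never performed the interactive login. The following is an added example, not code from the original article or from Evilginx2; the CSV log format, the field names and the event names are assumed, and the log lines are constructed.

```python
import csv
from datetime import datetime

# Constructed sign-in/activity log (not real telemetry): one session cookie,
# sid-7f3a, is established by alice and then reused from a different IP and
# browser, the pattern an Evilginx2-style cookie replay produces.
SAMPLE_LOG = """\
timestamp,user,session,ip,user_agent,event
2023-01-12T09:02:11Z,alice,sid-7f3a,203.0.113.10,Mozilla/5.0 (Windows NT 10.0) Chrome/109,interactive_login
2023-01-12T09:02:12Z,alice,sid-7f3a,203.0.113.10,Mozilla/5.0 (Windows NT 10.0) Chrome/109,mfa_success
2023-01-12T09:40:55Z,alice,sid-7f3a,198.51.100.77,Mozilla/5.0 (X11; Linux x86_64) Firefox/108,mailbox_access
2023-01-12T10:15:00Z,bob,sid-21c0,203.0.113.22,Mozilla/5.0 (Windows NT 10.0) Edge/109,interactive_login
2023-01-12T10:30:00Z,bob,sid-21c0,203.0.113.22,Mozilla/5.0 (Windows NT 10.0) Edge/109,mailbox_access
"""

def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def detect_session_reuse(lines) -> list[dict]:
    """Flag a session token used from a different IP or browser than the one
    that established it. A replayed cookie never re-authenticates, so an IP
    or user-agent change with no new interactive_login is the signal."""
    origin = {}   # session -> (user, ip, user_agent, login time)
    alerts = []
    for row in csv.DictReader(lines):
        sid, ts = row["session"], parse_ts(row["timestamp"])
        if row["event"] == "interactive_login" or sid not in origin:
            origin[sid] = (row["user"], row["ip"], row["user_agent"], ts)
            continue
        user, ip, ua, login_ts = origin[sid]
        reasons = []
        if row["ip"] != ip:
            reasons.append("ip_changed")
        if row["user_agent"] != ua:
            reasons.append("user_agent_changed")
        if reasons:
            # A UA change is the stronger signal; an IP change alone can be
            # mobile roaming or a VPN, so it is rated lower.
            alerts.append({"session": sid, "user": user, "event": row["event"],
                           "from_ip": ip, "to_ip": row["ip"], "reasons": reasons,
                           "severity": "high" if "user_agent_changed" in reasons else "medium",
                           "seconds_since_login": int((ts - login_ts).total_seconds())})
    return alerts
```

In a real tenant the same logic runs over the identity provider's sign-in and activity logs keyed on its session identifier, and a hit is grounds to revoke the session and reset the credential.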
Constant phishing exercises using tools such as Phishing Insight that are conducted for employees can help minimize the effectiveness of these attacks, and turn what is traditionally the weakest link for this business model into an organization's greatest defensive strength.
This Cyber News was published on www.trendmicro.com. Publication date: Thu, 02 Feb 2023 13:04:02 +0000