Intro.

At first glance, the attack described in this blog seems like a simple, plain vanilla cyber-attack seen on a daily basis via the email channel. However, by looking into both the context and details of the attack, one can see the uniqueness of this attempt:

• Email account takeover (ATO) – The mail is part of a legitimate email correspondence between the targeted company and an outside stakeholder. The “injected” email and malicious payload to the ongoing email exchange indicate that the stakeholders’ email has been compromised which can lead to further attacks against other suppliers, customers, investors, and more.
  
• Evasion measures – The attackers jump through many loops in order to avoid detection.

Recommendations.

• The email threat landscape is vast and evolves rapidly. The only way to stop them is by taking a multi-layered approach that covers all types of attacks – “basic” and “advanced” altogether.
  
• Employ DMARC to authenticate email domains and minimize the opportunity for domain abuse, reducing the risk of spoofed emails.
  
• ֿConsider deploying internal email security solutions to scan intra-domain traffic. This will allow the organization to ensure that even once an account has been breached, the attacker won’t be able to spread the malicious message across the organization.

IOCS.

Source IP: 173.201.192.110

URL: https://drive.google.com/uc?id=xxxxxxxxx

• SHA256: 9f3f54eee2f36fd9ea4f28a87c2e27f6079cd6f324592a3ce8f439e50fc366a1
• MD5: 096c60be4e492746d28f1161c632cade
• SHA1: 9bbbadcfd247282ffcbef30ca5e83dd5ccdbc635

File Name: look_attach_k1g#521049.zip

• SHA256: 193ead6088b9dda6abf86e95e13e24147129cf4fbbe025394463f72c0cd8dd75
• MD5: 5a76a9c77b7caf6d35693812be689be4
• SHA1: 01ecfc13b68f24676b2739e833a5acdd1a05a1df

File Name: look_attach_k1g.js

• SHA256: 4f7a12a25432e292f94154c85b01659c58420dc0f6f92579f266896bf4401473
• MD5: 531e6c0862a9bc43c9ea0ecfdf1daa3b
• SHA1: 5ca4c4df124145a171f974c00843ce94cb6a7b2b

The Email.

The weaponized email was sent from a known business associate of the victim and contained a conversation thread that the victim has been having with that business associate over the past few months. We aren’t sure how the attackers intercepted the original email but we can assume that one of the email accounts on the thread has been compromised.

However, our system successfully identified that the attackers sent the email using an email server that isn’t associated with the business associate’s domain, triggering our first layer that we call the BEC layer.

The IP address used, has a good reputation so traditional threat intelligence platforms would not have picked up on it. However, our technology saw this as a discrepancy since the IP has never been associated with the domain it poses to be, and could immediately identify this email is suspicious.

The Link.

The attackers kept it short and simple: they included a link to an archive file that they stored on the Google Drive platform. By associating Google, they aim to circumvent any suspicions the victim might have and to bypass legacy email security solutions that they thought the target company might have. We’ve seen a significant increase in the use of trusted file hosting platforms such as OneDrive, Google Drive, Box, and Dropbox in such attacks (see examples on this blog). Our Recursive Unpacker engine interacts with each platform accordingly and retrieves the payload. This makes the attacker attempt to conceal the attack, ensuring Perception Point’s platform scans every piece of content sent.

The Encrypted Archive.

The attackers encrypted the archive and provided the victim with the password in the body of the email. This is most likely done to circumvent security solutions that inspect the file such as firewalls and antivirus software. Again, our Recursive Unpacker successfully decrypts the encrypted archive with the provided password and continues unpacking the content within, rendering the attackers attempt to hide the malicious payload useless.

The JS file – The Actual Malware.

Down the rabbit hole we go arriving at the final stage of the attack; a JavaScript file. This file is heavily obfuscated and what it does is write a file to disk and execute it. This essentially is the end of the Exploitation stage or Delivery stage and from here the malware installed communicates with its operators and performs malicious tasks on their behalf.

Summary.

Multilayer attacks require multi-layer defenses. This attack was flagged by no less than three different layers in our platform:

• BEC layer – identifying suspicious activity in the email and source IP level
  
• The Recursive Unpacker – unfolding and uncovering deeply embedded attacks and other evasion measures, including extracting content from archive files decrypting password-protected files
  
• The HAP^TM – a next-gen dynamic engine that intercepts advanced attacks in the exploit stage already.

This example evidently shows how attackers are continuously evolving to avoid detection. Security and email experts should prepare their organizations to prevent such attacks.