At first glance, the attack described in this blog seems like a simple, plain-vanilla cyber attack of the kind seen daily over the email channel. However, looking at both the context and the details of the attack reveals what is unique about this attempt:
Source IP: 173.201.192.110
URL: https://drive.google.com/uc?id=xxxxxxxxx
File Name: look_attach_k1g#521049.zip
File Name: look_attach_k1g.js
The weaponized email was sent from a known business associate of the victim and contained a conversation thread that the victim had been having with that business associate over the past few months. We aren’t sure how the attackers intercepted the original email, but we can assume that one of the email accounts on the thread has been compromised.
However, our system identified that the attackers sent the email through a mail server that isn’t associated with the business associate’s domain, triggering our first detection layer, which we call the BEC layer.
The IP address used has a good reputation, so traditional threat-intelligence platforms would not have picked up on it. Our technology, however, saw a discrepancy: the IP had never been associated with the domain it claimed to be sending for, so it could immediately flag this email as suspicious.
The attackers kept it short and simple: they included a link to an archive file stored on Google Drive. By involving Google, they aim to allay any suspicion the victim might have and to bypass the legacy email security solutions they assumed the target company might have. We’ve seen a significant increase in the use of trusted file-hosting platforms such as OneDrive, Google Drive, Box, and Dropbox in such attacks (see examples on this blog). Our Recursive Unpacker engine interacts with each platform accordingly and retrieves the payload. This defeats the attacker’s attempt to conceal the attack and ensures Perception Point’s platform scans every piece of content sent.
The attackers encrypted the archive and provided the victim with the password in the body of the email. This is most likely done to circumvent security solutions that inspect the file, such as firewalls and antivirus software. Again, our Recursive Unpacker decrypts the archive with the provided password and continues unpacking the content within, rendering the attackers’ attempt to hide the malicious payload useless.
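To make the three checks described above concrete, here is an added example (not Perception Point’s code) that triages a constructed message modelled on this attack: it compares the sending IP against a history of IPs the sender domain has actually used (the BEC layer), finds links to the trusted file-hosting platforms named above so they can be fetched and unpacked, and pulls the archive password out of the body so the unpacker can use it. The baseline of known sending IPs, the message, the addresses and the link ID are all constructed assumptions, not real indicators.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address

# Constructed baseline (assumption: the platform keeps a history of which
# sending IPs each sender domain has actually used in the past).
KNOWN_SENDING_IPS = {
    "partner.example": {"198.51.100.25", "198.51.100.26"},
}

# Constructed message modelled on the post: a reply inside a genuine thread,
# sent from an IP never seen for the partner's domain, linking to a
# password-protected archive on a file-hosting platform.  Not a real IoC.
RAW_EMAIL = """\
Received: from mail.partner.example (unknown [203.0.113.77])
\tby mx.victim.example with ESMTP; Mon, 1 Jan 2018 10:00:00 +0000
From: Alice <alice@partner.example>
To: Bob <bob@victim.example>
Subject: RE: RE: Q3 contract
Content-Type: text/plain; charset="utf-8"

Hi Bob, the revised contract is here: https://drive.google.com/uc?id=EXAMPLEID
Archive password: 521049

> On Fri, Bob wrote:
> Thanks Alice, I will review it next week.
"""

# Trusted hosting platforms named in the post; links to them are followed and
# their payload retrieved for scanning rather than trusted on the brand alone.
HOSTING_RE = re.compile(
    r"https?://(?:[\w-]+\.)*(?:drive\.google\.com|onedrive\.live\.com|dropbox\.com|box\.com)/\S+",
    re.I,
)
PASSWORD_RE = re.compile(r"\bpassword\s*(?:is|:)\s*(\S+)", re.I)
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sending_ip(msg):
    """Connecting IP from the topmost Received header (the hop that handed the
    message to the victim's MX); None if it cannot be parsed."""
    for hdr in msg.get_all("Received") or []:
        m = RECEIVED_IP_RE.search(hdr)
        if m:
            return str(ip_address(m.group(1)))
    return None


def triage(raw, baseline=KNOWN_SENDING_IPS):
    """Run the three checks and return what each layer found plus a verdict."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ip = sending_ip(msg)
    layers = []

    # Layer 1 (BEC): the sender domain is known to us, but this sending IP has
    # never been associated with it.  IP reputation alone says nothing here.
    if domain in baseline and ip not in baseline[domain]:
        layers.append(f"bec: {domain} has never sent from {ip}")

    # Layer 2: a link on a trusted hosting platform that must be followed and
    # its payload retrieved for scanning (the unpacker's job, not shown here).
    links = HOSTING_RE.findall(body)
    if links:
        layers.append(f"hosted-link: {len(links)} file-hosting URL(s) to retrieve and scan")

    # Layer 3: an archive password disclosed in the body.  Instead of treating
    # the encrypted archive as opaque, hand the password to the unpacker.
    pw = PASSWORD_RE.search(body)
    password = pw.group(1) if pw else None
    if password:
        layers.append(f"archive-password: '{password}' supplied for unpacking")

    verdict = "suspicious" if len(layers) >= 2 else ("review" if layers else "clean")
    return {"domain": domain, "ip": ip, "links": links,
            "password": password, "layers": layers, "verdict": verdict}


if __name__ == "__main__":
    for line in triage(RAW_EMAIL)["layers"]:
        print(line)
```

The BEC check deliberately ignores reputation: it only asks whether this domain has ever been seen sending from this IP, which is exactly the discrepancy a reputation feed misses. On the constructed message all three layers fire; replacing the sending IP with one from the baseline leaves only the two content layers.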
Down the rabbit hole we go, arriving at the final stage of the attack: a JavaScript file. This file is heavily obfuscated; what it does is write a file to disk and execute it. This is essentially the end of the Delivery and Exploitation stages; from here, the installed malware communicates with its operators and performs malicious tasks on their behalf.
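The post does not say how the JavaScript stage is recognised, so the following is an added example (not Perception Point’s code) of the kind of static check a scanner can apply to a script pulled out of the archive: it undoes the two cheapest obfuscation tricks (hex escapes and `String.fromCharCode` literals) and then looks for the Windows Script Host object names a script needs in order to write a file to disk and run it. The sample script is constructed and inert; it is only input to the scanner and is not the file from the attack.

```python
import re

# Constructed, inert sample in the style of a script dropper: hex-escaped
# strings, a hex-named identifier array and a fromCharCode-built literal.
# Nothing here is executed; it only serves as input to the scanner below.
SAMPLE_JS = (
    r"var _0x1=['\x57\x53\x63\x72\x69\x70\x74\x2e\x53\x68\x65\x6c\x6c',"
    r"'\x53\x63\x72\x69\x70\x74\x69\x6e\x67\x2e\x46\x69\x6c\x65\x53\x79\x73\x74\x65\x6d\x4f\x62\x6a\x65\x63\x74'];"
    r"var p=String.fromCharCode(37,84,69,77,80,37);"
    r"var s=new ActiveXObject(_0x1[0]);var f=new ActiveXObject(_0x1[1]);"
)

# Host objects and calls that let a script write to disk and launch a program,
# plus the drop location they are typically combined with.
DROPPER_INDICATORS = [
    "WScript.Shell", "Scripting.FileSystemObject", "ADODB.Stream",
    "MSXML2.XMLHTTP", "ActiveXObject", ".Run(", ".Exec(", "%TEMP%",
]


def normalize(src):
    """Undo hex escapes and fromCharCode literals so string indicators show up."""
    src = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), src)
    src = re.sub(
        r"String\.fromCharCode\(([\d,\s]+)\)",
        lambda m: '"' + "".join(chr(int(n)) for n in m.group(1).split(",")) + '"',
        src,
    )
    return src


def obfuscation_signals(src):
    """Cheap signs that the author did not want the strings read as written."""
    signals = []
    if re.search(r"\\x[0-9a-fA-F]{2}", src):
        signals.append("hex-escapes")
    if "fromCharCode" in src:
        signals.append("fromCharCode")
    if re.search(r"\b_0x[0-9a-f]+\b", src):
        signals.append("hex-identifiers")
    return signals


def scan_script(src):
    """Return the indicators found after normalisation, the obfuscation
    signals seen in the raw text, and a verdict combining the two."""
    clean = normalize(src)
    found = [ind for ind in DROPPER_INDICATORS if ind in clean]
    signals = obfuscation_signals(src)
    # A script that hides its strings AND names the objects needed to write
    # and run a file matches what the post describes as the final stage.
    writes_and_runs = any(
        ind in found for ind in ("WScript.Shell", "Scripting.FileSystemObject", "ADODB.Stream")
    )
    if signals and writes_and_runs:
        verdict = "malicious"
    elif found or signals:
        verdict = "review"
    else:
        verdict = "clean"
    return {"indicators": found, "obfuscation": signals, "verdict": verdict}


if __name__ == "__main__":
    print(scan_script(SAMPLE_JS))
```

Obfuscation on its own is only a "review" signal, since minified legitimate scripts also use escapes and hex-named identifiers; it is the combination with the file-writing and process-launching host objects that justifies a "malicious" verdict.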
Multi-layer attacks require multi-layer defenses. This attack was flagged by no fewer than three different layers in our platform:
This example clearly shows how attackers are continuously evolving to avoid detection. Security and email experts should prepare their organizations to prevent such attacks.