Today we want to talk about a malware distribution campaign that uses the deadline for filing tax returns in Slovakia as its lure. Although the attack is local, it shows how dangerous social engineering can be when attackers choose a topic the recipient is already expecting to hear about.
Distribution campaign
In the attack vector we recorded, the malicious code was delivered by e-mail messages that purported to come from the Slovak tax authority. Below are screenshots of such messages.


The subject of these messages translates as "Notification of a change in property tax". The message body states that instructions for making the payment can be found in the attached file. Notably, the attackers targeted specific taxpayers in Slovakia: each targeted entity or company received its own details together with a specific amount to pay. The attacker not only had a good command of Slovak but was also evidently familiar with local tax law. These factors made the scam considerably more plausible.
The attacker changed the delivery method slightly between the two campaigns, but the malware that was delivered remained the same.
In the first campaign the messages carried malicious links. The user could receive two files: one as an attachment to the message and a second via a download link. The file was either an RTF document or an executable. The RTF file contained an exploit for CVE-2010-3333 which, when triggered, installed the malicious code on the system. The download links pointed to popular file-sharing services.
The second campaign was simpler and, judging by the number of downloads of the malware, more successful. The hyperlink in the message pointed directly to an executable file with the .SCR extension.
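Both delivery patterns described above (an RTF attachment carrying a CVE-2010-3333 exploit, and a hyperlink straight to an .SCR executable) can be flagged at the mail gateway before a user ever sees the message. The following script is an added example written for this article; it is not ESET's code and not a tool from the campaign. The sample message it builds is constructed for the test, the sender and host names (`example.invalid`) are placeholders, and the pFragments check is an indicator rather than a full exploit detector: a legitimate RTF can in principle contain that control word, and an exploit can be obfuscated so that a plain regex misses it.

```python
import os.path
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from urllib.parse import urlparse

# Extensions no tax office would legitimately mail out. An .SCR "screensaver"
# is an ordinary Windows PE executable under a different name.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# CVE-2010-3333 is a stack buffer overflow in Word's handling of the RTF
# "\sn pFragments" shape property. Its presence in a mailed RTF is a strong
# triage signal, though not proof of an exploit on its own.
PFRAGMENTS_RE = re.compile(rb"\\sn\s+pFragments", re.IGNORECASE)


def triage_message(raw: bytes) -> list[str]:
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # Second-campaign pattern: a hyperlink pointing straight at an executable.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        ext = os.path.splitext(urlparse(url).path)[1].lower()
        if ext in EXECUTABLE_EXTS:
            findings.append(f"link to executable: {url}")

    # First-campaign pattern: an RTF (or executable) attachment. Check content
    # as well as the file name, since the name is attacker-controlled.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        if ext in EXECUTABLE_EXTS or data.startswith(b"MZ"):
            findings.append(f"executable attachment: {name}")
        if ext == ".rtf" or data.lstrip().startswith(b"{\\rtf"):
            if PFRAGMENTS_RE.search(data):
                findings.append(
                    f"RTF with pFragments (CVE-2010-3333 indicator): {name}")
            else:
                findings.append(f"RTF attachment without pFragments: {name}")
    return findings


def build_sample() -> bytes:
    """Constructed lure for testing; not a message from the real campaign."""
    msg = EmailMessage()
    msg["From"] = "Financna sprava SR <podatelna@example.invalid>"  # placeholder
    msg["To"] = "uctovnik@example.invalid"  # placeholder
    msg["Subject"] = "Oznamenie o zmene dane z nehnutelnosti"
    msg.set_content(
        "Pokyny na uhradu najdete v prilohe alebo na adrese:\n"
        "http://filehost.example.invalid/dl/pokyny_platba.scr\n")
    # Minimal constructed RTF carrying the pFragments property with a short,
    # harmless value; it only exercises the detector.
    rtf = (b"{\\rtf1\\ansi{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}"
           b"{\\sv 1;1;ffffffff}}}}}}")
    msg.add_attachment(rtf, maintype="application", subtype="rtf",
                       filename="pokyny.rtf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample()):
        print(finding)
```

Run against the constructed sample, the script reports the .SCR link and the pFragments RTF; a plain message with no links or attachments produces no findings. In production the same checks would sit behind a gateway rule that quarantines rather than merely reports.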
Malicious code
The malware delivered by the attack was a Trojan designed to steal the credentials of various user accounts. ESET detects this Trojan as Win32/Sazoora.A. Win32/Sazoora focuses on stealing all kinds of data entered into browser forms. In particular, the Trojan contains dedicated libraries that are injected into Microsoft Internet Explorer, Mozilla Firefox and Google Chrome, and it uses the following methods to steal form data:
- Intercepts any information entered into HTML forms in the browsers listed above.
- Retrieves stored user credentials from the browser's memory.
- Injects malicious HTML into web pages in order to steal credit card data.
The stolen data is periodically sent to a remote server whose URLs are hardcoded in the executable itself. The following screenshots show the web injections used to lure the victim into entering credit card details.






The last screenshot is especially interesting because it presents a payment form for OS updates. None of these methods is new; all of them have long been used by various banking Trojan families such as Zeus and SpyEye. Unlike those families, however, Win32/Sazoora.A is far less configurable: the C&C server addresses and the HTML web injects are simply hardcoded in the executable.
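The hardcoding noted above (and earlier, in the description of exfiltration) has a practical upside for defenders: where Zeus and SpyEye keep their C&C addresses in an encrypted configuration, a Sazoora sample gives them up to a plain string scan, and the hostnames can go straight into a blocklist or a DNS log search. The extractor below is an added example for this article, not ESET's tooling; it scans for URL literals stored both as ASCII and as UTF-16LE, the native Windows wide-string encoding that a naive `strings` run silently misses. The "binary" it scans is a constructed blob, and the `example.invalid` hostnames are placeholders rather than real campaign infrastructure.

```python
import re
from urllib.parse import urlparse

# URL stored as a plain C string.
ASCII_URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,}")
# The same URL stored as UTF-16LE: each character is followed by a 0x00 byte,
# so the ASCII pattern above never matches it.
WIDE_URL_RE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,}")


def extract_urls(blob: bytes) -> list[str]:
    """Return every URL literal in the blob, whether ASCII or UTF-16LE."""
    found = set()
    for m in ASCII_URL_RE.finditer(blob):
        found.add(m.group().decode("ascii"))
    for m in WIDE_URL_RE.finditer(blob):
        found.add(m.group().decode("utf-16-le"))
    return sorted(found)


def c2_hosts(blob: bytes) -> list[str]:
    """Hostnames from the extracted URLs, ready for a blocklist or log search."""
    return sorted({h for h in (urlparse(u).hostname for u in extract_urls(blob)) if h})


def build_sample_binary() -> bytes:
    """Constructed stand-in for a stripped PE image; not a real Sazoora sample.

    One URL is embedded as ASCII, the other as UTF-16LE, each terminated by
    null bytes as a compiler would lay them out.
    """
    return (b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 16
            + b"http://panel.example.invalid/gate.php\x00" + b"\x00" * 8
            + "https://inject.example.invalid/cc.js".encode("utf-16-le")
            + b"\x00\x00" + b"\x00" * 8)


if __name__ == "__main__":
    sample = build_sample_binary()
    for url in extract_urls(sample):
        print(url)
    print("hosts:", ", ".join(c2_hosts(sample)))
```

The caveat is the converse of the advantage: this only works while the strings really are plain. A variant that XORs or otherwise encodes its URLs would need the decoding routine located and reimplemented first, which is exactly the extra step the Zeus-style families force on analysts.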
According to ESET LiveGrid statistics, the region where Win32/Sazoora is most prevalent is Slovakia (more than 60% of all detections), which leaves no doubt that this prevalence is the result of the ongoing spam campaigns. The next most affected country is Switzerland. Note that Win32/Sazoora is a generic detection name for the whole family, so various modifications of the code are reported under this name. It is quite possible that the variant detected in Switzerland is a different one, not used in this particular spam campaign.
The victims
Our telemetry shows that the attack reached its goal: a considerable number of computers were infected, and the e-mails were not sent to random recipients. Evidently a prepared list of Slovak addresses was used. Among the victims we could identify were doctors, accountants and employees of several scientific institutes. Most likely the messages they received had a subject relevant to their profession, which is why they opened them and then followed the malicious link.
At the request of one user, who had noticed suspicious activity related to logins to his bank account, we carried out a detailed analysis of his infected system. The investigation showed that the system was infected with a modification of Win32/Sazoora.A and that the user's credit card details had been stolen. Interestingly, the attacker could not get into the online banking account because it was protected by two-factor authentication. The attacker then sent the user another message asking for the second code needed to access the account, and it was this that prompted the user to seek help. Other victims may have been less fortunate. This case once again confirms that users need to be vigilant when opening unsolicited e-mail, especially where corporate security is concerned.