We witnessed a widespread phishing campaign targeting O2 customers, that surfaced on 18th August, 2017 and continued intermittently until 21st August, 2017. Telefonica UK Limited, trading as O2, is a major telco provider in the UK. In this campaign scammers sent out fake O2 invoice emails as spam. These spam phishing emails contained links to malicious Microsoft Word documents, that in turn infected victims with a banking trojan. The attack flow is shown here:
The scammers used spoofed email addresses in the email "From" field and sent out the same emails using one of the two subject lines:
The fake email message appears as a legit automated O2 bill invoice, that encourages the victims to click on the link to "View Billing Statement" as shown in Figure 1 and 2.
Clicking on the link points the web browser to the Phishing site: (see Figure 3). The link appears to be hosted on a compromised web site, that downloads a malicious Word document "O2 bill - 805985874058.doc" (MD5: 2E8BBD0C8B7DE7D5F4E541C192421451). This word document contains a malicious obfuscated macro (see Figure 4):
Figure 3: Malicious word document download via HTTP
The macro executes a base 64 encoded Powershell command (see Figure 5).
A decoded version of the command is show in Figure 6.
Opening the macro enabled word document, launches the Powershell script, that downloads and executes a malware sample from the URL: hxxp://wernerbernheim(.)com(.)uy/capacitacion/bMLTBrcIE/
The downloaded malware is saved to: C:\Users\{user}\AppData\Local\Temp\{random}.exe , having MD5: D6EDE359E1ECBF8248B0FC8EF63CED7E .
The downloaded malware is a variant of the Emotet malware. Emotet is a notorious multi-faceted banking trojan that rolls out different behaviors such as:
Depending on the module behavior, it drops a malware component to the following path:
For persistence, it creates the following registry keys:
It also tries to connect to its CnC server at IP 62.39.95.185 using HTTPS (see Figure 7).
The malware then loads its spam module and attempts to send out new spam/phishing emails to thousands of email addresses (see Figure 8). This is a typical spambot behavior, where first it performs DNS lookups on each target email domain and then sends the spam to the respective SMTP server for that domain.
Following the link provided in the spammed email downloads the same malicious word document file, but this time hosted on a different domain (see Figure 9).
Attackers are leveraging the simplicity provided by the email infrastructure to distribute banking trojans to global victims. We observed one such targeted phishing campaign delivering counterfeit emails claiming to come from O2, a UK based telecom company. The legitimate-looking messages pretend to be dispatching a billing invoice, but the link included leads to a malicious Word document file. Upon opening the document it attempts to install a variant of the notorious Emotet banking Trojan. This variant is equipped with a spamming module that starts sending out spam messages containing infected links to email addresses globally. This type of attack flow (Spam->contains-malicious-link->downloads-malicious-document->downloads-and-executes-Trojan) appears to be on an increase on the threat landscape, likely as a measure to evade email gateways. Additionally, malware equipped with spamming modules used in such campaigns is designed to perpetuate the attack. As a mitigation measure, customers should avoid opening any email messages that appear suspicious, especially avoid opening any unexpected office documents containing macros.
We would like to thank Phil Hay for his valuable advice and guidance.