Fake Power and Broadband Utility Bills serve Banking Trojans to Aussies

In our previous blog we highlighted how a group of scammers were targeting financial software customers by spamming out Microsoft SharePoint URLs that lead the target to fake invoices infected with malware. This time we observed the same group involved in another widespread campaign, spamming out similar Microsoft SharePoint URLs that link to fake Australian power and telco bills infected with malware.

Fake Energy Australia scam

EnergyAustralia formerly known as TRUenergy is an electricity generation and retail private company in Australia. On 18^th September, 2017, we witnessed a rise in phishing messages distributing spoofed EnergyAustralia Electricity bills.

Spam Message

The spam/phishing message appears as a fake EnergyAustralia power bill as shown in Figure 1 and 2. Scammers have copied legit email bill templates to lure victims into believing the authenticity of their phished messages. Here it's important to note that these messages are sent from a domain "energybrandlab.com" that is different from the official EnergyAustralia domain "energyaustralia.com.au". Further analysis of the domain "energybrandlab.com" revealed that it was created on 17^th September, 2017 and registered by the same group of scammers we pointed out in our previous blog. The registrant information for this domain is shown here:

Figure 1: Fake power bill

Figure 2: Fake power bill with different amount

The legit-looking message is designed to lure the user to click on the link to view his power bill. Clicking on this link points the web browser to the URL:

• hxxp://eoaclk(.)com/v5yMMueJT0/victim@domain(.)com.au/?docid=0c686998b26934002b1b3aa20d8340828&authkey=AfesB7cc4NVl6W0ZE5wKqSA&expiration=2017-12-16T21:48:00.000Z

This domain performs an HTTP 302 temporary redirect to a Microsoft SharePoint URL as shown in Figure 4:

• hxxps://viridor-my(.)sharepoint(.)com/personal/lawalters_viridor_co_uk/_layouts/15/guestaccess.aspx?docid=0c686998b26934002b1b3aa20d8340828&authkey=AfesB7cc4NVl6W0ZE5wKqSA&expiration=2017-12-16T21:48:00.000Z

Browsing to this URL downloads a zip file ("EnergyAustralia Electricity bill.zip") to the system as shown in Figure 3. The 302 redirect seems to be a new evasive tactic used by the scammers. In previous campaigns they directly pointed to the SharePoint URL hosting the malicious script.

Figure 3: Clicking on the URL downloads the fake EnergyAustralia Electricity bill.zip file

Figure 4: HTTP traffic illustrating the HTTP temporary 302 redirect to a Sharepoint URL

Unzipping the archive extracts to a JavaScript file "EnergyAustralia Electricity bill.js" (see Figure 5). Looking at the JavaSscript file it appears to be highly obfuscated and acts as a downloader and executor (see Figure 6).

Figure 5: The zipped archive extracts to a malicious JavaScript file named EnergyAustralia Electricity bill.js

Malware Analysis:

The JScript contains obfuscated strings which can be easily de-obfuscated with a one-liner Python code (see Figure 7):

Sample Obfuscated Strings:

DeObfuscation:

This JScript is basically a Trojan downloader and a launcher. It downloads two files, the first file is an EXE and the second is a PDF. The PDF is a fake Bill Invoice of Energy Australia which is displayed to trick the user while the binary (EXE) gets executed in the background.

Here's a screenshot of the fake Energy Australia Bill invoice that is presented to the unaware victim (see Figure 8)

Figure 8: Fake Energy Australia invoice shown to users

The executable was found to be a variant of a notorious banking Trojan known as ISFB A.K.A Ursnif/Gozi whose code was leaked in 2010. Upon execution, it creates a new process of svchost.exe and injects its code to that process.

The malware avoids process injection if its filename is "sample.exe", "mlwr_smpl.exe", or "artifact.exe". It also avoids running if any of the following Windows username are found:

• TEQUILABOOMBOOM
• Wilbert
• admin
• SystemIT
• KLONE_X64-PC
• John Doe
• BEA-CHI
• John

It collects system information and send it to its command and control at 178.33.188.154:443

This malware is designed to hook browser process and monitor browser activity. In addition, it can download additional plugins such as keylogger, email and FTP grabber, screen grabber and a downloader to install new malware.

Figure 9: Malware checks for browser process

Indicators of Compromise:

URLs

• hxxps://cyrilorchard-my[.]sharepoint[.]com/personal/craydon_care_cyrilorchard_co_uk/_layouts/15/guestaccess.aspx?docid=030b41de800d34d78b8255b678bc7271a&authkey=AYua-r8lG2pSyjyGVKylOz8
• hxxps://tracsc-my[.]sharepoint[.]com/personal/jonathan_tongue_tracscare_co_uk/_layouts/15/guestaccess.aspx?docid=0de8352ff82f2437ba7534ac18728d804&authkey=AT0x3YE-hry2jT-0qHSAesg
• hxxp://94[.]23[.]249[.]41/manager/manager.tool
• hxxp://94[.]23[.]61[.]195/files/Gas_bill.pdf
• hxxp://94[.]23[.]249[.]41/manager/Notification_1-BYH7K31.pdf

Command and Control:

• 33.188.154:443

Files

• %TEMP%/ZgUiIDs5.exe (SHA1: e44e92474796762c63d336c363ff7a0c43868ace)
• %TEMP%/j9eEWNq.pdf – non-malicious fake invoice

Fake Telstra scam

In addition to the fake Energy Australia Spam email, we also encountered a fake Telstra bill notification scam on 27^th September,2017 (See Figure 10). Telstra is an Australian telco company. Scammers spammed out legit-looking email messages containing counterfeit Telstra bill invoices having an embedded button to view the bill.

These spam messages were sent from the domain "businessdirs.com" that could be attributed to the same malicious actors as shown here:

Clicking on the "View Bill" button in the spam message downloads a JavaScript file from a SharePoint URL that is similar to the script seen in the Energy Australia scam (see Figure 11).

Figure 11: The malicious obfuscated JS sample that is downloaded

The JS downloader downloads a binary file of the EMOTET malware instead of the URSNIF as seen in Energy Australia scam (see Figure 12).

Figure 12: Downloading of Ursnif malware

It also downloads a PDF file of the Telstra Bill that is shown below (see Figure 13 and 14).

Figure 13: Fake PDF invoice downloaded and displayed to user

Figure 14: Fake Telstra bill PDF

Indicators of Compromise (IOC)

• URL:
  • hxxps://livedmsystemco-my(.)sharepoint(.)com/personal/vikki_dmsystem_co_uk/_layouts/15/guestaccess.aspx?docid=0005ccf72c5ae4fa6b492b233e27de460&authkey=AUfKUwbb0-6HBMJe8ZRrm-g
  • higgidy-my(.)sharepoint.com:443
  • hbhydraulicengineering-my(.)sharepoint.com:443
• CnC:
  • 94(.)23(.)211.92/type/type-c.info
  • 94(.)23(.)251.221/document/Telstra_Bill.pdf
• Hash:
  • SHA1: A54E9FD76848368002FE842E3F95D9A114742410

Conclusion

Scammers are spamming out counterfeit bills impersonating Australian telco and power companies in an attempt to spread malware. These bills are infested with malicious links to banking trojans. Scammers are abusing the Microsoft SharePoint service to host their malware. The spam emails are sent out using newly registered domains owned by the same group reported earlier. Hiding malware behind links to reputable online services is being used as a means to evade detection by the spam gateways. A legit-looking decoy PDF bill is presented to the oblivious victims once they are infected to avoid suspicion.