We witnessed a sophisticated phishing campaign on 16th August 2017, targeting victims by sending spoofed phishing email messages appearing to come from Xero. Xero is a New Zealand-based software company that develops cloud-based accounting software for small and medium-sized businesses. The scammers sent phishing email messages globally, impersonating Xero. These messages contained malicious links that trick the victim into downloading a zip archive containing a malicious JavaScript file. On execution, this JavaScript downloads and launches banking malware onto the victim's computer that steals their personal and private information and leaves them at the mercy of their attackers.
We first analyzed the email header for the wealth of information provided there (see Figure 1). The name part of the "From" header field suggests that this message was sent from "Xero Billing Notifications", while the email address points to the domain "xeronet.org" instead of the legitimate business domain "xero.com".
Analyzing the domain "xeronet.org", we learn that it was registered in China on the same day the campaign was launched (August 16, 2017) using a free Yahoo email address (see Figure 2). The domain points to the IP address 94.23.4.201 in France. Browsing to the site reveals a static HTML page with the heading "XERONET.ORG" and the text "Powered by VESTA".
Analyzing the email body, it looks like a professionally crafted billing message that recommends that users view their invoice online by clicking on the invoice link (see Figure 3).
The invoice link in the email body points to a URL hosted on the fake Xero domain, while the other URLs point to the legitimate Xero.com site. We also observed a different set of malicious URLs, two of which are noted here:
Browsing to either URL has the same result: the URL loads JavaScript into the browser that forces a ZIP file download onto the victim's computer. Figure 4 shows a detailed flow of one of the emails.
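As an added example (not part of the original write-up), a small triage script for the two mismatches described above: a display name that claims a brand while the sender domain is only a look-alike, and an invoice link that leaves the brand's real domain. The message, the local part of the sender address and the brand-to-domain map are constructed for this example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand keyword -> the brand's legitimate domain. Assumed mapping for this example.
LEGIT_DOMAINS = {"xero": "xero.com"}

# Constructed message mirroring the campaign's From header and link layout (not the real email).
SAMPLE_EML = """\
From: "Xero Billing Notifications" <billing@xeronet.org>
To: victim@example.invalid
Subject: Your Xero invoice is ready
Content-Type: text/html

<p>View your invoice: <a href="http://xeronet.org/invoice/Xero%20Invoice.zip">here</a></p>
<p>Help: <a href="https://www.xero.com/help">Xero support</a></p>
"""


def registered_domain(host):
    """Reduce 'www.xero.com' to 'xero.com' (naive two-label split, enough for this example)."""
    return ".".join(host.lower().split(".")[-2:])


def triage(raw):
    """Return findings for brand/domain mismatches in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"]))
    sender_domain = registered_domain(addr.rpartition("@")[2])
    findings = []
    # Which brand does the display name claim to be?
    claimed = [b for b in LEGIT_DOMAINS if b in display.lower()]
    for brand in claimed:
        if sender_domain != LEGIT_DOMAINS[brand]:
            kind = "lookalike" if brand in sender_domain else "unrelated"
            findings.append(f"from:{kind}:{sender_domain}")
    # Any link that leaves the brand's real domain is suspect, doubly so when it serves a ZIP.
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    for url in re.findall(r'href="([^"]+)"', body):
        host = registered_domain(urlparse(url).hostname or "")
        for brand in claimed:
            if host != LEGIT_DOMAINS[brand]:
                tag = "zip-link" if url.lower().endswith(".zip") else "link"
                findings.append(f"{tag}:{host}")
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```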
Unzipping "Xero Invoice.zip" extracts "Xero Invoice.js". This is a highly obfuscated JavaScript sample (see Figure 5). On further analysis, it appears to be a generic JavaScript downloader and executor that employs the Microsoft ActiveX object MSXML2.XMLHTTP to download the malware payload. This object is used to send an arbitrary HTTP request, receive the response, and have the Microsoft XML Document Object Model (DOM) parse that response. The response is then saved to disk with the help of the Microsoft ADODB.Stream ActiveX object, which writes the stream to the temp folder under a random name for the binary: "%TEMP%\Y739Ayh.exe". This malware is downloaded from the hardcoded link:
hxxps://stakks-my(.)sharepoint(.)com/personal/accounts_stakks_com_au/_layouts/15/guestaccess.aspx?docid=0426cc21c900f4425bfd868cf0a9bc836&authkey=AdVBGQCO-SGtytiexhgUfw8. The downloaded payload is finally executed using the ActiveX WScript.Shell object.
Any victim who double-clicks this JavaScript file will find that it executes like any binary under Windows. This is facilitated by the Microsoft Windows Script Host (WSH), a framework for running and automating scripts from the GUI using WScript.exe. WSH supports various scripting languages such as JScript and VBScript.
This is a sophisticated malware sample that performs multiple tasks. It first gathers information about the system, installed applications and users. This is followed by several system-wide policy and configuration changes for Internet Explorer made through the registry. The malware also attempts to hook benign Windows processes like whoami.exe and net.exe. Figure 6 illustrates the flow of the processes spawned by the malware.
This executable turned out to be a variant of the Dridex banking trojan. When executed, Y739Ayh.exe uses a process hollowing technique to inject its malicious code into a legitimate process. It creates a suspended instance of one of two target processes, svchost.exe or spoolsv.exe, using the API CreateProcessInternalW(). The malicious code is then written to a virtual address region allocated in the target process. After changing the entry point to the new code section, the malware simply resumes the suspended process using the NtResumeThread() API. The main executable Y739Ayh.exe is then deleted.
However, if the executable resides in the Windows System directory, it skips the process hollowing routine and runs as a stand-alone process.
The malware probes the infected system by gathering the computer name, system information, privilege information and integrity level. It uses built-in Windows commands such as "whoami.exe /all" and "net.exe view" (see Figure 7) and saves the results to a temporary file dropped in the Windows %Temp% folder, which is later exfiltrated.
It also gathers the list of installed software by querying the "DisplayName" and "DisplayVersion" values under the registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall (see Figure 8).
This information is stored in XML format and is then encrypted and exfiltrated to the control server.
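An added example, not code from the original analysis: detection logic over process-creation events that flags the recon commands above when they are spawned by the svchost.exe or spoolsv.exe host that Dridex hollows, which is where they should never originate. The event records are constructed in a simplified Sysmon-like JSON shape; the field names are assumptions.

```python
import json
from collections import defaultdict
from ntpath import basename

# Host processes the page names as hollowing targets, and the recon commands it describes.
HOLLOW_HOSTS = {"svchost.exe", "spoolsv.exe"}
RECON = {("whoami.exe", "/all"), ("net.exe", "view")}

# Constructed process-creation events (not real telemetry); 1812 is the hollowed svchost.
SAMPLE_EVENTS = [
    r'{"ts":"2017-08-16T10:05:00","pid":2204,"ppid":1812,"image":"C:\\Windows\\System32\\whoami.exe","parent":"C:\\Windows\\System32\\svchost.exe","cmd":"whoami /all"}',
    r'{"ts":"2017-08-16T10:05:03","pid":2210,"ppid":1812,"image":"C:\\Windows\\System32\\net.exe","parent":"C:\\Windows\\System32\\svchost.exe","cmd":"net view"}',
    r'{"ts":"2017-08-16T10:07:41","pid":2300,"ppid":4000,"image":"C:\\Windows\\System32\\whoami.exe","parent":"C:\\Windows\\System32\\cmd.exe","cmd":"whoami /all"}',
    r'{"ts":"2017-08-16T10:09:12","pid":2350,"ppid":900,"image":"C:\\Windows\\System32\\net.exe","parent":"C:\\Windows\\System32\\spoolsv.exe","cmd":"net view"}',
]


def recon_key(image, cmd):
    """Return 'exe marker' when the event is one of the recon commands, else None."""
    exe = basename(image).lower()
    args = [a.lower() for a in cmd.split()[1:]]
    for name, marker in RECON:
        if exe == name and marker in args:
            return f"{name} {marker}"
    return None


def detect(lines):
    """Group recon commands by parent PID; an admin's cmd.exe running whoami is not flagged."""
    seen = defaultdict(set)
    parent_of = {}
    for line in lines:
        ev = json.loads(line)
        parent = basename(ev["parent"]).lower()
        key = recon_key(ev["image"], ev["cmd"])
        if key and parent in HOLLOW_HOSTS:
            seen[ev["ppid"]].add(key)
            parent_of[ev["ppid"]] = parent
    alerts = []
    for ppid in sorted(seen):
        # Both commands from the same host process match the page's full recon sequence.
        severity = "high" if len(seen[ppid]) == len(RECON) else "medium"
        alerts.append((ppid, parent_of[ppid], severity, sorted(seen[ppid])))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```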
This malware uses a very common anti-analysis technique: calling APIs indirectly. This hampers static analysis by defenders. For example, in the code below, instead of directly calling the Windows API RegCloseKey(), it first calls a function that resolves the API from a pre-calculated hash. The first parameter passed is the hash of the dynamic library and the second is the hash of the API, as shown in Figure 9.
3A9838D7h = Advapi32
945E62DCh = RegCloseKey
The folks at IBM posted a very good write-up of this API obfuscation technique.
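To show how an analyst reverses this two-level scheme (library hash, then API hash) by precomputing hashes over known export names and looking the observed pair up, here is an added example that is not from this write-up or the IBM post. The page does not give Dridex's hash algorithm, so the block uses a ROR13-add hash as a labelled stand-in (the values 3A9838D7h and 945E62DCh will not reproduce with it), and the export list is constructed.

```python
MASK = 0xFFFFFFFF


def ror13_hash(name, module=False):
    """Stand-in hash: rotate-right-13 then add, per byte. Assumption: not Dridex's real algorithm."""
    # Module names are upper-cased UTF-16LE, API names plain ASCII, as many loaders do it.
    data = name.upper().encode("utf-16-le") if module else name.encode("ascii")
    h = 0
    for b in data:
        h = ((h >> 13) | (h << 19)) & MASK  # 32-bit rotate right by 13
        h = (h + b) & MASK
    return h


def build_table(exports):
    """exports: {module: [function, ...]} -> ({module_hash: (module, {api_hash: function})}, collisions)."""
    table = {}
    collisions = []
    for module, funcs in exports.items():
        funcs_by_hash = {}
        for fn in funcs:
            fh = ror13_hash(fn)
            if fh in funcs_by_hash and funcs_by_hash[fh] != fn:
                collisions.append((module, funcs_by_hash[fh], fn))  # hash ambiguity to report
            funcs_by_hash[fh] = fn
        table[ror13_hash(module, module=True)] = (module, funcs_by_hash)
    return table, collisions


def resolve(table, module_hash, api_hash):
    """Map the (library hash, API hash) pair seen at the call site back to names, or None."""
    entry = table.get(module_hash)
    if entry is None:
        return None
    module, funcs = entry
    fn = funcs.get(api_hash)
    return (module, fn) if fn else None


# Constructed export list; a real run would read the DLLs' export tables (e.g. with pefile).
EXPORTS = {
    "advapi32.dll": ["RegCloseKey", "RegOpenKeyExW", "RegQueryValueExW"],
    "kernel32.dll": ["CreateProcessInternalW", "LoadLibraryA"],
}
TABLE, COLLISIONS = build_table(EXPORTS)

if __name__ == "__main__":
    pair = (ror13_hash("advapi32.dll", module=True), ror13_hash("RegCloseKey"))
    print(f"{pair[0]:08X}h {pair[1]:08X}h ->", resolve(TABLE, *pair))
```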
On first execution, the malware sample attempts to make outbound connections to the following IP addresses and ports:
From there, it attempts to download a configuration with additional command-and-control nodes and additional bot modules. At the time of analysis, the bot failed to connect to its command-and-control server.
Dridex is designed to steal banking and personal information by injecting itself into web browsers such as Firefox, Chrome and Internet Explorer. It monitors browsing activity and steals sensitive information for target online banks listed in its configuration file.
The malware communicates with several hosts over different ports using SSL. The use of encrypted channels for communication over nonstandard ports adds to the sophistication of the malware.
The network communication triggered several Emerging Threats IDS rules, validating that this malware is a variant of Dridex, a known banking trojan; the rule description reads "ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)". Multiple AV vendors also classify the sample as a Trojan.
This campaign is designed to steal banking and personal information from customers worldwide by infecting their systems with banking trojans. Packaging the malicious JavaScript in a ZIP archive that is fetched from a URL sent in a legitimate-looking phishing email gives the attackers an effective way to evade detection mechanisms.
The Xeronet campaign was followed by a string of related campaigns using similar SharePoint URLs to target customers of online financial software companies. Our research suggests, based on matching WHOIS information, that the cybercriminals behind this fresh wave of phishing attacks have been active in the past with similar campaigns using domains like xeroaccounting.org, intuito.biz, quickbooks-support.biz, financialaccountant.info, myobaustralia.org, australiangovernments.com, btconnect.biz and drvenergy.com. Let's take a look at a few such related campaigns that we've witnessed since 20th August 2017:
This campaign used fake MYOB statements to lure users into clicking on attacker-controlled URLs. The campaign surfaced on 22nd August 2017 and ended after a 24-hour period. MYOB is an Australian multinational corporation that provides tax, payroll, accounting and other services to small and medium businesses. To make their campaign as targeted and effective as possible, the scammers registered a fake MYOB-like domain (myobemail.com) to send fraudulent phishing messages serving banking trojans.
This campaign used fake QuickBooks statements to lure users into clicking on attacker-controlled URLs. The campaign surfaced on 23rd August 2017 and ended after a 24-hour period. QuickBooks is an accounting software package developed and marketed by Intuit. It provides tax, payroll, accounting and other services to small and medium businesses, ranging from on-premise to cloud solutions. The scammers registered a fake QuickBooks-like domain (qbaccountants.net) to send fraudulent phishing messages.
This campaign used fake Dropbox statements to lure users into clicking on attacker-controlled URLs. The campaign surfaced on 21st August 2017 and ended after a 24-hour period. Dropbox is a file hosting service. The scammers registered a fake Dropbox-like domain to send fraudulent account statements as spam messages.
Attackers are leveraging the simplicity of the email infrastructure to distribute banking trojans to victims worldwide. We observed one such campaign detected by our distributed honeypot sensors. The phishing messages were legitimate-looking yet spoofed email messages from Xero, an accounting software company. The message was a professionally crafted billing message suggesting that users view their invoice online by clicking on the malicious invoice link. This link leads to the download of a ZIP file containing a malicious, obfuscated JavaScript file. Once executed, the JavaScript file downloads and executes a sophisticated banking trojan onto the victim's computer. This banking trojan turned out to be a variant of the Dridex malware, aimed at stealing banking information from the user's browser.
We also observed several similar campaigns throughout the week targeting customers of other well-known online accounting software companies. Such attacks, which exploit the trust that people place in specific brands, have emerged as a recent trend in the attack landscape. As a mitigation measure, customers should avoid opening any email messages that appear suspicious, and especially avoid opening any unknown downloaded files. Customers should also refrain from opening ZIP archives that come from unknown sources and avoid executing unfamiliar file types such as JavaScript, as a lot of malware has recently been distributed by such scripts.
We would like to thank Gerald Carsula for his contributions and Phil Hay and Karl Sigler for their valuable comments and feedback.