The fake invoice phishing scam has been around for quite some time and it pops in the wild every once in a while, in a different form. Overall, the nature of all those scams are in the end the same – a clever con to defraud victims.
In January 2018, we saw a new version of fake invoice phishing scam wreaking havoc; this time targeting a large number of Italian organizations. In itself, the modus operandi of this attack was quite simple and did not require much sophistication from the attacker(s).
A botnet was used to launch a legitimate looking phishing email containing a short text written in Italian. It looked like it was sent from the Italian Treasury Department featuring subject lines such as “gennaio pagamento” (January payment) which could fool a lot of people considering the end of the fiscal year.
If the recipient would have taken a closer look at the sender’s email address, he or she could have noticed that this was not a legitimate email since the addresses that the scammers used were: firstname.lastname@example.org and email@example.com. It is clear that these are not used by the Italian Treasury Department. Furthermore, the senders, companies, names of employees, phone numbers, amounts, reference numbers etc. that were referred to in these emails, are not the actual ones performing these attacks. Cunningly enough, some are real and picked at random, while others were names of companies that do not even exist.
After review of a number of sources, it appears that two kinds of infection mechanisms were used for this attack:
- Emails which came with an attached Excel file imbedded malicious macro script.
- Emails which contained a link downloading a malicious JS file followed by a connection to a CNC.
Once the victim was fooled by the first infection mechanism, he or she then clicked on the attached Excel file containing an embedded macro script. Once the script was run, it delivered a malware payload to the victim’s machine. In itself, organizations using modern versions of Microsoft Office, such as Office 2010, 2013, 2016 and Office 365 should have been protected since these versions are supposed to use protected view and running macros should be disabled by default. But if protected view mode was turned off and macros are enabled, then opening this malicious word document could infect the organization. Please note that just previewing it in Windows Explorer or the email client, might already be enough to infect. At Cymulate, we strongly advice not to enable macros or editing to see any content when prompted to do so.
Once targeted by the second infection mechanism, the victim was tricked to click on the malicious link in the email body text. This link opened the browser and downloaded a JS file (using a GET connection to 239outdoors.com/themes5.php) to drop a file called 1t.exe to the host. This malicious file is then executed by the JS communicating back and forth with the CNC server. During this time, the victims’ network and assets are compromised.
Moreover, the link also appeared to drop another malicious payload (“Nuovo Documento 2008”), which is a .bat file that used the “certutil for delivery of file” technique to drop and execute another file, followed by downloading an encoded payload. Such a technique is silent and does not alert for suspicious activity. After decoding and running the payload unslaa.exe, it behaved the same as 1t.exe and communicated with the same CNC server.
The number of reported victims from various industries and organizations of different sizes, is currently estimated to be around 150. Might this attack was just a proof of concept prior to a much broader attack…?
Cymulate’s Breach & Assess Simulation (BAS) platform can test your security posture to withstand such attack methods using simulated attacks, which will try to bypass all security controls whether they are solutions or people.
Curious to test it out? Sign up for a free trial to find out if your organization is secure.