Stealthy phishing attack uses advanced infostealer for data exfiltration

Phishing attacks featuring an advanced, stealthy technique designed to exfiltrate a wide range of sensitive information have been observed by Barracuda threat analysts.

The technique involves a sophisticated infostealer malware able to collect PDF files and directories from most folders, as well as browser information such as session cookies, saved credit card details, bitcoin-related extensions, web history, and more, which the attackers then transmit to a remote email account as a zipped attachment.

It is unusual to see infostealers designed to collect and exfiltrate such a wide range of information. Infostealers typically seek out saved browser passwords and sometimes cryptocurrency wallets, but little else.

According to Barracuda researchers, the attack unfolds as follows.

Step 1: The phishing email

In the incidents observed by Barracuda, the attack begins with a phishing email encouraging the recipient to open an attached purchase order. The email includes several basic grammatical errors.

Phishing email example

All the emails appear to be sent from the same address ‘yunkun[@]saadelbin.com.’ The company name and contact details all appear to be fictitious.

The attachment, which is named ‘P.O.7z’ in the examples seen by Barracuda, contains an ISO disc image file. An ISO file is an archive file that contains an identical image of data found on an optical disc, like a CD or DVD.

Within the ISO disc image file there is an HTA (HTML application) file. An HTA is a type of file used by Microsoft Windows to create applications using web technologies that run on the desktop rather than in a web browser. This means they are not limited by the security features of a web browser, which can make them a security risk.

Upon running the HTA file, a series of malicious payloads are downloaded and executed.

Step 2: The malicious payloads

When the HTA file is executed, it downloads an obfuscated JavaScript file from a remote server to the compromised account and executes it.

This JavaScript file in turn downloads a PowerShell file, drops it in the account’s ‘Temp’ folder, and executes it.

How a phishing attack unfolds

The PowerShell script downloads a ZIP file from a remote server and also drops it in the Temp folder.

This ZIP file unzips into a ‘PythonTemp’ folder.

From this folder, the infostealer malware — a Python script — is executed. The Python file then sleeps for three seconds, after which it kills the Python process if it is still running and deletes all files in the PythonTemp folder before deleting itself.  
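The execution chain described in Step 2 can be hunted in process-creation telemetry. The following is an added example, not code from Barracuda's report: the event tuples are constructed, and it assumes that the HTA runs under `mshta.exe` (the standard Windows HTA host), that the JavaScript stage runs under a Windows script host, and that the Python interpreter ships inside the ZIP.

```python
import ntpath

# Children of mshta.exe that indicate an HTA is launching further scripts (assumed set).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
STAGING_MARKER = "\\temp\\pythontemp\\"   # folder name taken from the report

# Constructed sample events: (pid, parent pid, image path, command line).
EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Windows\System32\mshta.exe", r'mshta.exe "E:\order.hta"'),
    (210, 200, r"C:\Windows\System32\wscript.exe",
     r"wscript.exe C:\Users\u\AppData\Local\Temp\a.js"),
    (220, 210, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -File C:\Users\u\AppData\Local\Temp\b.ps1"),
    (230, 220, r"C:\Users\u\AppData\Local\Temp\PythonTemp\python.exe", "python.exe s.py"),
    (300, 100, r"C:\Program Files\Python312\python.exe", r"python.exe C:\work\report.py"),
]

def name(image):
    """Lower-cased file name of a Windows image path (works on any OS)."""
    return ntpath.basename(image).lower()

def ancestors(pid, by_pid):
    """Yield image names of parent, grandparent, ... and stop on unknown or repeated pids."""
    seen = set()
    ev = by_pid.get(pid)
    while ev and ev[1] in by_pid and ev[1] not in seen:
        seen.add(ev[1])
        ev = by_pid[ev[1]]
        yield name(ev[2])

def detect(events):
    """Return (pid, rule) findings for each stage of the chain seen in the events."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, _ppid, image, cmdline in events:
        chain = list(ancestors(pid, by_pid))
        parent = chain[0] if chain else ""
        if parent == "mshta.exe" and name(image) in SCRIPT_HOSTS:
            findings.append((pid, "mshta-spawned-script-host"))
        if name(image) == "powershell.exe" and "mshta.exe" in chain[1:]:
            findings.append((pid, "powershell-descended-from-mshta"))
        if STAGING_MARKER in image.lower() or STAGING_MARKER in cmdline.lower():
            findings.append((pid, "binary-run-from-PythonTemp"))
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Each rule fires on a different stage, so a host that shows all three in one process tree matches the full chain rather than a single coincidental behaviour.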

The Python script is obfuscated and encrypted, making it harder for security analysts to reverse engineer the threat.

First level decoding 

The script goes through various levels of decoding and decrypting to get to the final code.

The script decrypts the final payload

Step 3: The data exfiltration

Most phishing attacks are associated with data theft, where the attackers are looking to steal credentials, financial account details, and more. Data exfiltration is also a type of theft, but it is more often associated with ransomware and the active removal of information from the network, often in significant volumes by means of tools and exploits.

In these attacks, we are looking at data exfiltration, executed by a sophisticated infostealer malware that is designed to collect and exfiltrate a wider range of information than typical infostealers.

The Python infostealer malware

The capabilities of the infostealer used in this attack include:

Collecting browser information

  • The malware is designed to kill browser processes and collect their MasterKeys. It can collect MasterKeys for Chrome, Edge, Yandex, and Brave.
  • It can collect session cookies from the browser directories, saved passwords from web browsers, saved credit card information, web and download history, and autofill information.
  • It can also copy any bitcoin-related browser extension folders, including MetaMask, BNB Chain Wallet, Coinbase Wallet, and Ronin Wallet.

Collecting files

  • The infostealer tries to collect PDF files located in the following folders: Desktop, Downloads, Documents, the ‘Recent’ folder in %AppData% and %Temp%\Browser.
  • It can copy and ZIP entire directories, including %AppData%\Zcash, %AppData%\Armory, and any gaming folders.

Exfiltration

The infostealer ZIPs the collected information and sends this ZIP file as an email attachment to ‘maternamedical[.]top’:

  • Collected cookies are sent to ‘cooklielogs[@]maternamedical[.]top’
  • Collected PDF files are sent to ‘filelogs[@]maternamedical[.]top’
  • Collected text files are sent to ‘minestealer8412[@]maternamedical[.]top’
  • Browser extensions are sent to ‘extensionsmtp[@]maternamedical[.]top’
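Because the stolen data leaves as email, outbound mail traffic from endpoints is a useful detection point. The following is an added example, not code from the report: the connection events, host names and mail-client allowlist are constructed, and it assumes the stealer opens its own SMTP connection from the infected machine.

```python
import ntpath

SMTP_PORTS = {25, 465, 587}                          # SMTP and submission ports
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}    # assumed allowlist; tune per environment
IOC_DOMAINS = ["maternamedical[.]top"]               # defanged, as published in the report

def refang(indicator):
    """Turn a defanged indicator back into a matchable lower-case string."""
    return indicator.replace("[.]", ".").replace("[@]", "@").lower()

def host_matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(events):
    """Return (host, process, reason) for connections that warrant investigation."""
    domains = [refang(d) for d in IOC_DOMAINS]
    findings = []
    for ev in events:
        image = ntpath.basename(ev["image"]).lower()
        if host_matches(ev["dest_host"], domains):
            findings.append((ev["host"], image, "known-exfil-domain"))
        elif ev["dest_port"] in SMTP_PORTS and image not in MAIL_CLIENTS:
            findings.append((ev["host"], image, "smtp-from-non-mail-process"))
    return findings

# Constructed sample connection events (not from the report).
EVENTS = [
    {"host": "ws01", "image": r"C:\Users\u\AppData\Local\Temp\PythonTemp\python.exe",
     "dest_host": refang(IOC_DOMAINS[0]), "dest_port": 587},
    {"host": "ws02", "image": r"C:\Tools\python.exe",
     "dest_host": "smtp.example.net", "dest_port": 587},
    {"host": "ws03", "image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "dest_host": "smtp.example.net", "dest_port": 587},
    {"host": "ws04", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "dest_host": "example.com", "dest_port": 443},
]

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

The second rule does not depend on the published domain, so it still fires if the attackers move to a different mailbox provider.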

The amount of information collected is extensive and sensitive. The stolen saved passwords and cookies could help an attacker to move laterally in the organization, while credit card information and bitcoin wallet information could be used to steal money.

Conclusion

Data exfiltration poses a significant and ever-evolving threat to organizations of all sizes. As cybercriminals continue to develop sophisticated methods to steal sensitive information, it’s important for businesses to stay vigilant and proactive in their cybersecurity efforts. Implementing robust security protocols, continuously monitoring for suspicious activity, and, more importantly, educating employees on potential risks are key strategies in mitigating the risk of data exfiltration.

Email protection solutions that feature multilayered, AI- and machine-learning-powered detection prevent these types of attacks from reaching user inboxes. Barracuda Networks customers are protected against this attack.

Ashitosh Deshnur, Associate Threat Analyst at Barracuda, also contributed to the research for this blog post.
