Cluster25 Threat Intel Team
October 25, 2023
Cluster25 observed a malicious campaign that employs LinkedIn messages as a vector for executing identity theft attacks. In this campaign, compromised LinkedIn accounts are utilized to send messages to users with the aim of compromising their accounts by illicitly procuring their cookies, session data, and browser credentials.
The malware employed in these attacks has been positively identified as a member of the DuckTail family. This malware variant also possesses an automated functionality, enabling it to execute Facebook Business hijacking attacks, thereby providing the attackers with access to the email associated with any potential Facebook Business account owned by the victim.
The observed attacks have targeted professionals belonging to various Italian companies, especially in the technology sector. The attackers have shown a preference for focusing on personnel from the sales and finance departments of the targeted companies.
The campaign is executed through compromised LinkedIn accounts to distribute PDF documents disguised as job offers.
Once the initial contact with the victim has been established, the compromised account proceeds to send a subsequent message. This message includes the attached PDF document that contains the details of the job offer.
In the case under analysis, the fraudulent job posting pertained to a Senior Manager position at Electronic Arts (EA) company.
The PDF document contains two hyperlinks directing recipients to malicious URLs. The first hyperlink leads to the legitimate Electronic Arts recruiting website.
The second one initiates the download of a ZIP archive named Senior_Manager_EA_Sport.zip from the Microsoft OneDrive cloud storage platform:
The ZIP archive comprises three MP4 video files and two identical executables, disguised as Microsoft Word documents by incorporating the Word icon.
The executables employed for the purpose of infection are identical 64-bit PE files, exhibiting a substantial size of 67.3 megabytes and containing the distinctive decryption string AHSDHAS092TEST. Furthermore, the metadata reveals a compilation timestamp of January 24th, 2023 at 05:31:29 UTC.
The file appears to have been compiled with Microsoft Visual Studio, although it contains additional PE headers. Notably, one of these headers belongs to a Microsoft .NET executable protected by the commercial obfuscator SmartAssembly.
The malicious file is, indeed, constructed within the .NET Core framework and compiled utilizing the single-file feature, which consolidates all dependent libraries and files into a unified executable. This utilization of .NET Core and its single-file feature is atypical in the realm of malware and yields a highly elusive form of malicious software. At the moment of composing this report, only six out of seventy (6/70) antivirus engines on VirusTotal have identified the file as malicious, underscoring its ability to evade detection.
Consequently, the "single file" application is essentially a collection of binaries concatenated together, but the actual malicious code can be uncovered by delving into the executable dependencies, from which the malware's primary DLL can be extracted.
The malicious DLL is a 64-bit PE file developed in Microsoft .NET and compiled on September 18th, 2023 at 01:20:39 UTC.
The primary function within the DLL initiates the creation of a mutex named ICollectVASD to guarantee the execution of only one instance of the malware. Subsequently, it proceeds to collect information about the victim, including the system's GUID and the IP address, which are temporarily stored in a file located at the following path:
|RECON FILE PATH|
As a decoy, the malware generates a lure PDF document at the specified path, which is subsequently opened to display the expected job description to the user:
|LURE FILE PATH|
The communication with the Command and Control (C&C) server is executed through a Telegram Bot, utilizing the BOT ID 6263348871. The communication is secured via TLS encryption, with the initial message referred to as a "Start Signal". This Start Signal involves sending an HTTP POST request to the attacker's Telegram Bot, conveying the ChatID and a text message structured by combining the strings "REQ|", the GUID of the compromised system, "READY|" and an associated counter.
The HTTP request is sent to the following URL, using the /sendMessage Telegram API:
|TELEGRAM BOT REQUEST URL|
Subsequent to the initial communication, the malware transfers the acquired data via ZIP archives enclosed within POST messages. These messages are dispatched using the /sendDocument API.
|TELEGRAM BOT EXFILTRATION URL|
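As an added example (not code from the report or from Cluster25), the following detection logic classifies proxied HTTP requests against the C&C pattern described above: POSTs to the Telegram Bot API, a sendMessage whose text matches the "REQ|" + GUID + "READY|" + counter Start Signal, and sendDocument uploads carrying the exfiltrated ZIP archives. It assumes the Start Signal pieces are concatenated in that order with no other separators, uses a constructed tab-separated proxy log with placeholder token secrets, and relies on the fact that a Telegram bot token begins with the numeric bot ID, so the report's bot ID can be matched without knowing the secret.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Bot API path: /bot<id>:<secret>/<method>; the numeric <id> is the bot ID the report cites (6263348871).
BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):[\w-]+/(?P<method>\w+)$")
# Start Signal per the report: "REQ|" + GUID + "READY|" + counter (assumed concatenated in this order, nothing else).
START_SIGNAL_RE = re.compile(r"^REQ\|(?P<guid>[^|]+)READY\|(?P<counter>\d+)$")
KNOWN_BAD_BOT_IDS = {"6263348871"}  # bot ID from the report

def message_text(body):
    """Pull the 'text' parameter out of a JSON or form-encoded POST body."""
    try:
        return str(json.loads(body).get("text", ""))
    except (ValueError, AttributeError):
        return parse_qs(body).get("text", [""])[0]

def classify_request(method, url, body=""):
    """Return a finding dict for one proxied request, or None if it is not Bot API traffic."""
    u = urlparse(url)
    m = BOT_PATH_RE.match(u.path) if u.hostname == "api.telegram.org" else None
    if not m or method.upper() != "POST":
        return None
    finding = {"bot_id": m["bot_id"], "api_method": m["method"], "stage": "bot-api-post",
               "known_bad_bot": m["bot_id"] in KNOWN_BAD_BOT_IDS}
    if m["method"] == "sendMessage":
        s = START_SIGNAL_RE.match(message_text(body))
        if s:  # beacon format matched, even if the bot ID is not on the block list yet
            finding.update(stage="start-signal", guid=s["guid"], counter=int(s["counter"]))
    elif m["method"] == "sendDocument":  # ZIP archives of browser data leave this way
        finding["stage"] = "exfiltration"
    return finding

def scan_log(log):
    """Classify each "METHOD<TAB>URL<TAB>BODY" record and return the findings in order."""
    findings = []
    for line in log.splitlines():
        method, url, body = (line.split("\t", 2) + [""])[:3]
        f = classify_request(method, url, body)
        if f:
            findings.append(f)
    return findings

# Constructed sample proxy log (not real traffic; the token secrets are placeholders).
SAMPLE_LOG = """\
GET\thttps://www.linkedin.com/jobs/\t
POST\thttps://api.telegram.org/bot6263348871:PLACEHOLDER_SECRET/sendMessage\tchat_id=1234&text=REQ%7C1f2e3d4c-aaaa-bbbb-cccc-000000000001READY%7C0
POST\thttps://api.telegram.org/bot6263348871:PLACEHOLDER_SECRET/sendDocument\t--multipart-zip--
POST\thttps://api.telegram.org/bot1111:OTHER_BOT/sendMessage\t{"chat_id": 5, "text": "build finished"}
"""
```

The third finding shows why the Start Signal and sendDocument heuristics matter: Telegram bot traffic from a bot ID not yet on a block list is still flagged as Bot API activity, while only the report's bot ID is marked as known-bad.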
The C&C server details are retrieved from a configuration file stored within the binary's resources, named "profile". This file has a JSON structure with two entities denoted as "k" and "v". The "k" object is a Base64-encoded AES-CBC key, utilized to decrypt the "v" object after decoding it from Base64. The encryption operations are executed using the external package Org.BouncyCastle.Crypto, which is also employed for encrypting the strings employed by the malware.
Upon successful decryption, the outcome is a new JSON file encompassing the parameters for communication with the C&C. This includes the Telegram Bot's Token, the ChatID, and a list of email addresses.
The configuration comprises seven (7) distinct profiles, each featuring unique tokens, chatIDs, and email lists.
The malware retrieves data from the victim's web browsers, which include Microsoft Edge, Google Chrome, Brave Browser, and Mozilla Firefox. The malware conducts scans on the target computer to identify the installed browsers by inspecting the registry keys located under HKLM\SOFTWARE\WOW6432Node\Clients\StartMenuInternet. Subsequently, it proceeds to extract and exfiltrate all the stored cookies, session information, and saved credentials through Telegram, enabling the execution of identity theft attacks.
The malware persists as a background process, routinely issuing requests to the Telegram API and transmitting small increments of data to the attacker.
Additionally, the malware incorporates a Facebook Business hijacking functionality, which is coupled with the email addresses obtained from the configuration. The malware dispatches links to email addresses that are randomly selected from the list, enabling the attacker to potentially gain access to the associated Facebook Business Account.
To do so, the malware first retrieves the victim's Business accounts through the Facebook APIs, using the session information extracted from the victim's browsers. It then shares a link that transfers account access to the attacker's email addresses.
MITRE ATT&CK MATRIX

| Tactic | Technique ID | Technique |
| --- | --- | --- |
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment |
| Initial Access | T1566.002 | Phishing: Spearphishing Link |
| Execution | T1204.002 | User Execution: Malicious File |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Defense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing |
| Defense Evasion | T1564 | Hide Artifacts |
| Credential Access | T1606.001 | Forge Web Credentials: Web Cookies |
| Credential Access | T1539 | Steal Web Session Cookie |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1217 | Browser Information Discovery |
| Collection | T1560 | Archive Collected Data |
| Collection | T1185 | Browser Session Hijacking |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols |
| Exfiltration | T1567 | Exfiltration Over Web Service |
INDICATORS OF COMPROMISE