FortiGuard continues to investigate a series of attacks targeted at Bitcoin users. In our previous article, we discovered a numbers of fake websites registered by the perpetrators of these attacks in late 2017. We assumed at the time that these websites would soon be used for another series of attacks. And now, we have found proof of such attacks. During our new investigation we also discovered a number of tools used by the criminals for malicious documents crafting.
In this article we will take a deeper look into the malicious campaigns launched by these criminals in February 2018, and we will also take a glimpse into their development process and consider possible future attacks.
One of our FortiGuard Labs researchers received in his private email box a number of SPAM emails that drew his attention. When we looked into these emails, we realized that they were connected to one of our old investigations: all the emails were related to bitcoin trading.
The first of the emails looks like an advertisement for Gunbot. Note that the email name shown to a user is different from the actual underlying mailto link – noreply[@]bltcolntalk.org.
Visually, this email appears to contain a number of different hyperlinks. Actually, however, all of them are forwarded to the exact same location - qunthy.org. The malicious domains bltcolntalk.org and qunthy.org and their attack paths were discussed in detail in our previous article.
Hyperlinks from this email are forwarded through the use of a proxy server - mailpaths.org. The domain mailpaths.org was recently registered (2017-10-26) and currently has no web interface. We cannot verify whether this domain is actually owned and controlled by the criminals, or if it is just being misused by them. FortiGuard Labs will continue to monitor this domain.
The second wave of spam campaign brought something new. We registered two different types of such emails, and the examples of these are shown below in Figure 2.
Both emails share the same “reset password” attack style and try to trick a user into clicking on its links. These links direct the user along two different attacks paths, but both paths use new domain bitcointclk.org.
The link from the first email will dispatch a user to an attack path very similar to the one already discussed in our article, so we will describe it here very briefly:
bitcointclk.org/index.php?action=login -> desfichiers.com/?b4ufv8mg9q -> flashplayer28_ka_install.vbs -> github.com.sb/flashplayer.jpeg
github.com.sb/flashplayer.jpeg – is a renamed executable file, which contains packed Orcus Remote Administration Tool for Windows. It behaves almost identically to the samples already discussed, so we will not describe it here.
The links from the second email will leads user to the fake login page (no matter Authorize or Deauthorize link was clicked). The login page looks very similar to the original bitcointalk.org. But, once again, phishing is not the only attack vector here. As in the previous cases, there is malicious banner pops-up.
Clicking on the banner leads to the next redirect chain:
bitcointclk.org -> github.com.sb/Flashplayer28pp_ka_install.exe -> desfichiers.com/?j5xf39acp5
At the time of writing, the last link in the chain had already been removed by desfichiers.com, so we cannot tell what was the final object was in that case.
Both attacks paths use the new domain github.com.sb, which according to our information, was not previously used. This domain was registered under a different email address:
aldoshinanluf94[@]mail.ru. (Remember that previous domains were registered under cobainin[@]yandex.com; see our previous article for details).
For some reason, these criminals prefer to use email addresses registered on Russian mail services. Although the registrant emails are different, we found proof that allowed us to attribute this case to the actors we were already familiar with (in addition to the obvious similarity in the attack patterns).
When we examined Google search results for the domain, we noticed a link to another .DOCM file:
The file AdobeFlashPlayer28pp_ka_install.exe.docm looks like an unfinished decoy document used to lure victims to run embedded VBS macros. Although the embedded message asks a user to enable macros, no macros were found inside this document.
Interestingly, the message text is actually a part of an embedded image (with blurred text and graphics.) This image is not new: we found traces of this image in our Fortinet telemetry system from back in 2016. However, this document has a modification timestamp inside: 2017-12-18T23:07:00Z. (The timestamp on the picture shown below is in the time zone UTC +08:00.)
As a result, we believe that somebody simply reused the old image, but has not yet embedded any macros inside of it. Nevertheless, we believe we have found the way that this will be done in the future.
We checked every known object that contains this document as a sub-object. On 2017-12-25, somebody uploaded a file with name Sourcecode.zip on the Virustotal. Inside this Zip archive were two files: sourcecode.docm (already known to us as AdobeFlashPlayer28pp_ka_install.exe.docm), and a previously unknown file - sourcecode.xlsm.
First, we checked the properties of the newly discovered file. The modification timestamp is: 2017-12-18T23:19:07Z, which is fairly close to the initial DOCM document.
Moreover, the cp:lastModifiedBy file contains the username: Scarfo. At this point, we had little to no doubt left that this file is related to our previous investigation. The name Scarfo was used on two of Bltcointalk.org pages where our investigation originally started (see our previous blogpost for details).
The file itself looks like a “testing polygon” for crafting VBS scripts. It contains VBA Project inside. If a user allows the content to run, then Excel will try to download and execute an object which is hyperlink filled in the cell I2. This cell was filled with a hyperlink to the already known file-sharing hosting site desfichiers.com. However, the object had already been deleted by the time of our inspection.
In the Cell I3 there is a message, which will probably be used to lure victims to enable the embedded macros:
In addition, this document contains some cells filled with meaningless pictures or zeroes. On the next Sheet (Sheet1) there are three cells filled with the same hyperlink to the image found on the domain revryl.com. The hyperlink leads to a normal PNG file, and is not used by any macros. This link was probably used during a previous testing phase.
The FortiGuard Labs team examined domain revryl.com, but we could not find any traces of malicious activity or any possible connection to the criminals. Nevertheless, this website looks strange and had not been updated for more than a year. Therefore, FortiGuard Labs will continue to monitor this domain since it has been abandoned, and yet is vulnerable and potentially compromised by hackers.
In the media directory of the Sourcecode.xlsm we found a group of objects with names starting with “Image”. All of those objects with VBS extensions were variations of the same VBS macros that were used in the previous attacks.
Interestingly, the parts of the objects found in the “media” directory have the wrong extension. For example, image4.png is simply another variant of the same VBS script that we saw earlier.
Moreover, part of the .VBS files were not actually VBS scripts, but HTML pages. One of these in particular drew our attention - image6.vbs
This file is a saved HTML page from the already mentioned file-sharing hosting site desfichiers.com. What is interesting here is the name of the server used for upload: it starts with ru-3.
We conducted an experiment: we tried to connect to desfichiers.com using different IP’s. Ru-3 server is always chosen if we used Russian IP’s for other countries, we usually had server up2(although we must note that on some rare occasions we received ru-3 server for non-Russian IPs).
So we believe it is likely that the criminals behind these malicious documents are using a Russian IP at the moment (although we cannot exclude the possible use of a proxy.)
FortiGuard Labs has now confirmed the discovery of a second wave of attacks targeted at bitcoin users. We also found documents that we believe will be used for future attacks. We also found solid proof that links these attacks to the same group of actors from the first series. Furthermore, the actors in this group are likely to be using email boxes on Russian mail services, and also possibly using Russian IPs (at least in one case).
FortiGuard will continue to monitor the activity of this group and analyze the situation with specified suspicion domains.
The author wants to thanks Evgeny Ananin for providing the email samples used in this blog.
-= FortiGuard Lion Team =-
36c0edccd4d28be9ecf7cfd225dee2bb05c9cbe7a36f021404b8fb73da885572 - VBS/Agent.NYT!tr.dldr
4b6b18067b7e5de5688e8b3d66308fdf9751ecdcb067f16343a0cf563d68c464 - VBS/Agent.NYT!tr.dldr
66029723f3c3430e9f68c1af829e75dc97638aab4a67d20aa1e458121feb66ba - VBS/Agent.NYT!tr.dldr
8f2a34f1f2be2beebe957ba8702915ef9065a74d755abea9097d33d10791e4ab - VBS/Agent.NYT!tr.dldr
b3f3f2b9e7239b773a588161f4bac8ac34754cda56b68b6236b1346804b4968a - VBA/Agent.QEXK!tr.dldr
c0547082272b94a2f28c0c681188edac865631bff6eabc3ff3e5845f9d4eb51d - MSIL/Orcus.KAD!tr
e0d0c28ef46088813289a7b483c15b0cc5dde130cb377eb9ebbcf44b82175475 - VBS/Agent.NYT!tr.dldr
d1f5d611c83d381c9430d5a8b0eb9058702defdf5f0da10bb4f35598177bc50c – AdobeFlashPlayer28pp_ka_install.exe.docm (non malicious)