Blue Hexagon Threat Lab Detects Two Phishing Sites, Including One In Development
Looking more closely at the phishing campaign discovered with the Blue Hexagon Real Time Deep Learning platform, powered by our HexNet architecture, Blue Hexagon Threat Labs identified a host of indicators of compromise, which we include in this second part of the blog.
In an attack on a health insurance company, we learned that a single threat actor, operating behind five distinct identities, was behind the phishing campaign. Each of the five identities was created to mimic a company that does legitimate business with the target organization. These included:
- A pharmaceutical company based in Hong Kong (Fig 1);
- A German pharmaceutical company (Fig 2);
- Two Italian hospitality companies (Figs 3 and 4); and,
- A property management company based in Hong Kong (Fig 5).
Phishing Email Analysis
Emails with subject lines typical of a phishing campaign, appearing to originate from the Chinese pharmaceutical company CSPC Pharmaceutical Group Limited (Figs 6 and 7), were sent from the address firstname.lastname@example.org. Our investigation found that no employee named “Khalid” works for the company. Furthermore, emails sent to that address bounced back (Fig 8), confirming that the address is a fake created by the threat actor.
Figure 6: Phishing email with malicious archive attachment
Figure 7: Phishing email with a malicious document
Figure 8: “email@example.com” is a fake email address abused by the threat actor
We found that the email was sent from the IP address 188.8.131.52, geolocated in New York, which belongs to Ubiquity Hosting, a web hosting subsidiary of LeaseWeb USA, one of the world’s largest web hosting brands.
In each case, the attack vector was a document carrying an exploit that allowed the threat actor to execute code on the victim’s system. Once the victim opened the attachment, the following steps in the kill chain unfolded, leading to infection:
1. Download AgentTesla and HawkEye information-stealer malware:
- The victim’s system downloads several Windows executables hosted on the domain hastilyfing.co.kr (Fig 9).
Figure 9: Website for the domain hastilyfing.co.kr
At the time of this writing, the domain hastilyfing.co.kr resolved to the IP address 184.108.40.206, which is an Amazon IP address. The threat actor capitalized on the reputation of Amazon Web Services (AWS) to host the website, aware that cybersecurity companies would not blacklist an AWS IP address and therefore able to abuse that reputation.
However, .KR is the country code top-level domain (ccTLD) for the Republic of Korea (South Korea), and the WHOIS information (Figs 10 and 11) for the domain shows that it was hosted by a South Korean web hosting provider (https://inames.co.kr/) and registered by Joseph Mullich, whose email address is firstname.lastname@example.org and whose cell number is listed as 1588-5829. The local address, “경기도 성남시 분당구 성남대로925번길 37 한승베네피아 2층,” translates into English as “2F, 37, Seongnam-daero 925 Beon-gil, Bundang-gu, Seongnam-si, Gyeonggi-do, Seoul, KR.”
Figure 10: WHOIS Information for hastilyfing.co.kr in the Korean Language
Figure 11: WHOIS Information for hastilyfing.co.kr in the English Language
The email address email@example.com actually belongs to Joe Mullich (LinkedIn: https://www.linkedin.com/in/joemullich/), an award-winning writer whose work has been published in top business magazines such as Forbes, the Wall Street Journal, and the Harvard Business Review, and for business institutions including HSBC Bank, Morgan Stanley, Ogilvy, Habitat For Humanity, Symantec, Ford Motor Company, FedEx, Cathay Pacific, Children’s Hospital of Los Angeles, Bombardier, and BBDO.
Blue Hexagon Labs notified Joe Mullich about the registration of malicious domains under his name. We are investigating why his identity was abused by the threat actor.
2. Execute AgentTesla and HawkEye to steal sensitive information from the victim’s local software: Both AgentTesla and HawkEye are information stealers, capable of harvesting sensitive information from, among others, the following categories of software:
- Web Browsers: Google Chrome, Mozilla Firefox, Opera, Chromium, Chrome Plus by Maple Studio, Yandex, Orbitum
- Email Clients: Mozilla Thunderbird, Microsoft Outlook, Aerofox Foxmail, IncrediMail, Qualcomm Eudora
- FTP Clients: WinSCP, SmartFTP, Filezilla, WS_FTP by IPSwitch, CoreFTP by FTPWare
- Internet Download Manager
Upon execution, both AgentTesla and HawkEye exfiltrate the stolen information to an attacker-controlled SMTP server.
3. Exfiltrate stolen data to attacker-controlled SMTP servers:
The stolen data was sent as encrypted SMTP messages to mail.privateemail.com, us2.smtp.mailhostbox.com and mail.brightsteelfactory.com on SMTP port 587, over TLS.
- The stolen data was exfiltrated to mail.privateemail.com, us2.smtp.mailhostbox.com and mail.brightsteelfactory.com (Fig 12), SMTP mail servers controlled by the threat actor.
- The domain mail.privateemail.com is a web-based private email hosting service, provided by NameCheap (Fig 13).
- The domain us2.smtp.mailhostbox.com is a web-based private email hosting service, provided by Endurance (Fig 14).
- The domain mail.ushapolytubes.com (Fig 15) is a web-based private email hosting service, provided by Webhostbox (Figs 16 and 17).
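Because the exfiltration above travels inside TLS on the SMTP submission port, content inspection sees nothing; what remains observable is which internal host opened an SMTP connection to which destination. The following Python is an added example for this post, not code from Blue Hexagon or from the malware analysis: it walks constructed connection records, ignores submissions to an assumed corporate relay (the placeholder name smtp.corp.example is not from the page), raises a medium alert for any other SMTP destination, and a high one for the servers named in this write-up. The record layout is an assumption for the example, not any vendor's log format.

```python
"""
Metadata-based detection for SMTP exfiltration over TLS.

Workstations normally submit mail only through the corporate relay, so an
SMTP connection to any other destination is worth an alert, and the servers
named in this write-up get a higher severity.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# SMTP servers named in the exfiltration section of the write-up.
KNOWN_EXFIL_SMTP = {
    "mail.privateemail.com",
    "us2.smtp.mailhostbox.com",
    "mail.brightsteelfactory.com",
    "mail.ushapolytubes.com",
}

# Assumed corporate mail relay (placeholder, not taken from the page).
ALLOWED_SMTP_RELAYS = {"smtp.corp.example"}

# Ports a client uses to submit mail; 587 is the one seen in the campaign.
SMTP_PORTS = {25, 465, 587}


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    severity: str
    reason: str


def parse_conn(line: str) -> Optional[Tuple[str, str, str, int, str]]:
    """Parse one connection record.

    Assumed layout (constructed for this example, not a vendor format):
        <timestamp> <source_ip> <destination_host> <destination_port> <protocol>
    Returns None for lines that do not fit.
    """
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, proto = parts
    try:
        dport = int(port)
    except ValueError:
        return None
    return ts, src, dst.lower(), dport, proto.lower()


def detect_smtp_egress(lines: List[str]) -> List[Alert]:
    """Return an Alert for every SMTP connection that bypasses the corporate relay."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_conn(line)
        if rec is None:
            continue
        ts, src, dst, dport, proto = rec
        if proto != "tcp" or dport not in SMTP_PORTS:
            continue
        if dst in ALLOWED_SMTP_RELAYS:
            continue  # expected mail submission path
        if dst in KNOWN_EXFIL_SMTP:
            alerts.append(Alert(ts, src, dst, dport, "high",
                                "SMTP connection to exfiltration server named in the campaign"))
        else:
            alerts.append(Alert(ts, src, dst, dport, "medium",
                                "SMTP submission from a workstation to a non-corporate relay"))
    return alerts


# Constructed sample records; internal IPs and benign hosts are made up.
SAMPLE_CONN_LOG = [
    "2019-06-29T20:08:49Z 10.0.0.15 smtp.corp.example 587 tcp",
    "2019-06-29T20:09:01Z 10.0.0.15 mail.privateemail.com 587 tcp",
    "2019-06-29T20:09:03Z 10.0.0.22 us2.smtp.mailhostbox.com 587 tcp",
    "2019-06-29T20:09:05Z 10.0.0.22 www.example.org 443 tcp",
    "2019-06-29T20:09:09Z 10.0.0.31 mail.example.net 465 tcp",
    "not a connection record",
]

if __name__ == "__main__":
    for a in detect_smtp_egress(SAMPLE_CONN_LOG):
        print(f"[{a.severity}] {a.ts} {a.src} -> {a.dst}:{a.dport} ({a.reason})")
```

The medium-severity rule is the durable one: the named servers will change between campaigns, but a workstation that talks SMTP to anything other than the corporate relay is anomalous regardless of which stealer is doing it.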
Figure 12: Parent website for the SMTP Server mail.brightsteelfactory.com: http://brightsteelfactory.com (Saudi Arabia)
Figure 13: Email hosting provider for the SMTP Server mail.privateemail.com
Figure 14: Web hosting provider for the SMTP Server us2.smtp.mailhostbox.com: https://www.endurance.com/
Figure 15: Parent website for the SMTP Server mail.ushapolytubes.com: http://ushapolytubes.com/
Figure 16: Email hosting provider for the SMTP Server mail.ushapolytubes.com: http://mail.webhostbox.net/appsuite/
Figure 17: Email hosting provider for the SMTP Server mail.ushapolytubes.com: https://web.archive.org/web/20190629200849/http://www.brightsteelfactory.com/
Although the contact information for brightsteelfactory.com (Fig 18) states that the company is based in Saudi Arabia, the WHOIS information (Fig 19) says otherwise: according to WHOIS, the domain brightsteelfactory.com was registered by one “Sami Pasha” in the Punjab province of Pakistan.
Figure 18: Contact information for the domain brightsteelfactory.com: https://web.archive.org/web/20190629200849/http://www.brightsteelfactory.com/
Figure 19: WHOIS information for the domain brightsteelfactory.com
Finally, we show an analysis of the malware’s data exfiltration based on a network traffic capture in Wireshark (Figs 20 and 21).
Figure 20: Malware data exfiltration via network traffic capture in Wireshark.
Figure 21: Malware data exfiltration via network traffic capture in Wireshark.
Blue Hexagon’s deep learning-based threat protection platform flagged the domain as malicious and monitored it for 48 hours for any additional signs of malicious activity, which revealed the following:
- At any given time the domain hosted only a single malware executable, an information stealer used to infect the victims’ systems;
- Although the domain hosted two directories, named cgi-bin and x, which suggested that it could serve websites, neither was accessible for further investigation during the first 24 hours of activity; and,
- The purpose of these two directories was revealed later, when both became publicly accessible and were found to be hosting two phishing websites. An inventory of the indicators of compromise associated with this campaign and its phishing websites follows:
Fake email address abused by the threat actor:
Spoofed email addresses abused by the threat actor:
Email subject lines:
- “Attached Purchase order”
- “Quotation needed Asap”
Email attachment filenames:
- “Purchase Order.doc”
- “Purchase Order 74802 Port Jo’burg – Copy.doc”
Executive impersonation: the threat actor impersonated the chief financial officer of CSPC Holdings Ltd, a Chinese pharmaceutical company.
- CFO, CSPC Holdings Ltd, +86 4279002 (Chinese pharmaceutical company)
SHA-256 hashes of RTF documents carrying exploits:
Domain which hosted the payloads:
- hastilyfing.co.kr
URLs which hosted payloads:
SHA-256 hashes of malware executables:
SMTP mail servers used for data exfiltration:
- mail.privateemail.com
- us2.smtp.mailhostbox.com
- mail.brightsteelfactory.com
URLs which hosted the phishing sites:
- hxxp://hastilyfing.co.kr/x/ (Rogue Chase Bank Login Page)
- hxxp://hastilyfing.co.kr/x/surf2.php (Rogue Chase Bank Identity Verification Page)
- hxxp://hastilyfing.co.kr/cgi-bin/ (Phishing website under development)
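An inventory like the one above is only useful once it is machine-readable. The Python below is an added example for this post, not code from Blue Hexagon: it encodes the indicators that appear on the page (subject lines, attachment names, the payload domain and the defanged phishing URLs), refangs the hxxp:// notation so that URLs seen in mail compare correctly against the defanged list, and scans a few constructed message records. The message dictionary layout and the sample messages are assumptions for the example.

```python
"""
Match mail metadata against the campaign's indicators of compromise.

Indicators are copied from the write-up's inventory; everything else
(message layout, sample messages) is constructed for this example.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

IOC_PAYLOAD_DOMAINS = {"hastilyfing.co.kr"}
IOC_PHISHING_URLS = {
    "hxxp://hastilyfing.co.kr/x/",
    "hxxp://hastilyfing.co.kr/x/surf2.php",
    "hxxp://hastilyfing.co.kr/cgi-bin/",
}
IOC_SUBJECTS = {"attached purchase order", "quotation needed asap"}
IOC_ATTACHMENTS = {
    "purchase order.doc",
    "purchase order 74802 port jo’burg – copy.doc",
}


def refang(url: str) -> str:
    """Turn the defanged hxxp:// form used in the write-up back into http://."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.IGNORECASE)


def normalize_url(url: str) -> str:
    """Refang, lower-case scheme and host, keep the path for exact comparison."""
    p = urlparse(refang(url))
    host = (p.hostname or "").lower()
    return f"{p.scheme.lower()}://{host}{p.path or '/'}"


# Normalized once so live URLs and defanged indicators compare on equal terms.
_PHISHING_URLS_NORM = {normalize_url(u) for u in IOC_PHISHING_URLS}


def scan_message(msg: Dict) -> List[str]:
    """Return a list of indicator hits for one message record.

    Assumed record layout: {"id": str, "subject": str,
                            "attachments": [str], "urls": [str]}.
    """
    hits: List[str] = []
    subject = msg.get("subject", "").strip().lower()
    if subject in IOC_SUBJECTS:
        hits.append(f"subject:{subject}")
    for name in msg.get("attachments", []):
        if name.strip().lower() in IOC_ATTACHMENTS:
            hits.append(f"attachment:{name}")
    for url in msg.get("urls", []):
        norm = normalize_url(url)
        if norm in _PHISHING_URLS_NORM:
            hits.append(f"phishing_url:{norm}")
        host = urlparse(norm).hostname or ""
        # Match the payload domain and any subdomain of it.
        if any(host == d or host.endswith("." + d) for d in IOC_PAYLOAD_DOMAINS):
            hits.append(f"payload_domain:{host}")
    return hits


def scan_all(messages: List[Dict]) -> Dict[str, List[str]]:
    """Map each message id to its indicator hits."""
    return {m["id"]: scan_message(m) for m in messages}


# Constructed sample messages; m1 and m2 carry campaign indicators, m3 is clean.
SAMPLE_MESSAGES = [
    {"id": "m1", "subject": "Attached Purchase order",
     "attachments": ["Purchase Order.doc"], "urls": []},
    {"id": "m2", "subject": "Re: schedule", "attachments": ["agenda.pdf"],
     "urls": ["http://hastilyfing.co.kr/x/surf2.php"]},
    {"id": "m3", "subject": "Team lunch", "attachments": [],
     "urls": ["https://www.example.com/"]},
]

if __name__ == "__main__":
    for mid, hits in scan_all(SAMPLE_MESSAGES).items():
        print(mid, hits or "clean")
```

Subjects and filenames are compared after trimming and lower-casing because the same lure is commonly re-sent with trivial capitalization changes; the exact strings are kept in the sets so the match stays traceable to the published inventory.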