Beware of Phishing Emails Disguised as Project Proposals

Beware of Phishing Emails Disguised as Project Proposals
ASEC reported phishing emails disguised as project proposals that trick recipients into downloading a compressed attachment containing JavaScript malware. When executed, the script runs PowerShell to decrypt and load SnakeKeylogger in memory, which steals browser data, system information, and keystrokes before sending them via SMTP or Telegram. #SnakeKeylogger #AhnLabSEC

Keypoints

  • ASEC confirmed a phishing campaign using emails disguised as project proposals.
  • The email body urges recipients to download an attached compressed file by pretending to request a proposal and delivery schedule.
  • Inside the archive is JavaScript malware presented as a proposal document.
  • When run, the JavaScript launches PowerShell commands and passes encrypted SnakeKeylogger data for in-memory execution.
  • SnakeKeylogger steals web browser data, system information, and keylogging data from infected systems.
  • The stolen data is exfiltrated externally through SMTP or Telegram using the listed C2 infrastructure.
  • The article also advises verifying senders, checking links and attachments, and avoiding suspicious pages before entering sensitive information.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The attackers send email lures disguised as project proposals and persuade recipients to open a compressed attachment (‘The body of the email pretends to request that the proposal and confirmed delivery schedule be submitted as soon as possible, and prompts the recipient to download the attached compressed file.’).
  • [T1204.002] User Execution: Malicious File – The infection begins when the user downloads and decompresses the attachment and executes the disguised JavaScript file (‘When a user downloads and decompresses the attached compressed file, they will find JS malware disguised as a proposal.’).
  • [T1059.007] Command and Scripting Interpreter: JavaScript – The malicious attachment is JavaScript malware that launches the next stage (‘they will find JS malware disguised as a proposal’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – The JavaScript malware executes PowerShell commands to run the payload (‘The JavaScript malware executes PowerShell commands’).
  • [T1027] Obfuscated Files or Information – The malware uses obfuscated JavaScript and PowerShell to hinder analysis (‘Part of the obfuscated JavaScript malware’ and ‘Part of the obfuscated PowerShell script’).
  • [T1055] Process Injection – The PowerShell script decrypts and executes SnakeKeylogger in memory without writing it to disk (‘decrypts it, and executes it in memory without saving it to disk’).
  • [T1057] Process Discovery – SnakeKeylogger gathers system information from the infected host (‘collects various types of information from the infected system, such as web browser data, system information, and keylogging data’).
  • [T1113] Screen Capture – SnakeKeylogger is described as collecting browser data and keylogging, but no explicit screen capture is mentioned; not included.
  • [T1056.001] Input Capture: Keylogging – SnakeKeylogger collects keylogging data from the infected system (‘keylogging data’).
  • [T1071.001] Application Layer Protocol: Web Protocols – The malware sends stolen data out through email and Telegram channels (‘transmits it externally through SMTP or Telegram’).
  • [T1114.001] Email Collection – The use of SMTP implies email-based exfiltration through a mail server (‘transmits it externally through SMTP’).

Indicators of Compromise

  • [Email addresses] C2/exfiltration infrastructure and recipient targets – nova3@mnt[.]Com, keishstanford5@gmail[.]Com
  • [Domain] Mail server used for SnakeKeylogger C2 – mail.Trimnt[.]Com
  • [File hash] Sample identifier for the attachment/malware – 0cbfcc3573399368a2a9abcfa42af134
  • [File types / attachment names] Suspicious attachment type and masqueraded payload – compressed file, JavaScript (.Js)


Read more: https://asec.ahnlab.com/en/94433/