Credential theft News and Insights | Microsoft Security Blog http://approjects.co.za/?big=en-us/security/blog/tag/credential-theft/ Expert coverage of cybersecurity topics Thu, 03 Apr 2025 15:54:48 +0000 en-US hourly 1 https://wordpress.org/?v=6.7.2 Threat actors leverage tax season to deploy tax-themed phishing campaigns http://approjects.co.za/?big=en-us/security/blog/2025/04/03/threat-actors-leverage-tax-season-to-deploy-tax-themed-phishing-campaigns/ Thu, 03 Apr 2025 16:00:00 +0000 As Tax Day approaches in the United States on April 15, Microsoft has detected several tax-themed phishing campaigns employing various tactics. These campaigns use malicious hyperlinks and attachments to deliver credential phishing and malware including RaccoonO365, AHKBot, Latrodectus, BruteRatel C4 (BRc4), and Remcos.

The post Threat actors leverage tax season to deploy tax-themed phishing campaigns appeared first on Microsoft Security Blog.

]]>
As Tax Day approaches in the United States on April 15, Microsoft has observed several phishing campaigns using tax-related themes for social engineering to steal credentials and deploy malware. These campaigns notably use redirection methods such as URL shorteners and QR codes contained in malicious attachments and abuse legitimate services like file-hosting services and business profile pages to avoid detection. These campaigns lead to phishing pages delivered via the RaccoonO365 phishing-as-a-service (PhaaS) platform, remote access trojans (RATs) like Remcos, and other malware like Latrodectus, BruteRatel C4 (BRc4), AHKBot, and GuLoader.

Every year, threat actors use various social engineering techniques during tax season to steal personal and financial information, which can result in identity theft and monetary loss. These threat actors craft campaigns that mislead taxpayers into revealing sensitive information, making payments to fake services, or installing malicious payloads. Although these are well-known, longstanding techniques, they could still be highly effective if users and organizations don’t use advanced anti-phishing solutions and conduct user awareness and training. 

In this blog, we share details on the different campaigns observed by Microsoft in the past several months leveraging the tax season for social engineering. This also includes additional recommendations to help users and organizations defend against tax-centric threats. Microsoft Defender for Office 365 blocks and identifies the malicious emails and attachments used in the observed campaigns. Microsoft Defender for Endpoint also detects and blocks a variety of threats and malicious activities related but not limited to the tax threat landscape. Additionally, the United States Internal Revenue Service (IRS) does not initiate contact with taxpayers by email, text messages or social media to request personal or financial information.

BruteRatel C4 and Latrodectus delivered in tax and IRS-themed phishing emails

On February 6, 2025, Microsoft observed a phishing campaign that involved several thousand emails targeting the United States. The campaign used tax-themed emails that attempted to deliver the red-teaming tool BRc4 and Latrodectus malware. Microsoft attributes this campaign to Storm-0249, an access broker active since 2021 and known for distributing, at minimum, BazaLoader, IcedID, Bumblebee, and Emotet malware. The following lists the details of the phishing emails used in the campaign:

Example email subjects:

  • Notice: IRS Has Flagged Issues with Your Tax Filing
  • Unusual Activity Detected in Your IRS Filing
  • Important Action Required: IRS Audit

Example PDF attachment names:

  • lrs_Verification_Form_1773.pdf
  • lrs_Verification_Form_2182.pdf
  • lrs_Verification_Form_222.pdf

The emails contained a PDF attachment with an embedded DoubleClick URL that redirected users to a Rebrandly URL shortening link. That link in turn redirected the browser to a landing site that displayed a fake DocuSign page hosted on a domain masquerading as DocuSign. When users clicked the Download button on the landing page, the outcome depended on whether their system and IP address were allowed to access the next stage based on filtering rules set up by the threat actor:

  • If access was permitted, the user received a JavaScript file from Firebase, a platform sometimes misused by cybercriminals to host malware. If executed, this JavaScript file downloaded a Microsoft Software Installer (MSI) containing BRc4 malware, which then installed Latrodectus, a malicious tool used for further attacks.
  • If access was restricted, the user received a benign PDF file from royalegroupnyc[.]com. This served as a decoy to evade detection by security systems.
Screenshot of a sample phishing email claiming to be from the IRS
Figure 1. Sample phishing email that claims to be from the IRS
Screenshot of a fake DocuSign page that leads to a malicious PDF file.
Figure 2. PDF attachment masquerading as a DocuSign document

Latrodectus is a loader primarily used for initial access and payload delivery. It features dynamic command-and-control (C2) configurations, anti-analysis features such as minimum process count and network adapter check, C2 check-in behavior that splits POST data between the Cookie header and POST data. Latrodectus 1.9, the malware’s latest evolution first observed in February 2025, reintroduced scheduled tasks for persistence and added the ability to run Windows commands via the command prompt.

BRc4 is an advanced adversary simulation and red-teaming framework designed to bypass modern security defenses, but it has also been exploited by threat actors for post-exploitation activities and C2 operations.

Between February 12 and 28, 2025, tax-themed phishing emails were sent to over 2,300 organizations, mostly in the United States in the engineering, IT, and consulting sectors. The emails had an empty body but contained a PDF attachment with a QR code and subjects indicating that the documents needed to be signed by the recipient. The QR code pointed to a hyperlink associated with a RaccoonO365 domain: shareddocumentso365cloudauthstorage[.]com. The URL included the recipient email as a query string parameter, so the PDF attachments were all unique. RaccoonO365 is a PhaaS platform that provides phishing kits that mimic Microsoft 365 sign-in pages to steal credentials. The URL was likely a phishing page used to collect the targeted user’s credentials.

The emails were sent with a variety of display names, which are the names that recipients see in their inboxes, to make the emails appear as if they came from an official source. The following display names were observed in these campaigns:

  • EMPLOYEE TAX REFUND REPORT
  • Project Funding Request Budget Allocation
  • Insurance Payment Schedule Invoice Processing
  • Client Contract Negotiation Service Agreement
  • Adjustment Review Employee Compensation
  • Tax Strategy Update Campaign Goals
  • Team Bonus Distribution Performance Review
  • proposal request
  • HR|Employee Handbooks
Screenshot of a PDF file that features a QR code purporting to lead to a file named Q1 Tax Refundreport.pdf
Figure 3. Screenshot of the opened PDF with the QR code

AHKBot delivered in IRS-themed phishing emails

On February 13, 2025, Microsoft observed a campaign using an IRS-themed email that targeted users in the United States. The email’s subject was IRS Refund Eligibility Notification and the sender was jessicalee@eboxsystems[.]com.

The email contained a hyperlink that directed users to download a malicious Excel file. The link (hxxps://business.google[.]com/website_shared/launch_bw[.]html?f=hxxps://historyofpia[.]com/Tax_Refund_Eligibility_Document[.]xlsm) abused an open redirector on what appeared to be a legitimate Google Business page. It redirected users to historyofpia[.]com, which was likely compromised to host the malicious Excel file. If the user opened the Excel file, they were prompted to enable macros, and if the user enabled macros, a malicious MSI file was downloaded and run.

The MSI file contained two files. The first file, AutoNotify.exe, is a legitimate copy of the executable used to run AutoHotKey script files. The second file, AutoNotify.ahk, is an AHKBot Looper script which is a simple infinite loop that receives and runs additional AutoHotKey scripts. The AHKBot Looper was in turn observed downloading the Screenshotter module, which includes code to capture screenshots from the compromised device. Both Looper and Screenshotter used the C2 IP address 181.49.105[.]59 to receive commands and upload screenshots.

Screenshot of an email claiming to be from the IRS. The email contains a link to a malicious Excel file.
Figure 4. Screenshot of the email showing the link to download a malicious Excel file
Screenshot of macro code that installs a malicious MSI file
Figure 5. Macro code to install the malicious MSI file from hxxps://acusense[.]ae/umbrella/

GuLoader and Remcos delivered in tax-themed phishing emails

On March 3, 2025, Microsoft observed a tax-themed phishing campaign targeting CPAs and accountants in the United States, attempting to deliver GuLoader and Remcos malware. The campaign, which consisted of less than 100 emails, began with a benign rapport-building email from a fake persona asking for tax filing services due to negligence by a previous CPA. If the recipient replied, they would then receive a second email with the malicious PDF. This technique increases the click rates on the malicious payloads due to the established rapport between attacker and recipient.

The malicious PDF attachment contained an embedded URL. If the attachment was opened and the URL clicked, a ZIP file was downloaded from Dropbox. The ZIP file contained various .lnk files set up to mimic tax documents. If launched by the user, the .lnk file uses PowerShell to download a PDF and a .bat file. The .bat file in turn downloaded the GuLoader executable, which then installed Remcos.

Screenshot of a phishing email wherein the sender requests for tax filing services from the target.
Figure 6. Sample phishing email shows the original benign request for tax filing services, followed by another email containing a malicious PDF attachment if the target replies.
A close up of a web page
Figure 7. The PDF attachment contains a prominent blue “Download” button that links to download of the malicious payload. The button is overlaid over a blurred background mimicking a “W-2” tax form, which further contributes to the illusion of the attachment being a legitimate tax file.

GuLoader is a highly evasive malware downloader that leverages encrypted shellcode, process injection, and cloud-based hosting services to deliver various payloads, including RATs and infostealers. It employs multiple anti-analysis techniques, such as sandbox detection and API obfuscation, to bypass security defenses and ensure successful payload execution.

Remcos is a RAT that provides attackers with full control over compromised systems through keylogging, screen capturing, and process manipulation while employing stealth techniques to evade detection.

Mitigation and protection guidance

Microsoft recommends the following mitigations to reduce the impact of this threat.

  • Educate users about protecting personal and business information in social media, filtering unsolicited communication, identifying lure links in phishing emails, and reporting reconnaissance attempts and other suspicious activity.
  • Turn on Zero-hour auto purge (ZAP) in Defender for Office 365 to quarantine sent mail in response to newly-acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
  • Pilot and deploy phishing-resistant authentication methods for users.
  • Enforce multifactor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly require MFA from all devices in all locations at all times.
  • Implement Entra ID Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
  • Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites including phishing sites, scam sites, and sites that contain exploits and host malware.
  • Educate users about using the browser URL navigator to validate that upon clicking a link in search results they have arrived at an expected legitimate domain.
  • Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  • Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow and time-of-click verification of URLs and links in email messages, other Microsoft Office applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
  • Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
  • Enable investigation and remediation in full automated mode to allow Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
  • Run endpoint detection and response (EDR) in block mode, so that Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components used in the campaigns shared in this blog as the following:

Microsoft Defender for Endpoint

The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

  • Possible Latrodectus activity
  • Brute Ratel toolkit related behavior
  • A file or network connection related to ransomware-linked actor Storm-0249 detected
  • Suspicious phishing activity detected

Microsoft Defender for Office 365

Microsoft Defender for Office 365 offers enhanced solutions for blocking and identifying malicious emails. These alerts, however, can be triggered by unrelated threat activity.

  • A potentially malicious URL click was detected 
  • Email messages containing malicious URL removed after delivery
  • Email messages removed after delivery
  • A user clicked through to a potentially malicious URL
  • Suspicious email sending patterns detected
  • Email reported by user as malware or phish

Defender for Office 365 also detects the malicious PDF attachments used in the phishing campaign launched by Storm-0249.

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

  • Incident investigation
  • Microsoft User analysis
  • Threat actor profile
  • Threat Intelligence 360 report based on MDTI article
  • Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Hunting queries

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Furthermore, listed below are some sample queries utilizing Sentinel ASIM Functions for threat hunting across both Microsoft first-party and third-party data sources.

Hunt normalized Network Session events using the ASIM unifying parser _Im_NetworkSession for IOCs:

let lookback = 7d;
let ioc_ip_addr = dynamic(["181.49.105.59 "]); 
_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) 
| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor

Hunt normalized File events using the ASIM unifying parser imFileEvent for IOCs:

let ioc_sha_hashes=dynamic(["fe0b2e0fe7ce26ae398fe6c36dae551cb635696c927761738f040b581e4ed422","bb3b6262a288610df46f785c57d7f1fa0ebc75178c625eaabf087c7ec3fccb6a","9728b7c73ef25566cba2599cb86d87c360db7cafec003616f09ef70962f0f6fc",
"3c482415979debc041d7e4c41a8f1a35ca0850b9e392fecbdef3d3bc0ac69960","165896fb5761596c6f6d80323e4b5804e4ad448370ceaf9b525db30b2452f7f5","a31ea11c98a398f4709d52e202f3f2d1698569b7b6878572fc891b8de56e1ff7",
"a1b4db93eb72a520878ad338d66313fbaeab3634000fb7c69b1c34c9f3e17727","0b22a0d84afb8bc4426ac3882a5ecd2e93818a2ea62d4d5cbae36d942552a36a","4d5839d70f16e8f4f7980d0ae1758bb5a88b061fd723ea4bf32b4b474c222bec","9bffe9add38808b3f6021e6d07084a06300347dd5d4b7e159d97e949735cff1e"]);  
imFileEvent
  | where SrcFileSHA256 in (ioc_sha_hashes) or TargetFileSHA256 in (ioc_sha_hashes)
  | extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
  | extend AlgorithmType = "SHA256"

 Hunt normalized Web Session events using the ASIM unifying parser _Im_WebSession for IOCs:

let lookback = 7d;
let ioc_domains = dynamic(["slgndocline.onlxtg.com ", "cronoze.com ", "muuxxu.com ", "proliforetka.com ", "porelinofigoventa.com ", "shareddocumentso365cloudauthstorage.com", "newsbloger1.duckdns.org"]);
  _Im_WebSession (starttime=ago(lookback), eventresult='Success', url_has_any=ioc_domains)
 | summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor  

In addition to the above, Sentinel users can also leverage the following queries, which may be relevant to the content of this blog.

Indicators of compromise

BruteRatel C4 and Lactrodectus infection chain

IndicatorTypeDescription
9bffe9add38808b3f6021e6d07084a06300347dd5d4b7e159d97e949735cff1eSHA-256lrs_Verification_Form_1730.pdf
0b22a0d84afb8bc4426ac3882a5ecd2e93818a2ea62d4d5cbae36d942552a36aSHA-256Irs_verif_form_2025_214859.js
4d5839d70f16e8f4f7980d0ae1758bb5a88b061fd723ea4bf32b4b474c222becSHA-256bars.msi
a1b4db93eb72a520878ad338d66313fbaeab3634000fb7c69b1c34c9f3e17727SHA-256BRc4, filename: nvidiamast.dll
hxxp://rebrand[.]ly/243eaaDomain nameURL shortener to load fake DocuSign page
slgndocline.onlxtg[.]comDomain nameDomain used to host fake DocuSign page
cronoze[.]comDomain nameBRc4 C2
muuxxu[.]comDomain nameBRc4 C2
proliforetka[.]comDomain nameLatrodectus C2
porelinofigoventa[.]comDomain nameLatrodectus C2
hxxp://slgndocline.onlxtg[.]com/87300038978/URLFake DocuSign URL
hxxps://rosenbaum[.]live/bars.phpURLJavaScript downloading MSI

RaccoonO365

IndicatorTypeDescription
shareddocumentso365cloudauthstorage[.]comDomain nameRaccoonO365 domain

AHKBot

IndicatorTypeDescription
a31ea11c98a398f4709d52e202f3f2d1698569b7b6878572fc891b8de56e1ff7SHA-256Tax_Refund_Eligibility_Document.xlsm
165896fb5761596c6f6d80323e4b5804e4ad448370ceaf9b525db30b2452f7f5SHA-256umbrella.msi
3c482415979debc041d7e4c41a8f1a35ca0850b9e392fecbdef3d3bc0ac69960SHA-256AutoNotify.ahk
9728b7c73ef25566cba2599cb86d87c360db7cafec003616f09ef70962f0f6fcSHA-256AHKBot Screenshotter module
hxxps://business.google[.]com/website_shared/launch_bw.html?f=hxxps://historyofpia[.]com/Tax_Refund_Eligibility_Document.xlsmURLURL redirecting to URL hosting malicious Excel file
hxxps://historyofpia[.]com/Tax_Refund_Eligibility_Document.xlsmURLURL hosting malicious Excel file
hxxps://acusense[.]ae/umbrella/URLURL in macro that hosted the malicious MSI file
181.49.105[.]59IP addressAHKBot C2

Remcos

IndicatorTypeDescription
bb3b6262a288610df46f785c57d7f1fa0ebc75178c625eaabf087c7ec3fccb6aSHA-2562024 Tax Document_Copy (1).pdf
fe0b2e0fe7ce26ae398fe6c36dae551cb635696c927761738f040b581e4ed422SHA-2562024 Tax Document.zip
hxxps://www.dropbox[.]com/scl/fi/ox2fv884k4mhzv05lf4g1/2024-Tax-Document.zip?rlkey=fjtynsx5c5ow59l4zc1nsslfi&st=gvfamzw3&dl=1URLURL in PDF
newsbloger1.duckdns[.]orgDomain nameRemcos C2

References

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Threat actors leverage tax season to deploy tax-themed phishing campaigns appeared first on Microsoft Security Blog.

]]>
Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware http://approjects.co.za/?big=en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware/ Thu, 13 Mar 2025 15:00:00 +0000 Starting in December 2024, leading up to some of the busiest travel days, Microsoft Threat Intelligence identified a phishing campaign that impersonates online travel agency Booking.com and targets organizations in the hospitality industry. The campaign uses a social engineering technique called ClickFix to deliver multiple credential-stealing malware in order to conduct financial fraud and theft. […]

The post Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware appeared first on Microsoft Security Blog.

]]>
Starting in December 2024, leading up to some of the busiest travel days, Microsoft Threat Intelligence identified a phishing campaign that impersonates online travel agency Booking.com and targets organizations in the hospitality industry. The campaign uses a social engineering technique called ClickFix to deliver multiple credential-stealing malware in order to conduct financial fraud and theft. As of February 2025, this campaign is ongoing.

This phishing attack specifically targets individuals in hospitality organizations in North America, Oceania, South and Southeast Asia, and Northern, Southern, Eastern, and Western Europe, that are most likely to work with Booking.com, sending fake emails purporting to be coming from the agency.

In the ClickFix technique, a threat actor attempts to take advantage of human problem-solving tendencies by displaying fake error messages or prompts that instruct target users to fix issues by copying, pasting, and launching commands that eventually result in the download of malware. This need for user interaction could allow an attack to slip through conventional and automated security features. In the case of this phishing campaign, the user is prompted to use a keyboard shortcut to open a Windows Run window, then paste and launch a command that the phishing page adds to the clipboard.

Microsoft tracks this campaign as Storm-1865, a cluster of activity related to phishing campaigns leading to payment data theft and fraudulent charges. Organizations can reduce the impact of phishing attacks by educating users on recognizing such scams. This blog includes additional recommendations to help users and defenders defend against these threats.

Phishing campaign using the ClickFix social engineering technique

In this campaign, Storm-1865 identifies target organizations in the hospitality sector and targets individuals at those organizations likely to work with Booking.com. Storm-1865 then sends a malicious email impersonating Booking.com to the targeted individual. The content of the email varies greatly, referencing negative guest reviews, requests from prospective guests, online promotion opportunities, account verification, and more.

A screenshot of a email
Figure 1. A sample phishing email, purporting to be from a prospective guest.
A screenshot of a contact us
Figure 2. Another sample phishing email, purportedly requiring the recipient to address negative feedback about a hotel.
A screenshot of a security alert
Figure 3. Another sample phishing email, purportedly requiring the recipient to verify their Booking.com account.

The email includes a link, or a PDF attachment containing one, claiming to take recipients to Booking.com. Clicking the link leads to a webpage that displays a fake CAPTCHA overlayed on a subtly visible background designed to mimic a legitimate Booking.com page. This webpage gives the illusion that Booking.com uses additional verification checks, which might give the targeted user a false sense of security and therefore increase their chances of getting compromised.

The fake CAPTCHA is where the webpage employs the ClickFix social engineering technique to download the malicious payload. This technique instructs the user to use a keyboard shortcut to open a Windows Run window, then paste and launch a command that the webpage adds to the clipboard:

A screenshot of a computer
Figure 4. A screenshot of the fake Booking.com webpage, with the fake CAPTCHA overlay outlining the ClickFix process.

The command downloads and launches malicious code through mshta.exe:

A black letter on a white background
Figure 5. An example of the mshta.exe command that the targeted user launches.

This campaign delivers multiple families of commodity malware, including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT. Depending on the specific payload, the specific code launched through mshta.exe varies. Some samples have downloaded PowerShell, JavaScript, and portable executable (PE) content.

All these payloads include capabilities to steal financial data and credentials for fraudulent use, which is a hallmark of Storm-1865 activity. In 2023, Storm-1865 targeted hotel guests using Booking.com with similar social engineering techniques and malware. In 2024, Storm-1865 targeted buyers using e-commerce platforms with phishing messages leading to fraudulent payment webpages. The addition of ClickFix to this threat actor’s tactics, techniques, and procedures (TTPs) shows how Storm-1865 is evolving its attack chains to try to slip through conventional security measures against phishing and malware.

A diagram of a computer program
Figure 6. Diagram illustrating the stages of the infection process in this campaign.

Attribution

The threat actor that Microsoft tracks as Storm-1865 encapsulates a cluster of activity conducting phishing campaigns, leading to payment data theft and fraudulent charges. These campaigns have been ongoing with increased volume since at least early 2023 and involve messages sent through vendor platforms, such as online travel agencies and e-commerce platforms, and email services, such as Gmail or iCloud Mail.

Recommendations

Users can follow the recommendations below to spot phishing activity. Organizations can reduce the impact of phishing attacks by educating users on recognizing these scams.

Check the sender’s email address to ensure it’s legitimate. Assess whether the sender is categorized as first-time, infrequent, or marked as “[External]” by your email provider. Hover over the address to ensure that the full address is legitimate. Keep in mind that legitimate organizations do not send unsolicited email messages or make unsolicited phone calls to request personal or financial information. Always navigate to those organizations directly to sign into your account.

Contact the service provider directly. If you receive a suspicious email or message, contact the service provider directly using official contact forms listed on the official website.

Be wary of urgent calls to action or threats. Remain cautious of email notifications that call to click, call, or open an attachment immediately. Phishing attacks and scams often create a false sense of urgency to trick targets into acting without first scrutinizing the message’s legitimacy.

Hover over links to observe the full URL. Sometimes, malicious links are embedded into an email to trick the recipient. Simply clicking the link could let a threat actor download malware onto your device. Before clicking a link, ensure the full URL is legitimate. For best practice, rather than following a link from an email, search for the company website directly in your browser and navigate from there.

Search for typos. Phishing emails often contain typos, including within the body of the email, indicating that the sender is not a legitimate, professional source, or within the email domain or URL, as mentioned previously. Companies rarely send out messages without proofreading content, so multiple spelling and grammar mistakes can signal a scam message. In addition, check for very subtle misspellings of legitimate domains, a technique known as typosquatting. For example, you might see micros0ft[.]com, where the second o has been replaced by 0, or rnicrosoft[.]com, where the m has been replaced by r and n.

Microsoft recommends the following mitigations to reduce the impact of this threat.

  • Pilot and deploy phishing-resistant authentication methods for users.
  • Enforce multi-factor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly require MFA from all devices in all locations at all times.
  • Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Microsoft 365 applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links used in phishing and other attacks.
  • Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
  • Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attack tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
  • Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  • Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
  • Enable Zero-hour auto purge (ZAP) in Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.

Microsoft Defender XDR customers can turn on attack surface reduction rules to prevent common attack techniques:

Detection details

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

Microsoft Defender for Endpoint

The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity:

  • Suspicious command in RunMRU registry
  • Suspicious PowerShell command line
  • Use of living-off-the-land binary to run malicious code
  • Possible theft of passwords and other sensitive web browser information
  • Suspicious DPAPI Activity
  • Suspicious mshta process launched
  • Suspicious phishing activity detected

Microsoft Defender for Office 365

Microsoft Defender for Office 365 detects malicious activity associated with this threat through the following alerts:

  • This URL has known registrant pattern for malicious activity.
  • This URL impersonates booking.com
  • This PDF has generic phishing traits.
  • This URL has generic phishing traits.

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

  • Incident investigation
  • Microsoft User analysis
  • Threat actor profile
  • Threat Intelligence 360 report based on MDTI article
  • Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Network connections to known C2 infrastructure related to this activity

Look for network connections with known C2 infrastructure.

let c2Servers = dynamic(['92.255.57.155','147.45.44.131','176.113.115.170','31.177.110.99','185.7.214.54','176.113.115.225','87.121.221.124','185.149.146.164']);
DeviceNetworkEvents
| where RemoteIP has_any(c2Servers)
| project Timestamp, DeviceId, DeviceName, LocalIP, RemoteIP, InitiatingProcessFileName, InitiatingProcessCommandLine

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Below are the queries using Sentinel Advanced Security Information Model (ASIM) functions to hunt threats across both Microsoft first-party and third-party data sources. ASIM also supports deploying parsers to specific workspaces from GitHub, using an ARM template or manually.

Hunt normalized Network Session events using the ASIM unifying parser _Im_NetworkSession for IOCs:

let lookback = 30d;
let ioc_ip_addr = dynamic(['92.255.57.155','147.45.44.131','176.113.115.170','31.177.110.99','185.7.214.54','176.113.115.225','87.121.221.124','185.149.146.164']); 
_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)
| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor

Hunt normalized Web Session events using the ASIM unifying parser _Im_WebSession for IOCs:

let lookback = 30d;
let ioc_ip_addr = dynamic(['92.255.57.155','147.45.44.131','176.113.115.170','31.177.110.99','185.7.214.54','176.113.115.225','87.121.221.124','185.149.146.164']); 
_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr has_any (ioc_ip_addr)
 | summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor

Hunt normalized File events using the ASIM unifying parser imFileEvent for IOCs:

let ioc_sha_hashes =dynamic(["01ec22c3394eb1661255d2cc646db70a66934c979c2c2d03df10127595dc76a6"," f87600e4df299d51337d0751bcf9f07966282be0a43bfa3fd237bf50471a981e ","0c96efbde64693bde72f18e1f87d2e2572a334e222584a1948df82e7dcfe241d"]);  imFileEvent
  | where SrcFileSHA256 in (ioc_sha_hashes) or TargetFileSHA256 in (ioc_sha_hashes)
  | extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
  | extend AlgorithmType = "SHA256"

Indicators of compromise

IndicatorTypeDescription
92.255.57[.]155IP addressC2 server delivering XWorm
147.45.44[.]131IP addressC2 server delivering Danabot
176.113.115[.]170IP addressC2 server delivering LummaStealer
31.177.110[.]99IP addressC2 server delivering Danabot
185.7.214[.]54IP addressC2 server delivering XWorm
176.113.115[.]225IP addressC2 server delivering LummaStealer
87.121.221[.]124IP addressC2 server delivering Danabot
185.149.146[.]164IP addressC2 server delivering AsyncRAT
01ec22c3394eb1661255d2cc646db70a66934c979c2c2d03df10127595dc76a6  File hash (SHA-256)Danabot malware
f87600e4df299d51337d0751bcf9f07966282be0a43bfa3fd237bf50471a981eFile hash (SHA-256)Danabot malware
0c96efbde64693bde72f18e1f87d2e2572a334e222584a1948df82e7dcfe241d  File hash (SHA-256)Danabot malware

References

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware appeared first on Microsoft Security Blog.

]]>
Malvertising campaign leads to info stealers hosted on GitHub http://approjects.co.za/?big=en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/ Thu, 06 Mar 2025 17:00:00 +0000 Microsoft detected a large-scale malvertising campaign in early December 2024 that impacted nearly one million devices globally. The attack originated from illegal streaming websites embedded with malvertising redirectors and ultimately redirected users to GitHub to deliver initial access payloads as the start of a modular and multi-stage attack chain.

The post Malvertising campaign leads to info stealers hosted on GitHub appeared first on Microsoft Security Blog.

]]>
In early December 2024, Microsoft Threat Intelligence detected a large-scale malvertising campaign that impacted nearly one million devices globally in an opportunistic attack to steal information. The attack originated from illegal streaming websites embedded with malvertising redirectors, leading to an intermediary website where the user was then redirected to GitHub and two other platforms. The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.

Learn more about this malvertising campaign's multi-stage attack chain

Listen to the Microsoft Threat Intelligence podcast

GitHub was the primary platform used in the delivery of the initial access payloads and is referenced throughout this blog post; however, Microsoft Threat Intelligence also observed one payload hosted on Discord and another hosted on Dropbox.

The GitHub repositories, which were taken down, stored malware used to deploy additional malicious files and scripts. Once the initial malware from GitHub gained a foothold on the device, the additional files deployed had a modular and multi-stage approach to payload delivery, execution, and persistence. The files were used to collect system information and to set up further malware and scripts to exfiltrate documents and data from the compromised host. This activity is tracked under the umbrella name Storm-0408 that we use to track numerous threat actors associated with remote access or information-stealing malware and who use phishing, search engine optimization (SEO), or malvertising campaigns to distribute malicious payloads.

In this blog, we provide our analysis of this large-scale malvertising campaign, detailing our findings regarding the redirection chain and various payloads used across the multi-stage attack chain. We further provide recommendations for mitigating the impact of this threat, detection details, indicators of compromise (IOCs), and hunting guidance to locate related activity. By sharing this research, we aim to raise awareness about the tactics, techniques, and procedures (TTPs) used in this widespread activity so organizations can better prepare and implement effective mitigation strategies to protect their systems and data.

We would like to thank the GitHub security team for their prompt response and collaboration in taking down the malicious repositories.

GitHub activity and redirection chain

Since at least early December 2024, multiple hosts downloaded first-stage payloads from malicious GitHub repositories. The users were redirected to GitHub through a series of other redirections. Analysis of the redirector chain determined the attack likely originated from illegal streaming websites where users can watch pirated videos. The streaming websites embedded malvertising redirectors within movie frames to generate pay-per-view or pay-per-click revenue from malvertising platforms. These redirectors subsequently routed traffic through one or two additional malicious redirectors, ultimately leading to another website, such as a malware or tech support scam website, which then redirected to GitHub.

Multiple stages of malware were deployed in this campaign, as listed below, and the several different stages of activity that occurred depended on the payload dropped during the second stage.

  • The first-stage payload that was hosted on GitHub served as the dropper for the next stage of payloads.
  • The second-stage files were used to conduct system discovery and to exfiltrate system information that was Base64-encoded into the URL and sent over HTTP to an IP address. The information collected included data on memory size, graphic details, screen resolution, operating system (OS), and user paths.
  • Various third-stage payloads were deployed depending on the second-stage payload. In general, the third-stage payload conducted additional malicious activities such as command and control (C2) to download additional files and to exfiltrate data, as well as defense evasion techniques.

The full redirect chain was composed of four to five layers. Microsoft researchers determined malvertising redirectors were contained within an iframe on illegal streaming websites.

A screenshot of code from a streaming video website and iframe showing the malvertising redirector URL
Figure 1. Code from website of streaming video and iframe showing malvertising redirector URL

There were several redirections that occurred before arriving at the malicious content stored on GitHub.

A diagram of the redirection chain first depicting the illegal streaming website with iframe followed by the malicious redirector and counter, which redirects to the malvertising distributor, which finally lands on the malicious content hosted on GitHub.
Figure 2. Redirection chain from pirate streaming website to malware files on GitHub

Attack chain

Once the redirection to GitHub occurred, the malware hosted on GitHub established the initial foothold on the user’s device and functioned as a dropper for additional payload stages and running malicious code. The additional payloads included information stealers to collect system and browser information on the compromised device, of which most were either Lumma stealer or an updated version of Doenerium. Depending on the initial payload, the deployment of NetSupport, a remote monitoring and management (RMM) software, was also often deployed alongside the infostealer. Besides the information stealers, PowerShell, JavaScript, VBScript, and AutoIT scripts were run on the host. The threat actors incorporated use of living-off-the-land binaries and scripts (LOLBAS) like PowerShell.exe, MSBuild.exe, and RegAsm.exe for C2 and data exfiltration of user data and browser credentials.

After the initial foothold was gained, the activity led to a modular and multi-stage approach to payload delivery, execution, and persistence. Each stage dropped another payload with a different function, as outlined below. Actions conducted across these stages include system discovery (memory, GPU, OS, signed-in users, and others), opening browser credential files, Data Protection API (DPAPI) crypt data calls, and other functions such as obfuscated script execution and named pipe creations to conduct data exfiltration. Persistence was achieved through modification of the registry run keys and the addition of a shortcut file to the Windows Startup folder.

Several stages of malicious activity to conduct deployment of additional malware, collections, and exfiltration of data to a C2 were observed. While not every single initial payload followed these exact steps, this is an overall view of what occurred across most incidents analyzed:

A diagram generally displaying the four stages. The first stage involves the malvertising website redirecting users to GitHub pages, leading to a payload downloading from the repo. In the second stage, the payload performs system discovery and exfiltrates collected system information and stage-two payloads drop additional payloads. In the third stage, if the payload is a PowerShell script, it downloads NetSupport RAT from C2, sets persistence, and it may deliver a Lumma Stealer payload using MSBuild.exe for exfiltration. If the third stage payload is an .exe, it creates and runs a .cmd file and drops renamed AutoIT interpreter with a .com file extension, leading to the fourth stage. In the final stage, AutoIT launches binary and may drop an AutoIT interpreter with .scr file extensions, where a JavaScript file is dropped for running and persistence of those files. Finally, the AutoIT payload uses RegAsm.exe or PowerShell.exe to open files, enable browser remote debugging, and exfiltrate data. PowerShell may be deployed to set exclusion paths for Defender and/or drop NetSupport.
Figure 3. General depiction of the four stages

First-stage payload: Establishing a foothold on the host

During the first stage, a payload is dropped onto the user’s device from the binary hosted on GitHub, establishing a foothold on that device. As of mid-January 2025, the first-stage payloads discovered were digitally signed with a newly created certificate. A total of twelve different certificates were identified, all of which have been revoked.

Most of these initial payloads dropped the following legitimate files to leverage their functionality. These files were either leveraged by the first-stage payload or by later-stage payloads, depending on the actions being conducted.

File nameFunction
app-64.7zThis is a compressed archive that stores the second-stage payload and additional dropped files.
app.asarThis is an archive file specific to Electron applications, which are directly installed programs.
d3dcompiler_47.dllThis file is often included in DirectX redistributables, which are commonly bundled with Microsoft installers for games and graphics applications.
elevate.exeThis file is used by various installers and scripts to run processes with elevated privileges, not specific to Microsoft.
ffmpeg.dllThis file is associated with FFmpeg, a popular multimedia framework used to handle video, audio, and other multimedia files and streams.
libEGL.dllThis file is part of the ANGLE project, which is often found in applications that use OpenGL Embedded Systems (ES), including some web browsers and games.
libEGLESv2.dllThis file is part of the ANGLE project, which is often found in applications that use OpenGL ES, including some web browsers and games.
LICENSES.chromium.htmlThis file could contain information about the system or browser.
nsis7z.dllThis file is associated with the plugins for the Nullsoft Scriptable Install System (NSIS), which is used to create installers for various software.
StdUtils.dllThis file is associated with the plugins for the NSIS.
System.dllThis file is part of the .NET Framework assembly, typically included in Microsoft installers for applications that rely on the .NET Framework.
vk_swiftshader.dllThis file is associated with SwiftShader, which is used in applications that need a CPU-based implementation of the Vulkan API.
vulkan-1.dllThis file is associated with applications that use the Vulkan Graphics API, such as games and graphics software.

Depending on the first-stage payload that was initially established on the compromised device, Microsoft observed different second-stage payloads and several different methods for delivering these payloads to the device.

Second-stage payload: System discovery, collection, and exfiltration

The main purpose of the second-stage payload is to conduct system discovery and collect that data for exfiltration to the C2. The system information collected includes data such as memory size, graphic card details, screen resolution, operating system, user paths, and a reference to the second-stage payload’s file name.

This was accomplished by querying the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName for the Windows OS version and running commands, such as the echo command, to gather the device’s name (%COMPUTERNAME%) and domain name (%USERDOMAIN%).

System data collected by the second-stage payload is Base64-encoded and exfiltrated as a query parameter to an IP address.

Screenshot of code depicting the typical format of the URL observed when exfiltrating information collected from the compromised device.
Figure 4. Typical format of the URL observed when exfiltrating information collected from the compromised device

Third-stage payload: PowerShell and .exe binary

Depending on the second-stage payload, either one or multiple executables are dropped onto the compromised device, and sometimes an accompanying encoded PowerShell script. These files initiate a chain of events that conduct command execution, payload delivery, defensive evasion, persistence, C2 communications, and data exfiltration. The analysis of the dropped executables is first discussed below, followed by review of the PowerShell scripts observed.

Third-stage .exe analysis

The second-stage payloads run the dropped third-stage executables using the command prompt (for example, cmd.exe  /d /s /c “”C:\Users\<user>\AppData\Local\Temp\ApproachAllan.exe””). The /c flag ensures that the command runs and exits quickly. When the third-stage .exe runs, it drops a command file (.cmd) and launches it using the command prompt (for example, “cmd.exe” /c copy Beauty Beauty.cmd && Beauty.cmd). The .cmd file performs several actions, such as running tasklist, to initiate the discovery of running programs. This is followed by the findstr to search for keywords associated with security software:

findstr keywordAssociated software
wrsaWebroot SecureAnywhere
opssvcQuick Heal
AvastUIAvast Antivirus
AVGUIAVG Antivirus
bdservicehostBitdefender Antivirus
nsWscSvcNorton Security
ekrnESET
SophosHealthSophos

The .cmd file also concatenates multiple files into one with a single character file name: “cmd /c copy /b ..\Verzeichnis + ..\Controlling + ..\Constitute + ..\Enjoyed + ..\Confusion + ..\Min +..\Statutory J”. This single character filename is used next.

Following this, the third-stage .exe produces an AutoIT v3 interpreter file that is renamed from the typical file name of AutoIt3.exe and uses a .com file extension. The .cmd file initiates the execution of the .com file against the single character binary (such as Briefly.com J). Note, most of the second-stage payloads follow this progression chain, and as mentioned a second-stage payload can also drop multiple executables, all following the same process. For example:

First stage

  • X-essentiApp.exe

Second stage

  • Ionixnignx.exe

Third stage

  • EverybodyViewing.exe
  • ReliefOrganizational.exe
  • InflationWinston.exe

Third-stage command files

  • Beauty.cmd
  • Possess.cmd
  • Villa.cmd

Fourth-stage AutoIT .com files

  • Alexandria.com
  • Kills.com
  • Briefly.com

We observed multiple .com files originating from different dropped executables, each performing distinct functions while occasionally overlapping in behavior. These files facilitate persistence, process injection, remote debugging, and data exfiltration through various mechanisms. One .com file, such as Alexandria.com, drops a .scr file (another renamed AutoIT interpreter), and a .js (JavaScript) file with the same name as the .scr file. The purpose of the JavaScript file is to ensure persistence by creating a .url internet shortcut that points to the JavaScript file and is placed in the Startup folder, ensuring that the .scr file executes when the .js file executes (through Wscript.exe) upon user sign-in. Alternatively, persistence can be achieved using scheduled task creation. The .scr file can initiate C2 connections, enable remote debugging on Chrome or Edge within a hidden desktop session, or create TCP listening sockets on ports 9220-9229. This functionality allows threat actors to monitor browsing activity and interact with an active browser instance. These files can also open sensitive data files, indicating their role in facilitating post-exploitation activities.

Another .com file, such as affiliated.com, also focuses on remote debugging and browser monitoring. In addition to remote monitoring, affiliated.com initiates network connections to Telegram, Let’s Encrypt, and threat actor domains, potentially for C2 or exfiltration. It also accesses DPAPI to decrypt sensitive stored credentials and retrieve browser data.

The final observed .com file, such as Briefly.com, exhibits behavior similar to affiliated.com but extends its capabilities to include screenshot capture, data exfiltration, and PowerShell-based execution. This file accesses browser and user data for collection, establishes connections to Pastebin and additional C2 domains, and drops the fourth-stage PowerShell script.

The order in which these .com files run is not strictly defined, as one or multiple files can perform overlapping functions depending on the third-stage payload. In many cases, the .com files also leverage LOLBAS like RegAsm.exe by dropping a legitimate file into the %TEMP% directory or injecting malicious code into it using NtAllocateVirtualMemory and SetThreadContext API function calls. RegAsm.exe is used to establish C2 connections over TCP ports 15647 or 9000, exfiltrating data, accessing DPAPI for decryption, monitoring keystrokes using the WH_KEYBOARD_LL hook, and more. This flexibility in execution allows threat actors to tailor their approach based on environmental factors, such as security configurations and user activity.

Browser data files seen accessed:

  • \AppData\Roaming\Mozilla\Firefox\Profiles\<user profile uid>.default-release\cookies.sqlite
  • \AppData\Roaming\Mozilla\Firefox\Profiles\<user profile uid>.default-release\formhistory.sqlite
  • \AppData\Roaming\Mozilla\Firefox\Profiles\<user profile uid>.default-release\key4.db
  • \AppData\Roaming\Mozilla\Firefox\Profiles\<user profile uid>.default-release\logins.json
  • \AppData\Local\Google\Chrome\User Data\Default\Web Data
  • \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • \AppData\Local\Microsoft\Edge\User Data\Default\Login Data

User data file paths seen accessed:

  • C:\\Users\<user>\\OneDrive
  • C:\\Users\<user>\\Documents
  • C:\\Users\<user>\\Downloads

Third-stage PowerShell analysis

If a PowerShell script is also dropped by the second-stage payload, it includes Base64-obfuscated commands to conduct actions, such as use curl to download additional files like NetSupport from the C2, create persistence for the NetSupport RAT, and exfiltrate system information to C2 servers. To ensure no errors or the progress meter is displayed on the compromised device, the curl command is often used with the –silent option when downloading files from the C2. PowerShell is often configured to run without restrictions with the -ExecutionPolicy Bypass parameter.

As an example, in some of the incidents, when the second-stage payload runs, a PowerShell script is dropped and executed. The script sends the compromised device’s name to the C2 and downloads NetSupport RAT from the same C2.

  • Second-stage payload: Squarel.exe
  • PowerShell script: SHA-256: d70ccae7914fc8c36c9e11b2a7f10bebd7f5696e78d8836554f4990b0f688dbb
  • C2 domain: keikochio[.]com
  • NetSupport RAT: SHA-256: 32a828e2060e92b799829a12e3e87730e9a88ecfa65a4fc4700bdcc57a52d995

In another case, a second-stage payload drops a PowerShell script, which connects to hxxps://ipinfo[.]io to gather the compromised device’s external-facing IP address. This information is sent to a Telegram chat, then drops presentationhost.exe (a renamed NetSupport binary) and remcmdstub.exe (NetSupport Command Manager) into the %TEMP% directory. Finally, the PowerShell script establishes persistence for presentationhost.exe by adding it to the auto-start extensibility points (ASEP) registry keys. When it runs, the NetSupport RAT connects to the C2 and captures a screenshot of the compromised device’s desktop. It also delivers a Lumma executable that drops a VBScript file with the same name. The VBScript file runs encoded PowerShell to initiate C2 connections and launches MSBuild.exe to enable Chrome remote debugging on a hidden desktop. Additionally, presentationhost.exe initiates remcmdstub.exe, which leverages iScrPaint.exe (iTop Screen Recorder) to run MSBuild.exe and access browser credential files for exfiltration. The iScrPaint.exe file also establishes persistence by placing a .lnk shortcut in the Windows Startup folder, ensuring it runs on system reboot.

  • Second-stage payload: Application.exe
  • PowerShell script: SHA-256: 483796a64f004a684a7bc20c1ddd5c671b41a808bc77634112e1703052666a64
  • C2: hxxp://5.10.250[.]240/fakeurl.htm

The last observed third-stage PowerShell script was dropped by three second-stage payloads. The script sends the compromised device’s name to the C2 server. It then changes the working directory to $env:APPDATA, before using Start-BitsTransfer to download NetSupport from the C2. To evade detection, it modifies system security settings forcing TLS1.2 for encrypted C2 communication. These files are extracted into a newly created WinLibraryClient directory under AppData and then are launched. The script establishes persistence for the client32.exe (NetSupport RAT) by modifying the ASEP registry. Client32.exe initiates C2 connections to hxxp://79.132.128[.]77/fakeurl.htm.

  • Second-stage payloads: SalmonSamurai.exe, LakerBaker.exe, and DisplayPhotoViewer.exe
  • PowerShell script: SHA-256: 670218cfc5c16d06762b6bc74cda4902087d812e72c52d6b9077c4c4164856b6
  • C2 domain: stocktemplates[.]net

Additionally, one observed execution included registry enumeration of HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\ to identify installed applications and security software. It also queries the system’s domain status using Windows Management Instrumentation (WMI) and scans for cryptocurrency wallets, including Ledger Live, Trezor Suite, KeepKey, BCVault, OneKey, and BitBox, indicating potential financial data theft.

Fourth-stage PowerShell analysis

Depending on the .com file that ran (like Briefly.com), the renamed AutoIT file may drop a PowerShell script (SHA-256: 2a29c9904d1860ea3177da7553c8b1bf1944566e5bc1e71340d9e0ff079f0bd3). The obfuscated PowerShell code uses the Add-MpPreference cmdlet to modify Microsoft Defender to add in exclusion paths for Microsoft Defender, so the specified folders are not scanned.

Screenshot of code depicting the deobfuscated commands to add exclusion paths to Windows Defender.
Figure 5. Deobfuscated commands to add exclusion paths to Windows Defender

The script above is sometimes followed by an instance of Base64-encoded PowerShell commands. The PowerShell commands perform the following actions:

  • Sends a web request to hxxps://360[.]net and closes the response.
  • Sends a web request to hxxps://baidu[.]com and closes the response.
  • Downloads data from hxxps://klipcatepiu0[.]shop/int_clp_sha.txt using a web client.
  • Writes the downloaded data to a memory stream and saves it as a .zip file named null.zip (SHA-256: f07b8e5622598c228bfc9bff50838a3c4fffd88c436a7ef77e6214a40b0a2bae) in the C:\Users\<Username>\AppData\Local\Temp directory.

Recommendations

Microsoft recommends the following mitigations to reduce the impact of this threat.

Strengthen Microsoft Defender for Endpoint configuration

  • Ensure that tamper protection is enabled in Microsoft Defender for Endpoint. 
  • Enable network protection in Microsoft Defender for Endpoint. 
  • Turn on web protection.
  • Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.     
  • Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume.  
  • Microsoft Defender XDR customers can turn on the following attack surface reduction rules to prevent common attack techniques used by threat actors. 
    • Block executable files from running unless they meet a prevalence, age, or trusted list criterion 
    • Block execution of potentially obfuscated scripts
    • Block JavaScript or VBScript from launching downloaded executable content
    • Block process creations originating from PSExec and WMI commands
    • Block credential stealing from the Windows local security authority subsystem 
    • Block use of copied or impersonated system tools

Strengthen operating environment configuration

  • Require multifactor authentication (MFA). While certain attacks such as adversary-in-the-middle (AiTM) phishing attempt to circumvent MFA, implementation of MFA remains an essential pillar in identity security and is highly effective at stopping a variety of threats.
  • Implement Entra ID Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
  • Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
  • Enable Network Level Authentication for Remote Desktop Service connections.
  • Enable Local Security Authority (LSA) protection to block credential stealing from the Windows local security authority subsystem. 
  • AppLocker can restrict specific software tools prohibited within the organization, such as reconnaissance, fingerprinting, and RMM tools, or grant access to only specific users.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

Microsoft Defender for Endpoint

The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity.

  • Possible theft of passwords and other sensitive web browser information
  • Possible Lumma Stealer activity
  • Renamed AutoIt tool
  • Use of living-off-the-land binary to run malicious code
  • Suspicious startup item creation
  • Suspicious Scheduled Task Process Launched
  • Suspicious DPAPI Activity
  • Suspicious implant process from a known emerging threat
  • Security software tampering
  • Suspicious activity linked to a financially motivated threat actor detected
  • Ransomware-linked threat actor detected
  • A file or network connection related to a ransomware-linked emerging threat activity group detected
  • Information stealing malware activity
  • Possible NetSupport Manager activity
  • Suspicious sequence of exploration activities
  • Defender detection bypass
  • Suspicious Location of Remote Management Software
  • A process was injected with potentially malicious code
  • Process hollowing detected
  • Suspicious PowerShell download or encoded command execution
  • Suspicious PowerShell command line
  • Suspicious behavior by cmd.exe was observed
  • Suspicious Security Software Discovery
  • Suspicious discovery indicative of Virtualization/Sandbox Evasion
  • A process was launched on a hidden desktop
  • Monitored keystrokes
  • Suspicious Process Discovery
  • Suspicious Javascript process
  • A suspicious file was observed
  • Anomaly detected in ASEP registry

Microsoft Defender for Cloud

The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity.

  • Detected suspicious combination of HTA and PowerShell
  • Suspicious PowerShell Activity Detected
  • Traffic detected from IP addresses recommended for blocking
  • Attempted communication with suspicious sinkholed domain
  • Communication with suspicious domain identified by threat intelligence
  • Detected obfuscated command line
  • Detected suspicious named pipe communications

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

  • Incident investigation
  • Microsoft User analysis
  • Threat actor profile
  • Threat Intelligence 360 report based on MDTI article
  • Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Github-hosted first-stage payload certificate serial numbers

let specificSerialNumbers = dynamic(["70093af339876742820d7941", "15042512e67e8275f3f7f36b", "5608cab7e2ce34d53abcbb73",
 "0fa27d2553f24da79d1cc6bd8773ee9a", "7a7bf2ae0cbc0f5500db2946", "30d6c83a715bddb32e7956fe52d6b352",
  "301385aa36fae635e74bb88e", "30013cbbb16a7fd3c57f82707fb99c32", "5d00264a6b804ae6b28d9b16",
   "3a9c76f8304f77bd271921d9982f1ab6", "01f2c6c363767056abd80e9c", "0b09c88c0c8d15bed51a9eb4440f4bb0"]); 
union
(
    DeviceFileCertificateInfo
    | where CertificateSerialNumber in (specificSerialNumbers)
    | project DeviceName, CertificateSerialNumber, Signer, SHA1, IsSigned, Issuer, Timestamp
),
(
    DeviceTvmCertificateInfo
    | where SerialNumber in (specificSerialNumbers)
    | project DeviceId, SerialNumber, SignatureAlgorithm, Thumbprint, Path, IssueDate, ExpirationDate
)

Dropbox-hosted first-stage payload certificate serial number

Surface devices that may contain first-stage payloads hosted on Dropbox related to this activity. This query will search for the unique serial number of the known certificate related to this activity.

let specificSerialNumbers = dynamic(["7a7bf2ae0cbc0f5500db2946"]); 
union
(
    DeviceFileCertificateInfo
    | where CertificateSerialNumber in (specificSerialNumbers)
    | project DeviceName, CertificateSerialNumber, Signer, SHA1, IsSigned, Issuer, Timestamp
),
(
    DeviceTvmCertificateInfo
    | where SerialNumber in (specificSerialNumbers)
    | project DeviceId, SerialNumber, SignatureAlgorithm, Thumbprint, Path, IssueDate, ExpirationDate
)

Second-stage C2 IP addresses

Surface devices that may have communicated with second stage C2 IP addresses related to this activity.

let ipAddressToSearch = dynamic(["159.100.18.192", "192.142.10.246", "79.133.46.35", "84.200.24.191", "84.200.24.26", "89.187.28.253", "185.92.181.1"]);
union isfuzzy=true
(
    AzureDiagnostics
    | where identity_claim_ipaddr_s == ipAddressToSearch or conditions_sourceIP_s == ipAddressToSearch or CallerIPAddress == ipAddressToSearch or clientIP_s == ipAddressToSearch or clientIp_s == ipAddressToSearch or primaryIPv4Address_s == ipAddressToSearch or conditions_destinationIP_s == ipAddressToSearch
    | project Timestamp = TimeGenerated, Table = "AzureDiagnostics", IPAddress = coalesce(identity_claim_ipaddr_s, conditions_sourceIP_s, CallerIPAddress, clientIP_s, clientIp_s, primaryIPv4Address_s, conditions_destinationIP_s), AdditionalInfo = tostring(AdditionalFields)
),
(
    IdentityQueryEvents
    | where IPAddress == ipAddressToSearch or DestinationIPAddress == ipAddressToSearch
    | project Timestamp, Table = "IdentityQueryEvents", IPAddress = coalesce(IPAddress, DestinationIPAddress), AdditionalInfo = Query
),
(
    AADSignInEventsBeta
    | where IPAddress == ipAddressToSearch
    | project Timestamp, Table = "AADSignInEventsBeta", IPAddress, AdditionalInfo = UserAgent
),
(
    Heartbeat
    | where ComputerIP == ipAddressToSearch
    | project Timestamp = TimeGenerated, Table = "Heartbeat", IPAddress = ComputerIP, AdditionalInfo = OSName
),
(
    CloudAppEvents
    | where IPAddress == ipAddressToSearch
    | project Timestamp, Table = "CloudAppEvents", IPAddress, AdditionalInfo = UserAgent
),
(
    DeviceNetworkEvents
    | where LocalIP == ipAddressToSearch or RemoteIP == ipAddressToSearch
    | project Timestamp, Table = "DeviceNetworkEvents", IPAddress = coalesce(LocalIP, RemoteIP), AdditionalInfo = InitiatingProcessCommandLine
),
(
    AADUserRiskEvents
    | where IpAddress == ipAddressToSearch
    | project Timestamp = TimeGenerated, Table = "AADUserRiskEvents", IPAddress = IpAddress, AdditionalInfo = RiskEventType
),
(
    AADNonInteractiveUserSignInLogs
    | where IPAddress == ipAddressToSearch
    | project Timestamp = TimeGenerated, Table = "AADNonInteractiveUserSignInLogs", IPAddress, AdditionalInfo = UserAgent
),
(
    MicrosoftAzureBastionAuditLogs
    | where TargetVMIPAddress == ipAddressToSearch or ClientIpAddress == ipAddressToSearch
    | project Timestamp = TimeGenerated, Table = "MicrosoftAzureBastionAuditLogs", IPAddress = coalesce(TargetVMIPAddress, ClientIpAddress), AdditionalInfo = UserAgent
)
| sort by Timestamp desc

Fourth-stage C2 IP addresses

Surface devices that may have communicated with fourth stage C2 IP addresses related to this activity.

let ipAddressToSearch = dynamic(["45.141.84.60", "91.202.233.18", "154.216.20.131", "5.10.250.240", "79.132.128.77"]);
union isfuzzy=true
(
    AzureDiagnostics
    | where identity_claim_ipaddr_s == ipAddressToSearch or conditions_sourceIP_s == ipAddressToSearch or CallerIPAddress == ipAddressToSearch or clientIP_s == ipAddressToSearch or clientIp_s == ipAddressToSearch or primaryIPv4Address_s == ipAddressToSearch or conditions_destinationIP_s == ipAddressToSearch
    | project Timestamp = TimeGenerated, Table = "AzureDiagnostics", IPAddress = coalesce(identity_claim_ipaddr_s, conditions_sourceIP_s, CallerIPAddress, clientIP_s, clientIp_s, primaryIPv4Address_s, o),
(
    IdentityQueryEvents
    | where IPAddress == ipAddressToSearch or DestinationIPAddress == ipAddressToSearch
    | project Timestamp, Table = "IdentityQueryEvents", IPAddress = coalesce(IPAddress, DestinationIPAddress), AdditionalInfo = Query
),
(
    AADSignInEventsBeta
    | where IPAddress == ipAddressToSearch
    | project Timestamp, Table = "AADSignInEventsBeta", IPAddress, AdditionalInfo = UserAgent
),
(
    Heartbeat
    | where ComputerIP == ipAddressToSearch
    | project Timestamp = TimeGenerated, Table = "Heartbeat", IPAddress = ComputerIP, AdditionalInfo = OSName
),
(
    CloudAppEvents
    | where IPAddress == ipAddressToSearch
    | project Timestamp, Table = "CloudAppEvents", IPAddress, AdditionalInfo = UserAgent
),
(
    DeviceNetworkEvents
    | where LocalIP == ipAddressToSearch or RemoteIP == ipAddressToSearch
    | project Timestamp, Table = "DeviceNetworkEvents", IPAddress = coalesce(LocalIP, RemoteIP), AdditionalInfo = InitiatingProcessCommandLine
),
(
    AADUserRiskEvents
    | where IpAddress == ipAddressToSearch
    | project Timestamp = TimeGenerated, Table = "AADUserRiskEvents", IPAddress = IpAddress, AdditionalInfo = RiskEventType
),
(
    AADNonInteractiveUserSignInLogs
    | where IPAddress == ipAddressToSearch
    | project Timestamp = TimeGenerated, Table = "AADNonInteractiveUserSignInLogs", IPAddress, AdditionalInfo = UserAgent
),
(
    MicrosoftAzureBastionAuditLogs
    | where TargetVMIPAddress == ipAddressToSearch or ClientIpAddress == ipAddressToSearch
    | project Timestamp = TimeGenerated, Table = "MicrosoftAzureBastionAuditLogs", IPAddress = coalesce(TargetVMIPAddress, ClientIpAddress), AdditionalInfo = UserAgent
)
| sort by Timestamp desc

Browser remote debugging 

Identify AutoIT scripts launching chromium-based browsers (such as chrome.exe, msedge.exe, brave.exe) in remote debugging mode.

DeviceProcessEvents 
| where InitiatingProcessVersionInfoInternalFileName == "AutoIt3.exe" // Check for "AutoIt" scripts, even if it's renamed.  
| where ProcessCommandLine has "--remote-debugging-port" // Identify Chromium based browsers (chrome.exe, msedge.exe, brave.exe etc) being launched in remote debugging mode. 
| project DeviceId, Timestamp, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine

DPAPI decryption via AutoIT

Identify DPAPI decryption activity originating from AutoIT scripts.

DeviceEvents
| where ActionType == "DpapiAccessed"
| where InitiatingProcessVersionInfoInternalFileName == "AutoIt3.exe"
| where (AdditionalFields has_any("Google Chrome", "Microsoft Edge") and AdditionalFields has_any("SPCryptUnprotect"))
| extend json = parse_json(AdditionalFields)
| extend dataDesp = tostring(json.DataDescription.PropertyValue)
| extend opType = tostring(json.OperationType.PropertyValue)
| where (dataDesp in~ ("Google Chrome", "Microsoft Edge") and opType =~ "SPCryptUnprotect")
| project Timestamp, ReportId, DeviceId, ActionType, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, AdditionalFields, dataDesp, opType

DPAPI decryption via LOLBAS binaries

Identify DPAPI decryption activity originating from LOLBAS binaries (RegAsm.exe and MSBuild.exe).

DeviceEvents
| where ActionType == "DpapiAccessed"
| where InitiatingProcessFileName has_any ("RegAsm.exe", "MSBuild.exe")
| where (AdditionalFields has_any("Google Chrome", "Microsoft Edge") and  AdditionalFields has_any("SPCryptUnprotect"))
| extend json = parse_json(AdditionalFields)
| extend dataDesp = tostring(json.DataDescription.PropertyValue)
| extend opType = tostring(json.OperationType.PropertyValue)
| where (dataDesp in~ ("Google Chrome", "Microsoft Edge") and opType =~ "SPCryptUnprotect")
| project Timestamp, ReportId, DeviceId, ActionType, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, AdditionalFields, dataDesp, opType

Sensitive browser file access via AutoIT

Identify AutoIT scripts (renamed or otherwise) accessing sensitive browser files.

let browserDirs = pack_array(@"\Google\Chrome\User Data\", @"\Microsoft\Edge\User Data\", @"\Mozilla\Firefox\Profiles\"); 
let browserSensitiveFiles = pack_array("Web Data", "Login Data", "key4.db", "formhistory.sqlite", "cookies.sqlite", "logins.json", "places.sqlite", "cert9.db");
DeviceEvents
| where AdditionalFields has_any ("FileOpenSource") // Filter for "File Open" events.
| where InitiatingProcessVersionInfoInternalFileName == "AutoIt3.exe"
| where (AdditionalFields has_any(browserDirs) or  AdditionalFields has_any(browserSensitiveFiles)) 
| extend json = parse_json(AdditionalFields)
| extend File_Name = tostring(json.FileName.PropertyValue)
| where (File_Name has_any (browserDirs) and File_Name has_any (browserSensitiveFiles))
| project Timestamp, ReportId, DeviceId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, File_Name

Sensitive browser file access via LOLBAS binaries

Identify LOLBAS binaries (RegAsm.exe and MSBuild.exe) accessing sensitive browser files.

let browserDirs = pack_array(@"\Google\Chrome\User Data\", @"\Microsoft\Edge\User Data\", @"\Mozilla\Firefox\Profiles\"); 
let browserSensitiveFiles = pack_array("Web Data", "Login Data", "key4.db", "formhistory.sqlite", "cookies.sqlite", "logins.json", "places.sqlite", "cert9.db");
DeviceEvents
| where AdditionalFields has_any ("FileOpenSource") // Filter for "File Open" events.
| where InitiatingProcessFileName has_any ("RegAsm.exe", "MSBuild.exe")
 | where (AdditionalFields has_any(browserDirs) or  AdditionalFields has_any(browserSensitiveFiles)) 
| extend json = parse_json(AdditionalFields)
| extend File_Name = tostring(json.FileName.PropertyValue)
| where (File_Name has_any (browserDirs) and File_Name has_any (browserSensitiveFiles))
| project Timestamp, ReportId, DeviceId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, File_Name

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Indicators of compromise

Streaming website domains with malicious iframe

Indicator Type 
 movies7[.]net Domain
 0123movie[.]art Domain

Malicious iframe redirector domains

Indicator Type 
 fle-rvd0i9o8-moo[.]com Domain
 0cbcq8mu[.]com Domain

Malvertisement distributor

Indicator Type 
 widiaoexhe[.]top Domain

Malvertising website domains

Indicator Type 
widiaoexhe[.]top Domain
predictivdisplay[.]com Domain
buzzonclick[.]com Domain
pulseadnetwork[.]com Domain
onclickalgo[.]comDomain
liveadexchanger[.]comDomain
greatdexchange[.]comDomain
dexpredict[.]comDomain
onclickperformance[.]comDomain

GitHub referral URLs

Indicator Type 
hxxps://pmpdm[.]com/webcheck35/URL
hxxps://startherehosting[.]net/todaypage/URL
hxxps://kassalias[.]com/pageagain/URL
hxxps://sacpools[.]com/pratespage/URL
hxxps://dreamstorycards[.]com/amzpage/URL
hxxps://primetimeessentials[.]com/newpagyes/URL
hxxps://razorskigrips[.]com/perfect/URL
hxxps://lakeplacidluxuryhomes[.]com/webpage37URL
hxxps://ageless-skincare[.]com/gn/URL
hxxps://clarebrownmusic[.]com/goodday/URL
hxxps://razorskigrips[.]com/gn/URL
hxxps://compass-point-yachts[.]com/nicepage77/pro77.phpURL
hxxps://razorskigrips[.]com/goodk/URL
hxxps://lilharts[.]com/propage6/URL
hxxps://enricoborino[.]com/propage66/URL
hxxps://afterpm[.]com/pricedpage/URL
hxxps://eaholloway[.]com/updatepage333/URL
hxxps://physicaltherapytustin[.]com/webhtml/URL
hxxps://physicaltherapytustin[.]com/web-X/URL
hxxps://razorskigrips[.]com/newnewpage/URL
hxxps://statsace[.]com/web_us/URL
hxxps://nationpains[.]com/safeweb3/URL
hxxps://vjav[.]com/URL
hxxps://thegay[.]com/URL
hxxps://olopruy[.]com/URL
hxxps://desi-porn[.]tube/URL
hxxps://cumpaicizewoa[.]net/partitial/URL
hxxps://ak.ptailadsol[.]net/partitial/URL
hxxps://egrowz[.]com/webview/URL
hxxps://or-ipo[.]com/nice/URL

GitHub URLs

Indicator Type 
hxxps://github[.]com/down4up/ URL
hxxps://github[.]com/g1lsetup/iln77URL
hxxps://github[.]com/g1lsetup/v2025URL
hxxps://github[.]com/git2312now/DownNew152/URL
hxxps://github[.]com/muhammadshahblis/URL
hxxps://github[.]com/JimelecarURL
hxxps://github[.]com/kloserwURL
hxxps://github[.]com/kopersparan/URL
hxxps://github[.]com/zotokilowaURL
hxxps://github[.]com/colvfile/bmx84542URL
hxxps://github[.]com/colvfile/yesyes333URL
hxxps://github[.]com/mp3andmovies/URL
hxxps://github[.]com/anatfile/newlURL
hxxps://github[.]com/downloadprov/wwwURL
hxxps://github[.]com/abdfilesup/readyyesURL
hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/898537481URL
hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/898072392/ URL
hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/902107140URL
hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/902405338URL
hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/901430321/URL
hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/903047306/URL
hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/899121225URL
hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/899472962/URL
hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/900979287/URL
hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/901553970URL
hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/901617842/URL
hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/897657726URL
hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/903499100/URL
hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/903509708/URL
hxxps://objects.githubusercontent[.]com/github-production-release-asset-2e65be/915668132/URL

DropBox URL

Indicator Type
 hxxps://uc8ce1a0cf2efa109cd4540c0c22.dl.dropboxusercontent[.]com/cd/0/get/CgHUWBzFWtX1ZE6CwwKXVb1EvW4tnDYYhbX8Iqj70VZ5e2uwYlkAq6V-xQcjX0NMjbOJrN3_FjuanOjW66WdjPHNw2ptSNdXZi4Sey6511OjeNGuzMwxtagHQe5qFOFpY2xyt1sWeMfLwwHkvGGFzcKY/file?dl=1# URL

Discord URL

Indicator Type
hxxps://cdn.discordapp[.]com/attachments/1316109420995809283/1316112071376769165/NativeApp_G4QLIQRa.exe URL

First stage GitHub-hosted payloads

FilenameSHA-256
NanoPhanoTool.execd207b81505f13d46d94b08fb5130ddae52bd1748856e6b474688e590933a718
Squarel_JhZjXa.exeb87ff3da811a598c284997222e0b5a9b60b7f79206f8d795781db7b2abd41439
PriceApp_1jth1MMk.exeef2d8f433a896575442c13614157261b32dd4b2a1210aca3be601d301feb1fef
Paranoide.exe5550ea265b105b843f6b094979bfa0d04e1ee2d1607b2e0d210cd0dea8aab942
AliasApp.exe0c2d5b2a88a703df4392e060a7fb8f06085ca3e88b0552f7a6a9d9ef8afdda03
X-essentiApp.exed8ae7fbb8db3b027a832be6f1acc44c7f5aebfdcb306cd297f7c30f1594d9c45
QilawatProtone.exe823d37f852a655088bb4a81d2f3a8bfd18ea4f31e7117e5713aeb9e0443ccd99
ElectronApp.exe588071382ac2bbff6608c5e7f380c8f85cdd9e6df172c5edbdfdb42eb74367dc
NativeApp_dRRgoZqi.exedd8ce4a2fdf4af4d3fc4df88ac867efb49276acdcacaecb0c91e99110477dbf2
NativeApp_G5L1NHZZ.exe380920dfcdec5d7704ad1af1ce35feba7c3af1b68ffa4588b734647f28eeabb7
NativeApp_86hwwNjq.exe96cc7c9fc7ffbda89c920b2920327a62a09f8cb4fcf400bbfb02de82cdd8dba1
NativeApp_01C02RhQ.exe800c5cd5ec75d552f00d0aca42bdade317f12aa797103b9357d44962e8bcd37a
App_aeIGCY3g.exeafdc1a1e1e934f18be28465315704a12b2cd43c186fbee94f7464392849a5ad0
Pictore.exede6fcdf58b22a51d26eacb0e2c992d9a894c1894b3c8d70f4db80044dacb7430
ScenarioIT.exef677be06af71f81c93b173bdcb0488db637d91f0d614df644ebed94bf48e6541
CiscoProton.exe7b88f805ed46f4bfc3aa58ef94d980ff57f6c09b86c14afa750fc41d32b7ada8
Alarmer.exedc8e5cae55181833fa9f3dd0f9af37a2112620fd47b22e2fd9b4a1b05c68620f
AevellaAi.2.exe3e8ef8ab691f2d5b820aa7ac805044e5c945d8adcfc51ee79d875e169f925455
avs.exed2e9362ae88a795e6652d65b9ae89d8ff5bdebbfec8692b8358aa182bc8ce7a4
mrg.exe113290aaa5c0b0793d50de6819f2b2eead5e321e9300d91b9a36d62ba8e5bbc1
mrg.exe732b4874ac1a1d4326fc1d71d16910fce2835ceb87e76ad4ef2e40b1e948a6cc
Application.exeaea0892bf9a533d75256212b4f6eaede2c4c9e47f0725fc3c61730ccfba25ec8
Application.exeea2e21d0c09662a0f9b42d95ce706b5ed26634f20b9b5027ec681635a4072453
SalmonSamurai.exe83679dfd6331a0a0d829c0f3aed5112b69a7024ff1ceebf7179ba5c2b4d21fc5
Arendada.exe47ef2b7e8f35167fab1ecdd5ddb73d41e40e6a126f4da7540c1c0394195cb3df
Arduino.exe92d457b286fb63d2f5ec9413fd234643448c5f8d2c0763e43ed5cf27ab47eb02
SecondS.exe9d5c551f076449af0dbd7e05e1c2e439d6f6335b3dd07a8fa1b819c250327f39
ultraedit.msi0e20bea91c3b70259a7b6eef3bff614ce9b6df25e078bc470bfef9489c9c76e6

First-stage Dropbox-hosted payload

FilenameSHA-256
App_File-x38.3.exec0bc1227bdc56fa601c1c5c0527a100d7c251966e40b2a5fa89b39a2197dda67

First-stage Discord-hosted payload

FilenameSHA-256
NativeApp_G4QLIQRa.exe87200e8b43a6707cd66fc240d2c9e9da7f3ed03c8507adf7c1cfe56ba1a9c57d

Certificate signatures of GitHub-hosted payloads

Indicator 
c855f7541e50c98a5ae09f840fa06badb97ab46c
94c21e6384f2ffb72bd856c1c40b788f314b5298
74df2582af3780d81a8071e260c2b04259efc35a
07728484b1bb8702a87c6e5a154e0d690af2ff38
901f3fe4e599cd155132ce2b6bf3c5f6d1e0387c
be7156bd07dd7f72521fae4a3d6f46c48dd2ce9e
686b7ebba606303b5085633fcaa0685272b4d9b9
74a8215a54f52f792d351d66bd56a0ac626474fb
561620a3f0bf4fb96898a99252b85b00c468e5af
8137f599ac036b0eaae9486158e40e90ebdbce94
E9007755cfe5643d18618786de1995914098307f

Certificate signature of Dropbox-hosted payload

Indicator 
 fa6146f1fdad58b8db08411c459cb70acf82846d

Second-stage payloads

File nameSHA-256
NanoTool.exe9f958b85dc42ac6301fe1abfd4b11316b637c0b8c0bf627c9b141699dc18e885
Squarel.exe29539039c19995d788f24329ebb960eaf5d86b1f8df76272284d08a63a034d42
ParanoidResolver.exe1f73a00b5a7ac31ffc89abbedef17ee2281cf065423a3644787f6c622295ff29
AliasInstall.exe997671c13bb78a9acc658e2c3a1abf06aedc4f1f4f1e5fd8d469a912fc93993b
IoNixNginx.exe1d8ab53874b2edfb058dd64da8a61d92c8a8e302cc737155e0d718dbe169ba36
QilawatProton.exe 885f8a704f1b3aaa2c4ddf7eab779d87ecb1290853697a1e6fb6341c4f825968
ProtonEditor.exe48f422bf2b878d142f376713a543d113e9f964f6761d15d4149a4d71441739e5
AlEditor.exe 9daa63046978d7097ea20bfbb543d82374cf44ba37f966b87488f63daf20999e
Scielfic.exe6ec86b4e200144084e07407200a5294985054bdaddb3d6c56358fc0657e48157
Pictore.exe18959833da3df8d5d8d19c3fce496c55aa70140824d3a942fe43d547b9a8c065
AlarmWalker Solid.exe552f23590bdf301f481e62a9ce3c279bab887d64f4ba3ea3d81a348e3eff6c45
Aevella.exe 2a738f41b42f47b64be7dc2d16a4068472b860318537b5076814891a7d00b3bb
Application.exe5b50d0d67db361da72af2af20763b0dde9e5e86b792676acb9750f32221e955c
ArchiverApp.execfeac95017edbfe9a0ad8f24e7539f54482012d11dc79b7b6f41ff4ff742d9c6
LakerBaker.exeaf7454ca632dead16a36da583fb89f640f70df702163f5a22ba663e985f80d88
NanoTool.exeefdcd37ee0845e0145084c2a10432e61b1b4bf6b44ecd41d61a54b10e3563650
DisplayPhotoViewer.exe86ae0078776c0411504cf97f4369512013306fcf568cc1dc7a07e180dde08eda
CheryLady Application.exe773d3cb5edef063fb5084efcd8d9d7ac7624b271f94706d4598df058a89f77fd
SalmonSamurai.exe40abba1e7da7b3eaad08a6e3be381a9fc2ab01b59638912029bc9a4aa1e0c7a7
Heaveen Application.exe39dbf19d5c642d48632bfaf2f83518cfbd2b197018642ea1f2eb3d81897cf17d
Cisco Application.exe234971ecd1bf152c903841fac81bdaa288954a2757a73193174cde02fa6f937b
Simplify.exe221615de3d66e528494901fb5bd1725ecda336af33fe758426295f659141b931
SecondS.tmp5185f953be3d0842416d679582b233fdc886301441e920cb9d11642b3779d153

Second-stage C2s

Indicator Type 
159.100.18[.]192 C2
192.142.10[.]246 C2
79.133.46[.]35C2
84.200.24[.]191C2
84.200.24[.]26C2
89.187.28[.]253 C2
185.92.181[.]1C2
188.245.94[.]250 C2

Third-stage payloads: .exe and PowerShell files

File nameSHA-256
ApproachAllan.exe4e5fafffb633319060190a098b9ea156ec0243eb1279d78d27551e507d937947
DiscoConvicted.exe008aed5e3528e2c09605af26b3cda88419efb29b85ed122cab59913c18f7dc75
AwesomeTrader.exe21d4252a6492270f24282f8de9e985c9b8c61412f42d169ff4b128fd689d4753
CiteLips.exec9713c06526673bf18dbdaf46ea61ca9dd8fefe8ceec3be06c63db17e01e3741
RepublicChoir.exef649f66116a3351b60aa914e0b1944c2181485b1cf251fc9c1f6dab8a9db426b
6Zh7MvxYtHTBFX90Mn.exeb96360d48c2755ded301dd017b37dfdce921bdea7731c4b31958d945c8a0b8f5
ExclusivePottery.exe54c8a4f58b548c0cf6dbea2522e258723263ccde11d23e48985bdd1fd3535ce2
squarel.ps1d70ccae7914fc8c36c9e11b2a7f10bebd7f5696e78d8836554f4990b0f688dbb
MadCountries.exe9fe2c00641ece18898267b3c6e4ee0cb82ffefbc270c0767c441c3f38b63a12a
HockeyTract.exef136fa82ff73271708afe744f4e6a19cd5039e08ecd3ddad8e4d238f338f4d58
BruneiPlugins.exe453de65c9cc2dc62a67c502cd8bc26968acad9a671c1e095312c1fa6db4a7c74
CnnCylinder.exea76548a500d81dbb6f50419784a9b0323f5e42245ac7067af2adee0558167116
specreal.ps1d70ccae7914fc8c36c9e11b2a7f10bebd7f5696e78d8836554f4990b0f688dbb
InflationWinston.exedfbba64219fc63815db538ae8b51e07ec7132f4b39ba4a556c64bd3a5f024c2d
netsup.ps1 d70ccae7914fc8c36c9e11b2a7f10bebd7f5696e78d8836554f4990b0f688dbb
CfUltra.exe7880714c47260dba1fd4a4e4598e365b2a5ed0ad17718d8d192d28cf75660584
CalvinShoppercom.exe345a898d5eab800b7b7cbd455135c5474c5f0a9c366df3beb110f225ba734519
EscortUnavailable.exe258efd913cccdb70273c9410070f093337d5574b74c683c1cdff33baff9ffd7c
DisagreeProceed.exe9c82a2190930ec778688779a5ad52537d8b0856c8142c71631b308f1f8f0e772
BarbieBiblical.exe34f43bfc0a6f0d0f70b6eee0fa29c6dc62596ab2b867bbabd27c68153ea47f24
MysqlManaging.exeef1f9d507a137a4112ac92c576fc44796403eb53d71fe2ddb00376419c8a604e
PillsHarvest.exe4af3898ba3cf8b420ea1e6c5ce7cdca7775a4c9b78f67b493a9c73465432f1d3
BelfastProt.exead470bffbd120fc3a6c2c2e52af3c12f9f0153e76fee5e2b489a3d1870bdff03
HowardLikelihood.execc08892ace9ac746623b9d0178cd4d149f6a9ab10467fb9059d16f2c0038dcf9
SorryRequiring.exe4a2346d453b2ac894b67625640347c15e74e3091a9aa15629c3a808caaff1b2b
SearchMed.exeb0aab51b5e4a9cdd5b3d2785e4dea1ec06b20bc00e4015ccd79e0ba395a20fbd
RepublicChoir.exef649f66116a3351b60aa914e0b1944c2181485b1cf251fc9c1f6dab8a9db426b
DesignersCrawford.exee8452a65a452abdb4b2e629f767a038e0792e6e2393fb91bf17b27a0ce28c936
HumanitarianProvinces.exe25cfd6e6a9544990093566d5ea9d7205a60599bfda8c0f4d59fca31e58a7640b
ResetEngaging.exe51fbc196175f4fb9f38d843ee53710cde943e5caf1b0552624c7b65e6c231f7e
EducationalDerby.exe4a9a8c46ff96e4f066f51ff7e64b1c459967e0cdeb74b6de02cf1033e31c1c7b
StringsGrill.exef2a8840778484a56f1215f0fa8f6e8b0fb805fce99e62c01ff0a1f541f1d6808
CongressionalMechanics.exe2060509a63180c2f5075faf88ce7079c48903070c1c6b09fa3f9d6db05b8d9da
SexuallyWheat.exed39075915708d012f12b7410cd63e19434d630b2b7dbe60bd72ce003cd2efeaf
PerceptionCircuits.exe0e7dd3aa100d9e22d367cb995879ac4916cb4feb1c6085e06139e02cc7270bba
WWv63SKrHflebBd4VW.ps1483796a64f004a684a7bc20c1ddd5c671b41a808bc77634112e1703052666a64
WritingsShanghai.exefa131ea3ce9a9456e1d37065c7f7385ce98ffa329936b5fdd0fd0e78ade88ecb
IUService.exed5a6714ab95caa92ef1a712465a44c1827122b971bdb28ffa33221e07651d6f7
RttHlp.exe8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473
ASmartService.exe75712824b916c1dc8978f65c060340dc69b1efa0145dddbf54299689b9f4a118
ClaireSpecifically.exe746abef4bde48da9f9bff3c23dd6edf8f1bea4b568df2a7d369cb30536ec9ce0
report.exe6daccc09f5f843b1fa4adde64ad282511f591a641cb474e123fed922167df6ae
xh6yIa7PXFCsasc0H5.exe5f17501193f5f823f419329bc20534461a7195aa4c456e27af6b0df5b0788041
yL6Iwcawoz3KDjg60m.exe5ecb4240fae36893973fb306c52c7e548308ebcfba6d101aad4e083407968a96
CustomsCampbell.exe5b80c7d65bb655ccb6e3264f4459a968edcda28084e0ddde16698f642b2d7d83
HoldemRover.exe4c60cdd1ee4045eb0b3bfda8326802d17565f3d1ff6829ac05775ebc6d9ca2dc
QUCvpZLobnhvno5v1t.exe4bac608722756c80c29fee6f73949c011ea78243e5267e86b7b20b3beeb79f9e
EmilyHaiti.exe3221f1356a91d4f06d1deee988be04597cc11bc1cab199ba9c43b9d80dfa88bd
PIPIPOO.exe15bf7a141a5a5e7e5c19ffbfbb5b781ae8db52d9ba5ffeb1364964580ed55b13
ReliefOrganizational.exe02533f92d522d47b9d630375633803dd8d6b4723e87d914cd29460d404134a66
HelloWorld.ps1670218cfc5c16d06762b6bc74cda4902087d812e72c52d6b9077c4c416485
251.zip0997201124780f11a16662a0d718b1a3ef3202c5153191f93511d7ecd0de4d8d
251.exe4b50e7fba5e33bac30b98494361d5ab725022c38271b3eb89b9c4aab457dca78

Fourth-stage AutoIT, NetSupport RAT, PowerShell, and Lumma

File name(s)SHA-256
Korea.com
Fabric.com
Affiliated.com
Weeks.com
Briefly.com
Denmark.com
Tanzania.com
Cookies.com
Spice.com
SophieHub.scr
SpaceWarp.scr
SkillSync.scr
Quantify.scr
HealthPulse
CogniFlow.scr
ArgonautGuard.scr
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
Warrant.com
Ford.com
AutoIt3.exe
Seq.com
Underwear.com
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
Presentationhost.exe18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d
erLX7UsT.ps12a29c9904d1860ea3177da7553c8b1bf1944566e5bc1e71340d9e0ff079f0bd3
675aff18abddc.exeadf5a9c2db09a782b3080fc011d45eb6eb597d8b475c3c27755992b1d7796e91
675aff18abddc.vbs5f2b66cf3370323f5be9d7ed8a0597bffea8cc1f76cd96ebb5a8a9da3a1bdc71
251.exe707a23dcd031c4b4969a021bc259186ca6fd4046d6b7b1aaffc90ba40b2a603b

Third-stage C2s

Indicator Type
hxxp://keikochio[.]com/staz/gribs.zip C2
hxxp://keikochio[.]com/incall.php?=compName=<computer name> C2
hxxps://stocktemplates[.]net/input.php?compName=<computer name> C2
hxxp://89.23.96[.]126/?v=3&event=ready&url=hxxp://188.245.94[.]250:443/auto/28cd7492facfd54e11d48e52398aefa7/251.exe C2

Fourth-stage C2s

Indicator Type 
45.141.84[.]60 IP address
91.202.233[.]18 IP address
154.216.20[.]131 IP address
5.10.250[.]240 IP address
79.132.128[.]77 IP address
hxxps://shortlearn[.]clickURL
hxxps://wrathful-jammy[.]cyouURL
hxxps://mycomp[.]cyouURL
hxxps://kefuguy[.]shopURL
hxxps://lumdukekiy[.]shopURL
hxxps://lumquvonee[.]shopURL
hxxps://klipcatepiu0[.]shopURL
hxxps://gostrm[.]shopURL
hxxps://ukuhost[.]netURL
hxxps://silversky[.]clubURL
hxxps://pub.culture-quest[.]shopURL
hxxps://se-blurry[.]bizURL
hxxps://zinc-sneark[.]bizURL
hxxps://dwell-exclaim[.]bizURL
hxxps://formy-spill[.]bizURL
hxxps://covery-mover[.]bizURL
hxxps://dare-curbys[.]bizURL
hxxps://impend-differ[.]bizURL
hxxps://dreasd[.]xyzURL
hxxps://ikores[.]sbsURL
hxxps://violettru[.]clickURL
hxxps://marshal-zhukov[.]comURL
hxxps://tailyoveriw[.]myURL

Fourth-stage testing connectivity sites

Indicator Type 
hxxps://baidu.comURL
hxxps://360.netURL
hxxps://praxlonfire73.liveURL

References

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

Hear more about this discovery and how threat actors in this campaign leverage trusted platforms and advanced techniques to achieve their malicious goals in this episode of the Microsoft Threat Intelligence podcast, hosted by Sherrod DeGrippo: https://thecyberwire.com/podcasts/microsoft-threat-intelligence/39/notes. To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Malvertising campaign leads to info stealers hosted on GitHub appeared first on Microsoft Security Blog.

]]>
Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine http://approjects.co.za/?big=en-us/security/blog/2024/12/11/frequent-freeloader-part-ii-russian-actor-secret-blizzard-using-tools-of-other-groups-to-attack-ukraine/ Wed, 11 Dec 2024 17:00:00 +0000 Since January 2024, Microsoft has observed Secret Blizzard using the tools or infrastructure of other threat groups to attack targets in Ukraine and download its custom backdoors Tavdig and KazuarV2.

The post Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine appeared first on Microsoft Security Blog.

]]>
After co-opting the tools and infrastructure of another nation-state threat actor to facilitate espionage activities, as detailed in our last blog, Russian nation-state actor Secret Blizzard used those tools and infrastructure to compromise targets in Ukraine. Microsoft Threat Intelligence has observed that these campaigns consistently led to the download of Secret Blizzard’s custom malware, with the Tavdig backdoor creating the foothold to install their KazuarV2 backdoor.

Between March and April 2024, Microsoft Threat Intelligence observed Secret Blizzard using the Amadey bot malware relating to cybercriminal activity that Microsoft tracks as Storm-1919 to download its backdoors to specifically selected target devices associated with the Ukrainian military. This was at least the second time since 2022 that Secret Blizzard has used a cybercrime campaign to facilitate a foothold for its own malware in Ukraine. Microsoft also assesses that in January 2024, Secret Blizzard used the backdoor of Storm-1837, a Russia-based threat actor that targets Ukrainian military drone pilots, to download the Tavdig and KazuarV2 backdoors on a target device in Ukraine.

Commandeering other threat actors’ access highlights Secret Blizzard’s approach to diversifying its attack vectors, including using strategic web compromises (watering holes) and adversary-in-the-middle (AiTM) campaigns likely facilitated via legally mandated intercept systems in Russia such as the “System for Operative Investigative Activities” (SORM). More commonly, Secret Blizzard uses spear phishing as its initial attack vector, then server-side and edge device compromises to facilitate further lateral movement within a network of interest.

As previously detailed, Secret Blizzard is known for targeting a wide array of sectors, but most prominently ministries of foreign affairs, embassies, government offices, defense departments, and defense-related companies worldwide. Secret Blizzard focuses on gaining long-term access to systems for intelligence collection, often seeking out advanced research and information of political importance, using extensive resources such as multiple backdoors. The United States Cybersecurity and Infrastructure Security Agency (CISA) has attributed Secret Blizzard to Center 16 of Russia’s Federal Security Service (FSB). Secret Blizzard overlaps with the threat actor tracked by other security vendors as Turla, Waterbug, Venomous Bear, Snake, Turla Team, and Turla APT Group.

Microsoft tracks Secret Blizzard campaigns and, when we are able, directly notifies customers who have been targeted or compromised, providing them with the necessary information to help secure their environments. As part of our continuous monitoring, analysis, and reporting on the threat landscape, we are sharing our research on Secret Blizzard’s activity to raise awareness of this threat actor’s tradecraft and to educate organizations on how to harden their attack surfaces against this and similar activity. In addition, we highlight that while Secret Blizzard’s use of infrastructure and access by other threat actors is unusual, it is not unique, and therefore organizations that have been compromised by one threat actor may also find themselves compromised by another through the initial intrusion.

Amadey bot use and post-compromise activities

Between March and April 2024, Microsoft observed Secret Blizzard likely commandeering Amadey bots to ultimately deploy their custom Tavdig backdoor. Microsoft tracks some cybercriminal activity associated with Amadey bots as Storm-1919. Storm-1919’s post-infection goal is most often to deploy XMRIG cryptocurrency miners onto victim devices. Amadey bots have been deployed by Secret Blizzard and other threat actors comprising Storm-1919 to numerous devices around the world during 2024.

Microsoft assesses that Secret Blizzard either used the Amadey malware as a service (MaaS) or accessed the Amadey command-and-control (C2) panels surreptitiously to download a PowerShell dropper on target devices. The PowerShell dropper contained a Base64-encoded Amadey payload appended by code that invoked a request to Secret Blizzard C2 infrastructure.

Screenshot of code depicting the Amadey payload calling back to the Secret Blizzard C2 infrastructure
Figure 1. Amadey payload calling back to Secret Blizzard C2 infrastructure

The Amadey instance was version 4.18, but generally had the same functionality as the Amadey bot described in a Splunk blog from July 2023 analyzing version 3.83.

The Amadey sample gathered a significant amount of information about the victim system, including the administrator status and device name from the registry, and checked for installed antivirus software by seeing if it had a folder in C:\ProgramData. Numbers were recorded for each software found and likely sent back to the C2:

  • Avast Software
    • Avira
    • Kaspersky Lab
    • ESET
    • Panda Security
    • Doctor Web
    • AVG
    • 360TotalSecurity
    • Bitdefender
    • Norton
    • Sophos
    • Comodo

The retrieved information was gathered from the system to be encoded into the communication sent to the C2 at http://vitantgroup[.]com/xmlrpc.php. The Amadey bot then attempted to download two plugins from the C2 server:

  • hxxp://vitantgroup[.]com/Plugins/cred64.dll
  • hxxp://vitantgroup[.]com/Plugins/clip64.dll

Microsoft did not observe the two DLLs on the devices accessed by Secret Blizzard, but it is likely that they performed the same role as in other similar Amadey bots—to collect clipboard data and browser credentials. The need to encode the PowerShell dropper with a separate C2 URL controlled by Secret Blizzard could indicate that Secret Blizzard was not directly in control of the C2 mechanism used by the Amadey bot.

Subsequently, Microsoft observed Secret Blizzard downloading their custom reconnaissance or survey tool. This tool was selectively deployed to devices of further interest by the threat actor—for example, devices egressing from STARLINK IP addresses, a common signature of Ukrainian front-line military devices. The survey tool consisted of an executable that decrypted a batch script or cmdlets at runtime using what appears to be a custom RC4 algorithm. One of the batch scripts invoked the following command:

Screenshot of code depicting the batch script command
Figure 2. Batch script command

The batch script collected a survey of the victim device, including the directory tree, system information, active sessions, IPv4 route table, SMB shares, enabled security groups, and time settings. This information was encrypted using the same RC4 function and transmitted to the previously referenced Secret Blizzard C2 server at hxxps://citactica[.]com/wp-content/wp-login.php.

In another use of the survey tool observed by Microsoft Threat Intelligence, the executable simply decrypted the cmdlet dir “%programdata%\Microsoft\Windows Defender\Support. The %programdata%\Microsoft\Windows Defender\Support folder contains various Microsoft Defender logs, such as entries of detected malicious files.

Microsoft assesses that this cmdlet was invoked to determine if Microsoft Defender was enabled and whether previous Amadey activity had been flagged by the engine. Since several of the targeted devices observed by Microsoft had Microsoft Defender disabled during initial infection, the Secret Blizzard implants were only observed by Microsoft weeks or months after initial malware deployment.

Microsoft assesses that Secret Blizzard generally used the survey tool to determine if a victim device was of further interest, in which case it would deploy a PowerShell dropper containing the Tavdig backdoor payload (rastls.dll) and a legitimate Symantec binary with the name (kavp.exe), which is susceptible to DLL-sideloading.  The C2 configuration for Tavdig was:

  • hxxps://icw2016.coachfederation[.]cz/wp-includeshttps://www.microsoft.com/images/wp/
  • hxxps://hospitalvilleroy[.]com[.]br/wp-includes/fonts/icons/

On several of the victim devices, the Tavdig loader was deployed using an executable named procmap.exe, which used the Microsoft Macro Assembler (MASM) compiler (QEditor). Microsoft assesses that procmap.exe was used to compile and run malicious ASM files on victim devices within Ukraine in March 2024, which then invoked a PowerShell script that subsequently loaded the Amadey bots and the Tavdig backdoor.

Secret Blizzard then used the Tavdig backdoor—loaded into kavp.exe—to conduct further reconnaissance on the device, including user info, netstat, and installed patches. Secret Blizzard also used Tavdig to import a registry file into the registry of the victim device, which likely installed the persistence mechanism and payload for the KazuarV2 backdoor.

Diagram depicting an example of how Amadey bots were used to load the Tavdig backdoor and KazuarV2 backdoor.

Figure 3. Example of how Amadey bots were used to load the Tavdig backdoor

The KazuarV2 payload was often injected into a browser process such as explorer.exe or opera.exe to facilitate command and control with compromised web servers hosting the Secret Blizzard relay and encryption module (index.php). This module facilitated encryption and onward transmission of command output and exfiltrated data from the affected device to the next-level Secret Blizzard infrastructure. 

Storm-1837 PowerShell backdoor use

Microsoft has observed Storm-1837 (overlaps with activity tracked by other security providers as Flying Yeti and UAC-0149) targeting devices belonging to the military of Ukraine since December 2023. Storm-1837 is a Russia-based threat actor that has focused on devices used by Ukrainian drone operators. Storm-1837 uses a range of PowerShell backdoors including the backdoor that the Computer Emergency Response Team of Ukraine (CERT-UA) has named Cookbox as well as an Android backdoor impersonating a legitimate system used for AI processing called “Griselda”, which according to CERT-UA is based on the Hydra Android banking malware and facilitates the collection of session data (HTTP cookies), contacts, and keylogging. In May 2024, Cloudflare detailed a Storm-1837 espionage phishing campaign against Ukrainian military devices for which Storm-1837 used both GitHub and Cloudflare for staging and C2.

In January 2024, Microsoft observed a military-related device in Ukraine compromised by a Storm-1837 backdoor configured to use the Telegram API to launch a cmdlet with credentials (supplied as parameters) for an account on the file-sharing platform Mega. The cmdlet appeared to have facilitated remote connections to the account at Mega and likely invoked the download of commands or files for launch on the target device. When the Storm-1837 PowerShell backdoor launched, Microsoft noted a PowerShell dropper deployed to the device. The dropper was very similar to the one observed during the use of Amadey bots and contained two base64 encoded files containing the previously referenced Tavdig backdoor payload (rastls.dll) and the Symantec binary (kavp.exe).

As with the Amadey bot attack chain, Secret Blizzard used the Tavdig backdoor loaded into kavp.exe to conduct initial reconnaissance on the device. Secret Blizzard then used Tavdig to import a registry file, which was used to install and provide persistence for the KazuarV2 backdoor, which was subsequently observed launching on the affected device.

Although Microsoft did not directly observe the Storm-1837 PowerShell backdoor downloading the Tavdig loader, based on the temporal proximity between the execution of the Storm-1837 backdoor and the observation of the PowerShell dropper, Microsoft assesses that it is likely that the Storm-1837 backdoor was used by Secret Blizzard to deploy the Tavdig loader.

Summary assessments

Microsoft Threat Intelligence is still investigating how Secret Blizzard gained control of the Storm-1837 backdoor or Amadey bots to download its own tools onto devices in Ukraine. It is possible, for example, that Secret Blizzard operators could have purchased the use of Amadey bots, or it may have surreptitiously commandeered a part of the Amadey attack chain.

Regardless of the means, Microsoft Threat Intelligence assesses that Secret Blizzard’s pursuit of footholds provided by or stolen from other threat actors highlights this threat actor’s prioritization of accessing military devices in Ukraine. During its operations, Secret Blizzard has used an RC4 encrypted executable to decrypt various survey cmdlets and scripts, a method Microsoft assesses Secret Blizzard is likely to use beyond the immediate campaign discussed here.

Secret Blizzard deployed tools to these (non-domain-joined) devices that are encoded for espionage against large domain-joined environments. However, this threat actor has also built new functionality into them to make them more relevant for the espionage specifically conducted against Ukrainian military devices. In addition, Microsoft assesses Secret Blizzard has likely also attempted to use these footholds to tunnel and escalate toward strategic access at the Ministry level.

When parts one and two of this blog series are taken together, it indicates that Secret Blizzard has been using footholds from third parties—either by surreptitiously stealing or purchasing access—as a specific and deliberate method to establish footholds of espionage value. Nevertheless, Microsoft assesses that while this approach has some benefits that could lead more threat adversaries to use it, it is of less use against hardened networks, where good endpoint and network defenses enable the detection of activities of multiple threat adversaries for remediation.

Mitigations

To harden networks against the Secret Blizzard activity listed above, defenders can implement the following:

Strengthen Microsoft Defender for Endpoint configuration

Strengthen Microsoft Defender Antivirus configuration

Strengthen operating environment configuration

Microsoft Defender XDR detections

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects this threat as the following malware:

  • Trojan:Win32/Tavdig.Crypt
  • Trojan:JS/Kazuar.A

Microsoft Defender Antivirus detects additional threat components that may be related as the following malware:

  • Trojan:Win32/Amadey
  • Trojan:MSIL/Amadey
  • TrojanDownloader:Win32/Amadey

Microsoft Defender for Endpoint

The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

  • Secret Blizzard Actor activity detected

Hunting queries

Microsoft Defender XDR

Surface instances of the Secret Blizzard indicators of compromise file hashes

let fileHashes = dynamic(["Ee8ef58f3bf0dab066eb608cb0f167b1585e166bf4730858961c192860ceffe9", 
"d26ac1a90f3b3f9e11491f789e55abe5b7d360df77c91a597e775f6db49902ea", 
"d7e528b55b2eeb6786509664a70f641f14d0c13ceec539737eef26857355536e", 
"dfdc0318f3dc5ba3f960b1f338b638cd9645856d2a2af8aa33ea0f9979a9ca4c", 
"ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f", 
"Ee8ef58f3bf0dab066eb608cb0f167b1585e166bf4730858961c192860ceffe9"]);
union
(
   DeviceFileEvents
   | where SHA256 in (fileHashes)
   | project Timestamp, FileHash = SHA256, SourceTable = "DeviceFileEvents"
),
(
   DeviceEvents
   | where SHA256 in (fileHashes)
   | project Timestamp, FileHash = SHA256, SourceTable = "DeviceEvents"
),
(
   DeviceImageLoadEvents
   | where SHA256 in (fileHashes)
   | project Timestamp, FileHash = SHA256, SourceTable = "DeviceImageLoadEvents"
),
(
   DeviceProcessEvents
   | where SHA256 in (fileHashes)
   | project Timestamp, FileHash = SHA256, SourceTable = "DeviceProcessEvents"
)
| order by Timestamp desc

Surface instances of the Secret Blizzard indicators of compromise C2s.

let domainList = dynamic(["citactica.com", "icw2016.coachfederation.cz", "hospitalvilleroy.com.br", "vitantgroup.com", "brauche-it.de", "okesense.oketheme.com", "coworkingdeamicis.com", "plagnol-charpentier.fr"]);
union
(
    DnsEvents
    | where QueryType has_any(domainList) or Name has_any(domainList)
    | project TimeGenerated, Domain = QueryType, SourceTable = "DnsEvents"
),
(
    IdentityQueryEvents
    | where QueryTarget has_any(domainList)
    | project Timestamp, Domain = QueryTarget, SourceTable = "IdentityQueryEvents"
),
(
    DeviceNetworkEvents
    | where RemoteUrl has_any(domainList)
    | project Timestamp, Domain = RemoteUrl, SourceTable = "DeviceNetworkEvents"
),
(
    DeviceNetworkInfo
    | extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks)
    | mv-expand DnsAddresses, ConnectedNetworks
    | where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList)
    | project Timestamp, Domain = coalesce(DnsAddresses, ConnectedNetworks.Name), SourceTable = "DeviceNetworkInfo"
),
(
    VMConnection
    | extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames = parse_json(RemoteDnsCanonicalNames)
    | mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames
    | where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList)
    | project TimeGenerated, Domain = coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames), SourceTable = "VMConnection"
),
(
    W3CIISLog
    | where csHost has_any(domainList) or csReferer has_any(domainList)
    | project TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = "W3CIISLog"
),
(
    EmailUrlInfo
    | where UrlDomain has_any(domainList)
    | project Timestamp, Domain = UrlDomain, SourceTable = "EmailUrlInfo"
),
(
    UrlClickEvents
    | where Url has_any(domainList)
    | project Timestamp, Domain = Url, SourceTable = "UrlClickEvents"
)
| order by TimeGenerated desc

Additional hunting for likely malicious PowerShell commands queries can be found in this repository.

Look for PowerShell execution events that might involve a download

// Finds PowerShell execution events that could involve a download.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has "Net.WebClient"
or ProcessCommandLine has "DownloadFile"
or ProcessCommandLine has "Invoke-WebRequest"
or ProcessCommandLine has "Invoke-Shellcode"
or ProcessCommandLine has "http"
or ProcessCommandLine has "IEX"
or ProcessCommandLine has "Start-BitsTransfer"
or ProcessCommandLine has "mpcmdrun.exe"
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine

Look for encoded PowerShell execution events

// Detect Encoded PowerShell
DeviceProcessEvents
| where ProcessCommandLine matches regex @'(\s+-((?i)encod?e?d?c?o?m?m?a?n?d?|e|en|enc|ec)\s).*([A-Za-z0-9+/]{50,}[=]{0,2})'
| extend DecodedCommand = replace(@'\x00','', base64_decode_tostring(extract("[A-Za-z0-9+/]{50,}[=]{0,2}",0 , ProcessCommandLine)))

Microsoft Sentinel

Look for encoded PowerShell

id: f58a7f64-acd3-4cf6-ab6d-be76130cf251
name: Detect Encoded Powershell
description: |	
This query will detect encoded Powershell based on the parameters passed during process creation. This query will also work if the PowerShell executable is renamed or tampered with since detection is based solely on a regex of the launch string.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
tactics:
- Execution
query: |
DeviceProcessEvents
| where ProcessCommandLine matches regex @'(\s+-((?i)encod?e?d?c?o?m?m?a?n?d?|e|en|enc|ec)\s).*([A-Za-z0-9+/]{50,}[=]{0,2})'
| extend DecodedCommand = replace(@'\x00','', base64_decode_tostring(extract("[A-Za-z0-9+/]{50,}[=]{0,2}",0 , ProcessCommandLine)))

Look for PowerShell downloads

id: c34d1d0e-1cf4-45d0-b628-a2cfde329182
name: PowerShell downloads
description: |
Finds PowerShell execution events that could involve a download.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
query: |
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has "Net.WebClient"
or ProcessCommandLine has "DownloadFile"
or ProcessCommandLine has "Invoke-WebRequest"
or ProcessCommandLine has "Invoke-Shellcode"
or ProcessCommandLine has "http"
or ProcessCommandLine has "IEX"
or ProcessCommandLine has "Start-BitsTransfer"
or ProcessCommandLine has "mpcmdrun.exe"
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments. Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal, to get more information about this threat actor.

Microsoft Defender Threat Intelligence

IndicatorTypeAssociationLast seen
hxxps://citactica[.]com/wp-content/wp-login.phpC2 domain Survey Tool and Amadey dropperSecret BlizzardApril 2024
a56703e72f79b4ec72b97c53fbd8426eb6515e3645cb02e7fc99aaaea515273eTavdig payload (rastls.dll)Secret BlizzardApril 2024
hxxps://icw2016.coachfederation[.]cz/wp-includeshttps://www.microsoft.com/images/wp/Tavdig C2 domainSecret BlizzardApril 2024  
hxxps://hospitalvilleroy[.]com[.]br/wp-includes/fonts/icons/Tavdig C2 domainSecret BlizzardApril 2024
f9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68Executable susceptible to DLL-sideload (kavp.exe)Secret BlizzardJan-April 2024
d26ac1a90f3b3f9e11491f789e55abe5b7d360df77c91a597e775f6db49902ea Survey tool (ddra.exe)Secret BlizzardApril 2024
d7e528b55b2eeb6786509664a70f641f14d0c13ceec539737eef26857355536e PowerShell dropper for Amadey bot (nnas.ps1)Secret BlizzardMarch 2024
hxxps://brauche-it[.]de/wp-includes/blocks/blocksu9ky0oKazuarV2 C2Secret BlizzardJune 2024
hxxps://okesense.oketheme[.]com/wp-includes/sodium_compat/sodium_compatT4FF1aKazuarV2 C2  Secret BlizzardJune 2024  
 hxxps://coworkingdeamicis[.]com/wp-includes/Text/TextYpRm9l  KazuarV2 C2  Secret Blizzard  June 2024  
hxxps://plagnol-charpentier[.]fr/wp-includes/random_compat/random_compata0zW7QKazuarV2 C2  Secret Blizzard  June 2024  
dfdc0318f3dc5ba3f960b1f338b638cd9645856d2a2af8aa33ea0f9979a9ca4c Amadey bot (av.exe/ dctooux.exe)Storm-1919March 2024
ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f Amadey bot (dctooux.exe)Storm-1919March 2024
ee8ef58f3bf0dab066eb608cb0f167b1585e166bf4730858961c192860ceffe9MASM32 utility (procmap.exe)Storm-1919March 2024
hxxp://vitantgroup[.]com/xmlrpc.phpAmadey C2Storm-1919March 2024

Indicators of compromise

References

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine appeared first on Microsoft Security Blog.

]]>
File hosting services misused for identity phishing http://approjects.co.za/?big=en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/ Tue, 08 Oct 2024 16:00:00 +0000 Since mid-April 2024, Microsoft has observed an increase in defense evasion tactics used in campaigns abusing file hosting services like SharePoint, OneDrive, and Dropbox. These campaigns use sophisticated techniques to perform social engineering, evade detection, and compromise identities, and include business email compromise (BEC) attacks.

The post File hosting services misused for identity phishing appeared first on Microsoft Security Blog.

]]>
Microsoft has observed campaigns misusing legitimate file hosting services increasingly use defense evasion tactics involving files with restricted access and view-only restrictions. While these campaigns are generic and opportunistic in nature, they involve sophisticated techniques to perform social engineering, evade detection, and expand threat actor reach to other accounts and tenants. These campaigns are intended to compromise identities and devices, and most commonly lead to business email compromise (BEC) attacks to propagate campaigns, among other impacts such as financial fraud, data exfiltration, and lateral movement to endpoints.

Legitimate hosting services, such as SharePoint, OneDrive, and Dropbox, are widely used by organizations for storing, sharing, and collaborating on files. However, the widespread use of such services also makes them attractive targets for threat actors, who exploit the trust and familiarity associated with these services to deliver malicious files and links, often avoiding detection by traditional security measures.

Importantly, Microsoft takes action against malicious users violating the Microsoft Services Agreement in how they use apps like SharePoint and OneDrive. To help protect enterprise accounts from compromise, by default both Microsoft 365 and Office 365 support multi-factor authentication (MFA) and passwordless sign-in. Consumers can also go passwordless with their Microsoft account. Because security is a team sport, Microsoft also works with third parties like Dropbox to share threat intelligence and protect mutual customers and the wider community.

In this blog, we discuss the typical attack chain used in campaigns misusing file hosting services and detail the recently observed tactics, techniques, and procedures (TTPs), including the increasing use of certain defense evasion tactics. To help defenders protect their identities and data, we also share mitigation guidance to help reduce the impact of this threat, and detection details and hunting queries to locate potential misuse of file hosting services and related threat actor activities. By understanding these evolving threats and implementing the recommended mitigations, organizations can better protect themselves against these sophisticated campaigns and safeguard digital assets.

Attack overview

Phishing campaigns exploiting legitimate file hosting services have been trending throughout the last few years, especially due to the relative ease of the technique. The files are delivered through different approaches, including email and email attachments like PDFs, OneNote, and Word files, with the intent of compromising identities or devices. These campaigns are different from traditional phishing attacks because of the sophisticated defense evasion techniques used.

Since mid-April 2024, we observed threat actors increasingly use these tactics aimed at circumventing defense mechanisms:

  • Files with restricted access: The files sent through the phishing emails are configured to be accessible solely to the designated recipient. This requires the recipient to be signed in to the file-sharing service—be it Dropbox, OneDrive, or SharePoint—or to re-authenticate by entering their email address along with a one-time password (OTP) received through a notification service.
  • Files with view-only restrictions: To bypass analysis by email detonation systems, the files shared in these phishing attacks are set to ‘view-only’ mode, disabling the ability to download and consequently, the detection of embedded URLs within the file.

An example attack chain is provided below, depicting the updated defense evasion techniques being used across stages 4, 5, and 6:

Attack chain diagram. Step 1, attacker compromises a user of a trusted vendor via password spray/AiTM​ attack. Step 2, attacker replays stolen token a few hours later to sign into the user’s file hosting app​. Step 3, attacker creates a malicious file in the compromised user’s file hosting app​. Step 4, attacker shares the file with restrictions to a group of targeted recipients. Step 5, targeted recipient accesses the automated email notification with the suspicious file. Step 6, recipient is required to re-authenticate before accessing the shared file​. Step 7, recipient accesses the malicious shared file link​, directing to an AiTM page. Step 8, recipient submits password and MFA, compromising the user’s session token. Lastly, step 9, file shared on the compromised user’s file hosting app is used for further AiTM and BEC attack​s.
Figure 1. Example attack chain

Initial access

The attack typically begins with the compromise of a user within a trusted vendor. After compromising the trusted vendor, the threat actor hosts a file on the vendor’s file hosting service, which is then shared with a target organization. This misuse of legitimate file hosting services is particularly effective because recipients are more likely to trust emails from known vendors, allowing threat actors to bypass security measures and compromise identities. Often, users from trusted vendors are added to allow lists through policies set by the organization on Exchange Online products, enabling phishing emails to be successfully delivered.

While file names observed in these campaigns also included the recipients, the hosted files typically follow these patterns:

  • Familiar topics based on existing conversations
    • For example, if the two organizations have prior interactions related to an audit, the shared files could be named “Audit Report 2024”.
  • Familiar topics based on current context
    • If the attack has not originated from a trusted vendor, the threat actor often impersonates administrators or help desk or IT support personnel in the sender display name and uses a file name such as “IT Filing Support 2024”, “Forms related to Tax submission”, or “Troubleshooting guidelines”.
  • Topics based on urgency
    • Another common technique observed by the threat actors creating these files is that they create a sense of urgency with the file names like “Urgent:Attention Required” and “Compromised Password Reset”.

Defense evasion techniques

Once the threat actor shares the files on the file hosting service with the intended users, the file hosting service sends the target user an automated email notification with a link to access the file securely. This email is not a phishing email but a notification for the user about the sharing action. In scenarios involving SharePoint or OneDrive, the file is shared from the user’s context, with the compromised user’s email address as the sender. However, in the Dropbox scenario, the file is shared from no-reply@dropbox[.]com. The files are shared through automated notification emails with the subject: “<User> shared <document> with you”. To evade detections, the threat actor deploys the following additional techniques:

  • Only the intended recipient can access the file
    • The intended recipient needs to re-authenticate before accessing the file
    • The file is accessible only for a limited time window
  • The PDF shared in the file cannot be downloaded

These techniques make detonation and analysis of the sample with the malicious link almost impossible since they are restricted.

Identity compromise

When the targeted user accesses the shared file, the user is prompted to verify their identity by providing their email address:

Screenshot of the SharePoint identity verification page
Figure 2. Screenshot of SharePoint identity verification

Next, an OTP is sent from no-reply@notify.microsoft[.]com. Once the OTP is submitted, the user is successfully authorized and can view a document, often masquerading as a preview, with a malicious link, which is another lure to make the targeted user click the “View my message” access link.

graphical user interface, application
Figure 3. Final landing page post authorization

This link redirects the user to an adversary-in-the-middle (AiTM) phishing page, where the user is prompted to provide the password and complete multifactor authentication (MFA). The compromised token can then be leveraged by the threat actor to perform the second stage BEC attack and continue the campaign.

Microsoft recommends the following mitigations to reduce the impact of this threat:

Appendix

Microsoft Defender XDR detections

Microsoft Defender XDR raises the following alerts by combining Microsoft Defender for Office 365 URL click and Microsoft Entra ID Protection risky sign-ins signal.

  • Risky sign-in after clicking a possible AiTM phishing URL
  • User compromised through session cookie hijack
  • User compromised in a known AiTM phishing kit

Hunting queries

Microsoft Defender XDR 

The file sharing events related to the activity in this blog post can be audited through the CloudAppEvents telemetry. Microsoft Defender XDR customers can run the following query to find related activity in their networks: 

Automated email notifications and suspicious sign-in activity

By correlating the email from the Microsoft notification service or Dropbox automated notification service with a suspicious sign-in activity, we can identify compromises, especially from securely shared SharePoint or Dropbox files.

let usersWithSuspiciousEmails = EmailEvents
    | where SenderFromAddress in ("no-reply@notify.microsoft.com", "no-reply@dropbox.com") or InternetMessageId startswith "<OneTimePasscode"
    | where isnotempty(RecipientObjectId)
    | distinct RecipientObjectId;
AADSignInEventsBeta
| where AccountObjectId in (usersWithSuspiciousEmails)
| where RiskLevelDuringSignIn == 100

Files share contents and suspicious sign-in activity

In the majority of the campaigns, the file name involves a sense of urgency or content related to finance or credential updates. By correlating the file share emails with suspicious sign-ins, compromises can be detected. (For example: Alex shared “Password Reset Mandatory.pdf” with you). Since these are observed as campaigns, validating that the same file has been shared with multiple users in the organization can support the detection.

let usersWithSuspiciousEmails = EmailEvents
    | where Subject has_all ("shared", "with you")
    | where Subject has_any ("payment", "invoice", "urgent", "mandatory", "Payoff", "Wire", "Confirmation", "password")
    | where isnotempty(RecipientObjectId)
    | summarize RecipientCount = dcount(RecipientObjectId), RecipientList = make_set(RecipientObjectId) by Subject
    | where RecipientCount >= 10
    | mv-expand RecipientList to typeof(string)
    | distinct RecipientList;
AADSignInEventsBeta
| where AccountObjectId in (usersWithSuspiciousEmails)
| where RiskLevelDuringSignIn == 100

BEC: File sharing tactics based on the file hosting service used

To initiate the file sharing activity, these campaigns commonly use certain action types depending on the file hosting service being leveraged. Below are the action types from the audit logs recorded for the file sharing events. These action types can be used to hunt for activities related to these campaigns by replacing the action type for its respective application in the queries below this table.

ApplicationAction typeDescription
OneDrive/
SharePoint
AnonymousLinkCreatedLink created for the document, anyone with the link can access, prevalence is rare since mid-April 2024
SharingLinkCreatedLink created for the document, accessible for everyone, prevalence is rare since mid-April 2024
AddedToSharingLinkComplete list of users with whom the file is shared is available in this event
SecureLinkCreatedLink created for the document, specifically can be accessed only by a group of users. List will be available in the AddedToSecureLink Event
AddedToSecureLinkComplete list of users with whom the file is securely shared is available in this event
DropboxCreated shared linkA link for a file to be shared with external user created
Added shared folder to own DropboxA shared folder was added to the user’s Dropbox account
Added users and/or groups to shared file/folderThese action types include the list of external users with whom the files have been shared.
Changed the audience of the shared link
Invited user to Dropbox and added them to shared file/folder

OneDrive or SharePoint: The following query highlights that a specific file has been shared by a user with multiple participants. Correlating this activity with suspicious sign-in attempts preceding this can help identify lateral movements and BEC attacks.

let securelinkCreated = CloudAppEvents
    | where ActionType == "SecureLinkCreated"
    | project FileCreatedTime = Timestamp, AccountObjectId, ObjectName;
let filesCreated = securelinkCreated
    | where isnotempty(ObjectName)
    | distinct tostring(ObjectName);
CloudAppEvents
| where ActionType == "AddedToSecureLink"
| where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
| extend FileShared = tostring(RawEventData.ObjectId)
| where FileShared in (filesCreated)
| extend UserSharedWith = tostring(RawEventData.TargetUserOrGroupName)
| extend TypeofUserSharedWith = RawEventData.TargetUserOrGroupType
| where TypeofUserSharedWith == "Guest"
| where isnotempty(FileShared) and isnotempty(UserSharedWith)
| join kind=inner securelinkCreated on $left.FileShared==$right.ObjectName
// Secure file created recently (in the last 1day)
| where (Timestamp - FileCreatedTime) between (1d .. 0h)
| summarize NumofUsersSharedWith = dcount(UserSharedWith) by FileShared
| where NumofUsersSharedWith >= 20

Dropbox: The following query highlights that a file hosted on Dropbox has been shared with multiple participants.

CloudAppEvents
| where ActionType in ("Added users and/or groups to shared file/folder", "Invited user to Dropbox and added them to shared file/folder")
| where Application == "Dropbox"
| where ObjectType == "File"
| extend FileShared = tostring(ObjectName)
| where isnotempty(FileShared)
| mv-expand ActivityObjects
| where ActivityObjects.Type == "Account" and ActivityObjects.Role == "To"
| extend SharedBy = AccountId
| extend UserSharedWith = tostring(ActivityObjects.Name)
| summarize dcount(UserSharedWith) by FileShared, AccountObjectId
| where dcount_UserSharedWith >= 20

Microsoft Sentinel

Microsoft Sentinel customers can use the resources below to find related activities similar to those described in this post:

The following query identifies files with specific keywords that attackers might use in this campaign that have been shared through OneDrive or SharePoint using a Secure Link and accessed by over 10 unique users. It captures crucial details like target users, client IP addresses, timestamps, and file URLs to aid in detecting potential attacks:

let OperationName = dynamic(['SecureLinkCreated', 'AddedToSecureLink']);
OfficeActivity
| where Operation in (OperationName)
| where OfficeWorkload in ('OneDrive', 'SharePoint')
| where SourceFileName has_any ("payment", "invoice", "urgent", "mandatory", "Payoff", "Wire", "Confirmation", "password", "paycheck", "bank statement", "bank details", "closing", "funds", "bank account", "account details", "remittance", "deposit", "Reset")
| summarize CountOfShares = dcount(TargetUserOrGroupName), 
            make_list(TargetUserOrGroupName), 
            make_list(ClientIP), 
            make_list(TimeGenerated), 
            make_list(SourceRelativeUrl) by SourceFileName, OfficeWorkload
| where CountOfShares > 10

Considering that the attacker compromises users through AiTM,  possible AiTM phishing attempts can be detected through the below rule:

In addition, customers can also use the following identity-focused queries to detect and investigate anomalous sign-in events that may be indicative of a compromised user identity being accessed by a threat actor:

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post File hosting services misused for identity phishing appeared first on Microsoft Security Blog.

]]>
Storm-0501: Ransomware attacks expanding to hybrid cloud environments http://approjects.co.za/?big=en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/ Thu, 26 Sep 2024 17:00:00 +0000 Microsoft has observed the threat actor tracked as Storm-0501 launching a multi-staged attack where they compromised hybrid cloud environments and performed lateral movement from on-premises to cloud environment, leading to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment. The said attack targeted multiple sectors in the United States, including government, manufacturing, transportation, […]

The post Storm-0501: Ransomware attacks expanding to hybrid cloud environments appeared first on Microsoft Security Blog.

]]>
Microsoft has observed the threat actor tracked as Storm-0501 launching a multi-staged attack where they compromised hybrid cloud environments and performed lateral movement from on-premises to cloud environment, leading to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment. The said attack targeted multiple sectors in the United States, including government, manufacturing, transportation, and law enforcement. Storm-0501 is a financially motivated cybercriminal group that uses commodity and open-source tools to conduct ransomware operations.

Storm-0501 has been active as early as 2021, initially observed deploying the Sabbath(54bb47h) ransomware in attacks targeting US school districts, publicly leaking data for extortion, and even directly messaging school staff and parents. Since then, most of the threat actor’s attacks have been opportunistic, as the group began operating as a ransomware-as-a-service (RaaS) affiliate deploying multiple ransomware payloads developed and maintained by other threat actors over the years, including Hive, BlackCat (ALPHV), Hunters International, LockBit, and most recently, Embargo ransomware. The threat actor was also recently observed targeting hospitals in the US.

Storm-0501 is the latest threat actor observed to exploit weak credentials and over-privileged accounts to move from organizations’ on-premises environment to cloud environments. They stole credentials and used them to gain control of the network, eventually creating persistent backdoor access to the cloud environment and deploying ransomware to the on-premises. Microsoft previously observed threat actors such as Octo Tempest and Manatee Tempest targeting both on-premises and cloud environments and exploiting the interfaces between the environments to achieve their goals.

As hybrid cloud environments become more prevalent, the challenge of securing resources across multiple platforms grows ever more critical for organizations. Microsoft is committed to helping customers understand these attacks and build effective defenses against them.

In this blog post, we will go over Storm-0501’s tactics, techniques, and procedures (TTPs), typical attack methods, and expansion to the cloud. We will also provide information on how Microsoft detects activities related to this kind of attack, as well as provide mitigation guidance to help defenders protect their environment.

A diagram of the Storm-0501 attack chain
Figure 1. Storm-0501 attack chain

Analysis of the recent Storm-0501 campaign

On-premises compromise

Initial access and reconnaissance

Storm-0501 previously achieved initial access through intrusions facilitated by access brokers like Storm-0249 and Storm-0900, leveraging possibly stolen compromised credentials to sign in to the target system, or exploiting various known remote code execution vulnerabilities in unpatched public-facing servers. In a recent campaign, Storm-0501 exploited known vulnerabilities in Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler (CVE-2023-4966), and ColdFusion 2016 application (possibly CVE-2023-29300 or CVE-2023-38203). In cases observed by Microsoft, these initial access techniques, combined with insufficient operational security practices by the targets, provided the threat actor with administrative privileges on the target device.

After gaining initial access and code execution capabilities on the affected device in the network, the threat actor performed extensive discovery to find potential desirable targets such as high-value assets and general domain information like Domain Administrator users and domain forest trust. Common native Windows tools and commands, such as systeminfo.exe, net.exe, nltest.exe, tasklist.exe, were leveraged in this phase. The threat actor also utilized open-source tools like ossec-win32 and OSQuery to query additional endpoint information. Additionally, in some of the attacks, we observed the threat actor running an obfuscated version of ADRecon.ps1 called obfs.ps1 or recon.ps1 for Active Directory reconnaissance.

Following initial access and reconnaissance, the threat actor deployed several remote monitoring and management tools (RMMs), such as Level.io, AnyDesk, and NinjaOne to interact with the compromised device and maintain persistence.

Credential access and lateral movement

The threat actor took advantage of admin privileges on the local devices it compromised during initial access and attempted to gain access to more accounts within the network through several methods. The threat actor primarily utilized Impacket’s SecretsDump module, which extracts credentials over the network, and leveraged it across an extensive number of devices to obtain credentials. The threat actor used the compromised credentials to access more devices in the network and then leveraged Impacket again to collect additional credentials. The threat actor then repeated this process until they compromised a large set of credentials that potentially included multiple Domain Admin credentials.

In addition, the threat actor was observed attempting to gather secrets by reading sensitive files and in some cases gathering KeePass secrets from the compromised devices. The threat actor used EncryptedStore’s Find-KeePassConfig.ps1 PowerShell script to output the database location and keyfile/user master key information and launch the KeePass executable to gather the credentials. We assess with medium confidence that the threat actor also performed extensive brute force activity on a few occasions to gain additional credentials for specific accounts.

The threat actor was observed leveraging Cobalt Strike to move laterally across the network using the compromised credentials and using the tool’s command-and-control (C2) capabilities to directly communicate with the endpoints and send further commands. The common Cobalt Strike Beacon file types used in these campaigns were .dll files and .ocx files that were launched by rundll32.exe and regsvr32.exe respectively. Moreover, the “license_id” associated with this Cobalt Strike Beacon is “666”.  The “license_id” definition is commonly referred to as Watermark and is a nine-digit value that is unique per legitimate license provided by Cobalt Strike. In this case, the “license_id” was modified with 3-digit unique value in all the beacon configurations.

In cases we observed, the threat actor’s lateral movement across the campaign ended with a Domain Admin compromise and access to a Domain Controller that eventually enabled them to deploy ransomware across the devices in the network.

Data collection and exfiltration

The threat actor was observed exfiltrating sensitive data from compromised devices. To exfiltrate data, the threat actor used the open-source tool Rclone and renamed it to known Windows binary names or variations of them, such as svhost.exe or scvhost.exe as masquerading means. The threat actor employed the renamed Rclone binaries to transfer data to the cloud, using a dedicated configuration that synchronized files to public cloud storage services such as MegaSync across multiple threads. The following are command line examples used by the threat actor in demonstrating this behavior:

  • Svhost.exe copy –filter-from [REDACTED] [REDACTED] config:[REDACTED] -q –ignore-existing –auto-confirm –multi-thread-streams 11 –transfers 11
  • scvhost.exe –config C:\Windows\Debug\a.conf copy [REDACTED UNC PATH] [REDACTED]

Defense evasion

The threat actor attempted to evade detection by tampering with security products in some of the devices they got hands-on-keyboard access to. They employed an open-source tool, resorted to PowerShell cmdlets and existing binaries to evade detection, and in some cases, distributed Group Policy Object (GPO) policies to tamper with security products.

On-premises to cloud pivot

In their recent campaign, we noticed a shift in Storm-0501’s methods. The threat actor used the credentials, specifically Microsoft Entra ID (formerly Azure AD), that were stolen from earlier in the attack to move laterally from the on-premises to the cloud environment and establish persistent access to the target network through a backdoor.

Storm-0501 was observed using the following attack vectors and pivot points on the on-premises side to gain subsequent control in Microsoft Entra ID:

Microsoft Entra Connect Sync account compromise

Microsoft Entra Connect, previously known as Azure AD Connect, is an on-premises Microsoft application that plays a critical role in synchronizing passwords and sensitive data between Active Directory (AD) objects and Microsoft Entra ID objects. Microsoft Entra Connect synchronizes the on-premises identity and Microsoft Entra identity of a user account to allow the user to sign in to both realms with the same password. To deploy Microsoft Entra Connect, the application must be installed on an on-premises server or an Azure VM. To decrease the attack surface, Microsoft recommends that organizations deploy Microsoft Entra Connect on a domain-joined server and restrict administrative access to domain administrators or other tightly controlled security groups. Microsoft Incident Response also published recommendations on preventing cloud identity compromise.

Microsoft Entra Connect Sync is a component of Microsoft Entra Connect that synchronizes identity data between on-premises environments and Microsoft Entra ID. During the Microsoft Entra Connect installation process, at least two new accounts (more accounts are created if there are multiple forests) responsible for the synchronization are created, one in the on-premises AD realm and the other in the Microsoft Entra ID tenant. These service accounts are responsible for the synchronization process.

The on-premises account name is prefixed with “MSOL_” and has permissions to replicate directory changes, modify passwords, modify users, modify groups, and more (see full permissions here).

A screenshot of the on-premises account name in Microsoft Entra Connect Sync
Figure 2. The on-premises account name

The cloud Microsoft Entra ID account is prefixed with “sync_<Entra Connect server name>_” and has the account display name set to “On-Premises Directory Synchronization Service Account”. This user account is assigned with the Directory Synchronization Accounts role (see detailed permissions of this role here). Microsoft recently implemented a change in Microsoft Entra ID that restricts permissions on the Directory Synchronization Accounts (DSA) role in Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync and helps prevent abuse.

A screenshot of the cloud account name in Microsoft Entra Connect Sync
Figure 3. The cloud account name

The on-premises and cloud service accounts conduct the syncing operation every few minutes, similar to Password Hash Synchronization (PHS), to uphold real time user experience. Both user accounts mentioned above are crucial for the Microsoft Entra Connect Sync service operations and their credentials are saved encrypted via DPAPI (Data Protection API) on the server’s disk or a remote SQL server.

We can assess with high confidence that in the recent Storm-0501 campaign, the threat actor specifically located Microsoft Entra Connect Sync servers and managed to extract the plain text credentials of the Microsoft Entra Connect cloud and on-premises sync accounts. We assess that the threat actor was able to achieve this because of the previous malicious activities described in this blog post, such as using Impacket to steal credentials and DPAPI encryption keys, and tampering with security products.

Following the compromise of the cloud Directory Synchronization Account, the threat actor can authenticate using the clear text credentials and get an access token to Microsoft Graph. The compromise of the Microsoft Entra Connect Sync account presents a high risk to the target, as it can allow the threat actor to set or change Microsoft Entra ID passwords of any hybrid account (on-premises account that is synced to Microsoft Entra ID).

Cloud session hijacking of on-premises user account

Another way to pivot from on-premises to Microsoft Entra ID is to gain control of an on-premises user account that has a respective user account in the cloud. In some of the Storm-0501 cases we investigated, at least one of the Domain Admin accounts that was compromised had a respective account in Microsoft Entra ID, with multifactor authentication (MFA) disabled, and assigned with a Global Administrator role. It is important to mention that the sync service is unavailable for administrative accounts in Microsoft Entra, hence the passwords and other data are not synced from the on-premises account to the Microsoft Entra account in this case. However, if the passwords for both accounts are the same, or obtainable by on-premises credential theft techniques (i.e. web browsers passwords store), then the pivot is possible.

If a compromised on-premises user account is not assigned with an administrative role in Microsoft Entra ID and is synced to the cloud and no security boundaries such as MFA or Conditional Access are set, then the threat actor could escalate to the cloud through the following:

  1. If the password is known, then logging in to Microsoft Entra is possible from any device.
  2. If the password is unknown, the threat actor can reset the on-premises user password, and after a few minutes the new password will be synced to the cloud.
  3. If they hold credentials of a compromised Microsoft Entra Directory Synchronization Account, they can set the cloud password using AADInternals’ Set-AADIntUserPassword cmdlet.

If MFA for that user account is enabled, then authentication with the user will require the threat actor to tamper with the MFA or gain control of a device owned by the user and subsequently hijack its cloud session or extract its Microsoft Entra access tokens along with their MFA claims.

MFA is a security practice that requires users to provide two or more verification factors to gain access to a resource and is a recommended security practice for all users, especially for privileged administrators. A lack of MFA or Conditional Access policies limiting the sign-in options opens a wide door of possibilities for the attacker to pivot to the cloud environment, especially if the user has administrative privileges. To increase the security of admin accounts, Microsoft is rolling out additional tenant-level security measures to require MFA for all Azure users.

Impact

Cloud compromise leading to backdoor

Following a successful pivot from the on-premises environment to the cloud through the compromised Microsoft Entra Connect Sync user account or the cloud admin account compromised through cloud session hijacking, the threat actor was able to connect to Microsoft Entra (portal/MS Graph) from any device, using a privileged Microsoft Entra ID account, such as a Global Administrator, and was no longer limited to the compromised devices.

Once Global Administrator access is available for Storm-0501, we observed them creating a persistent backdoor access for later use by creating a new federated domain in the tenant. This backdoor enables an attacker to sign in as any user of the Microsoft Entra ID tenant in hand if the Microsoft Entra ID user property ImmutableId is known or set by the attackers. For users that are configured to be synced by the Microsoft Entra Connect service, the ImmutableId property is automatically populated, while for users that are not synced the default value is null. However, users with administrative privileges can add an ImmutableId value, regardless.

The threat actor used the open-source tool AADInternals, and its Microsoft Entra ID capabilities to create the backdoor. AADInternals is a PowerShell module designed for security researchers and penetration testers that provides various methods for interacting and testing Microsoft Entra ID and is commonly used by Storm-0501. To create the backdoor, the threat actor first needed to have a domain of their own that is registered to Microsoft Entra ID. The attacker’s next step is to determine whether the target domain is managed or federated. A federated domain in Microsoft Entra ID is a domain that is configured to use federation technologies, such as Active Directory Federation Services (AD FS), to authenticate users. If the target domain is managed, then the attackers need to convert it to a federated one and provide a root certificate to sign future tokens upon user authentication and authorization processes. If the target domain is already federated, then the attackers need to add the root certificate as “NextSigningCertificate”.

Once a backdoor domain is available for use, the threat actor creates a federation trust between the compromised tenant, and their own tenant. The threat actor uses the AADInternals commands that enable the creation of Security Assertion Markup Language (SAML or SAML2) tokens, which can be used to impersonate any user in the organization and bypass MFA to sign in to any application. Microsoft observed the actor using the SAML token sign in to Office 365.

On-premises compromise leading to ransomware

Once the threat actor achieved sufficient control over the network, successfully extracted sensitive files, and managed to move laterally to the cloud environment, the threat actor then deployed the Embargo ransomware across the organization. We observed that the threat actor did not always resort to ransomware distribution, and in some cases only maintained backdoor access to the network.

Embargo ransomware is a new strain developed in Rust, known to use advanced encryption methods. Operating under the RaaS model, the ransomware group behind Embargo allows affiliates like Storm-0501 to use its platform to launch attacks in exchange for a share of the ransom. Embargo affiliates employ double extortion tactics, where they first encrypt a victim’s files and threaten to leak stolen sensitive data unless a ransom is paid.

In the cases observed by Microsoft, the threat actor leveraged compromised Domain Admin accounts to distribute the Embargo ransomware via a scheduled task named “SysUpdate” that was registered via GPO on the devices in the network. The ransomware binaries names that were used were PostalScanImporter.exe and win.exe. Once the files on the target devices were encrypted, the encrypted files extension changed to .partial, .564ba1, and .embargo.

Mitigation and protection guidance

Microsoft recently implemented a change in Microsoft Entra ID that restricts permissions on the Directory Synchronization Accounts (DSA) role in Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync as part of ongoing security hardening. This change helps prevent threat actors from abusing Directory Synchronization Accounts in attacks.

Customers may also refer to Microsoft’s human-operated ransomware overview for general hardening recommendations against ransomware attacks.

The other techniques used by threat actors and described in this blog can be mitigated by adopting the following security measures:

  • Secure accounts with credential hygiene: practice the principle of least privilege and audit privileged account activity in your Microsoft Entra ID environments to slow and stop attackers.
  • Enable Conditional Access policies – Conditional Access policies are evaluated and enforced every time the user attempts to sign in. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as device compliance or trusted IP address requirements.
    • Set a Conditional Access policy to limit the access of Microsoft Entra ID sync accounts from untrusted IP addresses to all cloud apps. The Microsoft Entra ID sync account is identified by having the role ‘Directory Synchronization Accounts’. Please refer to the Advanced Hunting section and check the relevant query to get those IP addresses.
  • Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
  • Follow Microsoft’s best practices for securing Active Directory Federation Services.  
  • Refer to Azure Identity Management and access control security best practices for further steps and recommendations to manage, design, and secure your Azure AD environment can be found by referring.
  • Ensure Microsoft Defender for Cloud Apps connectors are turned on for your organization to receive alerts on the Microsoft Entra ID sync account and all other users.
  • Enable protection to prevent by-passing of cloud Microsoft Entra MFA when federated with Microsoft Entra ID.
  • Set the validatingDomains property of federatedTokenValidationPolicy to “all” to block attempts to sign-in to any non-federated domain (like .onmicrosoft.com) with SAML tokens.
  • Turn on Microsoft Entra ID protection to monitor identity-based risks and create risk-based conditional access policies to remediate risky sign-ins.
  • Turn on tamper protection features to prevent attackers from stopping security services such as Microsoft Defender for Endpoint, which can help prevent hybrid cloud environment attacks such as Microsoft Entra Connect abuse.
  • Refer to the recommendations in our attacker technique profile, including use of Windows Defender Application Control or AppLocker to create policies to block unapproved information technology (IT) management tools to protect against the abuse of legitimate remote management tools like AnyDesk or Level.io.
  • Run endpoint detection and response (EDR) in block mode so that Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach.
  • Turn on investigation and remediation in full automated mode to allow Defender for Endpoint to take immediate action on alerts to help remediate alerts, significantly reducing alert volume.

Detection details

Alerts with the following names can be in use when investigating the current campaign of Storm-0501.

Microsoft Defender XDR detections

Microsoft Defender Antivirus 

Microsoft Defender Antivirus detects the Cobalt Strike Beacon as the following:

Additional Cobalt Strike components are detected as the following:

Microsoft Defender Antivirus detects tools that enable Microsoft Entra ID enumeration as the following malware: 

Embargo Ransomware threat components are detected as the following:

Microsoft Defender for Endpoint 

Alerts with the following titles in the security center can indicate threat activity related to Storm-0501 on your network:

  • Ransomware-linked Storm-0501 threat actor detected

The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report. 

  • Possible Adobe ColdFusion vulnerability exploitation
  • Compromised account conducting hands-on-keyboard attack
  • Ongoing hands-on-keyboard attacker activity detected (Cobalt Strike)
  • Ongoing hands-on-keyboard attack via Impacket toolkit
  • Suspicious Microsoft Defender Antivirus exclusion
  • Attempt to turn off Microsoft Defender Antivirus protection
  • Renaming of legitimate tools for possible data exfiltration
  • BlackCat ransomware
  • ‘Embargo’ ransomware was detected and was active
  • Suspicious Group Policy action detected
  • An active ‘Embargo’ ransomware was detected

The following alerts might indicate on-premises to cloud pivot through Microsoft Entra Connect:

  • Entra Connect Sync credentials extraction attempt
  • Suspicious cmdlets launch using AADInternals
  • Potential Entra Connect Tampering
  • Indication of local security authority secrets theft

Microsoft Defender for Identity

The following Microsoft Defender for Identity alerts can indicate activity related to this threat:

  • Data exfiltration over SMB
  • Suspected DCSync attack

Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps can detect abuse of permissions in Microsoft Entra ID and other cloud apps. Activities related to the Storm-0501 campaign described in this blog are detected as the following:

  • Backdoor creation using AADInternals tool
  • Compromised Microsoft Entra ID Cloud Sync account
  • Suspicious sign-in to Microsoft Entra Connect Sync account
  • Entra Connect Sync account suspicious activity following a suspicious login
  • AADInternals tool used by a Microsoft Entra Sync account
  • Suspicious login from AADInternals tool

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

  • CVE-2022-47966

Threat intelligence reports 

Microsoft customers can use the following reports in Microsoft Defender Threat Intelligence to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments: 

Advanced hunting 

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Microsoft Entra Connect Sync account exploration

Explore sign-in activity from IdentityLogonEvents, look for uncommon behavior, such as sign-ins from newly seen IP addresses or sign-ins to new applications that are non-sync related.

IdentityLogonEvents
| where Timestamp > ago(30d)
| where AccountDisplayName contains "On-Premises Directory Synchronization Service Account"
| extend ApplicationName = tostring(RawEventData.ApplicationName)
| project-reorder Timestamp, AccountDisplayName, AccountObjectId, IPAddress, ActionType, ApplicationName, OSPlatform, DeviceType

Usually, the activity of the sync account is repetitive, coming from the same IP address to the same application, any deviation from the natural flow is worth investigating. Cloud applications that normally accessed by the Microsoft Entra ID sync account are “Microsoft Azure Active Directory Connect”, “Windows Azure Active Directory”, “Microsoft Online Syndication Partner Portal”

Explore the cloud activity (a.k.a ActionType) of the sync account, same as above, this account by nature performs a certain set of actions including ‘update User.’, ‘update Device.’ and so on. New and uncommon activity from this user might indicate an interactive use of the account, even though it could have been from someone inside the organization it could also be the threat actor.

CloudAppEvents
| where Timestamp > ago(30d)
| where AccountDisplayName has "On-Premises Directory Synchronization Service Account"
| extend Workload = RawEventData.Workload
| project-reorder Timestamp, IPAddress, AccountObjectId, ActionType, Application, Workload, DeviceType, OSPlatform, UserAgent, ISP

Pay close attention to action from different DeviceTypes or OSPlatforms, this account automated service is performed from one specific machine, so there shouldn’t be any variety in these fields.

Check which IP addresses Microsoft Entra Connect Sync account uses

This query reveals all IP addresses that the default Microsoft Entra Connect Sync account uses so those could be added as trusted IP addresses for the Entra ID sync account (make sure the account is not compromised before relying on this list)

IdentityLogonEvents
| where AccountDisplayName has "On-Premises Directory Synchronization Service Account"
| where ActionType == "LogonSuccess"
| distinct IPAddress
| union (CloudAppEvents
| where AccountDisplayName has "On-Premises Directory Synchronization Service Account"
| distinct IPAddress)
| distinct IPAddress

Federation and authentication domain changes

Explore the addition of a new authentication or federation domain, validate that the new domain is valid one and was purposefully added

CloudAppEvents
| where Timestamp > ago(30d)
| where ActionType in ("Set domain authentication.", "Set federation settings on domain.")

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Assess your environment for Manage Engine, Netscaler, and ColdFusion vulnerabilities.

DeviceTvmSoftwareVulnerabilities  
| where CveId in ("CVE-2022-47966","CVE-2023-4966","CVE-2023-29300","CVE-2023-38203")   
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,  
CveId,VulnerabilitySeverityLevel  
| join kind=inner ( DeviceTvmSoftwareVulnerabilitiesKB | project CveId, CvssScore,IsExploitAvailable,VulnerabilitySeverityLevel,PublishedDate,VulnerabilityDescription,AffectedSoftware ) on CveId  
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,  
CveId,VulnerabilitySeverityLevel,CvssScore,IsExploitAvailable,PublishedDate,VulnerabilityDescription,AffectedSoftware

Search for file IOC

let selectedTimestamp = datetime(2024-09-17T00:00:00.0000000Z);
let fileName = dynamic(["PostalScanImporter.exe","win.exe","name.dll","248.dll","cs240.dll","fel.ocx","theme.ocx","hana.ocx","obfs.ps1","recon.ps1"]); 
let FileSHA256 = dynamic(["efb2f6452d7b0a63f6f2f4d8db49433259249df598391dd79f64df1ee3880a8d","a9aeb861817f3e4e74134622cbe298909e28d0fcc1e72f179a32adc637293a40","caa21a8f13a0b77ff5808ad7725ff3af9b74ce5b67426c84538b8fa43820a031","53e2dec3e16a0ff000a8c8c279eeeca8b4437edb8ec8462bfbd9f64ded8072d9","827f7178802b2e92988d7cff349648f334bc86317b0b628f4bb9264285fccf5f","ee80f3e3ad43a283cbc83992e235e4c1b03ff3437c880be02ab1d15d92a8348a","de09ec092b11a1396613846f6b082e1e1ee16ea270c895ec6e4f553a13716304","d065623a7d943c6e5a20ca9667aa3c41e639e153600e26ca0af5d7c643384670","c08dd490860b54ae20fa9090274da9ffa1ba163f00d1e462e913cf8c68c11ac1"]); 
search in (AlertEvidence,BehaviorEntities,CommonSecurityLog,DeviceBaselineComplianceProfiles,DeviceEvents,DeviceFileEvents,DeviceImageLoadEvents, DeviceLogonEvents,DeviceNetworkEvents,DeviceProcessEvents,DeviceRegistryEvents,DeviceFileCertificateInfo,DynamicEventCollection,EmailAttachmentInfo,OfficeActivity,SecurityEvent,ThreatIntelligenceIndicator) TimeGenerated between ((selectedTimestamp - 1m) .. (selectedTimestamp + 90d)) // from September 17th runs the search for 90 days, change the selectedTimestamp accordingly. and  (FileName in (fileName) or OldFileName in (fileName)  or ProfileName in (fileName)  or InitiatingProcessFileName in (fileName)  or InitiatingProcessParentFileName in (fileName)  or InitiatingProcessVersionInfoInternalFileName in (fileName)  or InitiatingProcessVersionInfoOriginalFileName in (fileName)  or PreviousFileName in (fileName)  or ProcessVersionInfoInternalFileName in (fileName) or ProcessVersionInfoOriginalFileName in (fileName) or DestinationFileName in (fileName) or SourceFileName in (fileName)or ServiceFileName in (fileName) or SHA256 in (FileSHA256)  or InitiatingProcessSHA256 in (FileSHA256))

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog, in addition to Microsoft Defender XDR detections list above.

Indicators of compromise (IOCs)

The following list provides indicators of compromise (IOCs) observed during our investigation. We encourage our customers to investigate these indicators within their environments and implement detections and protections to identify any past related activity and prevent future attacks against their systems.

File nameSHA-256Description
PostalScanImporter.exe, win.exeefb2f6452d7b0a63f6f2f4d8db49433259249df598391dd79f64df1ee3880a8dEmbargo ransomware
win.exea9aeb861817f3e4e74134622cbe298909e28d0fcc1e72f179a32adc637293a40Embargo ransomware
name.dllcaa21a8f13a0b77ff5808ad7725ff3af9b74ce5b67426c84538b8fa43820a031Cobalt Strike
248.dlld37dc37fdcebbe0d265b8afad24198998ae8c3b2c6603a9258200ea8a1bd7b4aCobalt Strike
cs240.dll53e2dec3e16a0ff000a8c8c279eeeca8b4437edb8ec8462bfbd9f64ded8072d9Cobalt Strike
fel.ocx827f7178802b2e92988d7cff349648f334bc86317b0b628f4bb9264285fccf5fCobalt Strike
theme.ocxee80f3e3ad43a283cbc83992e235e4c1b03ff3437c880be02ab1d15d92a8348aCobalt Strike
hana.ocxde09ec092b11a1396613846f6b082e1e1ee16ea270c895ec6e4f553a13716304Cobalt Strike
obfs.ps1d065623a7d943c6e5a20ca9667aa3c41e639e153600e26ca0af5d7c643384670ADRecon
recon.ps1c08dd490860b54ae20fa9090274da9ffa1ba163f00d1e462e913cf8c68c11ac1ADRecon

References

Omri Refaeli, Tafat Gaspar, Vaibhav Deshmukh, Naya Hashem, Charles-Edouard Bettan

Microsoft Threat Intelligence Community

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Storm-0501: Ransomware attacks expanding to hybrid cloud environments appeared first on Microsoft Security Blog.

]]>
“Dirty stream” attack: Discovering and mitigating a common vulnerability pattern in Android apps http://approjects.co.za/?big=en-us/security/blog/2024/05/01/dirty-stream-attack-discovering-and-mitigating-a-common-vulnerability-pattern-in-android-apps/ Wed, 01 May 2024 18:00:00 +0000 Microsoft discovered a vulnerability pattern in multiple popular Android applications that could enable a malicious application to overwrite files in the vulnerable application’s internal data storage directory, which could lead to arbitrary code execution and token theft, among other impacts. We have shared our findings with Google’s Android Application Security Research team, as well as the developers of apps found vulnerable to this issue. We anticipate that the vulnerability pattern could be found in other applications. We’re sharing this research more broadly so developers and publishers can check their apps for similar issues, fix as appropriate, and prevent them from being introduced into new apps or releases.

The post “Dirty stream” attack: Discovering and mitigating a common vulnerability pattern in Android apps appeared first on Microsoft Security Blog.

]]>
Microsoft discovered a path traversal-affiliated vulnerability pattern in multiple popular Android applications that could enable a malicious application to overwrite files in the vulnerable application’s home directory. The implications of this vulnerability pattern include arbitrary code execution and token theft, depending on an application’s implementation. Arbitrary code execution can provide a threat actor with full control over an application’s behavior. Meanwhile, token theft can provide a threat actor with access to the user’s accounts and sensitive data.

We identified several vulnerable applications in the Google Play Store that represented over four billion installations. We anticipate that the vulnerability pattern could be found in other applications. We’re sharing this research so developers and publishers can check their apps for similar issues, fix as appropriate, and prevent introducing such vulnerabilities into new apps or releases.  As threats across all platforms continue to evolve, industry collaboration among security researchers, security vendors, and the broader security community is essential in improving security for all. Microsoft remains committed to working with the security community to share vulnerability discoveries and threat intelligence to protect users across platforms.

After discovering this issue, we identified several vulnerable applications. As part of our responsible disclosure policy, we notified application developers through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) and worked with them to address the issue. We would like to thank the Xiaomi, Inc. and WPS Office security teams for investigating and fixing the issue. As of February 2024, fixes have been deployed for the aforementioned apps, and users are advised to keep their device and installed applications up to date.

Recognizing that more applications could be affected, we acted to increase developer awareness of the issue by collaborating with Google to publish an article on the Android Developers website, providing guidance in a high-visibility location to help developers avoid introducing this vulnerability pattern into their applications. We also wish to thank Google’s Android Application Security Research team for their partnership in resolving this issue.

In this blog post, we continue to raise developer and user awareness by giving a general overview of the vulnerability pattern, and then focusing on Android share targets, as they are the most prone to these types of attacks. We go through an actual code execution case study where we demonstrate impact that extends beyond the mobile device’s scope and could even affect a local network. Finally, we provide guidance to users and application developers and illustrate the importance of collaboration to improve security for all.

Overview: Data and file sharing on Android

The Android operating system enforces isolation by assigning each application its own dedicated data and memory space. To facilitate data and file sharing, Android provides a component called a content provider, which acts as an interface for managing and exposing data to the rest of the installed applications in a secure manner. When used correctly, a content provider provides a reliable solution. However, improper implementation can introduce vulnerabilities that could enable bypassing of read/write restrictions within an application’s home directory.

The Android software development kit (SDK) includes the FileProvider class, a subclass of ContentProvider that enables file sharing between installed applications. An application that needs to share its files with other applications can declare a FileProvider in its app manifest and declare the specific paths to share.

Every file provider has a property called authority, which identifies it system-wide, and can be used by the consumer (the app that wants to access the shared files) as a form of address. This content-based model bears a strong resemblance to the web model, but instead of the http scheme, consumers utilize the content scheme along with the authority, followed by a pseudo-path to the file that they want to access.

For example, assuming that the application com.example.server shares some files under the file:///data/data/com.example.server/fileshttps://www.microsoft.com/images directory that it has previously declared as shared using the name shared_images, a consumer can use the content://[authority]/shared_images/[sub-path]/[filename] URI to index these files.

Access is given by the data sharing application most commonly using the grantUriPermissions attribute of the Android manifest, in combination with special flags that are used to define a read or write mode of operation. The data sharing application creates and sends an intent to the consumer that provides temporary fine-grained access to a file.  Finally, when a provider receives a file access request, it resolves the actual file path that corresponds to the incoming URI and returns a file descriptor to it.  

Implementation pitfalls

This content provider-based model provides a well-defined file-sharing mechanism, enabling a serving application to share its files with other applications in a secure manner with fine-grained control. However, we have frequently encountered cases where the consuming application doesn’t validate the content of the file that it receives and, most concerning, it uses the filename provided by the serving application to cache the received file within the consuming application’s internal data directory. If the serving application implements its own malicious version of FileProvider, it may be able to cause the consuming application to overwrite critical files.

Share targets

In simple terms, a share target is an Android app that declares itself to handle data and files sent by other apps. Common application categories that can be share targets include mail clients, social networking apps, messaging apps, file editors, browsers, and so on. In a common scenario, when a user clicks on a file, the Android operating system triggers the share-sheet dialog asking the user to select the component that the file should be sent to:

Android share sheet dialog displaying apps such as OneDrive, OneNote, Outlook, and others.
Figure 1. The Android share sheet dialog

While this type of guided file-sharing interaction itself may not trigger a successful attack against a share target, a malicious Android application can create a custom, explicit intent and send a file directly to a share target with a malicious filename and without the user’s knowledge or approval. Essentially, the malicious application is substituting its own malicious FileProvider implementation and provides a filename that is improperly trusted by the consuming application.

Diagram displaying the distry stream attack steps between the malicious app and a share target APK. First, the request to process file is sent to the APK, which replies with a request for the file name. The malicious app replies with the name, the APK allows it, granting the malicious app the ability to deliver the final malicious payload.
Figure 2. Dirty stream attack

In Figure 2, the malicious app, on the left, creates an explicit intent that targets the file processing component of the share target, on the right, and attaches a content URI as an intent’s extra. It then sends this intent to the share target using the startActivity API call.

After this point, most of the share targets that we have reviewed seem to follow a specific code pattern that includes the following steps:

  1. Request the actual filename from the remote file provider
  2. Use this filename to initialize a file that is subsequently used to initialize a file output stream
  3. Create an input stream using the incoming content URI
  4. Copy the input stream to the output stream

Since the rogue app controls the name as well as the content of the file, by blindly trusting this input, a share target may overwrite critical files in its private data space, which may lead to serious consequences.

Impact

We identified this vulnerability pattern in the then-current versions of several Android applications published on the Google Play Store, including at least four with more than 500 million installations each. In each case, we responsibly disclosed to the vendor. Two example vulnerable applications that we identified are Xiaomi Inc.’s File Manager (1B+ installs) and WPS Office (500M+ installs).

In Xiaomi Inc.’s File Manager, we were able to obtain arbitrary code execution in version V1-210567. After our disclosure, Xiaomi published version V1-210593, and we verified that the vulnerability has been addressed. In WPS Office, we were able to obtain arbitrary code execution in version 16.8.1. After our disclosure, WPS published and informed us that the vulnerability has been addressed as of version 17.0.0.

The potential impact varies depending on implementation specifics. For example, it’s very common for Android applications to read their server settings from the shared_prefs directory. In such cases, the malicious app can overwrite these settings, causing the vulnerable app to communicate with an attacker-controlled server and send the user’s authentication tokens or other sensitive information.

In a worst-case (and not so uncommon) scenario, the vulnerable application might load native libraries from its data directory (as opposed to the more secure /data/app-lib directory, where the libraries are protected from modification). In this case, the malicious application can overwrite a native library with malicious code that gets executed when the library is loaded. In the following section, we use Xiaomi Inc.’s File Manager to illustrate this case. We demonstrated the ability for a malicious application to overwrite the application’s shared preferences, write a native library to the application’s internal storage, and cause the application to load the library. These actions provided arbitrary code execution with the file manager’s user ID and permissions.

In the following sections, we focus on this case and delve into the technical details of this vulnerability pattern.

Case study: Xiaomi Inc.’s File Manager

Xiaomi Inc.’s File Manager is the default file manager application for Xiaomi devices and is published under the package name com.mi.android.globalFileexplorer on the Google Play Store, where it has been installed over one billion times.

Xiaomi’s File Manager profile according to Android rank
Figure 3. Xiaomi’s File Manager profile according to Android rank (source: File Manager)

Besides having full access to the device’s external storage, the application requests many permissions, including the ability to install other applications:

Screenshot of code displaying the app's permissions
Figure 4. A snapshot of the application’s permissions

Further, it offers a junk files cleaner plugin as well as the ability to connect to remote FTP and SMB shares:

Screenshot of using the file manager to connect to remote shares.
Figure 5. Connecting to remote shares using the file manager

Vulnerability assessment findings

During our investigation, we identified that the application exports the CopyFileActivity, an activity alias of the com.android.fileexplorer.activity.FileActivity, which is used to handle copy-from-to file operations:

Screenshot of the copy to CopyFileActivity event.
Figure 6. Triggering the copy to CopyFileActivity

Since this activity is exported, it can be triggered by any application installed on the same device by using an explicit intent of action SEND or SEND_MULTIPLE and attaching a content URI corresponding to a file stream.

Upon receiving such an intent, the browser performs a validity check, which we found to be insufficient:

Screenshot of code displaying the steps for validating an incoming copy file request.
Figure 7. Validating an incoming copy file request

As depicted above, the initCopyOrMoveIntent method calls the checkValid method passing as an argument a content URI (steps 1 and 2). However, the checkValid method is designed to handle a file path, not a content URI. It always returns true for a content URI. Instead, a safer practice is to parse the string as a URI, including ensuring the scheme is the expected value (in this case, file, not content).The checkValid method verifies that the copy or move operation doesn’t affect the private directory of the app, by initializing a file object using the incoming string as an argument to the File class constructor and comparing its canonical path with the path that corresponds to the home directory of the application (steps 3 and 4). Given a content URI as a path, the File constructor normalizes it (following a Unix file system normalization), thus the getCanonicalPath method returns a string starting with “/content:/“, which will always pass the validity check. More specifically, the app performs a query to the remote content provider for the _size, _display_name and _data columns (see line 48 below). Then it uses the values returned by these rows to initialize the fields of an object of the com.android.fileexplorer.mode.c class:

Screenshot of code getting file metadata from the remote content provider.
Figure 8. Getting file metadata from the remote content provider

Given the case that the _display_name and _data values, returned from the external file provider, are relative paths to the destination directory, after exiting from the method above, these class fields will contain values like the ones depicted below:

Screenshot of code displaying the file model initialized after calling method a
Figure 9. The file model initialized after calling the method a

As shown above, the paths (variables d and e) of this file-model point to files within the home directory of the application, thus the file streams attached to the incoming intent are going to be written under the specific locations.

Getting code execution

As previously mentioned, the application uses a plugin to clean the device’s junk files:

Screenshot of the junk files cleaner plugin user interface
Figure 10. The junk files cleaner plugin user interface

When the application loads this plugin, it makes use of two native libraries: libixiaomifileu.so, which fetches from the /data/app directory, and libixiaomifileuext.so from the home directory:

Screenshot of code displaying the loaded native libraries traced using medusa
Figure 11. Tracing the loaded native libraries using medusa

As apps don’t have write access to the /data/app folder, the libixiaomifileu.so file stored there cannot be replaced. The easiest way to get code execution is to replace the libixiaomifileuext.so with a malicious one. However, an attempt to do so would fail since in this particular case, the vulnerability that we described can only be used to write new files within the home directory, not overwrite existing files. Our next inquiry was to determine how the application loads the libixiaomifileu.so.

Our assessment showed that before the application loads this library, it follows the following steps:

  1. Calculate the hash of the file libixiaomifileu.so, located in the /data/app directory
  1. Compare this hash with the value assigned to the “libixiaomifileu.so_hm5” string, fetched from the com.mi.android.globalFileexprorer_preferences.xml file
Screenshot of code displaying the com.mi.android.globalFileexprorer_preferences.xml
Figure 12. the com.mi.android.globalFileexprorer_preferences.xml
  1. If the values don’t match, search for the libixiaomifileu.so file in the /files/lib path in the home directory
  1. If the file is found there, calculate its hash and compare it again with the value from the shared_preferences folder
  1. If the hashes match, load the file under the /files/lib using the System.load method

Given this behavior, in order to get code execution with the file manager’s user ID, an attacker must take the following steps:

  1. Use the path traversal vulnerability to save a malicious library as /files/lib/libixiaomifileu.so (the file does not already exist in that directory, so overwriting is not an issue)
  1. Calculate the hash of this library to replace the value of the libixiaomifileu.so_hm5 string
  1. Trigger the junk cleaner plugin with an explicit intent, since the activity that loads the native libraries is exported

An acute reader might have noticed that the second step requires the attacker to force the browser to overwrite the com.mi.android.globalFileexprorer_preferences.xml, which, as we already mentioned, was not possible.

To overcome this restriction, we referred to the actual implementation of the SharedPreferences class, where we found that when an Android application uses the getSharedPreferences API method to retrieve an instance of the SharedPreferences class, giving the name of the shared preferences file as an argument, then the constructor of the SharedPreferencesImpl class performs the following steps:

  1. Create a new file object using the name provided to the getSharedPreferences method, followed by the .xml extension, followed by the .bak extension
  1. Check if this file exists, and in case it does, delete the original xml file and replace it with the one created in the first step

Through this behavior, we were able to save the com.mi.android.globalFileexprorer_preferences.xml.bak under the shared preferences folder (as during the application’s runtime it is unlikely to exist), so when the app tried to verify the hash, the original xml file was already replaced by our own copy. After this point, by using a single intent to start the junk cleaner plugin, we were able to trick the application to load the malicious library instead of the one under the /data/app folder and get code execution with the browser’s user ID.

Impact

One reason we chose to use this app as a showcase is because the impact extends beyond the user’s mobile device. The application gives the option to connect to remote file shares using the FTP and SMB protocols and the user credentials are saved in clear text in the /data/data/com.mi.android.globalFileexplorer/files/rmt_i.properties file:

Screenshot of code displaying the SMB or FTP credentials being saved in clear text
Figure 13. SMB/FTP credentials saved in clear text

If a third party app was able to exploit this vulnerability and obtain code execution, an attacker could retrieve these credentials. The impact would then extend even further, since by the time that a user requests to open a remote share, the browser creates the directory /sdcard/Android/data/com.mi.android.globalFileexplorer/files/usbTemp/ where it saves the files that the user retrieves:

Screenshot of code displaying the SMB shared files saved in the external storage
Figure 14. SMB shared files, saved in the external storage

This means that a remote attacker would be able to read or write files to SMB shares of a local network, assuming that the device was connected to it. The same stands for FTP shares as they are handled exactly in the same way:

Screenshot of code displaying the FTP shared files saved in the external storage
Figure 15. FTP shared files, saved in the external storage

In summary, the exploitation flow is depicted in the figure below:

Diagram displaying how the attacker obtains remote access to local shares, as further detailed in text.
Figure 16. Getting remote access to local shares

In step 1, the user opens a malicious app that may pose as a file editor, messaging app, mail client, or any app in general and request the user to save a file. By the time that the user attempts to save such a file, no matter what destination path they choose to save it, the malicious app forces the file browser app to write it under its internal /files/lib folder. Then, the malicious app can start the junk cleaner using an explicit intent (no user interaction is required) and this will lead to code execution with the browser’s ID (step 2).

In step 3, the attacker uses the arbitrary code execution capability to retrieve the SMB and FTP credentials from the rmt_i.properties file. Subsequently, the attacker can now jump to step 5 and access the shares directly using the stolen credentials. Alternatively, after retrieving the share credentials, the mobile device can connect to a local network (step 4) and access an SMB or FTP share, allowing the attacker to access the shared files through the /sdcard/Android/data/com.mi.android.globalFileexplorer/files/usbTemp/ folder (step 5).

Recommendations

Recognizing that this vulnerability pattern may be widespread, we shared our findings with Google’s Android Application Security Research team. We collaborated with Google to author guidance for Android application developers to help them recognize and avoid this pattern. We recommend developers and security analysts familiarize themselves with the excellent Android application security guidance provided by Google as well as make use of the Android Lint tool included with the Android SDK and integrated with Android Studio (supplemented with Google’s additional security-focused checks) to identify and avoid potential vulnerabilities. GitHub’s CodeQL also provides capabilities to identify vulnerabilities.

To prevent these issues, when handling file streams sent by other applications, the safest solution is to completely ignore the name returned by the remote file provider when caching the received content. Some of the most robust approaches we encountered use randomly generated names, so even in the case that the content of an incoming stream is malformed, it won’t tamper with the application.

In cases where such an approach is not feasible, developers need to take extra steps to ascertain that the cached file is written to a dedicated directory. As an incoming file stream is usually identified by a content URI, the first step is to reliably identify and sanitize the corresponding filename. Besides filtering characters that may lead to a path traversal and before performing any write operation, developers must verify that the cached file is within the dedicated directory by performing a call to the File.getCanonicalPath and validating the prefix of the returned value.

Another area to safeguard is in the way developers try to extract a filename from a content URI. Developers often use Uri.getLastPathSegment(), which returns the (URL) decoded value of the last path URI segment. An attacker can craft a URI with URL encoded characters within this segment, including characters used for path traversal. Using the returned value to cache a file can again render the application vulnerable to this type of attack.

For end users, we recommend keeping mobile applications up to date through the Google Play Store (or other appropriate trusted source) to ensure that updates addressing known vulnerabilities are installed. Users should only install applications from trusted sources to avoid potentially malicious applications. We recommend users who accessed SMB or FTP shares through the Xiaomi app before updates to reset credentials and to investigate for any anomalous behavior. Microsoft Defender for Endpoint on Android can alert users and enterprises to malicious applications, and Microsoft Defender Vulnerability Management can identify installed applications with known vulnerabilities.

Dimitrios Valsamaras

Microsoft Threat Intelligence

References

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post “Dirty stream” attack: Discovering and mitigating a common vulnerability pattern in Android apps appeared first on Microsoft Security Blog.

]]>
Threat actors misuse OAuth applications to automate financially driven attacks http://approjects.co.za/?big=en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/ Tue, 12 Dec 2023 18:00:00 +0000 Microsoft Threat Intelligence presents cases of threat actors misusing OAuth applications as automation tools in financially motivated attacks.

The post Threat actors misuse OAuth applications to automate financially driven attacks appeared first on Microsoft Security Blog.

]]>
Threat actors are misusing OAuth applications as an automation tool in financially motivated attacks. OAuth is an open standard for token-based authentication and authorization that enables applications to get access to data and resources based on permissions set by a user. Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious activity. The misuse of OAuth also enables threat actors to maintain access to applications even if they lose access to the initially compromised account.

In attacks observed by Microsoft Threat Intelligence, threat actors launched phishing or password spraying attacks to compromise user accounts that did not have strong authentication mechanisms and had permissions to create or modify OAuth applications. The threat actors misused the OAuth applications with high privilege permissions to deploy virtual machines (VMs) for cryptocurrency mining, establish persistence following business email compromise (BEC), and launch spamming activity using the targeted organization’s resources and domain name.

Microsoft continuously tracks attacks that misuse of OAuth applications for a wide range of malicious activity. This visibility enhances the detection of malicious OAuth applications via Microsoft Defender for Cloud Apps and prevents compromised user accounts from accessing resources via Microsoft Defender XDR and Microsoft Entra Identity Protection. In this blog post, we present cases where threat actors compromised user accounts and misused OAuth applications for their financially driven attacks, outline recommendations for organizations to mitigate such attacks, and provide detailed information on how Microsoft detects related activity:

OAuth applications to deploy VMs for cryptomining

Microsoft observed the threat actor tracked as Storm-1283 using a compromised user account to create an OAuth application and deploy VMs for cryptomining. The compromised account allowed Storm-1283 to sign in via virtual private network (VPN), create a new single-tenant OAuth application in Microsoft Entra ID named similarly as the Microsoft Entra ID tenant domain name, and add a set of secrets to the application. As the compromised account had an ownership role on an Azure subscription, the actor also granted Contributor’ role permission for the application to one of the active subscriptions using the compromised account.

The actor also leveraged existing line-of-business (LOB) OAuth applications that the compromised user account had access to in the tenant by adding an additional set of credentials to those applications. The actor initially deployed a small set of VMs in the same compromised subscriptions using one of the existing applications and initiated the cryptomining activity. The actor then later returned to deploy more VMs using the new application. Targeted organizations incurred compute fees ranging from 10,000 to 1.5 million USD from the attacks, depending on the actor’s activity and duration of the attack.

Storm-1283 looked to maintain the setup as long as possible to increase the chance of successful cryptomining activity. We assess that, for this reason, the actor used the naming convention [DOMAINNAME]_[ZONENAME]_[1-9] (the tenant name followed by the region name) for the VMs to avoid suspicion.  

A diagram of Storm-1283's attack chain involving the creation of VMs for cryptocurrency mining.
Figure 1. OAuth application for cryptocurrency mining attack chain

One of the ways to recognize the behavior of this actor is to monitor VM creation in Azure Resource Manager audit logs and look for the activity “Microsoft.Compute/virtualMachines/write” performed by an OAuth application. While the naming convention used by the actor may change in time, it may still include the domain name or region names like “east|west|south|north|central|japan|france|australia|canada|korea|uk|poland|brazil

Microsoft Threat Intelligence analysts were able to detect the threat actor’s actions and worked with the Microsoft Entra team to block the OAuth applications that were part of this attack. Affected organizations were also informed of the activity and recommended further actions.

OAuth applications for BEC and phishing

In another attack observed by Microsoft, a threat actor compromised user accounts and created OAuth applications to maintain persistence and to launch email phishing activity. The threat actor used an adversary-in-the-middle (AiTM) phishing kit to send a significant number of emails with varying subject lines and URLs to target user accounts in multiple organizations. In AiTM attacks, threat actors attempt to steal session tokens from their targets by sending phishing emails with a malicious URL that leads to a proxy server that facilitates a genuine authentication process.

A screenshot of a phishing email sent by the threat actor.
Figure 2. Snippet of sample phishing email sent by the threat actor

We observed the following email subjects used in the phishing emails:

  • <Username> shared “<Username> contracts” with you.
  • <Username> shared “<User domain>” with you.
  • OneDrive: You have received a new document today
  • <Username> Mailbox password expiry
  • Mailbox password expiry
  • <Username> You have Encrypted message
  • Encrypted message received

After the targets clicked the malicious URL in the email, they were redirected to the Microsoft sign-in page that was proxied by the threat actor’s proxy server. The proxy server set up by the threat actor allowed them to steal the token from the user’s session cookie. Later, the stolen token was leveraged to perform session cookie replay activity. Microsoft was able to confirm during further investigation that the compromised user account was flagged for risky sign-ins when the account was used to sign in from an unfamiliar location and from an uncommon user agent.

For persistence following business email compromise

In some cases, following the stolen session cookie replay activity, the actor leveraged the compromised user account to perform BEC financial fraud reconnaissance by opening email attachments in Microsoft Outlook Web Application (OWA) that contain specific keywords such as paymentandinvoice”. This action typically precedes financial fraud attacks where the threat actor seeks out financial conversations and attempts to socially engineer one party to modify payment information to an account under attacker control.

A diagram of the attack chain wherein the threat actor uses OAuth applications following BEC.
Figure 3. Attack chain for OAuth application misuse following BEC

Later, to maintain persistence and carry out malicious actions, the threat actor created an OAuth application using the compromised user account. The actor then operated under the compromised user account session to add new credentials to the OAuth application.  

For email phishing activity

In other cases, instead of performing BEC reconnaissance, the threat actor created multitenant OAuth applications following the stolen session cookie replay activity. The threat actor used the OAuth applications to maintain persistence, add new credentials, and then access Microsoft Graph API resource to read emails or send phishing emails.

A diagram of the attack chain wherein the threat actor misuses OAuth applications to send phishing emails.
Figure 4. Attack chain for OAuth application misuse for phishing

At the time of analysis, we observed that threat actor created around 17,000 multitenant OAuth applications across different tenants using multiple compromised user accounts. The created applications mostly had two different sets of application metadata properties, such as display name and scope:

  • Malicious multitenant OAuth applications with the display name set as “oauth” were granted permissions “user.read; mail.readwrite; email; profile; openid; mail.read; people.read” and access to Microsoft Graph API and read emails.
  • Malicious multitenant OAuth applications with the display name set as “App” were granted permissions “user.read; mail.readwrite; email; profile; openid; mail.send” and access to Microsoft Graph API to send high volumes of phishing emails to both intra-organizational and external organizations.
A screenshot of the phishing email sent by the threat actor.
Figure 5. Sample phishing email sent by the malicious OAuth application

In addition, we observed that the threat actor, before using the OAuth applications to send phishing emails, leveraged the compromised user accounts to create inbox rules with suspicious rule names like “…” to move emails to the junk folder and mark them as read. This is to evade detection by the compromised user that the account was used to send phishing emails.

A screenshot of the inbox rule created by the threat actor.
Figure 6. Inbox rule created by the threat actor using the compromised user account

Based on the email telemetry, we observed that the malicious OAuth applications created by the threat actor sent more than 927,000 phishing emails. Microsoft has taken down all the malicious OAuth applications found related to this campaign, which ran from July to November 2023.

OAuth applications for spamming activity

Microsoft also observed large-scale spamming activity through OAuth applications by a threat actor tracked as Storm-1286. The actor launched password spraying attacks to compromise user accounts, the majority of which did not have multifactor authentication (MFA) enabled. We also observed the user agent BAV2ROPC in the sign-in activities related to the compromised accounts, which indicated the use of legacy authentication protocols such as IMAP and SMTP that do not support MFA.

We observed the actor using the compromised user accounts to create anywhere from one to three new OAuth applications in the targeted organization using Azure PowerShell or a Swagger Codegen-based client. The threat actor then granted consent to the applications using the compromised accounts. These applications were set with permissions like email, profile, openid, Mail.Send, User.Read and Mail.Read, which allowed the actor to control the mailbox and send thousands of emails a day using the compromised user account and the organization domain. In some cases, the actor waited for months after the initial access and setting up of OAuth applications before starting the spam activity using the applications. The actor also used legitimate domains to avoid phishing and spamming detectors.

A diagram of the attack chain wherein Storm-1286 misuses OAuth applications for a large-scale spam attack.
Figure 7. Attack chain for large-scale spam using OAuth applications

In previous large-scale spam activities, we observed threat actors attempting to compromise admin accounts without MFA and create new LOB applications with high administrative permissions to abuse Microsoft Exchange Online and spread spam. While the activity of the actor then was limited due to actions taken by Microsoft Threat Intelligence such as blocking clusters of the OAuth applications in the past, Storm-1286 continues to try new ways to set a similar high-scale spamming platform in victim organizations by using non-privileged users.

Mitigation steps

Microsoft recommends the following mitigations to reduce the impact of these types of threats.

Mitigate credential guessing attacks risks

A key step in reducing the attack surface is securing the identity infrastructure. The most common initial access vector observed in this attack was account compromise through credential stuffing, phishing, and reverse proxy (AiTM) phishing. In most cases the compromised accounts did not have MFA enabled. Implementing security practices that strengthen account credentials such as enabling MFA reduced the chance of attack dramatically.

Enable conditional access policies

Conditional access policies are evaluated and enforced every time the user attempts to sign in. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies for User and Sign-in Risk, device compliance and trusted IP address requirements. If your organization has a Microsoft-Managed Conditional Access policy, make sure it is enforced.

Ensure continuous access evaluation is enabled

Continuous access evaluation (CAE) revokes access in real time when changes in user conditions trigger risks, such as when a user is terminated or moves to an untrusted location.

Enable security defaults

While some of the features mentioned above require paid subscriptions, the security defaults in Azure AD, which is mainly for organizations using the free tier of Azure Active Directory licensing, are sufficient to better protect the organizational identity platform, as they provide preconfigured security settings such as MFA, protection for privileged activities, and others.

Enable Microsoft Defender automatic attack disruption

Microsoft Defender automatic attack disruption capabilities minimize lateral movement and curbs the overall impact of an attack in its initial stages.

Audit apps and consented permissions

Audit apps and consented permissions in your organization ensure applications are only accessing necessary data and adhering to the principles of least privilege. Use Microsoft Defender for Cloud Apps and its app governance add-on for expanded visibility into cloud activity in your organization and control over applications that access your Microsoft 365 data. 

Educate your organization on application permissions and data accessible by applications with respective permissions to identify malicious apps. 

Enhance suspicious OAuth application investigation with the recommended approach to investigate and remediate risky OAuth apps.

Enable “Review admin consent requests” for forcing new applications review in the tenant.

In addition to the recommendations above, Microsoft has published incident response playbooks for App consent grant investigation and compromised and malicious applications investigation that defenders can use to respond quickly to related threats.

Secure Azure Cloud resources

Deploy MFA to all users, especially for tenant administrators and accounts with Azure VM Contributor privileges. Limit unused quota and monitor for unusual quota increases in your Azure subscriptions, with an emphasis on the resource’s originating creation or modification. Monitor for unexpected sign-in activity from IP addresses associated with free VPN services on high privilege accounts. Connect Microsoft Defender for Cloud Apps connector to ARM or use Microsoft Defender for ARM

With the rise of hybrid work, employees might use their personal or unmanaged devices to access corporate resources, leading to an increased possibility of token theft. To mitigate this risk, organizations can enhance their security measures by obtaining complete visibility into their users’ authentication methods and locations. Refer to the comprehensive blog post Token tactics: How to prevent, detect, and respond to cloud token theft. 

Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Defender for Office 365 to recheck links upon time of click and delete sent mail in response to newly acquired threat intelligence. Turn on Safe Attachments policies to check attachments in inbound emails. 

Detections for related techniques

Leveraging its cross-signal capabilities, Microsoft Defender XDR alerts customers using Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, Application governance add-on, Microsoft Defender for Cloud, and Microsoft Entra ID Protection to detect the techniques covered in the attack through the attack chain. Each product can provide a different aspect for protection to cover the techniques observed in this attack:

Microsoft Defender XDR

Microsoft Defender XDR detects threat components associated with the following activities:

  • User compromised in AiTM phishing attack
  • User compromised via a known AiTM phishing kit
  • BEC financial fraud-related reconnaissance
  • BEC financial fraud

Microsoft Defender for Cloud Apps

Using Microsoft Defender for Cloud Apps connectors for Microsoft 365 and Azure, Microsoft Defender XDR raises the following alerts:

  • Stolen session cookie was used
  • Activity from anonymous IP address
  • Activity from a password-spray associated IP address
  • User added or updated a suspicious OAuth app
  • Risky user created or updated an app that was observed creating a bulk of Azure virtual machines in a short interval
  • Risky user updated an app that accessed email and performed email activity through Graph API
  • Suspicious creation of OAuth app by compromised user
  • Suspicious secret addition to OAuth app followed by creation of Azure virtual machines
  • Suspicious OAuth app creation
  • Suspicious OAuth app email activity through Graph API
  • Suspicious OAuth app-related activity by compromised user
  • Suspicious user signed into a newly created OAuth app
  • Suspicious addition of OAuth app permissions
  • Suspicious inbox manipulation rule
  • Impossible travel activity
  • Multiple failed login attempts

App governance

App governance is an add-on to Microsoft Defender for Cloud Apps, which can detect malicious OAuth applications that make sensitive Exchange Online administrative activities along with other threat detection alerts. Activity related to this campaign triggers the following alerts:

  • Entra Line-of-Business app initiating an anomalous spike in virtual machine creation
  • OAuth app with high scope privileges in Microsoft Graph was observed initiating virtual machine creation
  • Suspicious OAuth app used to send numerous emails

To receive this alert, turn on app governance for Microsoft Defender for Cloud Apps.

Microsoft Defender for Office 365

Microsoft Defender for Office 365 detects threat activity associated with this spamming campaign through the following email security alerts. Note, however, that these alerts may also be triggered by unrelated threat activity. We’re listing them here because we recommend that these alerts be investigated and remediated immediately.

  • A potentially malicious URL click was detected
  • A user clicked through to a potentially malicious URL
  • Suspicious email sending patterns detected
  • User restricted from sending email
  • Email sending limit exceeded

Microsoft Defender for Cloud

Microsoft Defender for Cloud detects threat components associated with the activities outlined in this article with the following alerts:

  • Azure Resource Manager operation from suspicious proxy IP address
  • Crypto-mining activity
  • Digital currency mining activity
  • Suspicious Azure role assignment detected
  • Suspicious creation of compute resources detected
  • Suspicious invocation of a high-risk ‘Execution’ operation by a service principal detected
  • Suspicious invocation of a high-risk ‘Execution’ operation detected
  • Suspicious invocation of a high-risk ‘Impact’ operation by a service principal detected

Microsoft Entra Identity Protection

Microsoft Entra Identity Protection detects the threats described with the following alerts:

  • Anomalous Token
  • Unfamiliar sign-in properties
  • Anonymous IP address
  • Verified threat actor IP
  • Atypical travel

Hunting guidance

Microsoft 365 Defender

Microsoft 365 Defender customers can run the following query to find related activity in their networks:

OAuth application interacting with Azure workloads

let OAuthAppId = <OAuth app ID in question>;
CloudAppEvents
| where Timestamp >ago (7d)  
| where AccountId == OAuthAppId 
| where AccountType== "Application"
| extend Azure_Workloads = RawEventData["operationName"]
| distinct Azure_Workloads by AccountId

Password spray attempts

This query identifies failed sign-in attempts to Microsoft Exchange Online from multiple IP addresses and locations.

IdentityLogonEvents
| where Timestamp > ago(3d)
| where ActionType == "LogonFailed" and LogonType == "OAuth2:Token" and Application == "Microsoft Exchange Online"
| summarize count(), dcount(IPAddress), dcount(CountryCode) by AccountObjectId, AccountDisplayName, bin(Timestamp, 1h)

Suspicious application creation

This query finds new applications added in your tenant.

CloudAppEvents
| where ActionType in ("Add application.", "Add service principal.")
| mvexpand modifiedProperties = RawEventData.ModifiedProperties
| where modifiedProperties.Name == "AppAddress"
| extend AppAddress = tolower(extract('\"Address\": \"(.*)\",',1,tostring(modifiedProperties.NewValue)))
| mvexpand ExtendedProperties = RawEventData.ExtendedProperties
| where ExtendedProperties.Name == "additionalDetails"
| extend OAuthApplicationId = tolower(extract('\"AppId\":\"(.*)\"',1,tostring(ExtendedProperties.Value)))
| project Timestamp, ReportId, AccountObjectId, Application, ApplicationId, OAuthApplicationId, AppAddress

Suspicious email events

NOTE: These queries need to be updated with timestamps related to application creation time before running.

//Identify High Outbound Email Sender
EmailEvents 
| where Timestamp between (<start> .. <end>) //Timestamp from the app creation time to few hours upto 24 hours or more 
| where EmailDirection in ("Outbound") 
| project
    RecipientEmailAddress,
    SenderFromAddress,
    SenderMailFromAddress,
    SenderObjectId,
    NetworkMessageId 
| summarize
    RecipientCount = dcount(RecipientEmailAddress),
    UniqueEmailSentCount = dcount(NetworkMessageId)
    by SenderFromAddress, SenderMailFromAddress, SenderObjectId
| sort by UniqueEmailSentCount desc 
//| where UniqueEmailSentCount > <threshold> //Optional, return only if the sender sent more than the threshold
//| take 100 //Optional, return only top 100
 
//Identify Suspicious Outbound Email Sender
EmailEvents 
//| where Timestamp between (<start> .. <end>) //Timestamp from the app creation time to few hours upto 24 hours or more 
| where EmailDirection in ("Outbound") 
| project
    RecipientEmailAddress,
    SenderFromAddress,
    SenderMailFromAddress,
    SenderObjectId, 
    DetectionMethods,
    NetworkMessageId 
| summarize
    RecipientCount = dcount(RecipientEmailAddress),
    UniqueEmailSentCount = dcount(NetworkMessageId),
    SuspiciousEmailCount = dcountif(NetworkMessageId,isnotempty(DetectionMethods))
    by SenderFromAddress, SenderMailFromAddress, SenderObjectId
| extend SuspiciousEmailPercentage = SuspiciousEmailCount/UniqueEmailSentCount * 100 //Calculate the percentage of suspicious email compared to all email sent
| sort by SuspiciousEmailPercentage desc 
//| where UniqueEmailSentCount > <threshold> //Optional, return only if the sender suspicious email percentage is more than the threshold
//| take 100 //Optional, return only top 100

//Identify Recent Emails Sent by Restricted Email Sender
AlertEvidence
| where Title has "User restricted from sending email"
| project AccountObjectId //Identify the user who are restricted to send email
| join EmailEvents on $left.AccountObjectId == $right.SenderObjectId //Join information from Alert Evidence and Email Events
| project
    Timestamp,
    RecipientEmailAddress,
    SenderFromAddress,
    SenderMailFromAddress,
    SenderObjectId,
    SenderIPv4,
    Subject,
    UrlCount,
    AttachmentCount,
    DetectionMethods,
    AuthenticationDetails, 
    NetworkMessageId
| sort by Timestamp desc 
//| take 100 //Optional, return only first 100

BEC recon and OAuth application activity

//High and Medium risk SignIn activity
AADSignInEventsBeta
| where Timestamp >ago (7d)
| where ErrorCode==0
| where RiskLevelDuringSignIn >= 50
| project
    AccountUpn,
    AccountObjectId,
    SessionId,
    RiskLevelDuringSignIn,
    ApplicationId,
    Application

//Oauth Application creation or modification by user who has suspicious sign in activities
AADSignInEventsBeta
| where Timestamp >ago (7d)
| where ErrorCode == 0
| where RiskLevelDuringSignIn >= 50
| project SignInTime=AccountUpn, AccountObjectId, SessionId, RiskLevelDuringSignIn, ApplicationId, Application
| join kind=leftouter (CloudAppEvents | where Timestamp > ago(7d)
| where ActionType in ("Add application.", "Update application.", "Update application – Certificates and secrets management ")
| extend appId = tostring(parse_json(RawEventData.Target[4].ID))
| project
    Timestamp,
    ActionType,
    Application,
    ApplicationId,
    UserAgent,
    ISP,
    AccountObjectId,
    AppName=ObjectName,
    OauthApplicationId=appId,
    RawEventData ) on AccountObjectId
| where isnotempty(ActionType)

 
//Suspicious BEC reconnaisance activity 
let bec_keywords = pack_array("payment", "receipt", "invoice", "inventory"); 
let reconEvents = 
    CloudAppEvents
    | where Timestamp >ago (7d)
    | where ActionType in ("MailItemsAccessed", "Update")
    | where AccountObjectId in ("<Impacted AccountObjectId>")
    | extend SessionId = tostring(parse_json(RawEventData.SessionId))
    | project
        Timestamp,
        ActionType,
        AccountObjectId,
        UserAgent,
        ISP,
        IPAddress,
        SessionId,
        RawEventData;
reconEvents;
let updateActions = reconEvents
    | where ActionType == "Update" 
    | extend Subject=tostring(RawEventData["Item"].Subject)
    | where isnotempty(Subject)
    | where Subject has_any (bec_keywords)
    | summarize UpdateCount=count() by bin (Timestamp, 15m), Subject, AccountObjectId, SessionId, IPAddress;
updateActions;
let mailItemsAccessedActions = reconEvents 
    | where ActionType == "MailItemsAccessed" 
    | extend OperationCount = toint(RawEventData["OperationCount"])
    | summarize TotalCount = sum(OperationCount) by bin (Timestamp, 15m), AccountObjectId, SessionId, IPAddress;
mailItemsAccessedActions;
 
//SignIn to newly created app within Risky Session
AADSignInEventsBeta
| where Timestamp >ago (7d) 
| where AccountObjectId in ("<Impacted AccountObjectId>") and 
SessionId in ("<Risky Session Id>")
| where ApplicationId in ("<Oauth appId>") // Recently added or modified App Id
| project
    AccountUpn,
    AccountObjectId,
    ApplicationId,
    Application,
    SessionId,
    RiskLevelDuringSignIn,
    RiskLevelAggregated,
    Country

// To check suspicious Mailbox rules
CloudAppEvents
| where Timestamp between (start .. end) //Timestamp from the app creation time to few hours, usually before spam emails sent
| where AccountObjectId in ("<Impacted AccountObjectId>")
| where Application == "Microsoft Exchange Online"
| where ActionType in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox", "Set-TransportRule", "New-TransportRule", "Enable-InboxRule", "UpdateInboxRules")
| where isnotempty(IPAddress)
| mvexpand ActivityObjects
| extend name = parse_json(ActivityObjects).Name
| extend value = parse_json(ActivityObjects).Value
| where name == "Name"
| extend RuleName = value 
| project Timestamp, ReportId, ActionType, AccountObjectId, IPAddress, ISP, RuleName

// To check any suspicious Url clicks from emails before risky signin by the user
UrlClickEvents
| where Timestamp between (start .. end) //Timestamp around time proximity of Risky signin by user
| where AccountUpn has "<Impacted User’s UPN or Email address>" and ActionType has "ClickAllowed"
| project Timestamp,Url,NetworkMessageId

// To fetch the suspicious email details
EmailEvents
| where Timestamp between (start .. end) //Timestamp lookback to be increased gradually to find the email received
| where EmailDirection has "Inbound"
| where RecipientEmailAddress has "<Impacted User’s UPN or Email address>" and NetworkMessageId == "<NetworkMessageId from UrlClickEvents>"
| project SenderFromAddress,SenderMailFromAddress,SenderIPv4,SenderFromDomain, Subject,UrlCount,AttachmentCount
    
    
// To check if suspicious emails sent for spamming (with similar email subjects, urls etc.)
EmailEvents
| where Timestamp between (start .. end) //Timestamp from the app creation time to few hours upto 24 hours or more
| where EmailDirection in ("Outbound","Intra-org")
| where SenderFromAddress has "<Impacted User’s UPN or Email address>"  or SenderMailFromAddress has "<Impacted User’s UPN or Email address>"
| project RecipientEmailAddress,RecipientObjectId,SenderIPv4,SenderFromDomain, Subject,UrlCount,AttachmentCount,NetworkMessageId

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Analytic rules:

Hunting queries:

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Threat actors misuse OAuth applications to automate financially driven attacks appeared first on Microsoft Security Blog.

]]>
Star Blizzard increases sophistication and evasion in ongoing attacks http://approjects.co.za/?big=en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/ Thu, 07 Dec 2023 12:01:00 +0000 Microsoft Threat Intelligence continues to track and disrupt malicious activity attributed to a Russian state-sponsored actor we track as Star Blizzard, who has continuously improved their detection evasion capabilities while remaining focused on email credential theft against targets.

The post Star Blizzard increases sophistication and evasion in ongoing attacks appeared first on Microsoft Security Blog.

]]>

January 2025 update – In mid-November 2024, Star Blizzard was observed shifting their tactics, techniques, and procedures (TTPs), likely in response to the exposure of their TTPs by Microsoft Threat Intelligence and other organizations. Learn more about our observations and findings in this Microsoft Threat Intelligence blog post: New Star Blizzard spear-phishing campaign targets WhatsApp accounts.

October 2024 update – Microsoft’s Digital Crimes Unit (DCU) is disrupting the technical infrastructure used by Star Blizzard. We have updated this blog with the latest observed Star Blizzard tactics, techniques, and procedures (TTPs).

Microsoft Threat Intelligence continues to track and disrupt malicious activity attributed to a Russian nation-state actor we call Star Blizzard. Star Blizzard has continuously improved their detection evasion capabilities while remaining focused on email credential theft against the same targets. Star Blizzard, whose activities we assess to have historically supported both espionage and cyber influence objectives, continues to prolifically target individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests. Microsoft continues to refine and deploy protections against Star Blizzard’s evolving spear-phishing tactics.

Microsoft is grateful for the collaboration on investigating Star Blizzard compromises with the international cybersecurity community, including our partners at the UK National Cyber Security Centre, the US National Security Agency Cybersecurity Collaboration Center, and the US Federal Bureau of Investigation.

This blog provides updated technical information about Star Blizzard tactics, techniques, and procedures (TTPs), building on our 2022 blog as the threat actor continues to refine their tradecraft to evade detection. As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the necessary information to secure their accounts.

Star Blizzard TTPs observed in 2024

Star Blizzard persistently introduces new techniques to avoid detection. These TTPs are employed for brief periods and are either modified or abandoned once they become publicly known.

Microsoft has identified the following evasive techniques used by Star Blizzard in campaigns in 2024:

  • Use of multiple registrars to register domain infrastructure
  • Use of multiple link-shortening services and legitimate websites with open redirects, to hide actor-registered domains
  • Use of altered legitimate email templates as spear-phishing lures

Using multiple registrars to register domain infrastructure

In December 2023, we highlighted that Star Blizzard was using the registrar NameCheap to register their domain infrastructure. As CitizenLab reported (August 2024), the threat actor has also used Hostinger to register domains used in the infrastructure for email credential theft.

Microsoft can confirm that in 2024 Star Blizzard transitioned from their long-standing practice of primarily using a single domain name registrar. Among the registrars seen used by Star Blizzard in 2024 are the following:

  • Hostinger
  • RealTime Register
  • GMO Internet

A list of recent domain names registered by Star Blizzard can be found at the end of this report.

Since August 2024, Star Blizzard has made substantial changes in the methods they employ to redirect targets to their virtual private server (VPS) infrastructure, on which Evilginx is installed and then used to facilitate credential theft.

In December 2023, we detailed the threat actor’s use of email marketing platforms to prevent the need to embed the actor-registered domains in their spear-phishing emails. This technique was abandoned in early 2024, with the threat actor transitioning first to hosting the initial redirector website on shared infrastructure. Since August 2024, Star Blizzard has added multiple layers of redirection to their VPS infrastructure, utilizing various link-shortening services and legitimate websites that can be used as open redirectors.

For example, in a recent spear-phishing email that was sent from an actor-controlled Outlook account, we found that the threat actor had embedded an initial link, which was created using the Microsoft 365 Safe Links into the attached PDF lure. The Safe Links URL could only be generated by sending an email between actor-controlled accounts with the link in the body. The actor then copied that generated Safe Links URL to use in their attack.   

text
Figure 1. Initial link in a spear-phishing campaign by Star Blizzard embedded in a PDF file

This link redirected to a shortened URL created using the Bitly link-shortening service, which resolved to another shortened URL created using the Cuttly link-shortening service. The second shortened URL redirected to a legitimate website, used as an open redirector, which ultimately redirected to the first actor-controlled domain.

The website mechengsys[.]net was hosted on shared infrastructure at Hostinger and performed various filtering actions until ultimately redirecting to an actor-controlled VPS installed with Evilginx, resolving the domain vidmemax[.]com.

diagram
Figure 2. Chain of redirection from initial link to the Star Blizzard-controlled domain

Use of altered legitimate email templates as spear-phishing lures

For a brief period between July and August 2024, the threat actor utilized spear-phishing lures that did not contain or redirect to PDF lures embedded with links that redirected to actor-controlled infrastructure. Instead, Star Blizzard sent targets an altered OneDrive file share notification that included a clickable link to a malicious URL. When clicked, the link would initiate redirection to actor-controlled infrastructure. We observed Star Blizzard using this approach in spear-phishing attacks against its traditional espionage targets, including individuals associated with politics and diplomacy, NGOs, and think tanks.

diagram
Figure 3. The attack chain used in Star Blizzard’s 2024 spear-phishing lure campaign

In this approach, the threat actor began by creating a new email account, usually a Proton account, intended to impersonate a trusted sender so the recipient would be more likely to open the phishing email. The actor then stored a benign PDF or Word file in a cloud file-hosting service (for example, when targeting Microsoft customers, OneDrive) and shared the file with the newly created email account. The threat actor edited the HTML of the email, changing the displayed sender name and the URL behind the “Open” button that would otherwise lead back to the OneDrive-hosted file so that it directed to the Evilginx redirector domain instead.  

Star Blizzard then sent the spear-phishing email to the target. When the “Open” button was clicked, it directed the user to the redirector domain, which, after performing filtering based on browser fingerprinting and additional methods, directed the target to an actor-controlled Virtual Private Server (VPS) with the Evilginx installation. The Evilginx server allowed Star Blizzard to perform an adversary-in-the-middle (AiTM) attack on an authentication session to an email provider, enabling the actor to receive the necessary information to perform subsequent sign-ins to the target’s email account, including the username, password, and MFA token, if MFA is used by the target.

graphical user interface, text, application
Figure 4. Star Blizzard spear-phishing lure

TTPs used in past Star Blizzard campaigns

Microsoft observed Star Blizzard using the following TTPs in campaigns before 2024, highlighting continuously evolving techniques used by the threat actor to evade detection:

  • Use of server-side scripts to prevent automated scanning of actor-controlled infrastructure
  • Use of email marketing platform services to hide true email sender addresses and obviate the need for including actor-controlled domain infrastructure in email messages
  • Use of a DNS provider to obscure the IP addresses of actor-controlled virtual private server (VPS) infrastructure. Once notified, the DNS provider took action to mitigate actor-controlled domains abusing their service.
  • Password-protected PDF lures or links to cloud-based file-sharing platforms where PDF lures are hosted
  • Shift to a more randomized domain generation algorithm (DGA) for actor-registered domains

Use of server-side scripts to prevent automated scanning

Between April 2023 and December 2023, we observed Star Blizzard gradually moving away from using hCaptcha servers as the sole initial filter to prevent automatic scanning of their Evilginx server infrastructure. Redirection was still performed by an actor-controlled server, first executing JavaScript code (titled “Collect and Send User Data”) before redirecting the browsing session to the Evilginx server.

Shortly after, in May 2023, the threat actor was observed refining the JavaScript code, resulting in an updated version (titled “Docs”), which is still in use today.

This capability collects various information from the browser performing the browsing session to the redirector server. The code contains three main functions:

  • pluginsEmpty(): This function checks if the browser has any plugins installed.
A screenshot of code for a function that checks if the browser has any plugins installed
  • isAutomationTool(): This function checks for various indicators that the page is being accessed by an automation tool (such as Selenium, PhantomJS, or Nightmare) and returns an object with information about the detected tools.
A screenshot of code for a function that checks for various indicators that the page is being accessed by an automation tool and returns an object with information about the detected tools.
  • sendToBackend(data): This function sends the data collected by isAutomationTool() to the server using a POST request. If the server returns a response, the message in the response is executed using eval().
A screenshot of code for a function that sends the data collected by isAutomationTool() to the server using a POST request.

Following the POST request, the redirector server assessed the data collected from the browser and decided whether to allow continued browser redirection.

When a good verdict is reached, the browser received a response from the redirection server, redirecting to the next stage of the chain, which is either an hCaptcha for the user to solve, or direct to the Evilginx server.

A bad verdict resulted in the receipt of an HTTP error response and no further redirection.

Screenshot of code depicting the POST request and server response
Figure 5. Content of POST request and server response using “Collect and Send User Data” JavaScript

Use of email marketing platform services

We previously observed Star Blizzard using two different services, HubSpot and MailerLite. The actor used these services to create an email campaign, which provided them with a dedicated subdomain on the service that is then used to create URLs. These URLs acted as the entry point to a redirection chain ending at actor-controlled Evilginx server infrastructure. The services also provided the user with a dedicated email address per configured email campaign, which the threat actor has been seen to use as the “From” address in their campaigns.

Most Star Blizzard HubSpot email campaigns have targeted multiple academic institutions, think tanks, and other research organizations using a common theme, aimed at obtaining their credentials for a US grants management portal. We assess that this use-case of the HubSpot mailing platform was to allow the threat actor to track large numbers of identical messages sent to multiple recipients. Note should be taken to the “Reply-to” address in these emails, which is required by the HubSpot platform to be an actual in-use account. All the sender accounts in the following examples were dedicated threat actor-controlled accounts.

Three screenshots of themed spear-phishing email headers for a US grants management portal
Figure 6. Examples of themed spear-phishing email headers

Other HubSpot campaigns have been observed using the campaign URL embedded in an attached PDF lure or directly in the email body to perform redirection to actor-controlled Evilginx server infrastructure configured for email account credential theft. We assess that in these cases, the HubSpot platform was used to remove the need for including actor-controlled domain infrastructure in the spear-phishing emails and better evade detection based on indicators of compromise (IOC).

Figure 7. Example of victim redirection chain using initial HubSpot URL

Star Blizzard’s use of the MailerLite platform is similar to the second HubSpot tactic described above, with the observed campaign URL redirecting to actor-controlled infrastructure purposed for email credential theft.

Use of a DNS provider to resolve actor-controlled domain infrastructure

In December 2022, we began to observe Star Blizzard using a domain name service (DNS) provider that also acts as a reverse proxy server to resolve actor-registered domain infrastructure. As of May 2023, most Star Blizzard registered domains associated with their redirector servers use a DNS provider to obscure the resolving IP addresses allocated to their dedicated VPS infrastructure.

We have yet to observe Star Blizzard utilizing a DNS provider to resolve domains used on Evilginx servers.

Star Blizzard has been observed sending password-protected PDF lures in an attempt to evade email security processes implemented by defenders. The threat actor usually sends the password to open the file to the targeted user in the same or a subsequent email message.

In addition to password-protecting the PDF lures themselves, the actor has been observed hosting PDF lures at a cloud storage service and sharing a password-protected link to the file in a message sent to the intended victim. While Star Blizzard frequently uses cloud storage services from all major providers (including Microsoft OneDrive), Proton Drive is predominantly chosen for this purpose.

Microsoft suspends Star Blizzard operational accounts discovered using our platform for their spear-phishing activities.

Screenshot of an example spear-phishing email with a password protecting link to Proton Drive
Figure 8. Example of spear-phishing email with password protected link to Proton Drive

Randomizing DGA for actor registered domains

Following the detailed public reporting by Recorded Future (August 2023) on detection opportunities for Star Blizzard domain registrations, we have observed the threat actor making significant changes in their chosen domain naming syntax.

Prior to the public reporting, Star Blizzard utilized a limited wordlist for their DGA. Subsequently, Microsoft has observed that the threat actor has upgraded their domain-generating mechanism to include a more randomized list of words.

Despite the increased randomization, Microsoft has identified detection opportunities based on the following constant patterns in Star Blizzard domain registration behavior:

  • Namecheap remains the registrar of choice
  • Domains are usually registered in groups, many times with similar naming conventions
  • X.509 TLS certificates are provided by Let’s Encrypt, created in the same timeframe of domain registration
Examples of two X.509 TLS certificates used by the threat actor
Figure 9. Examples of X.509 TLS certificates used by Star Blizzard

A list of recent domain names registered by Star Blizzard can be found at the end of this report.

Consistent TTPs since 2022

Star Blizzard activities remain focused on email credential theft, predominantly targeting cloud-based email providers that host organizational and/or personal email accounts.

Star Blizzard continues to utilize the publicly available Evilginx framework to achieve their objective, with the initial access vector remaining to be spear-phishing via email. Target redirection to the threat actor’s Evilginx server infrastructure is still usually achieved using custom-built PDF lures that open a browser session. This session follows a redirection chain ending at actor-controlled Evilginx infrastructure that is configured with a “phishlet” for the intended targets’ email provider.

Star Blizzard remains constant in their use of pairs of dedicated VPSs to host actor-controlled infrastructure (redirector + Evilginx servers) used for spear-phishing activities, where each server usually hosts a separate actor registered domain.

Dgram displaying the redirection chain from PDF spear-phishing lure, to the actor-controlled VPS hosting redirection server, to the actor-controlled VPS hosting Evilginx server.
Figure 10. Typical Star Blizzard redirection chain to Evilginx infrastructure

Protecting yourself against Star Blizzard

As with all threat actors that focus on phishing or spear-phishing to gain initial access to victim mailboxes, individual email users should be aware of who these attacks target and what they look like to improve their ability to identify and avoid further attacks.

The following are a list of answers to questions that enterprise and consumer email users should be asking about the threat from Star Blizzard:

Am I at risk of being a Star Blizzard target?

Users and organizations are more likely to be a potential Star Blizzard target if connected to the following areas:

  1. Government or diplomacy (both incumbent and former position holders).
  2. Research into defense policy or international relations when related to Russia.
  3. Assistance to Ukraine related to the ongoing conflict with Russia.

Remember that Star Blizzard targets both consumer and enterprise accounts, so there is an equal threat to both organization and personal accounts.

What will a Star Blizzard spear-phishing email look like?

Star Blizzard emails appear to be from a known contact that users or organizations expect to receive email from. The sender address could be from any free email provider, but special attention should be paid to emails received from Proton account senders  (@proton[.]me, @protonmail[.]com) as they are frequently used by the threat actor.

An initial email is usually sent to the target, asking them to review a document, but without any attachment or link to the document.

The threat actor will wait for a response, and following that, will send an additional message with either an attached PDF file or an embedded link, as detailed above in “Star Blizzard TTPs observed in 2024.”

If the targeted user has not completed authentication by entering their password in the offered sign-in page and/or supplied all the required factors for multifactor authentication (MFA), the threat actor does not have the capability to successfully compromise the targeted account.

Our recommendation to all email users that belong to Star Blizzard targeted sectors is to always remain vigilant when dealing with email, especially emails containing links to external resources. When in doubt, contact the person you think is sending the email using a known and previously used email address, to verify that the email was indeed sent by them.

What happens if I interact with a Star Blizzard PDF lure?

Pressing the button in a PDF lure causes the default browser to open a link embedded in the PDF file code—this is the beginning of the redirection chain. Targets will likely see a web page titled “Docs” in the initial page opened and may be presented with a CAPTCHA to solve before continuing the redirection. The browsing session will end showing a sign-in screen to the account where the spear-phishing email was received, with the targeted email already appearing in the username field.

The host domain in the web address is an actor-controlled domain (see appendix for full list), and not the expected domain of the email server or cloud service.

If multifactor authentication is configured for a targeted email account, entering a password in the displayed sign-in screen will trigger an authentication approval request. If passwordless access is configured for the targeted account, an authentication approval request is immediately received on the device chosen for receiving authentication approvals.

As long as the authentication process is not completed (a valid password is not entered and/or an authentication request is not approved), the threat actor has not compromised the account.

If the authentication process is completed, the credentials have been successfully compromised by Star Blizzard, and the threat actor has all the required details needed to immediately access the mailbox, even if multifactor authentication is enabled.

Four screenshots of what the PDF lures look like when opened, such as a CAPTCHAs or sign-in pages.
Figure 11. Examples of Star Blizzard PDF lures when opened

Recommendations

As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the necessary information to secure their accounts.

Microsoft emphasizes that the following two mitigations will strengthen customers’ environments against Star Blizzard attack activity:

Microsoft is sharing indicators of compromise related to this attack at the end of this report to encourage the security community to further investigate for potential signs of Star Blizzard activity using their security solution of choice. All these indicators have been incorporated into the threat intelligence feed that powers Microsoft Defender products to aid in protecting customers and mitigating this threat. If your organization is a Microsoft Defender for Office customer or a Microsoft Defender for Endpoint customer with network protection turned on, no further action is required to mitigate this threat presently. A thorough investigation should be performed to understand potential historical impact if Star Blizzard activity has been previously alerted on in the environment.

Additionally, Microsoft recommends the following mitigations to reduce the impact of this threat:

  • Use advanced anti-phishing solutions like Microsoft Defender for Office 365 that monitor and scan incoming emails and visited websites. For example, organizations can leverage web browsers that automatically identify and block malicious websites and provide solutions that detect and block malicious emails, links, and files.
  • Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat, or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-compromise.
  • Configure investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
  • Turn on cloud-delivered protection and automatic sample submission in Microsoft Defender Antivirus to cover rapidly evolving attacker tools, techniques, and behaviors. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
  • Use  security defaults as a baseline set of policies to improve identity security posture. For more granular control, enable conditional access policies.  Conditional access policies evaluate sign-in requests using additional identity driven signals like user or group membership, IP location information, and device status, among others, and are enforced for suspicious sign-ins. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as compliant devices or trusted IP address requirements.
  • Implement continuous access evaluation.
  • Continuously monitor suspicious or anomalous activities. Investigate sign-in attempts with suspicious characteristics (for example, location, ISP, user agent, and use of anonymizer services).
  • Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Office 365 applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
  • Use the Attack Simulator in Microsoft Defender for Office 365 to organize realistic, yet safe, simulated phishing and password attack campaigns in your organization by training end users against clicking URLs in unsolicited messages and disclosing their credentials. Training should include checking for poor spelling and grammar in phishing emails or the application’s consent screen as well as spoofed app names, logos, and domain URLs appearing to originate from legitimate applications or companies. Note that Attack Simulator testing only supports phishing emails containing links at this time.
  • Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. In all web protection scenarios, SmartScreen and Network Protection can be used together to ensure protection across both Microsoft and non-Microsoft browsers and processes.
  • Microsoft Defender customers can turn on attack surface reduction rules to prevent common attack techniques:

Appendix

Microsoft Defender XDR detections

Microsoft Defender for Office 365

Microsoft Defender for Office 365 offers enhanced solutions for blocking and identifying malicious emails. Signals from Microsoft Defender for Office 365 inform Microsoft 365 Defender, which correlate cross-domain threat intelligence to deliver coordinated defense, when this threat has been detected. These alerts, however, can be triggered by unrelated threat activity. Example alerts:

  • A potentially malicious URL click was detected
  • Email messages containing malicious URL removed after delivery
  • Email messages removed after delivery
  • Email reported by user as malware or phish

Microsoft Defender SmartScreen

Microsoft Defender SmartScreen has implemented detections against the phishing domains represented in the IOC section below. By enabling Network protection, organizations can block attempts to connect to these malicious domains.

Microsoft Defender for Endpoint

Aside from the Microsoft Defender for Office 365 alerts above, customers can also monitor for the following Microsoft Defender for Endpoint alerts for this attack. Note that these alerts can also be triggered by unrelated threat activity. Example alerts:

  • Star Blizzard activity group
  • Suspicious URL clicked
  • Suspicious URL opened in web browser
  • User accessed link in ZAP-quarantined email
  • Suspicious activity linked to a Russian state-sponsored threat actor has been detected
  • Connection to adversary-in-the-middle (AiTM) phishing site
  • User compromised in AiTM phishing attack
  • Possible AiTM phishing attempt

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, and respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

Microsoft Defender for Endpoint Threat analytics 

Hunting queries  

Microsoft Sentinel 

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.  

Indicators of compromise

Domain infrastructure observed in 2024

Domain nameRegistrarRegistered
confsendlist[.]orgHostinger UAB2024/08/27 18:31
asyncmainfunc[.]netHostinger UAB2024/08/27 17:52
postpackfull[.]comRealtime Register2024/08/27 17:26
bootsgatein[.]netHostinger UAB2024/08/27 16:36
getshowprofile[.]comRealtime Register2024/08/27 15:11
universalindospices[.]comRealtime Register2024/08/26 16:00
nucleareng[.]netHostinger UAB2024/08/22 16:48
embriodev[.]orgHostinger UAB2024/08/22 12:36
compmatheng[.]comEranet International 2024/08/21 13:52
biomechsys[.]orgPublicDomainRegistry2024/08/21 13:02
abstractalg[.]comHostinger UAB2024/08/21 11:54
epidemioeng[.]orgHostinger UAB2024/08/21 11:44
entomoleng[.]orgPublicDomainRegistry2024/08/19 13:52
firewalliot[.]orgHostinger UAB2024/08/16 14:28
vidmemax[.]comHostinger UAB2024/08/16 09:22
authadm[.]toolsPublicDomainRegistry2024/08/15 21:35
opiloans[.]comGMO Internet2024/08/15 03:45
steeldartpro[.]comGMO Internet2024/08/15 01:09
mechengsys[.]netTucows2024/08/08 15:53
poortruncselector[.]comHostinger UAB2024/08/01 17:36
keyvaluepassin[.]netHostinger UAB2024/08/01 16:40
aeromechelec[.]orgHostinger UAB2024/07/25 13:46
quantumspherebyteonline[.]orgHostinger UAB2024/07/22 13:49
bittechxeondynamics[.]orgHostinger UAB2024/07/22 11:34
synchrosphere[.]orgHostinger UAB2024/07/19 17:52
quantumnyx[.]orgHostinger UAB2024/07/19 16:12
introsavemsg[.]orgHostinger UAB2024/07/11 18:20
grepfileintro[.]netHostinger UAB2024/07/11 16:53
innotechhub[.]netHostinger UAB2024/07/09 17:44
nextgenprotocol[.]orgHostinger UAB2024/07/09 16:57
cyberwaytransfer[.]netHostinger UAB2024/07/09 15:55
dentalmag[.]orgHostinger UAB2024/07/08 17:41
eichenfass[.]orgHostinger UAB2024/07/08 16:18
loyaltyfirst[.]orgHostinger UAB2024/07/05 18:02
investfix[.]orgHostinger UAB2024/07/03 15:36
spurcapitalconstruction[.]comHostinger UAB2024/06/29 09:45
nutritivoybarato[.]comHostinger UAB2024/06/29 07:56
crestwoodtok[.]comHostinger UAB2024/06/28 17:29
accountingempowered[.]comHostinger UAB2024/06/28 08:53
iinguinalhernia[.]comHostinger UAB2024/06/28 06:03
absardeiracargo[.]comHostinger UAB2024/06/27 18:18
destelloideal[.]comHostinger UAB2024/06/27 14:33
dontezandkrisselm[.]comHostinger UAB2024/06/27 11:45
jeredutech[.]comHostinger UAB2024/06/26 16:52
mettezera[.]comHostinger UAB2024/06/26 16:33
btxfirewood[.]comHostinger UAB2024/06/26 14:34
equipemyr[.]comHostinger UAB2024/06/25 16:13
vizionviews[.]comHostinger UAB2024/06/25 08:03
alonaservices[.]comHostinger UAB2024/06/24 19:08
getvfsmartwatch[.]comHostinger UAB2024/06/22 13:43
cellvariedades[.]comHostinger UAB2024/06/21 16:55
mashelterssettlement[.]comHostinger UAB2024/06/20 17:59
specialdiskount[.]comHostinger UAB2024/06/19 17:07
sinatagotasbrasil[.]comHostinger UAB2024/06/19 10:53
yorkviewstating[.]comHostinger UAB2024/06/19 09:12
supermercadolagocalima[.]comHostinger UAB2024/06/18 15:11
arsenalcaption[.]comHostinger UAB2024/06/15 20:02
carpenterkari[.]comPublicDomainRegistry2024/06/12 13:58
spandvi[.]comHostinger UAB2024/06/11 18:10
cucudor[.]comHostinger UAB2024/06/11 16:16
animalmedic[.]orgHostinger UAB2024/06/11 15:07
movercon[.]comHostinger UAB2024/06/07 13:11
crafflights[.]comHostinger UAB2024/06/06 16:14
pilotsheikh[.]comHostinger UAB2024/06/06 10:37
smlancer[.]comHostinger UAB2024/06/06 09:27
casioakocustom[.]comHostinger UAB2024/06/05 15:24
prismhavenphotography[.]comHostinger UAB2024/06/04 19:12
diananithilamills[.]comHostinger UAB2024/06/04 15:45
egenre[.]netHostinger UAB2024/05/19 16:20
cityessentials[.]netHostinger UAB2024/05/19 15:30
esestacey[.]netHostinger UAB2024/05/19 14:33
seltinger[.]comPublicDomainRegistry2024/05/16 20:54
livonereg[.]comPublicDomainRegistry2024/05/16 20:54
gothicshop[.]orgHostinger UAB2024/05/07 13:14
directic[.]netNameCheap2024/04/25 16:49
sgmods[.]netNameCheap2024/04/25 14:39
calmlion[.]orgNameCheap2024/04/18 13:11
mayquarkesthetic[.]comHostinger UAB2024/04/08 17:00
xacshop[.]comHostinger UAB2024/04/08 13:50
prostrokes[.]netNameCheap2024/03/29 13:34
imgrich[.]comHostinger UAB2024/03/15 14:56
editablezoom[.]orgHostinger UAB2024/03/15 13:33

Past Star Blizzard domain infrastructure

DomainRegisteredRegistrarX.509 TLS Certificate IssuerDNS provider resolving
centralitdef[.]com2023/04/03 14:29:33NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
rootgatewayshome[.]com2023/04/06 16:09:06NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
directstoragepro[.]com2023/04/07 14:18:19NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
infocryptoweb[.]com2023/04/07 14:44:38NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
cloudwebstorage[.]com2023/04/09 14:13:44NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
cryptdatahub[.]com2023/04/10 10:07:44NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
datainfosecure[.]com2023/04/10 10:16:20NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
servershieldme[.]com2023/04/11 07:32:41NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
scandefinform[.]com2023/04/12 10:18:26NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
guardittech[.]com2023/04/12 13:36:33NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
storageinfohub[.]com2023/04/14 12:23:02NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
docsinfohub[.]com2023/04/14 16:24:45NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
dbasechecker[.]com2023/04/20 08:31:04NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
dbasecheck[.]com2023/04/20 08:31:04NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
gaterecord[.]com2023/04/25 14:17:14NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
directsgate[.]com2023/04/25 14:17:14NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
storageinformationsolutions[.]com2023/04/25 15:33:03NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
storagedatadirect[.]com2023/04/25 15:33:05NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
informationdoorwaycertificate[.]com2023/04/25 17:50:04NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
datagatewaydoc[.]com2023/04/25 17:50:37NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
panelittechweb[.]com2023/04/27 12:19:19NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
panelitsolution[.]com2023/04/27 12:19:19NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
keeperdocument[.]com2023/04/27 14:18:19NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
keeperdocumentgatewayhub[.]com2023/04/27 14:18:25NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
docview[.]cloud2023/05/03 06:33:44Hostinger UABC=US, O=Let’s Encrypt, CN=R3 
protectitbase[.]com2023/05/03 09:07:33NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
webcatalogpro[.]com2023/05/04 09:47:19NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
infoformdata[.]com2023/05/04 13:13:56NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
keydatastorageunit[.]com2023/05/10 09:20:39NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
docanalizergate[.]com2023/05/10 15:23:14NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
docanalizerhub[.]com2023/05/10 15:23:21NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
hubdatapage[.]com2023/05/10 16:07:31NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
skyinformdata[.]com2023/05/11 11:10:35NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
docsaccessdata[.]com2023/05/11 12:35:02NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
datacryptosafe[.]com2023/05/11 16:46:00NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
cloudsetupprofi[.]com2023/05/12 15:35:42NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
setupprofi[.]com2023/05/12 15:35:52NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
analyzedatainfo[.]com2023/05/15 15:30:04NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
infocryptodata[.]com2023/05/15 16:41:42NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
datadocsview[.]com2023/05/16 13:23:38NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
gatedocsview[.]com2023/05/16 13:23:42NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
hubinfodocs[.]com2023/05/16 13:27:07NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
proffsolution[.]com2023/05/16 14:20:42NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
proffitsolution[.]com2023/05/16 14:20:44NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
defproresults[.]com2023/05/16 14:20:49NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
greatnotifyinfo[.]com2023/05/16 14:55:49NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
topnotifydata[.]com2023/05/16 14:55:53NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
topinformdata[.]com2023/05/16 14:55:58NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
defoffresult[.]com2023/05/16 15:23:49NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
cloudinfodata[.]com2023/05/16 15:23:52NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
webpartdata[.]com2023/05/16 15:23:57NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
infostoragegate[.]com2023/05/17 14:41:37NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
wardenstoragedoorway[.]com2023/05/17 15:17:10NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
myposcheck[.]com2023/05/25 08:52:50NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
poscheckdatacenter[.]com2023/05/25 08:52:51NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
checkdatapos[.]com2023/05/25 08:52:55NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
docdatares[.]com2023/05/26 13:42:10NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
datawebhub[.]com2023/05/26 16:28:34NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
cloudithub[.]com2023/05/26 16:28:35NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
secitweb[.]com2023/05/26 16:28:39NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
documentitsolution[.]com2023/05/29 13:21:44NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
keeperinformation[.]com2023/05/29 13:21:48NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
webprodata[.]com2023/05/29 14:28:00NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
clouditprofi[.]com2023/05/29 14:28:01NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
cryptoinfostorage[.]com2023/05/29 14:34:41NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
rootinformationgateway[.]com2023/05/29 14:34:41NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
gatewaydocumentdata[.]com2023/06/01 14:49:07NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
gatewayitservices[.]com2023/06/01 14:49:17NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
infoviewerdata[.]com2023/06/01 14:59:51NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
infoviewergate[.]com2023/06/01 14:59:51NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
webitresourse[.]com2023/06/02 19:35:46NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
homedocsdata[.]com2023/06/05 16:05:54NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
homedocsview[.]com2023/06/05 16:06:10NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
webdataproceed[.]com2023/06/08 17:29:54NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
directkeeperstorage[.]com2023/06/12 15:47:55NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
gatewaykeeperinformation[.]com2023/06/12 15:48:01NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
rootgatestorage[.]com2023/06/12 16:46:02NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
documentinformationsolution[.]com2023/06/12 16:46:04NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
getclouddoc[.]com2023/06/14 10:56:38NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
statusfiles[.]com2023/06/16 09:49:55NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
webstaticdata[.]com2023/06/16 09:49:55NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
cloudwebfile[.]com2023/06/16 09:49:59NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
statuswebcert[.]com2023/06/16 10:29:57NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
nextgenexp[.]com2023/06/16 10:29:57NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
informationkeeper[.]com2023/06/16 14:48:40NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
documentgatekeeper[.]com2023/06/16 14:48:44NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
cryptogatesolution[.]com2023/06/16 15:32:31NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
rootgatewaystorage[.]com2023/06/16 15:32:34NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
infoviewstorage[.]com2023/06/22 12:34:10NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
infoconnectstorage[.]com2023/06/22 12:34:18NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
infolookstorage[.]com2023/06/22 13:53:04NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
judicialliquidators[.]com2023/06/25 11:28:05NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
safetyagencyservice[.]com2023/06/25 11:28:08NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
dynamiclnk[.]com2023/06/27 13:20:10NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
temphoster[.]com2023/06/27 13:20:10NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
documententranceintelligence[.]com2023/06/27 17:13:49NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
documentgateprotector[.]com2023/06/27 17:13:51NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
readinfodata[.]com2023/06/28 16:09:46NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
readdatainform[.]com2023/06/28 16:09:50NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
webcryptoinfo[.]com2023/06/29 12:41:50NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
storageinfodata[.]com2023/06/29 12:41:50NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
keeperdatastorage[.]com2023/07/03 17:40:16NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
keepinformationroot[.]com2023/07/03 17:40:21NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
keyservicebar[.]com2023/07/05 13:25:41PDR Ltd.C=US, O=Let’s Encrypt, CN=R3 
bitespacedev[.]com2023/07/05 13:25:43PDR Ltd.C=US, O=Let’s Encrypt, CN=R3 
cryptodocumentinformation[.]com2023/07/05 15:04:46PDR Ltd.C=US, O=Let’s Encrypt, CN=R3 
directdocumentinfo[.]com2023/07/05 15:04:48PDR Ltd.C=US, O=Let’s Encrypt, CN=R3 
techpenopen[.]com2023/07/05 15:49:13NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
loginformationbreakthrough[.]com2023/07/06 16:01:36NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
alldocssolution[.]com2023/07/06 16:01:39NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
documentkeepersolutionsystems[.]com2023/07/06 18:45:01NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
docholdersolution[.]com2023/07/06 18:45:10NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
infodocitsolution[.]com2023/07/07 11:00:59NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
securebrowssolution[.]com2023/07/07 11:00:59NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
secbrowsingate[.]com2023/07/07 11:18:09NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
secbrowsingsystems[.]com2023/07/07 11:18:14NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
docguardmaterial[.]com2023/07/10 11:38:40NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
dockeeperweb[.]com2023/07/10 11:38:44NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
docsecgate[.]com2023/07/11 13:27:59NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
documentsecsolution[.]com2023/07/11 13:28:01NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
cryptogatehomes[.]com2023/07/11 17:51:38NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
topcryptoprotect[.]com2023/07/12 13:03:36NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
safedocumentgatesolution[.]com2023/07/12 13:17:15NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
safedocitsolution[.]com2023/07/12 13:17:23NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
docscontentview[.]com2023/07/12 15:05:10NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
docscontentgate[.]com2023/07/12 15:05:10NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
openprojectgate[.]com2023/07/12 15:30:44NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
infowardendoc[.]com2023/07/12 15:30:49NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
wardensecbreakthrough[.]com2023/07/12 15:41:10NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
lawsystemjudgement[.]com2023/07/12 15:41:10NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
explorewebdata[.]com2023/07/13 08:12:07NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
doorwayseclaw[.]com2023/07/13 13:22:18NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
entryloginpoint[.]com2023/07/13 13:22:22NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
wardenlawsec[.]com2023/07/13 14:12:32NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
entrygatebreak[.]com2023/07/13 14:12:32NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
digitalworkdata[.]com2023/07/13 15:00:44NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
digitalhubdata[.]com2023/07/13 15:00:45NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
craftfilelink[.]com2023/07/13 15:31:00NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
createtempdoc[.]com2023/07/13 15:31:00NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
provideexplorer[.]com2023/07/13 16:25:33NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
reviewopenfile[.]com2023/07/13 16:25:34NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
govsafebreakthrough[.]com2023/07/13 16:26:44NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
govlawentrance[.]com2023/07/13 16:26:55NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
storagekeepdirect[.]com2023/07/13 17:36:39NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
storageguarddirect[.]com2023/07/13 17:36:44NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
storagekeeperexpress[.]com2023/07/14 13:27:26NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
onestorageprotectordirect[.]com2023/07/14 13:27:27NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
lawwardensafety[.]com2023/07/14 13:41:52NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
entrancequick[.]com2023/07/14 13:41:53NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
seclawdoorway[.]com2023/07/14 15:28:39NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
wardengovermentlaw[.]com2023/07/14 15:28:43NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
getvaluepast[.]com2023/07/14 16:14:41NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
transferlinkdata[.]com2023/07/14 16:14:41NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
remcemson[.]com2023/07/26 11:25:48NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
osixmals[.]com2023/07/26 11:25:56NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
entranceto[.]com2023/07/28 12:26:15NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
govermentsecintro[.]com2023/07/28 12:26:17NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
itbugreportbeta[.]com2023/07/28 13:06:49NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
theitbugreportbeta[.]com2023/07/28 13:06:49NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
sockintrodoorway[.]com2023/07/28 13:21:41NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
maxintrosec[.]com2023/07/28 13:21:42NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
doorgovcommunity[.]com2023/07/28 15:11:40NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
tarentrycommunity[.]com2023/07/28 15:11:40NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
webfigmadesignershop[.]com2023/07/28 16:09:07NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
webfigmadesigner[.]com2023/07/28 16:09:11NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
logincontrolway[.]com2023/07/28 16:35:44NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
vertransmitcontrol[.]com2023/07/28 16:35:44NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
everyinit[.]com2023/08/09 13:56:51NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
aliceplants[.]com2023/08/09 17:22:26NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
countingtall[.]com2023/08/09 17:22:30NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
silenceprotocol[.]com2023/08/10 12:32:10NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
mintwithapples[.]com2023/08/10 12:32:15NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
winterholds[.]com2023/08/10 12:53:29NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
ziplinetransfer[.]com2023/08/10 16:47:53NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
translatesplit[.]com2023/08/10 16:47:53NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
getfigmacreator[.]com2023/08/11 13:13:20NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
postrequestin[.]com2023/08/11 13:13:23NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
tarifjane[.]com2023/08/17 14:05:41NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
configlayers[.]com2023/08/17 14:05:48NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
winterhascometo[.]com2023/08/17 16:21:43NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
inyourheadexp[.]com2023/08/17 16:21:43NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
glorybuses[.]com2023/08/18 15:27:40NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
janeairintroduction[.]com2023/08/18 15:27:40NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
vikingonairplane[.]com2023/08/18 16:19:48NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
marungame[.]com2023/08/18 16:19:49NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
victorinwounder[.]com2023/08/21 16:14:48NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
paneindestination[.]com2023/08/21 16:15:02NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
trastamarafamily[.]com2023/08/22 11:20:22NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
territoryedit[.]com2023/08/22 11:20:24NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
vectorto[.]com2023/08/24 09:40:49NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
johnysadventure[.]com2023/08/24 09:40:54NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
paternenabler[.]com2023/08/25 14:40:31NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
fastnamegenerator[.]com2023/08/25 14:40:35NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
literallyandme[.]com2023/08/28 13:21:33NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
andysalesproject[.]com2023/08/28 13:21:34NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
pandawithrainbow[.]com2023/08/28 17:08:58NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
natalyincity[.]com2023/08/29 15:25:02NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
machinerelise[.]com2023/09/01 16:29:09NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
industrialcorptruncate[.]com2023/09/01 16:30:07NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
constructionholdingnewlife[.]com2023/09/07 14:00:55NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
adventuresrebornpanda[.]com2023/09/07 14:00:55NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
cryingpand[.]com2023/09/13 13:10:40NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
industrialwatership[.]com2023/09/13 13:10:41NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
olohaisland[.]com2023/09/13 14:25:35NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
voodoomagician[.]com2023/09/13 14:25:36NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
newestchairs[.]com2023/09/14 11:24:47NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
cpuisocutter[.]com2023/09/14 12:37:53NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
incorpcpu[.]com2023/09/14 12:37:57NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
gulperfish[.]com2023/09/14 14:00:25NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
leviathanfish[.]com2023/09/14 14:00:25NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
truncationcorp[.]com2023/09/14 14:05:41NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
gzipinteraction[.]com2023/09/14 14:05:42NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
ghostshowing[.]com2023/09/14 16:10:42NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
hallowenwitch[.]com2023/09/14 16:10:43NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
certificatentrance[.]com2023/09/19 08:18:39NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
apiwebdata[.]com2023/10/02 14:59:14NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
apidatahook[.]com2023/10/04 15:45:19NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
apireflection[.]com2023/10/04 15:45:25NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
protectionoffice[.]tech2023/10/05 11:33:46Hostinger UABC=US, O=Let’s Encrypt, CN=R3 
lazyprotype[.]com2023/10/11 11:52:18NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
angelicfish[.]com2023/10/13 17:57:29NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
globalyfish[.]com2023/10/13 17:57:31NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
medicprognosis[.]com2023/10/16 14:36:32NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
medicoutpatient[.]com2023/10/16 14:36:41NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
krakfish[.]com2023/10/17 17:09:29NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
stingrayfish[.]com2023/10/17 17:09:31NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
incorpreview[.]com2023/10/17 18:27:09NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
truncatetrim[.]com2023/10/17 18:27:11NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
corporatesinvitation[.]com2023/10/18 14:48:54NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
triminget[.]com2023/10/18 17:31:40NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
firewitches[.]com2023/10/19 10:40:51NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
solartemplar[.]com2023/10/19 10:40:52NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
encryptionrenewal[.]com2023/10/20 13:36:24NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
sslkeycert[.]com2023/10/20 13:36:24NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
barbarictruths[.]com2023/10/23 07:37:30NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
castlefranks[.]com2023/10/23 07:37:33NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
comintroduction[.]com2023/10/24 14:01:11NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
corpviewer[.]com2023/10/31 13:10:38NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 

Star Blizzard HubSpot campaign domains:

  • djs53104[.]eu1[.]hubspotlinksfree[.]com – used in August 2023
  • djr6t104[.]eu1[.]hubspotlinksfree[.]com – used in August 2023
  • djrzf704[.]eu1[.]hubspotlinksfree[.]com – used in August 2023
  • djskzh04[.]eu1[.]hubspotlinksfree[.]com – used in August 2023
  • djslws04[.]eu1[.]hubspotlinksfree[.]com – used in August 2023
  • djs36c04[.]eu1[.]hubspotlinksfree[.]com – used in August 2023
  • djt47x04[.]eu1[.]hubspotlinksfree[.]com – used in September 2023
  • djvcl404[.]eu1[.]hubspotlinksfree[.]com – used in October 2023
  • d5b74r04[.]na1[.]hubspotlinksfree[.]com – used in October 2023
  • djvxqp04[.]eu1[.]hubspotlinksfree[.]com – used in October 2023

Star Blizzard MailerLite campaign domain:

  • ydjjja[.]clicks[.]mlsend[.]com – used in September 2023

References

Further reading

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Star Blizzard increases sophistication and evasion in ongoing attacks appeared first on Microsoft Security Blog.

]]>
Social engineering attacks lure Indian users to install Android banking trojans http://approjects.co.za/?big=en-us/security/blog/2023/11/20/social-engineering-attacks-lure-indian-users-to-install-android-banking-trojans/ Tue, 21 Nov 2023 04:30:00 +0000 Microsoft has observed ongoing activity from mobile banking trojan campaigns targeting users in India with social media messages and malicious applications designed to impersonate legitimate organizations and steal users’ information for financial fraud scams.

The post Social engineering attacks lure Indian users to install Android banking trojans appeared first on Microsoft Security Blog.

]]>
Microsoft has observed ongoing activity from mobile banking trojan campaigns targeting users in India with social media messages designed to steal users’ information for financial fraud. Using social media platforms like WhatsApp and Telegram, attackers are sending messages designed to lure users into installing a malicious app on their mobile device by impersonating legitimate organizations, such as banks, government services, and utilities. Once installed, these fraudulent apps exfiltrate various types of sensitive information from users, which can include personal information, banking details, payment card information, account credentials, and more.

While not a new threat, mobile malware infections pose a significant threat to mobile users, such as unauthorized access to personal information, financial loss due to fraudulent transactions, loss of privacy, device performance issues due to malware consuming system resources, and data theft or corruption. In the past, we observed similar banking trojan campaigns sending malicious links leading users to download malicious apps, as detailed in our blog Rewards plus: Fake mobile banking rewards apps lure users to install info-stealing RAT on Android devices.

The current active campaigns have pivoted to sharing malicious APK files directly to mobile users located in India. Our investigation focused on two malicious applications that falsely present themselves as official banking apps. Spoofing and impersonating legitimate banks, financial institutions, and other official services is a common social engineering tactic for information-stealing malware. Importantly, legitimate banks themselves are not affected by these attacks directly, and the existence of these attacks is not related to legitimate banks’ own authentic mobile banking apps and security posture. That said, cybercriminals often target customers of large financial institutions by masquerading as a legitimate entity. This threat highlights the need for customers to install applications only from official app stores, and to be wary of false lures as we see in these instances.

In this blog, we shed light on the ongoing mobile banking trojan campaigns impacting various sectors by analyzing the attacks of two fraudulent apps targeting Indian banking customers. We also detail some of the additional capabilities of malicious apps observed in similar campaigns and provide recommendations and detections to defend against such threats. As our mobile threat research continuously monitors malware campaigns in the effort to combat attackers’ tactics, tools, and procedures (TTPs), we notified the organizations being impersonated by these fake app campaigns. Microsoft is also reporting on this activity to bring increased awareness to the threat landscape as mobile banking trojans and credential phishing fraud continues to persist, prompting an urgent call for robust and proactive defense strategies.

Case 1: Fake banking app targeting account information

We discovered a recent WhatsApp phishing campaign through our telemetry that led to banking trojan activity. In this campaign, the attacker shares a malicious APK file through WhatsApp with a message asking users to enter sensitive information in the app. The widely circulated fake banking message states “Your [redacted] BANK Account will be Blocked Today please update your PANCARD immediately open [redacted]-Bank.apk for update your PANCARD. Thank You.” and includes a APK file named [redacted]-BANK[.]apk. 

Screenshot of a fake WhatsApp phishing message asking users to update KYC using a APK file.
Figure 1. A fake WhatsApp message sent to user to update KYC using shared APK file.

Upon investigation, we discovered that the APK file was malicious and interacting with it installs a fraudulent application on the victim device. The installed app impersonates a legitimate bank located in India and disguises itself as the bank’s official Know Your Customer (KYC) application to trick users into submitting their sensitive information, despite this particular banking organization not being affiliated with an official KYC-related app. This information is then sent to a command and control (C2) server, as well as to the attacker’s hard-coded phone number used in SMS functionality.

Diagram of the attack flow depicting how an attacker sends an SMS or social media message and a malicious APK file to users that users download and install onto devices. The APK file then installs a fraudulent app impersonating a legitimate banking organization and requests the user's KYC information, bank account details, and credentials, which are submitted and sent to the attacker's C2 server and hard-coded phone number.
Figure 2. The attack flow of this campaign.

What users see

Upon installation, the fake app displays a bank icon posing as a legitimate bank app. Note that the app we analyzed is not an official bank app from the Google Play Store, but a fake app that we’ve observed being distributed through social media platforms.  

The initial screen then proceeds to ask the user to enable SMS-based permissions. Once the user allows the requested permissions, the fake app displays the message “Welcome to [redacted] Bank fast & Secure Online KYC App” and requests users to signin to internet banking by entering their mobile number, ATM pin, and PAN card details.

Four mobile screenshots from left to right: the fake WhatsApp message, an icon in the app tray displaying a legitimate bank icon, the fake app requesting SMS permissions, and the fake app requesting users' to submit their banking, mobile number, ATM pin, and PAN card information.
Figure 3. Once installed on a device, the fake app asks users to allow SMS permissions and to sign-in to internet banking and submit their mobile number, ATM pin, and PAN card to update KYC. 

After clicking the sign-in button, the app displays a verification prompt asking the user to enter the digits on the back of their banking debit card in grid format for authentication—a common security feature used as a form of multifactor authentication (MFA), where banks provide debit cards with 2-digit numbers in the form of a grid on the back of the card. Once the user clicks the authenticate button, the app claims to verify the shared details but fails to retrieve data, instead moving on to the next screen requesting additional user information. This can trick the user into believing that the process is legitimate, while remaining unaware of the malicious activity launching in the background.

Four mobile screenshots from left to right: the fake app appearing to authenticate users' bank information, the fake app requesting users' digits on the back of their debit card, user authenticating those digits, the fake app appearing to verify the information again.
Figure 4. The fake app’s authentication process asks the user to enter the correct digits as presented on their debit card.

Next, the user is asked to enter their account number followed by their account credentials. Once all the requested details are submitted, a suspicious note appears stating that the details are being verified to update KYC. The user is instructed to wait 30 minutes and not to delete or uninstall the app. Additionally, the app has the functionality to hide its icon, causing it to disappear from the user’s device home screen while still running in the background.

Four mobile screenshots from left to right: the fake app requesting users' account numbers followed by their credentials, the fake app displays a phony note that the entered information is being verified, the fake app's icon disappears from the user's app tray.
Figure 5. The fraudulent app steals the user’s account number and credentials and hides its icon from the home screen.

Technical analysis

To start our investigation and as part of our proactive research, we located and analyzed the following sample:

SHA-2566812a82edcb49131a990acd88ed5f6d73da9f536b60ee751184f27265ea769ee 
Package namedjhgsfjhfdgf[.]gjhdgsfsjde[.]myappl876786ication

We first examined the app’s AndroidManifest file, which lists the permissions and components (such as activities, services, receivers, and providers) that can run in the background without requiring user interaction. We discovered that the malware requests two runtime permissions (also known as dangerous permissions) from users: 

Permissions Description 
Receive_SMS Intercept SMSs received on the victim’s device 
Send_SMS Allows an application to send SMS 

The below image displays the requested Receive_SMS and Send_SMS permissions, the activities, receivers, and providers used in the application, and the launcher activity, which loads the application’s first screen. 

Screenshot of code displaying the AndroidManifest.xml file, noting the package name, permissions used, main activity class, and components used.
Figure 6. AndroidManifest.xml file

Source code review

Main activity

The main activity, djhgsfjhfdgf[.]gjhdgsfsjde[.]myappl876786ication[.]M1a2i3n4A5c6t7i8v9i0t0y987654321, executes once the app is launched and shows as the first screen of the application. The OnCreate() method of this class requests permissions for Send_SMS and Receive_SMS and displays a form to complete the KYC application with text fields for a user’s mobile number, ATM pin, and PAN card. Once the user’s details are entered successfully, the collected data is added to a JSON object and sent to the attacker’s C2 at: https://biogenetic-flake.000webhostapp[.]com/add.php

The app displays a note saying “Data added successfully”. If the details are not entered successfully, the form fields will be empty, and an error note will be displayed.

Screenshot of code displaying the launcher activity page, noting the requested permissions, requested information in the launcher activity, the data text fields for mobile number, ATM pin, and PAN card, the filled data sent to the attacker's C2 and the submitted details added to the attacker's C2.
Figure 7. Launcher activity page, asking the user to sign-in with their mobile number, ATM pin, and PAN card.  

Additionally, the malware collects data and sends it to the attacker’s phone number specified in the code using SMS. 

Screenshot of code displaying how collected information is also sent to the attacker's mobile number.
Figure 8. Collected data sent to the attacker’s mobile number as a SMS. 

Stealing SMS messages and account information

The malware collects incoming SMS messages from the victim’s device using the newly granted Receive_SMS permission. These incoming messages may contain one-time passwords (OTPs) that can be used to bypass MFA and steal money from the victim’s bank account. Using the Send_SMS permission, the victim’s messages are then sent to the attacker’s C2 server (https[:]//biogenetic-flake[.]000webhostapp[.]com/save_sms[.]php?phone=) and to the attacker’s hardcoded phone number via SMS.

Screenshot of code stealing incoming SMS to send to the attacker's C2 and mobile number.
Figure 9. Steals incoming SMS to send to the attacker’s C2 and mobile number via SMS.

The user’s bank account information is also targeted for exfiltration—once the user submits their requested account number and account credentials, the malware collects the data and similarly sends it to the attacker’s C2 server and hard-coded phone number. 

Screenshot of code collecting the user's account number to be sent to the attacker's C2 and mobile number.
Figure 10. Collecting the user’s account number to send to the attacker.
Screenshot of code collecting the user's account credentials to be sent to the attacker's C2 and mobile number.
Figure 11. Collecting the user’s account credentials to send to the attacker. 

Hiding app icon

Finally, the app has the functionality to hide its icon from the home screen and run in the background. 

Screenshot of code hiding the app's icon from the home screen and app tray.
Figure 12. Hides app icon from home screen 

Case 2: Fake banking app targeting payment card details

Similar to the first case, the second case involves a fraudulent app that deceives users into providing personal information. Unlike the first case, the banking trojan in the second case is capable of stealing credit card details, putting users at risk of financial fraud. User information targeted by the fraudulent app to be sent to the attacker’s C2 includes:

  • Personal information – Name, email ID, mobile number, date of birth
  • Payment information – Card details (16-digit number, CVV number, card expiration date) 
  • Incoming SMS 

What users see

When the user interacts with the app, it displays a launch screen featuring the app icon and prompting the user to grant SMS-based permissions. Once the requested permissions are enabled, the app displays a form for the user to enter their personal details, including their name, email address, mobile number, and date of birth. The data provided by the user is then sent to C2 server. After this, the app displays a form for the user to enter their credit card details, including the 16-digit card number, CVV number, and card expiration date, which is also sent to the attacker’s C2.

Three mobile screenshots from left to right: A fake app requesting SMS permissions, followed by requesting users' personal details, followed by their card details.
Figure 13. Fake app collects SMS permissions, personal details and card details.

Additional features in some versions

In related campaigns, we observed some versions of the same malicious app include additional features and capabilities, such as capturing:

  • Financial information – Bank details, bank ID, card details
  • Personal information – PAN card, Aadhar number, permanent address, state, country, pin code, income
  • Verifying and stealing one-time passwords (OTPs)

Similar campaigns

Based on our telemetry, we have been observing similar campaigns using the names of legitimate organizations in the banking, government services, and utilities sectors, as app file names to target Indian mobile users. Like the two cases discussed above, these campaigns involve sharing the fraudulent apps through WhatsApp and Telegram, and possibly other social media platforms. Moreover, these campaigns select legitimate and even well-known institutions and services in the region to imitate and lure users into a false sense of security. Spoofing and impersonating legitimate organizations and official services is a common social engineering tactic for information-stealing malware. While these banks and other organizations themselves are not affected by the attack directly, attackers often target customers by imitating legitimate entities.

Conclusion

Mobile banking trojan infections can pose significant risks to users’ personal information, privacy, device integrity, and financial security. As the campaigns discussed in this blog display, these threats can often disguise themselves as legitimate apps and deploy social engineering tactics to achieve their goals and steal users’ sensitive data and financial assets. Being aware of the risks and common tactics used by banking trojans and other mobile malware can help users identify signs of infection and take appropriate action to mitigate the impacts of these threats.

Finding unfamiliar installed apps, increased data usage or battery drain, unauthorized transactions or account settings changes, device crashes, slow performance, unexpected pop-ups, and other unusual app behaviors can indicate a possible banking trojan infection. To help prevent such threats, we recommend the following precautionary measures:

  • Only install apps from trusted sources and official stores, like the Google Play Store and Apple App Store.
  • Never click on unknown links received through ads, SMS messages, emails, or similar untrusted sources.
  • Use mobile solutions such as Microsoft Defender for Endpoint on Android to detect malicious applications
  • Always keep Install unknown apps disabled on the Android device to prevent apps from being installed from unknown sources.
Two mobile screenshots from left to right: Example of the Install unknown apps feature on an Android device, disabling the ability for WhatsApp to install unknown apps.
Figure 14. Example of the Install unknown apps feature on an Android device

Additionally, various Indian banks, governments services, and other organizations are conducting security awareness campaigns on social media using promotional videos to educate users and help combat the ongoing threat presented by these mobile banking trojan campaigns.

Abhishek Pustakala, Harshita Tripathi, and Shivang Desai

Microsoft Threat Intelligence

Appendix

Microsoft 365 Defender detections

Microsoft Defender Antivirus and Microsoft Defender for Endpoint on Android detect these threats as the following malware:

Indicators of compromise

SHA256 Description Threat Name
6812a82edcb49131a990acd88ed5f6d73da9f536b60ee751184f27265ea769eeMalicious APK Trojan:AndroidOS/Banker.U
34cdc6ef199b4c50ee80eb0efce13a63a9a0e6bee9c23610456e913bf78272a8Malicious APK TrojanSpy:AndroidOS/SpyBanker.Y

MITRE ATT&CK techniques

Execution Defense EvasionCredential AccessCollection Exfiltration  Impact
Scheduled Task/Job Obfuscated Files/InformationInput CaptureProtected User Data: SMS Messages Exfiltration Over C2 Channel  SMS Control
Hide Artifacts: Suppress Application Icon    

References

Acknowledgments

Further reading

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on X (formerly)Twitter at https://twitter.com/MsftSecIntel.

The post Social engineering attacks lure Indian users to install Android banking trojans appeared first on Microsoft Security Blog.

]]>