A
You're listening to the Cyberwire Network powered by N2K.
C
I would definitely just make sure that we teach the end users, you know, we have to ensure that we keep them up to date on such attacks because I think it's so easy when you're in a rush to just kind of looking at these things saying, oh shoot, I'm some of the court, I gotta verify this. You know, and it's kind of scary because like that's the scare tactic behind this all is how can I get the users to kind of panic and just interact with these things. And I think we as security researchers and analysts have to just say what is our best way to try and to train the end users to not all of a sudden be panicked.
B
That's Thomas Elkins, a SOC L3 analyst from BlueVoyant. The research we're discussing today is titled "Unpacking Augmented Marauders Multi Pronged Caspianero Campaigns."
C
Here at BlueVoyant we have a lot of clients that we ingest their data for on their security side of things. So we will see any kind of potential incidents that come in from our clients. And one of the incidents that we observed was a phishing email that was pretty plain in regards to the content of it, whereas this, it was in Spanish indicating that the user had to click on a link contained within a PDF file to confirm their, I guess their appointment to the, how would you say, judiciary system within Spain. And it was to entice them to, you know, obviously confirm that they're going to be showing up because they were summoned to court. And from there it's where we saw the user download a zip archive and they executed the contents of the zip archive, which was an HTA file. And honestly that's where the attack ended from their standpoint. But we as researchers obviously want to get the full scope of what's going to happen. So I took it to the next level and started to investigate what happens if the HTA file succeeds. And that's where I started seeing a whole bunch of VBA coding being launched on my own personal machine, which is when I started investigating the network traffic contained within the requests. And that's when I saw the back end of their servers providing a whole bunch of different VBA scripts that would be executed on the client side. And that's basically how we observed that the attack was beginning from that aspect.
B
Well, let's jump into some of the reasons that this campaign is particularly notable in the research. You describe this as a multi pronged campaign. What did you uncover that signaled this activity was broader than some of the things you've been tracking before?
C
Originally, when we tracked it, we thought this might have been potentially just hitting Spain. But as we dug more into the IOCs, we observed other companies had also seen that this was not just attacking Spain, it was targeting multiple countries in Latin America, including Brazil and Mexico. So we were like, okay, well this is clearly not just going to be contained to one specific country, that they're clearly targeting Spanish-based users, Spanish-speaking users. And this is not something new; this has been done before. This is not like a novel aspect in terms of targeting Spanish users. What made it novel was the techniques they were using to automate their attack for them essentially.
B
Well, let's dig into that aspect of it. What were some of these things that really caught your eye?
C
Yeah, so what we saw when I was going through the payloads was how it was, what's the word I'm trying to think of right now, it would basically find a way to replicate itself without requiring the attacker to have to keep sending the same phishing email. And what that means is the Caspianero banking Trojan, specifically when it contacted its C2, it contains the ability to execute commands contained from the C2. So if the C2 responds with a PowerShell script, the banking Trojan will be able to execute that PowerShell script in memory. And when we analyzed the PowerShell scripts, one of them was this self-replication where it would basically get a hold of the user's Outlook email account and it was doing that by using PowerShell objects. And then once it got the contact list from their emails, it would craft a new email. And the email that was crafted was hosted at one of its own, you know, attacker-controlled infrastructure. And that email would essentially replicate the same process that we saw initially. And one of the issues that we have as researchers is how do we figure out where the source of this actually began? Because what we're seeing right now is most likely the user that was impacted initially was probably, you know, they probably received a phishing email from someone they actually trusted that was in their own contact list, which was also impacted by this campaign. And that's one of the novel things that we saw was, okay, well this is not just a typical phishing campaign, this is a self-autonomous campaign where it's just going to keep spreading and finding the original source is going to be almost impossible at this point.
B
Yeah. One of the things that caught my eye was the fact that the phishing attachment in the, I guess the initial email was password protected. How does that help the attackers bypass defenses?
C
Yeah, so a lot of times when you get password-protected archives, even with simple passwords like 1234, the email scanning features, they can't bypass the zip archive passwords because they don't, I can't speak for sure, but I'm pretty sure that a lot of these email-based programs, they can't, you know, try, they can't brute force the archives because I feel like that would probably be against the user's will. So a lot of times these emails, they can't scan the PDF, they can't scan the archives or they can't scan what the contents of the PDF are because they're password protected. And without being able to view that, the contents will stay encrypted until the user enters the password and then all of a sudden the contents are now decrypted and essentially after that, then it can do that. So allowing that password-protected email, it's going to bypass a lot of security scanning features from email providers, should I say, not email accounts.
B
I see. Well, you've mentioned some of these items, but I think it would be helpful for our listeners to kind of walk through the infection chain step by step and the technical execution here. So once the victim interacts with the attachment, what happens next?
C
So the user, after they supply the password, the PDF populates the contents and the contents is that court summons notification. And there's a link saying confirm your appointment, it's in Spanish. And once they click that link, their browser opens up a new tab and there's like a random message, which is weird. I saw the message, I unfortunately don't have a screenshot of it, but it's like a rainbowed message saying something like that, waiting. And then also a zip archive is shown at the top right where you get that little downloads notification on your browser. Uh, and the zip archive itself is very autonomous. It has like some kind of UID automation from the back end of their servers. And it provides the date as well to kind of give this illusion of, okay, well, this might be, you know, some kind of official attachment or something that's required to help confirm my, you know, my appearance at the court. So contained within the zip archive is an .HTA file and that contains a script that tells whatever Windows binary is associated, MSHTA in this regard, to execute that script tag and the contents contained within that script tag. And that's when I was using my own programming on the back end. I was using a man-in-the-middle proxy to capture the response of the server once MSHTA executes that script. And what we saw was three different VBA scripts being executed. The first one was to execute another one. So it was an interesting chain of events where you don't start seeing the actual, I guess, what they actually want to do until you probably get to the third script specifically. And then that's when we start seeing a whole bunch of obfuscated code contained within the VBA script. And this is purposely to hinder immediate execution in memory.
So that way if you have some EDR tool in the background trying to scan any open processes and if it catches MSHTA running and it scans to see what the contents are, it won't see it right away because all that content is already obfuscated. And each of their primary scripts contained a custom decoding routine for their strings. So that way if you're a security researcher and you happen to pull their script off their server, you're not going to be able to reverse it right away because a lot of their content is obfuscated behind their custom decoding routines to make it harder for you to analyze it as a researcher and for EDR tools to immediately flag what is going on in the background. But once we started decoding these strings, that's when we really started to see the nature of the scripts. And the first part of the script is to determine if it's running in a sandbox. And this is pretty typical of a lot of malware nowadays. They want to identify if they're running in a sandbox, see if they can just stop running in case they detect it's in the sandbox. And then once it determines that, it has a preconfigured list of known sandbox names, usernames and sandboxes. And I think that's something that they probably pull off of GitHub, a whole bunch of different resources to kind of give you an idea of like what are the most basic known sandbox names and their device names. And once those checks pass, then that's when it starts to identify if there's any running processes that are associated to this already running campaign. So it's going to check to see if MSHTA is already running. It's going to check a specific folder path within C:\Users\Public with a random "laptop-" something. I don't remember the full name of the path, but that's their default path for their infection. So it's checking to see if that folder path already exists and if it does again, the chain will break and then they cancel the attack. And then if all have been here before. Exactly, exactly.
So they want to make sure this is a fresh situation. And if all those checks pass, then that's when it begins to download its actual payloads. And again, what caught our attention, and this seems to be very typical of Latin American-based kind of malware, is the usage of AutoIt scripts. Not saying it's always going to be Latin American, but for whatever reason, a lot of these attacks seem to be using AutoIt to kind of protect the contents of their actual payloads. What happens is it drops a whole bunch of AutoIt-based binaries. So you have the compiler and you have the actual AutoIt executable as well as their decompiled AutoIt scripts, which is also interesting. I actually haven't seen that before. I haven't seen them dropping an actual compiler on the back end because usually the script is already compiled. So that makes it easier for us as researchers because now we don't have to use additional tooling to decompile their scripts. They already gave us the raw script, which was very nice of them to do, honestly. So we were able to analyze those AutoIt scripts without having to, like I said, decompile them ourselves. And that's when we realized that contained in the scripts are their actual raw payloads that they want executed in memory. And that's another thing they can do too. Instead of storing their encrypted scripts on the actual machine, they can execute in memory, which makes it harder for a lot of EDR hooking tools to be able to figure out what's happening in memory as well. And once. Yeah, exactly. Yeah.
B
The campaign deploys a pair of banking Trojans, right? You've got Horabot and Caspianero. How do these two components divide up the responsibilities during the intrusion?
C
Yeah, definitely. So the Caspianero one, the primary focus is to not only obviously see if a user is accessing their banking account and trying to create a splash screen that's fake and having the user input their information, which is your typical banking Trojan behavior. This also contains additional abilities that the attacker has created from the back end of the service that they set up where the Caspianero, like I said, it's not only a Trojan in the sense that it can capture your input about trying to access banks, it has the ability to execute malicious code, given if that's what the threat actor wanted to set up to begin with. So on the back end the servers that they set up contain additional encrypted code that the banking Trojan would decode and then execute that content using ShellExecuteExW, which is one of the APIs that the Caspianero Trojan has. And what that allows it to do is if the attacker says okay, I want you to download another payload from my remote server, the banking Trojan can do that. And what it seems like the attackers want in this situation is they wanted to create persistence with the banking Trojan. Additionally they wanted to do the self-propagation aspect, which is what I discussed earlier, where they want to take control, not to control the user's email, but basically infiltrate their email, send out a whole bunch of new-wave phishing emails from the impacted user. And that creates that, you know, that trust element. When the impacted user sends the fake emails out to their own contact lists, those users are more likely to say, oh, this must be legitimate, because this is a user that I know. This is not just some anonymous user from hotmail.com, you know. So that's the Caspianero aspect of this attack chain. The other one, the Horabot. The Horabot is the other. I guess like we said, it's two-pronged where they want to basically gain control of the user's email account specifically.
And what it does is it sits in the background and waits to see if the user navigates to Gmail, Hotmail, or what's the one, Live account. I believe it's Gmail, Yahoo and Live. And it sits to wait to see if the user accesses those. And if it does, the user is redirected to input their password. And what happens is the Horabot will get, will take us not. It'll capture the keystrokes of the user as they type in their password. And then now the threat actor has access to that user's whatever email account they were using in that specific instance and that again, that allows them to gain direct access to that user's email and impersonate that user and most likely, you know, craft additional emails. Maybe in the future, maybe they don't do it right away. Maybe this will be part of another campaign they set up in the future too where they can access those legitimate users' email accounts to spread additional campaigns.
B
I see. Another one of the interesting aspects here is, help me if I have this right, that during the propagation of the phishing PDFs those are, the PDFs themselves are dynamically generated.
C
Exactly. They come from a remote server. So basically the attacker can just change the format of whatever the PDF is going to be. So if their campaign's going to change from court summons, they might change it to something else, maybe like a DHL package or something else to entice users to want to interact with it. So they can dynamically change whatever email, whatever the PDF document is supposed to contain, they can dynamically change that. And the passwords too are also dynamically changing. Not always going to be the same. The script functionality contains the logic to basically craft a randomly generated password and that password is sent to the server. So when it generates the PDF files, that password will be used as that new wave of PDFs being sent out to users.
B
I see. Now your research connects this campaign to Maverick malware operations, which had previously been documented in some WhatsApp automation attacks. What was the overlap here that helped you establish that connection?
C
That was something I was going to bring up too. So I think it's back in October or September we observed a campaign that was hitting multiple users, specifically in Brazil. And this Trojan was being self-propagated, as you alluded to, via WhatsApp. And it contained a similar attack situation where not only did it deploy the Maverick banking Trojan, the second binary was the self-propagation aspect. And that's when we realized that this is probably linked because not many, I mean I haven't seen many other threat actors using the self-propagation aspect. And then that's when we started seeing other security companies confirming that that was the same exact behavior that we are observing from this new attack, that it was linked to the previous one from Maverick. And it kind of makes sense where you see these threat actors, they like to evolve where they try one thing and if it doesn't work out, they'll try another thing. And I feel like that's the same thing we saw with this specific attack was back in September we saw the initial wave of WhatsApp and the automation of how to send that to multiple users without relying on the threat actor to have to keep creating new methods to get users to interact with WhatsApp. Why not just automate that process? And we see that again with this specific campaign where they do a similar thing where they get a hold of the user's emails through the PowerShell objects in order to automate that process as well because it saves them time, they don't have to keep doing it themselves, they can allow the users to keep spreading it.
B
I see. How do you rate the sophistication of this particular threat actor?
C
I would definitely say they're getting more and more sophisticated. I feel like. So I first saw this like not this specific campaign, but I've seen this threat actor before and I think we linked him to something called Coyote as well in our previous research. We released something about Maverick 2 in September and another, the author that helped me write this, Josh Green, he works on the threat intel piece of things and he was able to link this to another malware strand called Coyote, which was another .NET-based banking Trojan. And initially when I first saw this type of behavior from the threat actor, it was last year and they were targeting Mexican users by pretending to be SAT tax documents. And I would definitely say seeing from that then, then it was just like here's a zip archive in an email, tried to execute the content. It's a password-protected zip archive, you know, voila. There was no self-propagation aspect. Fast forward to September. We see them using WhatsApp for propagation and now we move forward to. Not only that, we see them using emails for self-propagation and I feel like they keep ramping up. How do we find ways to automate this process for us so we don't have to put as much effort into it?
B
Yeah, well, given the information that you all have gathered here, what are your recommendations for the defenders out there who have to protect themselves from these sorts of things?
C
I would definitely just make sure that we teach the end users, we have to ensure that we keep them up to date on such attacks because I think it's so easy when you're in a rush to just kind of look at these things saying, oh shoot, I'm summoned to court, I gotta verify this. And it's kind of scary because that's the scare tactic behind this all is how can I get the users to kind of panic and just interact with these things? And I think we as security researchers and analysts have to just say, what is our best way to try and train the end users to not all of a sudden be panicked? We have to step them through and say, okay, let's slow down when you get something like this. Let's analyze what is the goal here from the threat actor standpoint, what are they trying to do? And let's not rely on emotions, let's rely on logic as well. And I think in terms of how do we stop this going forward too, if the user does interact with it, what protections can we put in place to ensure that this doesn't continue? Can we block MSHTA from executing remote code? Can we just have a blocking policy in place on Defender, on SentinelOne, whatever EDR tooling you're using to ensure that, okay, say the user does download the archive, they try to execute the HTA script, let's ensure that MSHTA does not execute the contents. And same thing with just understanding scripts in general. Like can we change the default behavior of how scripts are interacted with on the end user's part too? Can it just try to execute Notepad or open Notepad instead? These are some things you can change from the back end of, you know, group policies and whatnot.
B
Our thanks to Thomas Elkins from BlueVoyant for joining us. The research is titled "Unpacking Augmented Marauders Multi Pronged Caspianero Campaigns." We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
Date: May 16, 2026
Guest: Thomas Elkins, SOC L3 Analyst, BlueVoyant
Main Theme:
An exploration of a sophisticated, multi-pronged phishing campaign leveraging dynamic, self-propagating techniques, banking trojans, and social engineering—targeting Spanish-speaking users in Europe and Latin America.
This episode highlights BlueVoyant’s research into a highly adaptive phishing and malware campaign employing dynamic payload delivery, self-replicating infection mechanisms, and advanced obfuscation. The attackers exploit social engineering by sending urgent “court summons” PDFs, and use novel malware automation to extend reach and hinder detection. Analysis reveals connections to previously documented Maverick malware operations. The host and guest discuss technical execution, defensive recommendations, and lessons for defenders confronting advanced social engineering threats.
“It's so easy when you’re in a rush… you see these things, saying ‘Oh shoot, I’m summoned to court, I gotta verify this.’ And it’s kind of scary because that's the scare tactic—how can I get the users to panic and just interact?”
– Thomas Elkins (01:00)
“This is a self-autonomous campaign… it’s just going to keep spreading and finding the original source is going to be almost impossible.”
– Thomas Elkins (05:49)
“When the impacted user sends the fake emails out to their own contact lists, those users are more likely to say, ‘Oh, this must be legitimate, because this is a user that I know.’”
– Thomas Elkins (17:53)
“I feel like they keep ramping up. How do we find ways to automate this process so we don’t have to put as much effort into it?”
– Thomas Elkins (23:25)
“Let’s slow down when you get something like this. Let’s analyze, what is the goal here from the threat actor’s standpoint, what are they trying to do? … Let’s not rely on emotions, let’s rely on logic.”
– Thomas Elkins (24:17)
On Social Engineering Impact
“That's the scare tactic behind this all—how can I get the users to panic and just interact with these things?”
(01:00, Thomas Elkins)
On Malware Evolution
“There was no self-propagation aspect… Fast forward to September, we see them using WhatsApp for propagation, and now… using emails for self-propagation.”
(23:25, Thomas Elkins)
On Attacker ‘Courtesy’
“They already gave us the raw script, which was very nice of them to do, honestly.”
(13:00, Thomas Elkins)
On Defensive Mindset
“Let’s not rely on emotions, let’s rely on logic.”
(24:17, Thomas Elkins)
Research discussed: “Unpacking Augmented Marauders Multi Pronged Caspianero Campaigns” from BlueVoyant.
Host: N2K CyberWire Daily
Guest: Thomas Elkins, BlueVoyant
Listen for: In-depth technical breakdowns, evolutionary threat actor strategies, and clear, actionable defense tips—all conveyed with a focus on real-world application and the human element.