Zenith Live is coming to Europe in October. Join us! Learn More
Zenith Live is coming to Europe in October. Join us!
Learn More

Zero trust security

Make it possible

Your Mission

The latest cloud hosting service to serve malware

By: Dhanalakshmi

The latest cloud hosting service to serve malware

In recent years, there have been many studies related to compromised cloud hosting services.

It has been reported that these services are increasingly being abused by hackers and malware authors for their malicious online activities. The services enable bad actors to open an inexpensive hosting account, allowing them to hide malicious content in the cloud-based domains of well-known brands, mixing the bad content among the good to prevent the malware from being blacklisted.

In its research, the Zscaler ThreatLabZ team discovered that a popular managed cloud hosting service provider called “Cogeco Peer 1” has been serving phishing attacks and other malware in the wild as far back as February 2018. One of the domains hosted by this service provider, called “flexsel[.]ca,” is distributing a malicious document that installs a crypto-wallet stealer on victims’ machines. Other Cogeco Peer 1 domains are serving various phishing attacks using fake logins for Microsoft, DocuSign, and banking sites. 

The below image of hosting IP [64[.]34[.]67[.]205] information shows some of the domains affected by this campaign.

Figure 1: Domains affected by the campaign

The Whois information related to the hosting IP address is as follows:

Figure 2: Whois information on hosting IP address

In this blog, we will provide a technical analysis of two types of attacks served by this campaign in August 2018.

1. Multi crypto-wallet stealer payload delivered through malicious document

2. Microsoft and DocuSign phishing attack

Multi crypto-wallet stealer payload delivered through malicious document:

The crypto-wallet stealers are not new to the information security industry, but we have seen a dramatic increase in their use recently. We found that the domain “http[:]//flexsell[.]ca/,” which is hosted on 64[.]34[.]67[.]205, distributed a malicious document to users during the second week of August 2018. This malicious document downloads and installs a payload with the ability to steal stored crypto-wallets from user machines.

Download link: flexsel[.]ca/myresume/resume_ahmadhammouz[.]doc

Zscaler spotted and blocked this threat over the past two weeks, as shown below:

Figure 3: Unique instances of the malicious document and the final payload downloads as seen by Zscaler

Technical details:

The document, called “resume_ahmadhammouz[.]doc,” has a malicious macro which is executed when the document is opened. It further downloads and executes a crypto-wallet stealer payload on the victim’s machine. This payload tries to steal stored cryptocurrency wallet information, targeting Bitcoin, Electrum, and Monero cryptocurrency wallets.

The obfuscated malicious VB code in the document file is shown below. It initiates an HTTP request to the hardcoded download path of the wallet stealer binary without user intervention.

Figure 4: Obfuscated malicious VB code in the document file

The below Wireshark image shows the payload download on the victim’s machine. 

Figure 5: Wireshark screen capture showing download of malicious payload

This malware variant is custom packed. It decrypts and loads an actual wallet stealer file (Borland Delphi compiled) on runtime. Upon execution, the malware collects basic system information, including machine ID, EXE_PATH, Windows, computer (username), screen, layouts, local time, and CPU model. The collected information is sent to a C&C server, which is hardcoded in the file as shown below.

Figure 6: Calls to C&C server

The encrypted POST communication to the C&C server is shown below.

 

Figure 7: Post-infection communication to the C&C server

The wallet stealer malware searches for the default location of the digital wallet stored on the infected machine, along with browser cookies and login details of popular applications like Pidgin, WinSCP, and Psi+. The following digital wallet files are hunted on a victim’s machine.

Figure 8: Digital wallet files types searched for by malware

The information stored in digital wallet data files includes:

  • mbhd.yaml – Contains general preferences and configuration information (theme, exchange, etc.)
  • mbhd.checkpoints – A Bitcoin checkpoints file, used when syncing your wallet
  • mbhd.spvchain – A Bitcoin block store, used when syncing your wallet

Microsoft and DocuSign Phishing attack:

After exploit kits, phishing is the one of the most significant threats to individuals and organizations today. The dynamic nature of the domains that serve phishing pages, along with the easy hosting features provided by cloud services, magnifies these types of internet attacks.

The Microsoft and DocuSign phishing pages seen in the wild on August 29, 2018, are shown below.

Figure 9: Microsoft and DocuSign phishing pages seen on August 29

The fake Microsoft phishing page image is shown below.

Figure 10: Fake Microsoft phishing page

The DocuSign phishing attack is a tactic used to persuade computer users to enter their account credentials on a fake DocuSign login page. These stolen credentials are used by the attacker to carry out various malicious activities; as a result, the victim’s machine can be infected by other malware.

The following image shows the fake DocuSign login page:

Figure 11: Fake DocuSign login page

Conclusion:

This report covers just one of the active and compromised cloud repositories and the illicit online activities built around it, though these types of attacks have become increasingly common. As individuals and organizations gravitate towards cloud computing, attackers are motivated to host malicious content in the cloud. It is extremely important for cloud hosting service providers to be vigilant in identifying and mitigating attacks on their repositories.

Zscaler ThreatLabZ is monitoring such threats and will continue to ensure coverage for Zscaler customers. The Zscaler Cloud Sandbox report for a sample payload from this campaign is shown below.

Figure 12: Zscaler Cloud Sandbox report on blocked malicious document in the crypto-wallet stealer campaign

IOCs:

Hash:

5608ba844d57727cc821f9fe248ec6ea

98a9964e6e630015688232f08ecf7eb7

74bcd4230c67eba5dd5b34d608454bcd

220c7a665e229beaa22445576350d69e

52536bc70cbacb54160422b73584797a

4e8d5bc0daf0468f854bd972d07f6433

b8a812b43ea18133f38d78b987fe0516

4778714ada548df47f88e7be98e06a63

babecd9045dee2a4bac36c3dc3b4435d

755a77050a511bf5fb61e1d4b004edaa

78d5d85a03b2502f6ecb50371c8299ee

e3f0aec8720ae140215834a17b64d23f

24f3ae8fdddca93f258aef99f984206c

eb7d0f6a68f8447395c9b06f7b561a60

3e6acd8bc6da5c3ef9c135b6bab92199

e0222a5aeab4e4960effdf692c720808

7d33158f1d6a1145cd404751d9645ef5

7b4f0d1f1e85c8e43f4ff2ca11955b41

98a7d159b8af3300744413831035493b

757cbf2cfe780d3c86ebad4fb52041d9

e7d60c8d826a2a9f1829db4b49e7fc09

2b3cff9dbbce4a4d469885e6e9c3e245

975def7af0e548e14c0db8ecf7cf489d

b77c7428bd8efd211a31d1ab774fae43

0d8125afd6adca7d22f08038d0cb3fa3

c9bd4b2099d969a4757487ab553abdf8

c7902322f1b07fc43a6f819a30a10aff

a4432010c73eeb075fb3eb2eae669388

URLs:

adrespotokano[.]info/index[.]php

flexsell[.]ca/myresume/resume_ahmadhammouz[.]doc

162.244.32.180/tyejdsk[.]exe

104.193.252.188/4354r/boxeslimited/536657464[.]png

 




Suggested Blogs