Executive Summary
This report highlights a sophisticated malware campaign targeting businesses through email phishing. The attackers are leveraging trusted brand names and professional collaboration offers as a cover to distribute malicious attachments. The email subject lines and contents are carefully crafted to appear as legitimate business opportunities, including promotions, partnership proposals, and marketing collaborations.
Key characteristics of the campaign include:
- Email Payload: The malware is hidden within attachments such as Word documents, PDFs, or Excel files, often masquerading as promotional materials, contracts, or business proposals.
- Delivery Method: The phishing emails are sent from spoofed or compromised email addresses, making them seem credible. Recipients are lured into downloading the attached files, believing they are legitimate business offers.
- Malware Behavior: Once the attachment is opened, the malware installs itself on the victim's system. This malware is typically designed to steal sensitive data, including login credentials, financial information, and intellectual property, or to provide remote access to the attacker.
- Target Audience: Businesses and individuals in marketing, sales, and executive positions are the primary targets, given their propensity to engage in brand promotions and partnerships.
Overview:
CloudSEK's threat research team has uncovered a malware campaign in which threat actors impersonate popular brands, using professional collaboration offers as a disguise to distribute malicious attachments. In the email below, the threat actor presents a brand collaboration proposal from, including a compensation structure based on subscriber count.
At the end of the email, the threat actor includes instructions and a OneDrive link to access a zip file containing the agreement and promotional materials, secured with the password.
When the targeted YouTube creator clicked the URL in the email, they were directed to a OneDrive page. Further inspection revealed the Drive owner's email, "[email protected]," and a creation date of 08/15/2024 for the OneDrive account.
The malicious payload is embedded within two nested compressed files. This tactic is used to evade detection by common security filters and antivirus solutions. Once the archives are extracted, the malware is deployed, potentially compromising the recipient's system. The nesting is: Media Assets Complete Collection.rar > Contracts and Agreement Archive Collection.rar (password protected). On extracting the inner archive we could see four files, of which Digital Agreement Terms and Payments Comprehensive Evaluation.exe is the malicious payload.
Modus Operandi:
Attack Initialization:
- YouTube Parser: Attackers use a parser to collect bulk email addresses from YouTube channels, targeting creators and organizations.
- Automation: Tools like Browser Automation Studio are employed to send bulk phishing emails using SMTP servers (e.g., Murena/Onet.eu).
Phishing Stage:
- Spoofed Emails: Emails are crafted to appear as brand collaboration requests.
- Malicious Attachment: Victims are sent a password-protected zip file, hosted on cloud services like OneDrive.
Malware Delivery:
- Download: Victims download the zip file, believing it to be legitimate.
- Execution: Once extracted, the payload drops a renamed AutoIt3 interpreter (webcams.pif), which runs an obfuscated script to execute the malware.
System Infection:
- Malware Execution: The payload (e.g., an EXE file) infects the victim’s machine.
- Data Exfiltration: Stolen data such as browser credentials, cookies, and clipboard data is transmitted to a Command and Control (C2) server.
Analysis and Attribution:
Our investigation began with a sample that was flagged as malicious by 15 antivirus vendors on VirusTotal. Further analysis revealed that the sample drops a file named webcams.pif (a renamed AutoIt3.exe). The hash of this file, d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd, matched prior research conducted by the Qualys team, linking it to a campaign associated with Lumma Stealer.
Key Imports and Their Potential Malicious Use
- Clipboard-related Functions (Suspicious; MITRE ATT&CK T1115, Clipboard Data)
  - CloseClipboard / OpenClipboard / EmptyClipboard / SetClipboardData
    - These functions are used to manipulate the clipboard.
    - Malicious Use: Malware often uses clipboard functions to steal or replace data that users copy/paste (e.g., passwords, cryptocurrency wallet addresses).
    - MITRE ATT&CK T1115: Clipboard data is often a target for information-stealing malware that can access and alter clipboard contents.
- File and Process Functions (Potentially Malicious)
  - WriteFile
    - Used to write data to a file.
    - Malicious Use: Could be used by malware to write malicious payloads, drop files onto the system, or log stolen data.
  - GetCurrentProcess / OpenProcess
    - These functions are related to retrieving and interacting with processes.
    - Malicious Use: Common in malware for process injection, where the malicious code is injected into a legitimate process to evade detection.
    - MITRE ATT&CK T1055: Process Injection is a technique used by malware to run its code in the address space of another process, allowing it to hide and evade security mechanisms.
- File System Function
  - SHGetSpecialFolderLocation
    - This function is used to retrieve the path of special folders like Desktop or Documents.
    - Malicious Use: Malware could use this to locate user-specific directories to either drop malicious files or steal user data.
Command & Control:
The malware communicates with Command and Control (C2) servers to exfiltrate stolen data. Initially, it attempts a DNS request for "ukCmCsVdaZGZaOh.ukCmCsVdaZGZaOh," though this name is currently unresolvable. Subsequently, the malware connects to the IP address 89.105.223.80 on port 27105 and resolves the hostname in the URL http://vm95039.vps.client-server.site:27105/.
DNS: ukCmCsVdaZGZaOh.ukCmCsVdaZGZaOh
TCP: 89.105.223.80:27105
Resolve: http://vm95039.vps.client-server.site:27105/
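The three indicators above can be matched against DNS and connection logs. The following is an added example, not CloudSEK's code: it scans constructed log lines for the exact indicators and, as an additional heuristic that is an assumption rather than a finding of the report, flags DNS queries of the same "label.label" shape as the sample's first query.

```python
"""Added example (not CloudSEK's code): match constructed DNS and connection log
lines against the C2 indicators listed in the report's Command & Control section."""
import re
C2_DNS_QUERY = "ukcmcsvdazgzaoh.ukcmcsvdazgzaoh"   # indicators quoted above, lower-cased
C2_HOST = "vm95039.vps.client-server.site"
C2_IP, C2_PORT = "89.105.223.80", 27105

def repeated_label(name: str) -> bool:
    """Heuristic (an assumption, not from the report): the sample's first query repeats one
    random label as host and 'TLD' (label.label); no public TLD looks like that."""
    labels = name.lower().rstrip(".").split(".")
    return len(labels) == 2 and labels[0] == labels[1] and len(labels[0]) >= 8

def check_dns(query: str) -> list:
    q = query.lower().rstrip(".")
    reasons = []
    if q == C2_DNS_QUERY:
        reasons.append("known C2 DNS query")
    elif repeated_label(q):
        reasons.append("repeated-label query (no valid TLD)")
    if q == C2_HOST:
        reasons.append("known C2 hostname")
    return reasons

def check_conn(dst_ip: str, dst_port: int) -> list:
    checks = (("known C2 IP", dst_ip == C2_IP), ("C2 port 27105", dst_port == C2_PORT))
    return [reason for reason, hit in checks if hit]

# Constructed line format: "<time> <src> dns <name>" or "<time> <src> conn <ip> <port>".
LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>dns|conn) (?P<a>\S+)(?: (?P<port>\d+))?$")

def scan(lines) -> list:
    """Return (timestamp, source, reasons) for every line that hits an indicator."""
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        reasons = check_dns(m["a"]) if m["kind"] == "dns" else check_conn(m["a"], int(m["port"] or 0))
        if reasons:
            hits.append((m["ts"], m["src"], reasons))
    return hits

# Constructed sample log: one benign line and three that should fire.
SAMPLE_LOG = [
    "10:01:02 ws-17 dns www.example.com",
    "10:01:03 ws-17 dns ukCmCsVdaZGZaOh.ukCmCsVdaZGZaOh",
    "10:01:04 ws-17 dns vm95039.vps.client-server.site",
    "10:01:05 ws-17 conn 89.105.223.80 27105",
]
```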
Process Tree:
The Digital Agreement Terms and Payments Comprehensive Evaluation.exe executes directly from the temp directory and copies "Larger.bat" and "webcams.pif" into it. This could be an attempt to create a batch script for automated execution of additional commands, a pattern often used by malware for persistence or to trigger further malicious activity.
The obfuscated Larger.bat file checks for antivirus processes, including wrsa.exe (Webroot), opssvc.exe (Quick Heal), and bdservicehost.exe (Bitdefender), among others, using the tasklist and findstr commands. Malware often performs these checks to identify and potentially disable antivirus programs.
After execution, a legitimate AutoIt scripting interpreter (disguised as "webcams.pif") is downloaded to run a heavily obfuscated script (referred to as “V” in the analyzed sample). This script is assembled by concatenating various "chunks" of data from several other files, which are created through a series of copy-and-merge operations executed from the command prompt.
The purpose of the AutoIt script is to launch the legitimate RegAsm.exe binary, which serves as a container for injecting malicious .NET code. AutoIt is a scripting language frequently used by malware authors to create and obfuscate malicious software.
The malware drops two files, webcams.pif and RegAsm.exe, into a folder named "10183" in the temp directory.
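The process tree described above yields several host-side detection opportunities. The following is an added example, not CloudSEK's code: it evaluates constructed Sysmon-style process-creation events (Event ID 1 field names) for the AV discovery in Larger.bat, a .pif launched from %TEMP%, RegAsm.exe spawned by a .pif, and the command-prompt copy-and-merge used to assemble the script; the `copy /b ... + ...` form of that merge and all paths are assumptions.

```python
"""Added example (not CloudSEK's code): match Sysmon-style process-creation events
against the behaviours in the report's Process Tree section. Field names follow
Sysmon Event ID 1; the sample events below are constructed for illustration."""
import re

AV_PROCESSES = ("wrsa.exe", "opssvc.exe", "bdservicehost.exe")  # named in Larger.bat
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)

def av_discovery(cmdline: str) -> bool:
    """tasklist piped into findstr with one of the AV process names on the line."""
    c = cmdline.lower()
    return "tasklist" in c and "findstr" in c and any(p in c for p in AV_PROCESSES)

def pif_in_temp(image: str) -> bool:
    """A .pif launched out of %TEMP%: the renamed AutoIt interpreter."""
    return image.lower().endswith(".pif") and bool(TEMP_DIR.search(image))

def regasm_from_pif(image: str, parent: str) -> bool:
    """Legitimate RegAsm.exe spawned by a .pif, the .NET injection host in this chain."""
    return image.lower().endswith("\\regasm.exe") and parent.lower().endswith(".pif")

def chunk_merge(cmdline: str) -> bool:
    """Binary copy with '+' operands, the cmd.exe copy-and-merge that assembles the
    script from chunks (assumed form: copy /b a + b out)."""
    c = cmdline.lower()
    return "copy" in c and "/b" in c and "+" in c

def evaluate(event: dict) -> list:
    """Names of every rule the event trips, in a fixed order."""
    img, par, cmd = (event.get(k, "") for k in ("Image", "ParentImage", "CommandLine"))
    rules = (("av_discovery", av_discovery(cmd)), ("pif_in_temp", pif_in_temp(img)),
             ("regasm_from_pif", regasm_from_pif(img, par)), ("chunk_merge", chunk_merge(cmd)))
    return [name for name, fired in rules if fired]

# Constructed events: file and folder names are the report's; paths and order are illustrative.
TEMP = r"C:\Users\victim\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd /c tasklist | findstr /I "wrsa.exe opssvc.exe bdservicehost.exe"'},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c copy /b V.1 + V.2 + V.3 " + TEMP + r"\10183\V"},
    {"Image": TEMP + r"\10183\webcams.pif", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": TEMP + r"\10183\webcams.pif " + TEMP + r"\10183\V"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": TEMP + r"\10183\webcams.pif", "CommandLine": "RegAsm.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
]
```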
Hunting Threat Actor Infrastructure:
We conducted a deeper investigation into the threat actor's infrastructure and discovered a malicious compressed RAR file uploaded to OneDrive. Further analysis revealed the owner’s email, “[email protected],” and noted that the RAR file was last updated on 8/15/2024.
Stealer Log Analysis:
Interestingly, we also discovered a stealer log from the threat actor’s email account, exposing details of the entire campaign. This included SMTP email accounts (such as onet.eu and Murena.io), SOCKS5 proxies, Google Cloud APIs, victim emails and cookies, as well as phishing templates.
It appears that a multi-parser tool was used to collect data from YouTube, allowing the threat actor to obtain a large number of email addresses associated with YouTube channels as part of their initial reconnaissance efforts.
Here is a template from the stealer log used to impersonate brands for sending malicious spam emails to users.
Threat actors create templates for fake SMTP or temporary email accounts to send emails with malicious attachments. These templates are designed to impersonate legitimate brands, using familiar logos, formatting, and language to deceive recipients and increase the likelihood that they’ll open the harmful attachment.
Numerous SMTP accounts impersonating public relations and media entities have been created to target YouTube audiences.
From information.txt, we found that the threat actor is using automation tools for sending spear phishing emails and other automation tasks.
We were able to log into the Murena.io SMTP account and found evidence of a large-scale campaign, with the threat actor sending around 500-1,000 spam emails from a single email address, impersonating the Popular Brand. Below is a screenshot of one of the phishing emails sent to victims.
We also discovered a history of previous login sessions, which included details such as session IP, region, login time, and device type.
Detailed information for one of the IP addresses, 91.94.88.209, indicates that it belongs to an ISP and may be a compromised user machine of the kind frequently exploited by threat actors.
The phone number registered on the SMTP mail account is +48537977468, which has a Poland country code. However, it might be a temporary mobile number.
Our researchers noted the username "raez228" in the threat actor's stealer log.
We found a match for the username "raez228" on Twitch.tv, a platform used for streaming live gaming sessions.
Twitch Profile: https://www.twitch.tv/raez228/about
Diamond Model of Intrusion Analysis:
This diamond model highlights a well-coordinated and resourceful threat actor leveraging advanced tools and techniques to compromise social media accounts and organizations globally.
Adversary
The adversary leverages malware and sophisticated techniques for targeted attacks. Their actions suggest a well-organized group with access to diverse tools and resources.
Infrastructure
The adversary uses a robust infrastructure to support its campaigns, including:
- 340+ SMTP servers (e.g., Murena/Onet.eu) for email-based phishing or spam campaigns.
- 46+ Remote Desktop Protocols (RDPs), likely used for accessing compromised systems or deploying malware.
- 26+ SOCKS5 Proxies, which help anonymize traffic and facilitate stealthy communication with Command and Control (C2) servers.
- Automation tools like Youparser, Browser Automation Studio, and Zennobox to streamline operations such as spear phishing, credential harvesting and scaling attacks.
Capability
The adversary exhibits the following key capabilities:
- Malware deployment: Leveraging malicious software to infiltrate and control target systems.
- Social engineering: Manipulating individuals to gain unauthorized access to accounts or systems.
- Account takeovers: Gaining unauthorized access to victim accounts for exploitation.
- Credential and cookie harvesting: Stealing login information and session cookies for unauthorized account access or lateral movement.
Victims
- Industry: Focus on social media platforms and associated organizations.
- Platforms: YouTube is a primary target, indicating an intent to exploit its user base or platform features.
- Organizations: Entities have been targeted, likely for phishing, fraud, or impersonation purposes.
- Geography: The campaign has a global impact, with no specific regional focus.
MITRE ATT&CK Tactics and Techniques:
Indicators of Compromise (IoCs):