The top motivation behind cybercrime is financial enrichment and the financial services industry is an attractive target for cybercriminals. In early 2022, HP Wolf Security detected a targeted malware campaign against an employee of an African bank. The campaign caught our attention because of its targeted nature and how the threat actor attempted to deliver malware using HTML smuggling, a technique for sneaking malicious email attachments past gateway security controls. In this article, we describe the campaign, sharing how the attacker registered fake banking domains to build a credible lure, and explain how HTML smuggling works.
In early 2022, an employee of a West African bank received an email purporting to be from a recruiter from another African bank with information about job opportunities there. The domain used to send the email was typosquatted and does not belong to the legitimate mimicked organization. A WHOIS request reveals the domain was registered in December 2021 and visiting the website returned an HTTP 404 “Not found” response. To make the lure more credible, the threat actor also included a reply-to address of another supposed employee of the recruiting bank.
Searching for other typosquatted domains relating to the mimicked organization revealed two more (Appendix 1) that may be related to the same malware campaign. The second domain displayed a web page about the bank’s employment application process, which was likely copied from the legitimate website.
Figure 1 – Typosquatted bank website describing the job application process.
There is no malware hosted on the page itself, and no input form that could be used to elicit login credentials or sensitive information from visitors.
The third domain showed the mimicked bank’s homepage, which was also likely copied from the legitimate website, but again we found no malware or signs that the site was being used for phishing.
Purpose of the Typosquatted Domains
On typosquatted domains 2 and 3 we found had DNS TXT records for Sender Policy Framework (SPF) set up, suggesting that they were likely used for sending malicious emails. If the websites were used for phishing or hosting malware, spending time to configure these records would not serve any purpose. Visiting the websites increases the recipient’s trust in the email lure because they are shown content copied from the legitimate bank, ultimately making them more likely to act upon the email.
We weren’t able to link all three domains together conclusively, however, domain 2 references the bank’s job application process – the lure used in the malware campaign – and follows a very similar naming convention to domain 1, so we think the same threat actor probably registered that infrastructure.
Common Fraud Methods Related to Banks
|Phishing||Phishing is one of the most common scams targeting bank customers. The attacker creates a website that imitates a bank’s legitimate login portal and sends the link to potential victims via email or SMS. If someone enters their login credentials into the form, the attacker can use them to log into the account. An effective way to defeat simple attacks like this is to enforce multi-factor authentication. To circumvent this, the attacker would have to capture the second factor from the victim and log into the banking portal when the phishing takes place.|
|Fake bank/Investment scam||In the fake bank or investment scam the attacker builds a website imitating a legitimate bank or investment platform. The website is used to attract victims to register an account, often promising strong returns through investments. When the victim logs into the website they are shown a fund management tool. The attacker convinces the victim to transfer money using the tool, supposedly into their account. The money is transferred via third-party providers, instead of normal bank transfers that are subject to stricter anti-fraud controls. The victim is shown a balance in their fake account, which increases as expected with a good return. However, the money was in fact transferred to fraudster’s account and is usually lost for good from the victim.|
|Malware distribution||Malware is sometimes distributed via fake bank websites or emails pretending to be from banks. This is not exclusively Windows malware. The rise in popularity of smartphone banking apps means that malware is often distributed as apps targeting smartphone operating systems. Users should verify they are using the official mobile banking application and in the case of emails and websites, make sure they have accessed to correct domain of their bank.|
In this campaign, the threat actor sent an HTML attachment Fiche de dossiers.htm to the recipient. Opening the file in a text editor reveals the source code of the page (Figure 2).
Figure 2 – Source code of HTML attachment Fiche de dossiers.htm.
Figure 3 – Web browser download prompt offering to save the ISO file to the file system.
In Windows 10, double clicking the ISO file causes it to be mounted as disc media, which opens a new File Explorer window that shows its contents.
Figure 4 – Contents of ISO file Dossier Bad.iso.
Inside there is a Visual Basic Script (VBS) file called Fish de candidature.vbs which is executed when double-clicked. One way to prevent the accidental execution of malicious VBS scripts is to change the default application of .vbs files to a text editor. This way a direct execution can be prevented. If we now open this file in an editor, we see the following code (Figure 5).
Figure 5 – VBS code containing variable and data definitions.
The script contains variables, such as a registry key or a path to PowerShell.exe, and some encoded data. When the script is executed, it creates a new Registry key and stores a long hexadecimal string in it. Then PowerShell is executed and passing an encoded command. The corresponding code sequences can be seen in Figure 6.
Figure 6 – Visual Basic Script code containing PowerShell execution.
The PowerShell script uses C# type definitions to call Windows API functions. First the script locates a memory area with NtAllocateVirtualMemory. Then the previously stored hexadecimal string is read from the Registry and a new byte array is created. The array is copied with RtlMoveMemory into the newly assigned memory area. The copied byte array is shellcode which is executed via an API call to CallWindowProcW. For this purpose, only the memory address of the shellcode is passed to the function as the first argument (WNDPROC), which is used as the callback address causing malware to run.
Figure 7 – PowerShell code using C# type definitions to execute malicious code.
Analyzing the shellcode with a debugger reveals a simple decryption function at the very beginning of the code. The code is then decrypted using an XOR operation, which is located directly after the decryption function, and then executed.
Figure 8 – Shellcode decryption function.
The decrypted code is GuLoader. This malware is a loader that downloads and executes other malware families from the web. In this campaign GuLoader was configured to download and run RemcosRAT malware. For this purpose, there are two URLs in GuLoader’s configuration that lead to the RemcosRAT payload. One payload URL leads to OneDrive and the other to Dropbox. We have analyzed other malware campaigns involving GuLoader have also used file sharing services to host malware payloads. Since the payload is also encrypted, it can be challenging for service providers to detect and remove them.
Remcos is a commercial Windows remote access tool (RAT) that gives the operator significant control over the infected system. Its capabilities include running remote commands, downloading and uploading files, taking screenshots, recording keystrokes and recording the user’s webcam and microphone. While we don’t know for certain what the attacker would have used their access for, but here are some possibilities:
- Long term persistent access with the objective of making fraudulent transactions, for example through the SWIFT payment system. This would require the threat actor to deploy tools to understand the network, move laterally, monitor internal procedures and take advantage of them. The attacker might take advantage of the employee’s position in the bank since they would have access to their corporate email account.
- Move laterally with the goal of compromising domain controllers to deploy ransomware. They might also steal sensitive/protected data that could be used to extort the target.
- Sell their access to another threat actor.
HP Wolf Security detected a targeted malware campaign on the banking sector in Africa. The attacker sent emails from typosquatted domains of a legitimate bank luring them to apply for a job by opening a malicious attachment. If the user opens the HTML file, they are prompted to download an ISO file, which in turn contains a Visual Basic script that leads to a malware infection when executed. This technique is called HTML smuggling and is dangerous because it enables attackers to smuggle malicious files past email gateway security.
The downloader used in the described campaign is GuLoader, which is executed using PowerShell via code stored the Registry and is otherwise only run in memory. Detecting such a chain of infection is not easy, as the malware is only located in memory and the Registry. However, one simple way of breaking the infection chain is changing the default application for script files from Windows Script Host to something else, for example, Notepad. Organizations should also make sure they have visibility over their network to monitor and block unusual process behavior at an early stage. Beyond this, it is important for employees to critically question emails, especially those that appeal to a sense of urgency, curiosity and authority – characteristics that are commonly exploited by attackers.
Indicators of Compromise
The files of the following hashes can also be found MalwareBazaar.
Encrypted GuLoader shellcode:
RemcosRAT Payload URLs:
Encrypted RemcosRAT payload:
The following domains were typosquatted by the threat actor to impersonate a credible and legitimate organization and do not represent a vulnerability affecting the organization.
|Typosquatted domain 1||afbd-bad[.]org|
|Typosquatted domain 2||afdb-bad[.]org|
|Typosquatted domain 3||afdb-za[.]org|