
Hook, line, and sinker.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us. [ Music ]
Jonathan Tanner: Phishing emails are a very common way to distribute malware. So the phishing emails, you know, pretending to be a purchase order and then the attachment is not actually, you know, the purchase order. And in this case, it's not even a file type that you would really expect for a purchase order. It's a 7-Zip file, which contains an ISO file, which is like a disk image. But they sort of don't count on people looking that closely into the attachments.
Dave Bittner: That's Jonathan Tanner, senior security researcher at Barracuda. The research we're discussing today is titled "Stealthy Phishing Attack Uses Advanced Info Stealer for Data Exfiltration." [ Music ] Right. Right. And as the research points out, there are some of those telltale grammar errors in the email as well.
Jonathan Tanner: That's correct. Yeah.
Dave Bittner: Yeah. Well, let's dig into those payloads then because that's really where things get interesting here. As you said, this is a 7-Zip file, but there's many layers that you outlined here in the research as to what goes on here. Can you walk us through that?
Jonathan Tanner: Yes. So the 7-Zip, which is also -- zip files are commonly used as well, but basic protections sometimes will block outright certain file types. So the 7-Zip itself is kind of an evasion as well because it's a lesser-used and lesser-known archive format that is still widely enough supported. So they chose the 7-Zip file. And then inside is, as I mentioned, an ISO file, which is a disk image often used for, like, CDs or DVDs. But that in itself is just another sort of archive container. So then once that is executed -- and there's -- another aspect of these is, you know, when you open it up on Windows, it'll pop up things trying to help you open these files pretty easily. So, you know, you click on the file, then it's like, "Oh, okay, do you want to open the ISO file inside?" Then it'll open that up, and then it takes you to an HTA file, which is -- it's HTML, but it's designed to run more in Microsoft Word. And it offers a lot more capabilities as far as interacting with the host operating system because most browsers these days are sandboxed from being able to access as much on the host. So the HTA file allows them to, you know, write in, you know, sort of a pretty easy language that they can understand, but then execute it in a more privileged software space.
Dave Bittner: I see. And so once that HTA file gets executed, where do we go next?
Jonathan Tanner: So then that downloads a JavaScript file, which is heavily obfuscated, very common. I mean, I don't think I've ever seen a non-obfuscated JavaScript file from, you know, as far as malware goes. And then that will download a PowerShell script because even JavaScript doesn't always have the same privileges to the host operating system. But PowerShell can do pretty much anything in the user space that's executing it that the user can do. So then the PowerShell script will go and download a zip file, and that contains the Python software itself, as well as the Python script that is the malware payload. Because Windows doesn't have Python installed by default, so they have to package up the Python software to actually run the script. And that itself is also obfuscated and needs to be decoded, and then it's finally run.
Dave Bittner: And so to the user, is all of this happening behind the scenes, or are they seeing anything that would indicate that something has gone awry?
Jonathan Tanner: I'm not actually 100% sure on that. I think at most, the PowerShell would quickly pop up like an MS-DOS prompt or a terminal prompt. But it's possible that it just runs behind the scenes as well. And I mean, if it is popping up a prompt, it's going to be very quick, just the amount of time it takes to execute that file. And then once it gets to the Python file, unless they have something specifically, you know, a UI set up, which they wouldn't, that's all going to run behind the scenes.
Dave Bittner: One of the things that caught my eye in the research here is -- you note that the Python file sleeps for three seconds. Walk me through that. Why does it choose to do that?
Jonathan Tanner: I think the sleeping for three seconds is to allow the process to finish running before killing it. Because it says after the three seconds, it then kills the Python process if it's still running, and then deletes all the files. So that is probably to ensure that if something hangs within the software, it's not going to set off any alarms on the user side that, oh no, things are slowing down or I got some errors. So they want to ensure that everything cleans itself up afterwards and there aren't as many traces of the actual execution.
Dave Bittner: I see. And so what is it that they're after here once they get into the system?
Jonathan Tanner: They're actually after quite a bit, which was part of the interesting details. Like, info stealers most commonly are after passwords -- saved passwords from your browsers, which this does go after. And then there's a subtype of info stealer called a Banker, which will go after any sort of banking information. And then they will dig a little deeper and they'll look for, like, crypto wallets. So this is also going after that information as well. But what kind of is more unique about this sample is it is also going through the user's file system looking for PDF files. And then it'll actually exfiltrate those as well and send those off. It zips them up and then sends them to a specific email address. Each type of information is also sent to a different email address at the same domain. So they're kind of keeping track of what type of information is being sent by segregating.
Dave Bittner: Staying organized on their end.
Jonathan Tanner: Yeah, exactly.
Dave Bittner: Yeah. We'll be right back. [ Music ] Any sense for why they're going after seemingly random PDF files, or is it just, "While we're in here, let's grab everything we can?"
Jonathan Tanner: I think that also has to do kind of with the stealing sensitive data and, you know, banking -- the Banker aspects. And, you know, if you go -- if you log into your online bank account and then download a bank statement, that could have your account number or other sensitive information. And then if you save that as a PDF, it'll just be sitting on your file system. You may not think to delete it later. So I believe they're going after that sort of information. Another thing that would have sensitive information is, you know, tax statements. You know, you fill out your taxes every year, download a PDF for your records. That's going to have your Social Security number, which is, you know, very sensitive data that is traded on dark marketplaces sometimes as well. So they're just basically going after as much information as possible. And, you know, some of it can be used to try to compromise your accounts directly or your bank or steal money. And then some of it can be sold or traded on marketplaces.
Dave Bittner: Is the sense here that they're after kind of a quick hit that they want to get in, grab what they want and then get out without leaving much of a trail behind?
Jonathan Tanner: Yes, definitely. Because there's no sort of residual processes, you know, to stick around and try to steal data later. So the deleting everything especially is trying to not leave a trace on your system, at least file-wise. I'm sure there'll be plenty of indicators, you know, if it touches the registry or executions. But at least not leaving the files that were used in the infection process.
Dave Bittner: Right. And is this the kind of thing that a typical antivirus system would detect, or is it stealthier than that?
Jonathan Tanner: It depends. The thing with typical antivirus is they're all based -- basically, it's called -- like, on signatures, they look for specific strings -- like, it could be in this -- if they're looking for, you know, like Python, it would be more of text because Python is a scripting language. But most, you know, like executable malware, it's like binary encoded strings that they're trying to find. And when they see malware, they'll create new rules to look for, you know, the malware that they've seen. And they try to make it general enough to, you know, to block as many possibilities of what they've seen, but also specific enough that it doesn't block anything that it shouldn't. So the traditional antivirus is very reactive. It requires the analysts to create these rules to detect it. And that is what, you know, most users have. I mean, I'm sure even in a lot of companies, there are more advanced endpoint solutions out there that will, you know, look deeper into files. But that's -- there's not -- I don't know that there's a market for that for end users. And even within business, you know, it's not as widely used as it should be.
Dave Bittner: Do you have any sense for how widespread this is or how extensive an operation this might be?
Jonathan Tanner: So, yeah, so for this particular sample, we've seen 40,000 hits so far. Fifty of our customers have escalated the attack through our feedback.
Dave Bittner: Interesting.
Jonathan Tanner: So it's definitely getting a lot, but that's also for this specific one. They could change things up, you know, to create different file hashes, change up the payload a little bit. And that could result in, you know, something that has to be detected separately, but is the same thing ultimately, which is very common.
Dave Bittner: How would you --
Jonathan Tanner: That's another way that -- oh, sorry.
Dave Bittner: No, go ahead.
Jonathan Tanner: I would say that is another way that, you know, attackers will try to evade antivirus, you know, is trying to vary the, at least the initial payload as much as possible. It may end up downloading the exact same Python script at the end. But a lot of protections, especially on the email end, you know, are maybe looking at the file hash. So if they vary the file hash and send it out to fewer customers, it can be a lot stealthier that way.
Dave Bittner: How would you rate the sophistication of this? Or do these folks seem to know what they're doing here?
Jonathan Tanner: Yeah, it definitely is somewhat sophisticated. It's also, you know, going for a very wide range of information, which, you know, can have its pros and cons. I mean, the more data that's getting sent out can also lead to, you know, better chance of it getting detected, say, by an intrusion detection system. But it also exposes a lot more of, you know, a user's sensitive data.
Dave Bittner: Right.
Jonathan Tanner: And I suppose on the business end, they also could be looking for, you know, maybe customer PII or even, you know, confidential documents. That is another thing that could be -- with the exfiltrating the PDFs that could be getting compromised.
Dave Bittner: So what are your recommendations then? How should folks best protect themselves here?
Jonathan Tanner: I mean, obviously, you know, having security solutions is one of the typical recommendations, and it is a good one. But there's also, you know, no security solution is going to be 100% effective at blocking everything. So users, you know, should sort of have some vigilance in their own day-to-day of, like, looking at emails. There were, you know, several indicators on this one that, you know, you mentioned the language and, you know, spelling errors and grammar errors. That's something that is often an indicator that something might be off because that's, you know, not super common in legitimate emails, at least not the same sort that you might see in phishing attacks. Another thing is, you know, suspicious file extensions, paying attention to them. And sort of, you know, every step of the way, it does require, you know, several user interactions to actually get these payloads to run. So each one of those is an opportunity for a user to go, "Hey, should I really be executing this? What is this actually?" And then there's also context. "Is this person sending me this purchase order actually someone that I do business with that I would be expecting a purchase order from?" If not, then that should be a huge red flag right there. [ Music ]
Dave Bittner: Our thanks to Jonathan Tanner from Barracuda for joining us. The research is titled "Stealthy Phishing Attack Uses Advanced Info Stealer for Data Exfiltration." We'll have a link in the show notes. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]