The latest cloud hosting service to serve malware

In recent years, there have been many studies related to compromised cloud hosting services. It has been reported that these services are increasingly being abused by hackers and malware authors for their malicious online activities. The services enable bad actors to open an inexpensive hosting account, allowing them to hide malicious content in the cloud-based domains of well-known brands, mixing the bad content among the good to prevent the malware from being blacklisted. In its research, the Zscaler ThreatLabZ team discovered that a popular managed cloud hosting service provider called “Cogeco Peer 1” has been serving phishing attacks and other malware in the wild as far back as February 2018. One of the domains hosted by this service provider, called “flexsel[.]ca,” is distributing a malicious document that installs a crypto-wallet stealer on victims’ machines. Other Cogeco Peer 1 domains are serving various phishing attacks using fake logins for Microsoft, DocuSign, and banking sites.  The below image of hosting IP [64[.]34[.]67[.]205] information shows some of the domains affected by this campaign. Figure 1: Domains affected by the campaign The Whois information related to the hosting IP address is as follows: Figure 2: Whois information on hosting IP address In this blog, we will provide a technical analysis of two types of attacks served by this campaign in August 2018. 1. Multi crypto-wallet stealer payload delivered through malicious document 2. Microsoft and DocuSign phishing attack Multi crypto-wallet stealer payload delivered through malicious document: The crypto-wallet stealers are not new to the information security industry, but we have seen a dramatic increase in their use recently. We found that the domain “http[:]//flexsell[.]ca/,” which is hosted on 64[.]34[.]67[.]205, distributed a malicious document to users during the second week of August 2018. This malicious document downloads and installs a payload with the ability to steal stored crypto-wallets from user machines. Download link: flexsel[.]ca/myresume/resume_ahmadhammouz[.]doc Zscaler spotted and blocked this threat over the past two weeks, as shown below: Figure 3: Unique instances of the malicious document and the final payload downloads as seen by Zscaler Technical details: The document, called “resume_ahmadhammouz[.]doc,” has a malicious macro which is executed when the document is opened. It further downloads and executes a crypto-wallet stealer payload on the victim’s machine. This payload tries to steal stored cryptocurrency wallet information, targeting Bitcoin, Electrum, and Monero cryptocurrency wallets. The obfuscated malicious VB code in the document file is shown below. It initiates an HTTP request to the hardcoded download path of the wallet stealer binary without user intervention. Figure 4: Obfuscated malicious VB code in the document file The below Wireshark image shows the payload download on the victim’s machine.  Figure 5: Wireshark screen capture showing download of malicious payload This malware variant is custom packed. It decrypts and loads an actual wallet stealer file (Borland Delphi compiled) on runtime. Upon execution, the malware collects basic system information, including machine ID, EXE_PATH, Windows, computer (username), screen, layouts, local time, and CPU model. The collected information is sent to a C&C server, which is hardcoded in the file as shown below. Figure 6: Calls to C&C server The encrypted POST communication to the C&C server is shown below.   Figure 7: Post-infection communication to the C&C server The wallet stealer malware searches for the default location of the digital wallet stored on the infected machine, along with browser cookies and login details of popular applications like Pidgin, WinSCP, and Psi+. The following digital wallet files are hunted on a victim’s machine. Figure 8: Digital wallet files types searched for by malware The information stored in digital wallet data files includes: mbhd.yaml – Contains general preferences and configuration information (theme, exchange, etc.) mbhd.checkpoints – A Bitcoin checkpoints file, used when syncing your wallet mbhd.spvchain – A Bitcoin block store, used when syncing your wallet Microsoft and DocuSign Phishing attack: After exploit kits, phishing is the one of the most significant threats to individuals and organizations today. The dynamic nature of the domains that serve phishing pages, along with the easy hosting features provided by cloud services, magnifies these types of internet attacks. The Microsoft and DocuSign phishing pages seen in the wild on August 29, 2018, are shown below. Figure 9: Microsoft and DocuSign phishing pages seen on August 29 The fake Microsoft phishing page image is shown below. Figure 10: Fake Microsoft phishing page The DocuSign phishing attack is a tactic used to persuade computer users to enter their account credentials on a fake DocuSign login page. These stolen credentials are used by the attacker to carry out various malicious activities; as a result, the victim’s machine can be infected by other malware. The following image shows the fake DocuSign login page: Figure 11: Fake DocuSign login page Conclusion: This report covers just one of the active and compromised cloud repositories and the illicit online activities built around it, though these types of attacks have become increasingly common. As individuals and organizations gravitate towards cloud computing, attackers are motivated to host malicious content in the cloud. It is extremely important for cloud hosting service providers to be vigilant in identifying and mitigating attacks on their repositories. Zscaler ThreatLabZ is monitoring such threats and will continue to ensure coverage for Zscaler customers. The Zscaler Cloud Sandbox report for a sample payload from this campaign is shown below. Figure 12: Zscaler Cloud Sandbox report on blocked malicious document in the crypto-wallet stealer campaign IOCs: Hash: 5608ba844d57727cc821f9fe248ec6ea 98a9964e6e630015688232f08ecf7eb7 74bcd4230c67eba5dd5b34d608454bcd 220c7a665e229beaa22445576350d69e 52536bc70cbacb54160422b73584797a 4e8d5bc0daf0468f854bd972d07f6433 b8a812b43ea18133f38d78b987fe0516 4778714ada548df47f88e7be98e06a63 babecd9045dee2a4bac36c3dc3b4435d 755a77050a511bf5fb61e1d4b004edaa 78d5d85a03b2502f6ecb50371c8299ee e3f0aec8720ae140215834a17b64d23f 24f3ae8fdddca93f258aef99f984206c eb7d0f6a68f8447395c9b06f7b561a60 3e6acd8bc6da5c3ef9c135b6bab92199 e0222a5aeab4e4960effdf692c720808 7d33158f1d6a1145cd404751d9645ef5 7b4f0d1f1e85c8e43f4ff2ca11955b41 98a7d159b8af3300744413831035493b 757cbf2cfe780d3c86ebad4fb52041d9 e7d60c8d826a2a9f1829db4b49e7fc09 2b3cff9dbbce4a4d469885e6e9c3e245 975def7af0e548e14c0db8ecf7cf489d b77c7428bd8efd211a31d1ab774fae43 0d8125afd6adca7d22f08038d0cb3fa3 c9bd4b2099d969a4757487ab553abdf8 c7902322f1b07fc43a6f819a30a10aff a4432010c73eeb075fb3eb2eae669388 URLs: adrespotokano[.]info/index[.]php flexsell[.]ca/myresume/resume_ahmadhammouz[.]doc[.]exe[.]png  

*** This is a Security Bloggers Network syndicated blog from Research Blog authored by [email protected]. Read the original post at: