Yesterday, AppRiver identified a phishing campaign claiming to come for a UK winery – Les Caves De Pyrene. The attack began early around 10am UK and continued for four hours, targeting the inboxes of those just heading into work.
Fred Touchette, Manager of Security Research at AppRiver explains: “This attack spoofed a winery just outside of London and thanked the recipient for their recent payment, but stated that an invoice had been overlooked. The email was spoofed to look like it was sent by someone from the winery’s domain. Even the winery itself placed a warning on its site about the attack saying that these emails originated from the address in question. In actuality, however, the address was simply spoofed and had originated from a botnet sent out from all over the world.
“The rest of the email was also well crafted, looking as close to a real correspondence as one can likely get, additionally including footer graphics promoting an actual upcoming event by the winery that had also been spoofed.”
The supposed invoice was an attachment by the name of CWIH8974.doc, a word document, although when opened it appeared to have no content. Underneath the surface, though, a macro runs that calls out to the domain powerstarthosting.com where it downloads and executes the file b4387kfd.exe. The newly downloaded executable then reaches out to 92.48.69.11 to get further instructions and payloads.
Fred explains further how the malware works, “Macros were once a tool of convenience for Microsoft documents such as Word and Excel, but now they are primarily used for Internet evil, so much so that Microsoft has had them disabled by default for years now. The only reason they have not gone away completely is because some companies are still using them despite their very inherit dangers, likely in legacy documents that have continued to be reused repeatedly within an organisation.”
This campaign is very similar to a campaign AppRiver saw a couple of weeks ago where an identical template was being used to push an attachment by the same name for the same objective of stealing personal information from its victims.
Fred confirms, “In this campaign, however, the malicious payload was hosted elsewhere—secure.novatronica.com and had a different name—87t5fv.exe. This attack also used a second theme in order to push its agenda, spoofing another European firm that handles accounting for restaurants in the UK. This time, the attachment was entitled “British Gas.doc” and was a supposed bill from the utility company. The malware reaches out to webdesignoshawa.ca and the IP 184.168.192.41 for its payload.
“The best way to avoid these attacks is to avoid using macros and leave them disabled. If a company must use them, specific user awareness training on how to spot these bad documents and establish procedures for handling possible infections is recommended. While a company is training users for macros awareness, they should also begin a process to eliminate using them too.”
By the time this campaign stopped, AppRiver had blocked over a half a million messages associated with the attack.