SharePoint Phishing Campaign

The entire attack chain of the SharePoint campaign
The legitimate SharePoint service used in the campaign allowed it to evade detection from security systems and appear credible to users who were not expecting an attack.
The attack followed this pattern:
- The campaign started with a phishing email containing a link.
- The link directed users to a PDF file stored on SharePoint, which contained another link.
- After clicking the link, users were prompted to solve a CAPTCHA, making it harder for security systems to identify and block the campaign.
- Finally, users were taken to a fake Microsoft login page, where they were prompted to enter their credentials.

A warning message has also been added to sandbox sessions, cautioning users: “Be careful! Do not enter your login details.”
Strela Stealer Distributed via WebDAV

Details of the Strela Stealer distribution campaign
Here is how it unfolded:
- The campaign started with an obfuscated batch file that triggered a PowerShell script, which in turn launched the net and rundll32 processes.
- The Strela stealer used net.exe to mount a WebDAV share on the command-and-control (C2) server, which contained a ‘davwwwroot’ folder, and fetched a 64-bit DLL file from it over WebDAV.
- Approximately one thousand DLL files carrying Strela stealer were found on hxxp://45[.]9.74[.]32[:]8888.
During execution, the malware exploits WordPad. The C2 servers for Strela were located on the same host as the payload.


Strela malware campaign details in TI Lookup
To find related sandbox sessions in TI Lookup, we can search on the unique folder name used by this malware with the commandLine parameter and submit the following query: commandLine:"davwwwroot*dll".
The platform instantly provides us with 100 sandbox sessions (tasks) where this artifact was found, as well as files and events.
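As an added example (not code from the original post or from ANY.RUN), the Python script below applies the same idea to a list of process command lines: it parses WebDAV locations that contain the davwwwroot folder, separates the net.exe mount step from the rundll32 DLL load step, and records which lines the wildcard query above would also hit. The host 203.0.113.10, the port and the DLL name in the sample lines are constructed placeholders, not indicators from the campaign.

```python
import re
from fnmatch import fnmatch

# Wildcard equivalent of the TI Lookup query commandLine:"davwwwroot*dll".
TI_LOOKUP_PATTERN = "*davwwwroot*dll*"

# WebDAV location in UNC form (\\host@port\davwwwroot\...) or URL form
# (http://host:port/davwwwroot/...). Host and port are captured for triage.
WEBDAV_RE = re.compile(
    r"(?:\\\\(?P<unc_host>[\w.\-]+)(?:@(?P<unc_port>\d+))?\\davwwwroot"
    r"|https?://(?P<url_host>[\w.\-]+)(?::(?P<url_port>\d+))?/davwwwroot)",
    re.IGNORECASE,
)


def analyze_command_line(cmd):
    """Return a finding for a command line touching a davwwwroot WebDAV path, else None."""
    m = WEBDAV_RE.search(cmd)
    if not m:
        return None
    lowered = cmd.lower()
    exe = lowered.split()[0].rsplit("\\", 1)[-1]  # basename of the launched binary
    if exe in ("net", "net.exe"):
        stage = "mount"        # net use ... \\host@port\davwwwroot
    elif exe in ("rundll32", "rundll32.exe"):
        stage = "load"         # rundll32 loading the DLL straight from the share
    else:
        stage = "other"
    return {
        "stage": stage,
        "host": m.group("unc_host") or m.group("url_host"),
        "port": m.group("unc_port") or m.group("url_port"),
        # The mount step has no 'dll' after 'davwwwroot', so the TI Lookup
        # wildcard only catches the load step; the regex above catches both.
        "ti_lookup_hit": fnmatch(lowered, TI_LOOKUP_PATTERN),
        "cmd": cmd,
    }


def find_strela_activity(command_lines):
    return [f for f in map(analyze_command_line, command_lines) if f]


# Constructed sample command lines (placeholder host, not a real C2).
SAMPLE_CMDLINES = [
    r"net use \\203.0.113.10@8888\davwwwroot",
    r"rundll32.exe \\203.0.113.10@8888\davwwwroot\1234.dll,Entry",
    r"C:\Windows\System32\notepad.exe C:\Users\me\notes.txt",
    r"net use Z: \\fileserver\share",
]

if __name__ == "__main__":
    for f in find_strela_activity(SAMPLE_CMDLINES):
        print(f["stage"], f["host"], f["port"], f["ti_lookup_hit"], "->", f["cmd"])
```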
DeerStealer Malware Disguised as Google Authenticator

DeerStealer distribution campaign breakdown
Here are the details:
- The infection chain began with a fake website, a copy of the official Google Authenticator download page.
- After clicking the “Download” button, a fake Google Authenticator file would be downloaded from GitHub. The file was signed on 2024-07-17 with a Reedcode Ltd certificate with serial number [5459 67FF 5732 8859 C677 4F85 3F6B 7F18].
- Once executed on the system, the stealer would begin exfiltration of stolen data.
Exfiltration occurs via HTTP POST requests transmitting PKZIP archives containing stolen user data XORed with the 0x0c key. Stolen logs are sent to a Telegram chat created by an account with the username “fedor_emeliyanenko_bog.”
DeerStealer employs encryption for API function names, makes API calls through wrapping, and obfuscates its code.

Suricata rule used for detecting DeerStealer C2 activity
Expose Phishing and Malware with ANY.RUN Sandbox
The service is also equipped with automatic detection capabilities, identifying threats in under 40 seconds and providing a conclusive verdict and report on the sample’s threat level and malicious activities.
