How does fishing work in real life? The fisherman chooses a suitable place for fishing, he chooses the right tools; a fishing rod or nets, and he also needs to choose the right bait. When everything is ready, he can expect a good degree of success.
In fact, fishing in cyberspace is not that different from fishing in real life. A threat actor needs to choose the right tools. Depending on the purpose, they can use different tools; such as bankers to steal money or espionage tools to steal data. A threat actor may also use third-party tools such as Cobalt Strike or Metasploit, at their discretion to suit their needs.
It is just as important for a threat actor to choose the right lure. Why? The fact of the matter is that the first step in many cybercrime incidents still require a minimum amount of user interaction. If the document provided by the macros is provided, then the attacker must coerce the victim to enable the macros to proceed. This assumes the attacker leverages malicious documents rather than other means of achieving remote code execution.
In this blog, we will look at some of the visual honeypots that cybercriminals use, as well as observe different varieties of decoys used for mass phishing or targeted attacks.
The Hancitor downloader has been known since 2013. Using a macro, it loads and runs various payloads. These are usually banking trojans and bots. Periodically, attackers will change the visual bait to bypass and delay detection efforts. A real world example of this occurred in the last month and happens at fairly regular intervals.
It is evident that considerable effort goes into making the new bait look modern and sleek. Increasing perceived credibility and the chances that targets will follow instructions.
Qbot aka QakBot
This bot exists and has been successfully distributed for quite some time, dating back to 2007. Like other campaigns, visual lures change regularly and we will look at a few that have been and/or are currently in use.
Banking trojan used by the threat actor TA551. They have been observed active in the wild since 2017, likely prior. In some cases, it is distributed along with a password to decrypt the document. Visual lures also change quite often. Interestingly, it bears similarity to Qbot lures, possibly indicating a connection between the campaigns.
The group of cybercriminals behind the spread of this remote access trojan uses an interesting method in choosing a visual lure. In some versions, they deliberately blur the fake document so the user is more likely to click on the content enable button to "view" the document.
Dridex is created and used by the TA 550 group. This is a data stealing program that spreads through phishing emails. Threat Actors are constantly using various lures to carry out malicious campaigns.
Very often the documents of dridex pretend to be documents from transport companies.
Some time ago, Emotet was the most popular banking trojan for stealing data. Recently however, attackers were able to leverage it to install other malware families as well as ransomware. Most of the malware downloaded by Emotet, normally distributed via phishing emails, leverage Emotet's infrastructure for higher infection rates. In January 2021, international law enforcement authorities shut down a large amount of servers controlled by the actors, causing the campaign to go dormant until its November resurgence.
What we have discussed above is the distribution of phishing emails sent out on a huge scale every day. Such campaigns can be carried out regularly or in limited intervals. Targeted attacks are carried out with a careful choice of target and bait. In such cases, it is not easy to attribute a group to a particular campaign, the following are examples of such cases.
Some time ago we found an interesting document that loaded Сobalt Strike. They had a very interesting visual lure, which has not yet been encountered in large quantities as with large campaigns.
Some visual decoys are written in the language of the victim so that the likelihood of opening the file and activating macros is heightened. The following sample, tailored for a French target, is a prime example.
The following is another document used in the targeted attack whose payload was also Cobalt Strike.
The tools used by APT actors are very often fundamentally different from those used for phishing. The fact is that APT campaigns are focused on striking covertly with specific goals in mind. Very often, documents used in APT campaigns mimic or leverage internal government documents, reports and bulletins.
Often, malicious payloads are embedded within documents primed for target emails rather than retrieved as seen in other campaigns. We'll look at a few examples.
It would be quite daunting to comprehensively cover the lures in the wild within this blog. However, we have a great collection of such lures within the Malware Lures Gallery.
Visual lures used in malicious documents are aimed at making users open the document and enable the execution of macros. Another goal is to hide malicious activity and create the impression of a legitimate document that the user is likely to interact with.
These simple rules will help mitigate the risk of falling prey to threat actors.
- Always update your operating system and Office.
- Never click “Enable Content”.
- Never open suspicious documents.
- Never use pirated software.
- Take care of the cybersecurity of your enterprise.
You can familiarize yourself with the InQuest DFI Platform and SaaS Email Security Solution