Graphical Lures In The Age of Cybercrime.

Posted on 2021-11-23 by Dmitry Melikov

How does fishing work in real life? The fisherman chooses a suitable spot, picks the right tools (a rod or nets) and selects the right bait. When everything is ready, he can expect a reasonable chance of success.

In fact, fishing in cyberspace is not that different from fishing in real life. A threat actor needs to choose the right tools, and the choice depends on the purpose: bankers to steal money, or espionage tools to steal data. A threat actor may also use third-party tools such as Cobalt Strike or Metasploit, at their discretion, to suit their needs.

It is just as important for a threat actor to choose the right lure. Why? The first step in many cybercrime incidents still requires a minimum of user interaction. If the payload is delivered by a macro-enabled document, the attacker must coerce the victim into enabling macros before anything else can happen. This assumes the attacker leverages malicious documents rather than other means of achieving remote code execution.

In this blog, we will look at some of the visual lures that cybercriminals use, and observe the different varieties of decoys used in mass phishing and in targeted attacks.

Hancitor

The Hancitor downloader has been known since 2013. Using a macro, it downloads and runs various payloads, usually banking trojans and bots. Periodically, the attackers change the visual bait to bypass and delay detection efforts. A real-world example of this occurred in the last month, and such changes happen at fairly regular intervals.

Picture 1: Old visual lure for Hancitor.
Picture 2: New visual lure for Hancitor.

It is evident that considerable effort went into making the new bait look modern and sleek, increasing its perceived credibility and the chances that targets will follow the instructions.

Qbot aka QakBot

This bot has existed and been successfully distributed for quite some time, dating back to 2007. Like other campaigns, its visual lures change regularly, and we will look at a few that have been or are currently in use.

Picture 3: Old visual lure for Qbot.
Picture 4: More recent visual lure for Qbot.
Picture 5: Another visual lure variant of Qbot.
Picture 6: Recent visual lure for Qbot.

IcedID

IcedID is a banking trojan used by the threat actor TA551. It has been observed active in the wild since 2017, and likely earlier. In some cases it is distributed along with a password needed to decrypt the document. Its visual lures also change quite often. Interestingly, they bear similarity to Qbot lures, possibly indicating a connection between the campaigns.

Picture 7: IcedID visual lure.
Picture 8: Another IcedID visual lure.
Picture 9: New IcedID visual lure (also seen with Qbot campaigns).

Agent Tesla

The group of cybercriminals behind the spread of this remote access trojan uses an interesting method of choosing a visual lure. In some versions they deliberately blur the fake document, so the user is more likely to click the Enable Content button in order to "view" the document.

Picture 10: Visual lure: Agent Tesla downloader.
Picture 11: Another visual lure: Agent Tesla downloader.
Picture 12: Updated visual lure: Agent Tesla downloader.
Picture 13: Recent visual lure: Agent Tesla downloader.

Dridex

Dridex is created and used by the TA 550 group. It is a data-stealing program that spreads through phishing emails, and the threat actors behind it constantly rotate lures across their malicious campaigns.

Picture 14: Dridex visual lure.
Picture 15: Dridex visual lure. (Variant)

Very often, Dridex documents pretend to come from transport companies.

Image 16: Dridex visual lure. (Variant)

Emotet

Some time ago, Emotet was the most popular banking trojan for stealing data. More recently, however, attackers have leveraged it to install other malware families as well as ransomware. Most of the malware downloaded by Emotet, which is normally distributed via phishing emails, relies on Emotet's infrastructure for higher infection rates. In January 2021, international law enforcement authorities shut down a large number of servers controlled by the actors, causing the campaign to go dormant until its resurgence in November.

Image 17: Emotet visual lure. This bait was used with the return of Emotet.
Image 18: Another Emotet visual lure.
Image 19: Emotet visual lure. (Variant)

Targeted attacks.

What we have discussed above is the distribution of phishing emails sent out on a huge scale every day. Such campaigns can be carried out regularly or in limited intervals. Targeted attacks, by contrast, are carried out with a careful choice of target and bait. In such cases it is not easy to attribute a particular campaign to a group. The following are examples of such cases.

Some time ago we found an interesting document that loaded Cobalt Strike. It had a very interesting visual lure, one that has not been seen in large numbers the way lures from mass campaigns are.

Some visual decoys are written in the language of the victim so that the likelihood of opening the file and activating macros is heightened. The following sample, tailored for a French target, is a prime example.

The following is another document used in the targeted attack whose payload was also Cobalt Strike.

Image 23: A very simple example of a targeted lure. (Not campaign related)
SHA256 - 5d3220db34868fc98137b7dfb3a6ee47db386f145b534fb4a13ef5e0b5df9268

Image 24: Another lure used in a locale-specific targeted attack.
SHA256 - d063c3938bb3ce3a0fe0c5492b7a8fe072524db87606b071152958e795501f7f

Image 25: A lure used in a targeted attack. (Not campaign related)
SHA256 - 0dde111712db81b5a70d9cf35f5e1fcd5d585c62f678a5db66d2a166ef3a3399

Image 26: A decoy used in a targeted attack.
SHA256 - 20fe5a152878e31a0bab6102a8c265f8e4e0309a4cbd1d03cba00ddb22bc1633

APT Actors

The tools used by APT actors are very often fundamentally different from those used for phishing. The fact is that APT campaigns are focused on striking covertly with specific goals in mind. Very often, documents used in APT campaigns mimic or leverage internal government documents, reports and bulletins.

Often the malicious payload is embedded within the document sent to the target rather than retrieved from a remote server, as seen in the other campaigns. We'll look at a few examples.

Image 30: Additional maldoc used in the APT campaign.
SHA256 - cad6611f90ce66e74418e47e45203e5771e61c57f49e27e8278a03165de741fe

It would be quite daunting to comprehensively cover the lures in the wild within this blog. However, we have a great collection of such lures within the Malware Lures Gallery.

Conclusion.

Visual lures used in malicious documents are aimed at making users open the document and enable the execution of macros. Another goal is to hide the malicious activity and create the impression of a legitimate document that the user is likely to interact with.
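The lure pattern described above (a macro project plus a picture standing in for real content) can be triaged mechanically. The following is an added example, not code from the original post or from InQuest; it inspects an Office Open XML zip for a VBA project, media images and the amount of visible text, and builds its own constructed sample documents. The 200-character text threshold is an assumption chosen for illustration.

```python
import io
import re
import zipfile

# Heuristic triage for the "visual lure" pattern: an OOXML document that
# carries a VBA project and leans on images with little real text.
MACRO_PART = "word/vbaProject.bin"
MEDIA_PREFIX = "word/media/"
MIN_TEXT_CHARS = 200  # assumed cut-off: below this the body is "mostly picture"


def document_text(zf: zipfile.ZipFile) -> str:
    """Return the visible text of word/document.xml (contents of w:t runs)."""
    try:
        xml = zf.read("word/document.xml").decode("utf-8", "replace")
    except KeyError:
        return ""
    return "".join(re.findall(r"<w:t(?:\s[^>]*)?>([^<]*)</w:t>", xml))


def triage_ooxml(data: bytes) -> dict:
    """Inspect an OOXML blob and return the evidence behind the verdict."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        has_macro = MACRO_PART in names
        images = [n for n in names if n.startswith(MEDIA_PREFIX)]
        text_len = len(document_text(zf).strip())
    lure_like = has_macro and bool(images) and text_len < MIN_TEXT_CHARS
    return {"has_macro": has_macro, "image_count": len(images),
            "text_chars": text_len, "lure_like": lure_like}


def build_sample(with_macro: bool, text: str) -> bytes:
    """Constructed sample shaped like a .docm for demonstration; not a real maldoc."""
    body = f"<w:document><w:body><w:p><w:r><w:t>{text}</w:t></w:r></w:p></w:body></w:document>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", body)
        zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        if with_macro:
            zf.writestr(MACRO_PART, b"\xd0\xcf\x11\xe0" + b"\x00" * 16)  # OLE magic only
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_ooxml(build_sample(True, "Enable Editing to view")))
    print(triage_ooxml(build_sample(False, "Quarterly report " * 40)))
```

A real detection pipeline would extract the images and pass them to OCR or an image classifier; the zip-level checks here are the cheap first pass.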

These simple rules will help mitigate the risk of falling prey to threat actors.

  1. Always update your operating system and Office.
  2. Never click “Enable Content”.
  3. Never open suspicious documents.
  4. Never use pirated software.
  5. Take care of your enterprise's cybersecurity.

You can familiarize yourself with the InQuest DFI Platform and SaaS Email Security Solution.

References:

Hancitor
https://inquest.net/blog/2021/04/16/unearthing-hancitor-infrastructure
https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor

Qbot
https://inquest.net/blog/2021/10/19/advanced-qbot-downloader
https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbots

IcedID
https://inquest.net/blog/2021/07/19/icedid-070721
https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid

Agent Tesla
https://inquest.net/blog/2021/11/02/adults-only-malware-lures
https://inquest.net/blog/2021/06/28/magnificence-agent-tesla

Targeted Attacks.
https://inquest.net/blog/2021/05/26/pschain
https://inquest.net/blog/2021/05/11/dive-cobalt-strike

APT Attacks.
https://www.sentinelone.com/labs/a-deep-dive-into-zebrocys-dropper-docs/
