Proofpoint researchers have observed a number of email campaigns with attached password-protected malicious documents. These documents are primarily used to distribute malware including Cerber ransomware and the Ursnif banking Trojan, with document passwords included in the body of the email.
The use of password-protected documents makes them difficult to execute in automated sandbox environments, circumventing a variety of anti-malware products. At the same time, including the password in the email makes it easy for recipients to open the document while password protection adds a sense of legitimacy. Recently, Proofpoint observed a phishing campaign using this technique designed to harvest credit card account numbers and personal information from account holders.
Breakdown
- The email sample that Proofpoint analysed was personalised with the recipient’s name and what appear to be the starting digits of their credit card account number. The starting digits for credit cards are standardised, though, so this just adds to the apparent legitimacy of the carefully crafted emails without requiring actual knowledge of the recipient’s’ card number. The emails also use stolen branding and social engineering to create a sense of urgency encouraging the recipient to update security information for their “new chip card.”
- The email includes an HTML attachment that is protected by a password included in the email. The HTML attachment is also XOR-encoded, again making dynamic analysis more difficult.
- While the password-protected Microsoft Word documents Proofpoint normally see in malware campaigns make use of Word’s built-in functionality to add passwords, this is an HTML attachment, so instead uses JavaScript to implement the password protection. The script pah.js decrypts the XOR-encoded HTML when the user enters the password provided in the body of the email.
- If the user enters the password correctly, they will be presented with a fairly typical credit card phishing template, complete with stolen branding.
- The form will submit the credentials in the same manner as we see in typical credential phishing, via HTTP POST…Click HERE to read full article.
