On 12 May, the FBI Cyber Division issued a TLP:WHITE Private Industry Notification. This concerned a spear-phishing campaign distributing messages that masqueraded as financial institutions to push fake Windows apps containing remote access Trojans (RATs). The most recent attack impersonated a US-based financial institution to target an American renewable energy company. The spear-phishing email referenced a fictitious loan and instructed the target organisation’s employees to download a Windows application so as to complete the loan process to receive $62 million. 
The email appeared to have arrived from a UK-based financial institution and confirmed that the US firm’s loan had been accessed and could be processed using the fake Windows application. The email contained two PDF files, one of which used the names and likeness of the UK’s National Crime Agency (NCA) and the other appeared to contain SWIFT information. The email had a URL from which to download the application; it also contained the username and password to access it.
The threat actors had registered a domain (secureportal[.]online) through which they can share the links to the fake Windows applications. At least four firms were impersonated on this one domain: Cumberland Private UK, Truist, FNB America, and MayBank. [2, 3, 4]
Cyjax analysts investigated the indicators of compromise disclosed by the FBI and uncovered additional files and phishing pages connected to this ongoing campaign that has been running since at least 2017. The attackers have masqueraded as various financial institutions from around the world – not just from the US and UK – this includes organisations from Panama, West Africa, Malaysia, and China. They have posed as investment banks to deliver a similar backdoored Windows application that was described in the FBI PIN.
We analysed the hosting services and name servers used by the initial domain (secureportal[.]online) shared publicly by the FBI for patterns. This revealed multiple other sites using the same servers, created in the same time frame, masquerading as investment banks:
|Creation Date||Domain||IP||Name Servers||Host|
|2017-05-03||thebnymellon[.]com||18.104.22.168||AS19318 IS-AS-0||AS20454 SECURED SERVERS|
|2017-06-27||bbtcorpo[.]com||22.214.171.124||AS19318 IS-AS-1||AS20454 SECURED SERVERS|
|2018-04-24||bceaoportal[.]com||126.96.36.199||AS19318 IS-AS-1||AS20454 SECURED SERVERS|
|2018-05-01||esecurebanking[.]online||188.8.131.52||AS19318 IS-AS-1||AS20454 SECURED SERVERS|
|2019-01-24||scotia-itrade[.]online||184.108.40.206||AS19318 IS-AS-1||AS20454 SECURED SERVERS|
|2019-03-19||secureportal[.]online||220.127.116.11||AS19318 IS-AS-2||AS20454 SECURED SERVERS|
|2019-05-31||scotia-itrade[.]com||18.104.22.168||AS19318 IS-AS-6||AS20454 SECURED SERVERS|
|2019-08-07||multibankpa[.]com||22.214.171.124||AS19318 IS-AS-6||AS20454 SECURED SERVERS|
|2020-02-21||securebankapp[.]com||126.96.36.199||AS19318 IS-AS-4||AS20454 SECURED SERVERS|
|2020-02-25||trfincorporation[.]online||188.8.131.52||AS19318 IS-AS-6||AS20454 SECURED SERVERS|
|2020-09-02||chasetrustus[.]com||184.108.40.206||AS19318 IS-AS-6||AS20454 SECURED SERVERS|
|2020-12-04||cponlineuk[.]com||220.127.116.11||AS19318 IS-AS-6||AS54290 HOSTWINDS|
|2020-12-07||securemailbox[.]online||18.104.22.168||AS19318 IS-AS-3||AS20454 SECURED SERVERS|
|2021-01-10||cpbkuk[.]com||22.214.171.124||AS19318 IS-AS-6||AS54290 HOSTWINDS|
|2021-03-26||psbcn[.]com||126.96.36.199||AS19318 IS-AS-6||AS54290 HOSTWINDS|
|2021-05-18||securebankapp[.]online||188.8.131.52||AS19318 IS-AS-6||AS20454 SECURED SERVERS|
Fig. 1 – Campaign infrastructure connected to this campaign.
Fig. 2 – Fake login pages with identical forms but alternative logos used by the threat actors.
This investigation uncovered additional fake login pages posing as other investment banks, including Cumberland Private Wealth, Truist, First National Bank of America, MayBank Private Malaysia, Central Bank of West African States (BCEAO), Chase Trust, and the Postal Savings Bank of China, BNY Mellon, Scotiabank Panama, Multibank Panama, BB&T, and MetroBank.
Pivoting from these additional domains and IP addresses revealed other fake Windows applications that had been used by the attackers to deliver a backdoor. As summarised in the initial advisory, the attackers send an email to the target containing a URL and login credentials for a fake website. When these credentials are used to enter the site, the victim downloads an installer which unpacks a ZIP file. This delivers the backdoored application which, if executed by the user, provides remote access to the device.
Fig. 3 – Fake Windows application impersonating Scotiabank Panama.
Fig. 4 – Infection chain diagram depicted by Cyjax analysts
Further analysis of the malicious campaign infrastructure exposed several patterns:
- All the domains hosted with either Secured Servers (AS20454) or Host Winds (AS54290) and Interserver Name Servers (AS19318)
- The attackers either used the “.com” TLD or “.online” gTLD to create lookalike domains to impersonate the investment banks
- The Windows applications appear to have been built with an open-source project on GitHub called Squirrel (available here)
- The Windows applications are large files, at around 42MB in size, with very low detection ratings on VirusTotal
- The Windows applications likely inherited RAT functionality from TeamViewer, a legitimate remote admin tool often used by threat actors
Fig. 5 – Graph of the campaign infrastructure using VirusTotal
Interestingly, the same servers used by the attackers also hosted several domains impersonating the FBI, Europol, HM Revenue & Customs, the Bank of England, US Federal Reserve, US Treasury, and the World Bank. It is currently unclear if these domains are connected to the same campaign: we found no emails, login pages, or samples using them. However, it remains a significant finding because it is of a piece with these threat actors’ TTPs – the FBI disclosed the threat actors masqueraded as the UK National Crime Agency in one of the PDFs attached to an email.
This highly targeted campaign has yet to be attributed to a known APT or cybercriminal group. Its success rate is currently unknown, but the campaign combines multiple techniques corresponding to somewhat sophisticated cybercriminals, making it a serious threat. Using the information harvested from backdoored systems, the attackers can access their victims’ accounts and various other sensitive data to further compromise the target networks or steal more funds.
Using fake applications as decoys while performing malicious activity in the background is a common tactic: it has been employed by cybercriminals and state-backed financially motivated threat actors, such as the Lazarus group. The North Korean APT used its AppleJeus malware to target hundreds of organisations in over 30 countries during 2020. It used backdoored applications that provided initial access to its victims’ networks to steal cryptocurrency from their virtual wallets. The earliest versions appeared in 2018. In this campaign, the initial infection vectors included spear-phishing via emails, malicious links sent via social media, and other social engineering techniques. [5, 6]
|EXE||0754d1de2deeca3062d62489a0c15255ab3eb2411d513ec7126f01eb98dbf85a||BB&T SecureBank Application.exe|