Financial spear-phishing campaigns pushing RATs

On 12 May, the FBI Cyber Division issued a TLP:WHITE Private Industry Notification regarding a spear-phishing campaign. The campaign distributed emails that masqueraded as financial institutions, pushing fake Windows apps containing remote access Trojans (RATs). The most recent attack targeted an American renewable energy company, impersonating a US-based financial institution. The phishing email referenced a fictitious loan, instructing the target organization's employees to download a Windows application in order to complete the loan process and receive $62 million.

The email appeared to be from a UK-based financial institution and confirmed that the US firm’s loan had been accessed, with instructions to process it using the fake Windows application. The email contained two PDF files: one used the name and likeness of the UK’s National Crime Agency (NCA), and the other appeared to contain SWIFT information. A URL for downloading the application was provided, along with a username and password to access it.

The attackers registered a domain (secureportal[.]online) to distribute the fake Windows applications. At least four firms were impersonated via this domain: Cumberland Private UK, Truist, FNB America, and MayBank.

Cyjax analysts investigated the indicators of compromise disclosed by the FBI, uncovering additional files and phishing pages related to this ongoing campaign, which has been active since at least 2017. The attackers have posed as various financial institutions globally, including those from Panama, West Africa, Malaysia, and China, delivering backdoored Windows applications similar to the one described in the FBI PIN.

The investigation into the hosting services and name servers used by the initial domain (secureportal[.]online) revealed multiple other sites, all masquerading as investment banks. These domains were created around the same time, using similar servers:

• 2017-05-03: thebnymellon[.]com, IP: 66.85.156.85, Name Servers: AS19318 IS-AS-0, Host: AS20454 SECURED SERVERS
• 2017-06-27: bbtcorpo[.]com, IP: 66.85.156.85, Name Servers: AS19318 IS-AS-1, Host: AS20454 SECURED SERVERS
• 2018-04-24: bceaoportal[.]com, IP: 108.170.31.123, Name Servers: AS19318 IS-AS-1, Host: AS20454 SECURED SERVERS
• 2018-05-01: esecurebanking[.]online, IP: 108.170.31.123, Name Servers: AS19318 IS-AS-1, Host: AS20454 SECURED SERVERS
• 2019-01-24: scotia-itrade[.]online, IP: 66.85.156.85, Name Servers: AS19318 IS-AS-1, Host: AS20454 SECURED SERVERS
• 2019-03-19: secureportal[.]online, IP: 108.170.31.123, Name Servers: AS19318 IS-AS-2, Host: AS20454 SECURED SERVERS
• 2019-05-31: scotia-itrade[.]com, IP: 66.85.156.85, Name Servers: AS19318 IS-AS-6, Host: AS20454 SECURED SERVERS
• 2019-08-07: multibankpa[.]com, IP: 66.85.156.86, Name Servers: AS19318 IS-AS-6, Host: AS20454 SECURED SERVERS
• 2020-02-21: securebankapp[.]com, IP: 66.85.156.85, Name Servers: AS19318 IS-AS-4, Host: AS20454 SECURED SERVERS
• 2020-02-25: trfincorporation[.]online, IP: 108.170.61.187, Name Servers: AS19318 IS-AS-6, Host: AS20454 SECURED SERVERS
• 2020-09-02: chasetrustus[.]com, IP: 108.170.52.156, Name Servers: AS19318 IS-AS-6, Host: AS20454 SECURED SERVERS
• 2020-12-04: cponlineuk[.]com, IP: 192.119.92.32, Name Servers: AS19318 IS-AS-6, Host: AS54290 HOSTWINDS
• 2020-12-07: securemailbox[.]online, IP: 66.85.156.86, Name Servers: AS19318 IS-AS-3, Host: AS20454 SECURED SERVERS
• 2021-01-10: cpbkuk[.]com, IP: 192.119.92.32, Name Servers: AS19318 IS-AS-6, Host: AS54290 HOSTWINDS

Fig. 1 – Campaign infrastructure connected to this campaign.

The analysis uncovered fake login pages posing as various financial institutions, including Cumberland Private Wealth, Truist, First National Bank of America, MayBank Private Malaysia, Central Bank of West African States (BCEAO), Chase Trust, and more.

The attackers send emails containing a URL and login credentials for a fake website. When the credentials are used, the victim downloads an installer that unpacks a ZIP file, delivering a backdoored application. If executed, the application provides remote access to the device.

Fig. 2 – Fake login pages with identical forms but alternative logos used by the threat actors.

Further investigation into the malicious campaign’s infrastructure revealed the use of multiple techniques by the attackers, including leveraging fake applications as decoys. This tactic has been employed by other cybercriminal groups, such as the Lazarus Group, which used similar strategies in its Operation AppleJeus to steal cryptocurrency in 2020.

Fig. 3 – Fake Windows application impersonating Scotiabank Panama.

The attackers send an email to the target containing a URL and login credentials for a fake website. When these credentials are used, the victim downloads an installer which unpacks a ZIP file. This delivers the backdoored application, which, if executed, provides remote access to the device.

Fig. 4 – Infection chain diagram depicted by Cyjax analysts.

Further analysis of the malicious campaign infrastructure exposed several patterns:

• All the domains hosted with either Secured Servers (AS20454) or Host Winds (AS54290) and Interserver Name Servers (AS19318)
• The attackers either used the “.com” TLD or “.online” gTLD to create lookalike domains to impersonate the investment banks
• The Windows applications appear to have been built with an open-source project on GitHub called Squirrel (available here)
• The Windows applications are large files, at around 42MB in size, with very low detection ratings on VirusTotal
• The Windows applications likely inherited RAT functionality from TeamViewer, a legitimate remote admin tool often used by threat actors

Fig. 5 – Graph of the campaign infrastructure using VirusTotal.

Interestingly, the same servers used by the attackers also hosted several domains impersonating the FBI, Europol, HM Revenue & Customs, the Bank of England, US Federal Reserve, US Treasury, and the World Bank. It is currently unclear if these domains are connected to the same campaign: no emails, login pages, or samples were found using them. However, it remains a significant finding because it is consistent with the threat actors' TTPs – the FBI disclosed that the threat actors masqueraded as the UK National Crime Agency in one of the PDFs attached to an email.

This highly targeted campaign has yet to be attributed to a known APT or cybercriminal group. Its success rate is currently unknown, but the campaign combines multiple techniques corresponding to somewhat sophisticated cybercriminals, making it a serious threat. Using the information harvested from backdoored systems, the attackers can access their victims' accounts and various other sensitive data to further compromise the target networks or steal more funds.

Using fake applications as decoys while performing malicious activity in the background is a common tactic: it has been employed by cybercriminals and state-backed financially motivated threat actors, such as the Lazarus group. The North Korean APT used its AppleJeus malware to target hundreds of organisations in over 30 countries during 2020. It used backdoored applications that provided initial access to its victims’ networks to steal cryptocurrency from their virtual wallets. The earliest versions appeared in 2018. In this campaign, the initial infection vectors included spear-phishing via emails, malicious links sent via social media, and other social engineering techniques. [5][6]

IOCs

• EXE: e09ae3c1ff5489f300ec9ecfc76ffdab90b6dab07eff1a0edf38285ab1e2b801, Name: TruistFinancialApp.exe
• NuGet (NUPKG): b5ab061ae764c10896d5889ac241d94aa50d2b5713c15e3b23e7c23454296bef, Name: truist-financial-0.1.0-full.nupkg
• EXE: 49b71bf037995e26819d36c11f7ab8cbd8c2ab58155c6ad4786996fd42994213, Name: BNYSecureBankAppInstaller.exe
• NuGet (NUPKG): 97e21c919783cd645f6237064277a8c4b97245915fa3bfd7d8888004a7858b91, Name: bny-securebank-0.1.0-full.nupkg
• EXE: 344540bc935624cbdc21e51478f061a7e98fce0b5c0082e0e14c33e502833a80, Name: BNY%20SECUREBANK%20APPLICATION.EXE
• EXE: f46ae7989893a150a0620206ed8d8bfad17b2b542b9f9e599d683da272ab2ce0, Name: ScotiaSecureBankAppInstaller.exe
• NuGet (NUPKG): da849c361e3e6284ea0ec7a35c3834473682f27755dd1962b520a0d42f423b66, Name: sbp-securebank-0.1.0-full.nupkg
• EXE: 6f6e630ec432e7b559d5d7dcb8ecd88223857cdd3bb863bd597fecde03031a8c, Name: MultibankInstaller.exe
• NuGet (NUPKG): 3cd6061599887ed296ae32e24ae9ccc6433359b0c40ffb882d7cdf0884cd5552, Name: multi-securebank-0.1.0-full.nupkg
• EXE: e9c6f21f59c3d498d8f92a00596b461756e22f19cf42d5e5bd3e9b938fd84323, Name: Multibank Application.exe
• EXE: 0589f1c49f55ccfffbbf40b2a1e516cbee14c42896d5641cc500f978fc7eab99, Name: Setup.exe
• NuGet (NUPKG): 0f784a5e5daeffec55350213ec6f9dba7834935a77913bfb8fb8866122499b5a, Name: bbt-securebank-0.1.0-full.nupkg
• EXE: 0754d1de2deeca3062d62489a0c15255ab3eb2411d513ec7126f01eb98dbf85a, Name: BB&T SecureBank Application.exe
• EXE: 2e4af4ffcbb2e5c49a44596ed423e8c3213884daba74a051a75afed9abbbc047, Name: MetroBankInstaller.exe