Be Careful Who You Trust: Impersonation Emails Deliver Geodo Malware

Over the past weeks, the Phishing Defence Centre has observed several reports that pretend to come from an internal sender. While this impersonation tactic is not new, we have only recently observed an influx in emails used to deliver the Geodo botnet malware. Figure 1 demonstrates an example of an email we have received.

Emails in which the sender appears to be someone you know and trust are among the greatest threats to enterprise security. Recipients who recognise the sender are more inclined to trust the message and to click its link or open its attachment. Always verify the sender when anything looks suspicious, and never click links or open attachments from unknown senders. Remember: things are not always as they seem.

Figure 1 – Example Impersonation Email

These phishing emails were crafted to appear to originate from an internal source in order to build rapport and trust with the recipient. Inspecting the email header, however, shows that the From address is spoofed and that the message actually originates from djaozan(at)plataran[.]com, as shown in Figure 2.

Figure 2 – Email Header of Example Impersonation Email
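The check described above, comparing who a message claims to be from with where it actually entered the mail system, can be automated. The following Python is an added example and not code from the original post or from PhishMe: it parses a raw message, reads the From, Return-Path, Message-ID and first-hop Received headers, and flags a message whose From domain is internal while its envelope sender, submitting host or Message-ID domain is not. The header block is constructed for illustration (only the envelope sender domain plataran.com comes from the article) and the internal domain example.com is an assumption.

```python
"""Flag internal-looking From addresses whose envelope/transport headers are external."""
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains

# Constructed sample modelled on the article's description (internal-looking From,
# envelope sender at plataran.com). It is not the real header shown in Figure 2.
SAMPLE_RAW = """\
Return-Path: <djaozan@plataran.com>
Received: from mail.plataran.com (mail.plataran.com [203.0.113.10])
    by mx.example.com with ESMTP id 4fQ2xk0001
    for <bob@example.com>; Tue, 12 Jun 2018 09:14:02 +0000
From: "Alice Finance" <alice.finance@example.com>
To: bob@example.com
Subject: Change of Address
Message-ID: <20180612091402.7F3A1@plataran.com>

Please review the updated details at the link below.
"""


def domain_of(addr):
    """Lower-cased domain of an address such as '"Name" <user@host>' ('' if none)."""
    _, address = parseaddr(str(addr or ""))
    return address.rpartition("@")[2].lower()


def is_internal(hostname):
    """True if hostname is one of, or a subdomain of, the internal domains."""
    hostname = hostname.lower()
    return any(hostname == d or hostname.endswith("." + d) for d in INTERNAL_DOMAINS)


def spoof_indicators(raw):
    """Compare the claimed sender with the envelope sender and the submitting host."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(msg.get("From", ""))
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    msgid_domain = domain_of(msg.get("Message-ID", ""))

    # Received headers are prepended by each hop, so the last one is the first hop:
    # the host that handed the message to our infrastructure.
    received = [str(h) for h in msg.get_all("Received", [])]
    first_hop = received[-1] if received else ""
    m = re.search(r"\bfrom\s+([^\s(]+)", first_hop)
    originating_host = m.group(1) if m else ""

    reasons = []
    if is_internal(from_domain):
        if envelope_domain and not is_internal(envelope_domain):
            reasons.append("Return-Path domain %s is external" % envelope_domain)
        if originating_host and not is_internal(originating_host):
            reasons.append("first hop %s is external" % originating_host)
        if msgid_domain and not is_internal(msgid_domain):
            reasons.append("Message-ID domain %s is external" % msgid_domain)
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "originating_host": originating_host,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


if __name__ == "__main__":
    for reason in spoof_indicators(SAMPLE_RAW)["reasons"]:
        print("SUSPICIOUS:", reason)
```

The three signals are deliberately kept separate: legitimate third-party bulk senders often produce a mismatched Return-Path on their own, so an alert rule would normally weight the first-hop host more heavily than the envelope domain, and a site that enforces SPF/DKIM/DMARC at the gateway can add the Authentication-Results header to the same comparison.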

The link in the email (hxxps://dieterprovoost[.]be/Change-of-Address) downloads a Word document (Recent money transfer details.doc) containing a macro. If the macro is allowed to run, it downloads an executable (fcOihu.exe) from one of five payload domains: guysfromandromeda[.]com, materialstestingequip[.]com, lctn[.]org, promacksfarm[.]com and fourchamberforge[.]com.

Analysing a memory dump captured while the malware was running revealed seven command and control servers supporting the Emotet/Geodo botnet. Emotet/Geodo is a banking trojan and botnet malware whose lineage traces back to the same codebase that spawned the Cridex and Dridex botnets.

One of the most interesting features of this malware is its worm-like self-propagation: it generates new phishing emails to seed further infections. Once installed on a host, it retrieves email addresses from its command and control hosts and uses them as destinations for new phishing emails that spread the malware further.

Presented as internal communication, these phishing emails try to convince users that they were sent by a trustworthy source and pose no risk. This is another example of why a holistic phishing defence strategy, built on empowering and preparing users to respond critically to phishing narratives, is a critical element of an enterprise's security posture.


Indicators of Compromise (IOCs)

Infection URL
hxxps://dieterprovoost[.]be/Change-of-Address (188.226.214[.]28)

Malicious Word document
File name: Recent money transfer details.doc
MD5: 6a86ff81f7f3ff557d680f7db6b75e24
SHA256: c8c73c84bcd69be5d4c18e1a965b3a7affbb8fee542b8213c5c7b38b9e9f829f
File size: 139.26KB

Macro Payload URLs

hxxp://guysfromandromeda[.]com/GhQxIP/ (50[.]63.36.169)
hxxp://materialstestingequip[.]com/o/ (46[.]249.205.50)
hxxp://lctn[.]org/NGLCWStUc/ (64[.]8.148.3)
hxxp://promacksfarm[.]com/ZGOxsJmnx/ (66[.]7.200.85)
hxxp://fourchamberforge[.]com/LTWdFuN/ (68[.]66.200.196)

Malicious Geodo executable
File name: fcOihu.exe
MD5: 3397ba78e78d2199a35522fc7af4bc30
SHA256: d9a607641a261c2e8bac1197526c12325a5bf9823b35b94a91809dd922f2c329
File size: 98.3KB

Geodo Command and Control hosts

88[.]198.99.28
188[.]138.124.206
216[.]71.120.100
198[.]89.121.38
148[.]251.33.195
167[.]114.98.61
193[.]46.83.10
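The indicators above are published defanged (hxxp, [.]) so they cannot be clicked by accident, which also means they must be refanged before they can be matched against logs. The script below is an added example, not code from the original post or from PhishMe: it refangs the IOC block as printed above, splits it into URL, domain, IP and hash sets, and sweeps a handful of log lines for any of them, matching a full URL first and falling back to the domain so that a different path on a payload domain still hits. The log lines (proxy, firewall and endpoint file events in a simplified space-separated form) are constructed for the example and are not from the article.

```python
"""Refang the post's IOCs and sweep log lines for URL, domain, IP and hash hits."""
import re
from urllib.parse import urlsplit

# Indicators copied from the IOC section above, still in their defanged form.
DEFANGED_IOCS = """
hxxps://dieterprovoost[.]be/Change-of-Address (188.226.214[.]28)
hxxp://guysfromandromeda[.]com/GhQxIP/ (50[.]63.36.169)
hxxp://materialstestingequip[.]com/o/ (46[.]249.205.50)
hxxp://lctn[.]org/NGLCWStUc/ (64[.]8.148.3)
hxxp://promacksfarm[.]com/ZGOxsJmnx/ (66[.]7.200.85)
hxxp://fourchamberforge[.]com/LTWdFuN/ (68[.]66.200.196)
88[.]198.99.28 188[.]138.124.206 216[.]71.120.100 198[.]89.121.38
148[.]251.33.195 167[.]114.98.61 193[.]46.83.10
6a86ff81f7f3ff557d680f7db6b75e24
c8c73c84bcd69be5d4c18e1a965b3a7affbb8fee542b8213c5c7b38b9e9f829f
3397ba78e78d2199a35522fc7af4bc30
d9a607641a261c2e8bac1197526c12325a5bf9823b35b94a91809dd922f2c329
"""

# Constructed log lines (not from the article). Line 4 uses a payload domain with
# a path the post did not list; line 6 is benign traffic that must not match.
SAMPLE_LOG = """\
proxy 2018-06-12T09:15:11Z 10.1.2.3 GET https://dieterprovoost.be/Change-of-Address 200
proxy 2018-06-12T09:15:40Z 10.1.2.3 GET http://materialstestingequip.com/o/ 200
proxy 2018-06-12T09:16:02Z 10.1.2.3 GET https://www.example.com/index.html 200
proxy 2018-06-12T09:16:30Z 10.1.2.3 GET http://lctn.org/favicon.ico 404
fw 2018-06-12T09:17:05Z 10.1.2.3:49211 -> 88.198.99.28:443 allow
fw 2018-06-12T09:17:06Z 10.1.2.3:49212 -> 93.184.216.34:443 allow
edr 2018-06-12T09:16:55Z host7 file_create Temp/fcOihu.exe sha256=d9a607641a261c2e8bac1197526c12325a5bf9823b35b94a91809dd922f2c329
"""

URL_RE = re.compile(r"https?://[^\s()]+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{64}\b")  # MD5 or SHA256


def refang(text):
    """Turn the defanged notation used in threat reports back into live indicators."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("(at)", "@")


def parse_iocs(defanged):
    """Split refanged IOC text into URL, domain, IP and hash sets."""
    live = refang(defanged)
    urls = set(URL_RE.findall(live))
    domains = {urlsplit(u).hostname for u in urls}
    ips = set(IP_RE.findall(live))
    hashes = set(HASH_RE.findall(live.lower()))
    return {"urls": urls, "domains": domains, "ips": ips, "hashes": hashes}


def sweep(lines, iocs):
    """Return (line number, indicator type, indicator) for every IOC hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            host = urlsplit(url).hostname or ""
            if url in iocs["urls"]:            # exact payload/infection URL
                hits.append((n, "url", url))
            elif host in iocs["domains"]:      # same domain, different path
                hits.append((n, "domain", host))
        for ip in IP_RE.findall(line):
            if ip in iocs["ips"]:
                hits.append((n, "ip", ip))
        for h in HASH_RE.findall(line.lower()):
            if h in iocs["hashes"]:
                hits.append((n, "hash", h))
    return hits


def sweep_sample():
    """Run the sweep over the constructed log with the post's indicators."""
    return sweep(SAMPLE_LOG.splitlines(), parse_iocs(DEFANGED_IOCS))


if __name__ == "__main__":
    for hit in sweep_sample():
        print("line %d: %s %s" % hit)
```

Domain-level matching is what makes this useful after the first day: payload paths such as /GhQxIP/ rotate quickly, while the compromised hosting domains and the C2 IP addresses tend to stay in use longer, so matching them catches follow-on downloads the exact URL list would miss.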
