Most of us are familiar with the common idiom “If it looks like a duck, swims like a duck, quacks like a duck, then it is probably a duck.” Despite criminals’ constant efforts to change their techniques and tactics, this idiom usually holds true for online crime. Phishers have characteristic techniques in just the same way that malware writers and distributors employ specific tactics. These two don’t often overlap.
However, when they do, it makes for a spectacularly effective attack.
This week, PhishMe’s analysts uncovered spam emails distributed by the Cutwail spamming botnet using a new JP Morgan Chase spam template in conjunction with hostile URLs to distribute two samples of the Dyre Trojan and a copy of the Kegotip information stealer malware. This was done with a two-step attack method that first presents victims with a fake login form. At first glance, this webpage resembles a credential phishing page put together by criminals to trick victims into entering their JPMorgan Chase sign-in credentials.
However, a much more insidious attack was taking place as victims visited this page. Simply loading the page in a Web browser triggers online exploit resources that push a copy of the Upatre malware downloader to the victim’s machine and execute it. Upatre was in turn used to obtain the Kegotip malware and one copy of Dyre. If a victim also entered credentials into the fake sign-in page, he or she was then offered a “Java update” download, which resulted in an infection involving a second, distinct sample of the Dyre Trojan.
In an interesting twist, the fake sign-in does not actually submit the victim’s credentials to any drop point or collection resource; it instead passes a single email address hard-coded into the webpage as the login value. Following the completed infection trajectory, seven files were left behind within the infected environment: one compiled Java class, two copies of the Dyre Trojan, one “.db” file associated with the Dyre Trojan, one dropped Upatre executable, one empty .exe file believed to have temporarily contained the original Upatre executable binary, and one Kegotip executable.
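The infection chain above has a simple observable shape from the network side: a client fetches a login-style page and, seconds later, pulls an executable or Java payload from the same external host, with or without any credentials being typed. The script below is an added example, not code from the original post or from PhishMe; it runs that sequence check over a small constructed proxy log (timestamps, client IPs, URLs and content types are all invented, and the hostnames use the reserved .invalid TLD). The 120-second window and the login-path patterns are assumptions to tune against real traffic.

```python
"""Flag proxy-log sessions where a visit to a login-style page is followed, within a
short window, by an executable or Java payload download from the same external host.

Added example for illustration; the log lines below are constructed, not real traffic.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log, one event per line: "<timestamp> <client_ip> <url> <content-type>"
SAMPLE_LOG = """\
2014-10-16T09:12:01 10.0.0.5 http://example-bank-login.invalid/login/index.html text/html
2014-10-16T09:12:04 10.0.0.5 http://example-bank-login.invalid/js/loader.jar application/java-archive
2014-10-16T09:12:06 10.0.0.5 http://example-bank-login.invalid/update/JavaUpdate.exe application/x-msdownload
2014-10-16T09:15:30 10.0.0.7 http://intranet.corp.invalid/wiki/index.html text/html
2014-10-16T09:40:00 10.0.0.7 http://downloads.vendor.invalid/setup.exe application/x-msdownload
"""

# Assumed heuristics: paths that look like a sign-in page, and payload indicators.
LOGIN_PATH = re.compile(r"/(login|logon|signin|sign-in)\b", re.IGNORECASE)
PAYLOAD_EXTENSIONS = (".exe", ".jar", ".class", ".scr")
PAYLOAD_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/java-archive",
    "application/octet-stream",
}


def parse_log(text: str) -> list[tuple[datetime, str, str, str]]:
    """Turn the whitespace-separated log into (timestamp, client, url, content_type) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, ctype = line.split()
        events.append((datetime.fromisoformat(ts), client, url, ctype))
    return events


def find_drive_by_sequences(
    log_text: str, window: timedelta = timedelta(seconds=120)
) -> dict[str, list[dict]]:
    """Return {client: [alert, ...]} for clients that fetched a login-style page and then
    pulled a payload from the same host within `window`. Credentials never need to be
    entered for this to fire: the page visit alone starts the sequence."""
    last_login: dict[str, tuple[datetime, str, str]] = {}
    alerts: dict[str, list[dict]] = defaultdict(list)

    for ts, client, url, ctype in sorted(parse_log(log_text)):
        parsed = urlparse(url)
        if LOGIN_PATH.search(parsed.path):
            # Remember the most recent login-style page per client.
            last_login[client] = (ts, parsed.netloc, url)
            continue

        looks_like_payload = (
            ctype in PAYLOAD_CONTENT_TYPES
            or parsed.path.lower().endswith(PAYLOAD_EXTENSIONS)
        )
        if not looks_like_payload or client not in last_login:
            continue

        login_ts, login_host, login_url = last_login[client]
        if parsed.netloc == login_host and ts - login_ts <= window:
            alerts[client].append(
                {
                    "login_page": login_url,
                    "payload": url,
                    "seconds_after": int((ts - login_ts).total_seconds()),
                }
            )
    return dict(alerts)


if __name__ == "__main__":
    for client, hits in find_drive_by_sequences(SAMPLE_LOG).items():
        for hit in hits:
            print(f"{client}: payload {hit['payload']} {hit['seconds_after']}s after {hit['login_page']}")
```

In the constructed log, 10.0.0.5 is flagged twice (the .jar three seconds after the login page, the “Java update” executable five seconds after) while 10.0.0.7 is not, because its executable download came from a different host and well outside the window. A real deployment would replace the path regex with whatever login-page indicators your proxy or web-filter categories already provide.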
Earlier this week, we discussed how 2014 has seen an evolution in the sophistication of the modern cybercriminal. This malware, posing as a phish, is no exception. The ability to catch these types of instances early makes threat intelligence a must-have.
After some additional thought on this topic, we were reminded of the Verizon Breach Report, which stated that while only 8 percent of your employees will enter credentials on a phishing page, 18 percent would visit the page, thinking they would be smart enough to tell whether it was real once they got there.
In this case, the employee would still be infected by the malware simply by visiting the page.