Tales from the Trenches: DocuSign® DELoader Phishing Attack

Over the past several days, the Phishing Defense Center has identified and responded to several messages from an ongoing phishing campaign that spoofs DocuSign. The messages mimic official DocuSign notifications and carry a link to "review the document". Following the link downloads a Microsoft Word document with a malicious macro; the macro retrieves the Chanitor downloader, which in turn installs a Pony credential stealer and the DELoader financial crimes malware on the victim's computer.

The following details the indicators of the email messages and activity of the malicious payload.

PhishMe® customers should note that these threat indicators have already been activated within PhishMe Intelligence™ and delivered to PhishMe Triage™ for identification and response automation.

Emails analyzed by the Phishing Defense Team were sent from dse@docusgn.com or dse@docus.com (note the lookalike domains, neither of which is docusign.com) and used one of the subject lines below:

  • “Completed: [domain_name] – Wire Transfer Instructions for [recipient_name] Document Ready for Signature”
  • “Completed [domain_name] – Accounting Invoice [number] Document Ready for Signature”
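As an added example (not code from the PhishMe post), the following Python triage check turns the sender and subject indicators above into a scoring function. It flags a message when the sender domain is one the post reports (docusgn.com, docus.com) or is within a small edit distance of docusign.com, when the Subject matches either campaign template, and when a link in the body points off DocuSign's own domains. The sample messages are constructed; the lookalike domain docusing.com and the link host lure.example are hypothetical, and treating docusign.com and docusign.net as the only legitimate link domains is an assumption of the example.

```python
"""
Added example, not code from the PhishMe post: header-level triage for the
DocuSign lure. Flags reported or lookalike sender domains, the two campaign
subject templates, and links that leave DocuSign's own domains.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

LEGIT_SENDER_DOMAIN = "docusign.com"
LEGIT_LINK_DOMAINS = ("docusign.com", "docusign.net")   # assumption for this example
OBSERVED_SENDER_DOMAINS = {"docusgn.com", "docus.com"}  # reported in the post

# The two subject templates from the post. [domain_name], [recipient_name] and
# [number] vary per target; the dash may be a hyphen or an en dash.
SUBJECT_PATTERNS = [
    re.compile(r"^Completed:?\s+\S+\s+[\u2013\u2014-]\s+Wire Transfer Instructions for .+"
               r"\s+Document Ready for Signature$", re.I),
    re.compile(r"^Completed:?\s+\S+\s+[\u2013\u2014-]\s+Accounting Invoice \S+"
               r"\s+Document Ready for Signature$", re.I),
]


def levenshtein(a, b):
    """Edit distance; catches typo-squats such as a dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Domain part of the address in a From: header, lower-cased."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()


def is_lookalike(domain, legit=LEGIT_SENDER_DOMAIN, max_distance=2):
    return domain != legit and levenshtein(domain, legit) <= max_distance


def link_is_offsite(url):
    """True unless the link host is one of the legitimate DocuSign domains."""
    host = (urlsplit(url).hostname or "").lower()
    return not any(host == d or host.endswith("." + d) for d in LEGIT_LINK_DOMAINS)


def triage(msg):
    """msg: dict with 'from', 'subject' and 'links'. Returns (score, reasons)."""
    reasons = []
    dom = sender_domain(msg["from"])
    if dom in OBSERVED_SENDER_DOMAINS:
        reasons.append("sender domain %s is a reported campaign indicator" % dom)
    elif is_lookalike(dom):
        reasons.append("sender domain %s is a lookalike of %s" % (dom, LEGIT_SENDER_DOMAIN))
    if any(p.search(msg["subject"]) for p in SUBJECT_PATTERNS):
        reasons.append("subject matches a campaign template")
    offsite = [u for u in msg["links"] if link_is_offsite(u)]
    if offsite:
        reasons.append("%d link(s) point off DocuSign domains" % len(offsite))
    return len(reasons), reasons


# Constructed sample messages (the second sender domain is a hypothetical lookalike).
SAMPLES = [
    {"from": "DocuSign <dse@docusgn.com>",
     "subject": "Completed: example.com \u2013 Wire Transfer Instructions for Jane Doe "
                "Document Ready for Signature",
     "links": ["http://boatingflagpole.com/file.php?document=jane@example.com"]},
    {"from": "DocuSign <dse@docusing.com>",
     "subject": "Completed example.org - Accounting Invoice 4471 Document Ready for Signature",
     "links": ["http://lure.example/file.php?document=bob@example.org"]},
    {"from": "DocuSign <dse@docusign.com>",
     "subject": "Please DocuSign: Q2 Services Agreement",
     "links": ["https://app.docusign.com/signing/abc123"]},
]

if __name__ == "__main__":
    for m in SAMPLES:
        score, reasons = triage(m)
        print(score, m["from"], "->", "; ".join(reasons) or "clean")
```

The exact-match set catches the two reported domains; the edit-distance check is there for the next variant (docus.com itself is three edits away, which is why it is listed explicitly rather than left to the fuzzy match). Keep max_distance small: at three or more, ordinary short domains start colliding with docusign.com.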

Clicking the link downloads a Microsoft Word document carrying a malicious macro from one of the following URLs. The query string carries the recipient's own email address, so each download is tied to the targeted user:

hxxp://boatingflagpole[.]com/file.php?document=[recipient_email]

hxxp://partnersprojectinc[.]com/file.php?document=[recipient_email]

hxxp://lifeimpactbydesign[.]org/file.php=[recipient_email]

hxxp://andsihowdint[.]ru/file.php?document=[recipient_email]

hxxp://zariyamatrimony[.]com/file.php?document=[recipient_email]

hxxp://tenten[.]co/blog/files/invoices.php?document=[recipient_email]

hxxp://hbc-advisors[.]com/file.php?document=[recipient_email]

hxxp://godisimnot[.]com/file.php?document=[recipient_email]

hxxp://rewthenreti[.]ru/file.php?document=[recipient_email]

hxxp://hudsonhughes[.]com/file.php?document=[recipient_email]

The macro downloads a sample of the Chanitor downloader (also tracked as Hancitor). Once executed, Chanitor calls back to its command and control servers to report the new infection. The following Chanitor payload locations were observed during analysis; the /wp-content/ paths suggest compromised WordPress sites, and every host served the same three file names (1, 2 and a1):

hxxp://codybraithwaite[.]com/wp-content/themes/sketch/1

hxxp://eventienozze[.]com/wp-content/themes/twentysixteen/1

hxxp://heiligerlee[.]eu/tmp/1

hxxp://adanaokiser[.]com/wp-content/plugins/nextcellent-gallery-nextgen-legacy/admin/1

hxxp://arabianred[.]com/wp-content/themes/twentysixteen/inc/1

hxxp://websitepepper[.]com/crm/cache/modules/Configurator/1

hxxp://codybraithwaite[.]com/wp-content/themes/sketch/2

hxxp://eventienozze[.]com/wp-content/themes/twentysixteen/2

hxxp://heiligerlee[.]eu/tmp/2

hxxp://adanaokiser[.]com/wp-content/plugins/nextcellent-gallery-nextgen-legacy/admin/2

hxxp://arabianred[.]com/wp-content/themes/twentysixteen/inc/2

hxxp://websitepepper[.]com/crm/cache/modules/Configurator/2

hxxp://codybraithwaite[.]com/wp-content/themes/sketch/a1

hxxp://eventienozze[.]com/wp-content/themes/twentysixteen/a1

hxxp://heiligerlee[.]eu/tmp/a1

hxxp://adanaokiser[.]com/wp-content/plugins/nextcellent-gallery-nextgen-legacy/admin/a1

hxxp://arabianred[.]com/wp-content/themes/twentysixteen/inc/a1

hxxp://websitepepper[.]com/crm/cache/modules/Configurator/a1

The following Chanitor command and control locations were observed during analysis.

hxxp://geheppauld[.]com/ls5/forum.php

hxxp://civerusemuch[.]ru/ls5/forum.php

hxxp://noaninghedled[.]ru/ls5/forum.php

Chanitor then downloads and executes two payloads: a Pony information stealer module and a DELoader executable. Pony harvests stored passwords and credentials from the infected host and exfiltrates them in an HTTP POST to one of its command and control hosts. Note that Pony's command and control hosts are the same three domains as Chanitor's, distinguished only by URL path.

The following Pony command and control locations were observed during analysis.

hxxp://geheppauld[.]com/mlu/forum.php

hxxp://civerusemuch[.]ru/mlu/forum.php

hxxp://noaninghedled[.]ru/mlu/forum.php

hxxp://geheppauld[.]com/d1/about.php

hxxp://civerusemuch[.]ru/d1/about.php

hxxp://noaninghedled[.]ru/d1/about.php

DELoader performs extensive checks for a virtualized or analysis environment before contacting its command and control hosts, so a sandbox that does not hide itself may never see the callback. Once contact is established, those hosts supply additional files, update instructions and configuration data that direct the trojan's financial crimes and botnet activity on the infected machine.

The following DELoader command and control locations were observed during analysis. Note that lactalhedttin[.]bit uses the Namecoin .bit namespace, which is not served by the public DNS root, so requests for it will not appear as ordinary lookups in resolver logs.

hxxp://wadidncise[.]com/bdk/gate.php

hxxp://anddawassrab[.]ru/bdk/gate.php

hxxp://daletrefhert[.]ru/bdk/gate.php

hxxp://eventsinbutbi[.]com/bdk/gate.php

hxxp://forttehowke[.]ru/bdk/gate.php

hxxp://hanjusrancal[.]com/bdk/gate.php

hxxp://hapwassparly[.]ru/bdk/gate.php

hxxp://hathenketjohn[.]com/bdk/gate.php

hxxp://hesdirohim[.]ru/bdk/gate.php

hxxp://kinrinhiked[.]ru/bdk/gate.php

hxxp://lactalhedttin[.]bit/bdk/gate.php

hxxp://muchronnotold[.]ru/bdk/gate.php

hxxp://onewithbohert[.]ru/bdk/gate.php

hxxp://parrephetit[.]com/bdk/gate.php

hxxp://rectincasof[.]com/bdk/gate.php

hxxp://rewtorshosin[.]ru/bdk/gate.php

hxxp://rigakeddo[.]com/bdk/gate.php

hxxp://riranughone[.]com/bdk/gate.php

hxxp://tancoatthen[.]ru/bdk/gate.php

hxxp://tofhadjustling[.]ru/bdk/gate.php

hxxp://toldhapsinspar[.]com/bdk/gate.php

hxxp://tothecktitres[.]com/bdk/gate.php

hxxp://ughrytitter[.]ru/bdk/gate.php

hxxp://wilnakinhar[.]ru/bdk/gate.php

hxxp://witjowronme[.]ru/bdk/gate.php
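The indicator lists above share a small number of URL shapes per stage: file.php?document=<email> for the lure, /ls5/forum.php for Chanitor, /mlu/forum.php and /d1/about.php for Pony, and /bdk/gate.php for DELoader. As an added example (not code from the PhishMe post), the following Python scanner applies both the exact hosts and those path shapes to web-proxy log lines and labels each hit with the campaign stage it belongs to. The indicator subset is copied from the lists above; the log lines are constructed, and example-compromised.test is a hypothetical host used to show a path-only match.

```python
"""
Added example, not code from the PhishMe post: map proxy-log requests to the
stages of this campaign. Hosts are matched exactly against the post's
indicators; the path shapes shared across hosts are also matched so a freshly
compromised host running the same kit still surfaces.
"""
import re
from urllib.parse import urlsplit


def refang(ioc):
    """Turn a defanged indicator (hxxp://host[.]tld/...) back into a real URL."""
    return ioc.replace("hxxp://", "http://").replace("[.]", ".")


# Subset of the indicators listed in the post, keyed by campaign stage.
IOC_URLS = {
    "lure-download": [
        "hxxp://boatingflagpole[.]com/file.php?document=[recipient_email]",
        "hxxp://partnersprojectinc[.]com/file.php?document=[recipient_email]",
        "hxxp://tenten[.]co/blog/files/invoices.php?document=[recipient_email]",
    ],
    "chanitor-payload": [
        "hxxp://codybraithwaite[.]com/wp-content/themes/sketch/1",
        "hxxp://heiligerlee[.]eu/tmp/1",
        "hxxp://websitepepper[.]com/crm/cache/modules/Configurator/a1",
    ],
    "chanitor-c2": [
        "hxxp://geheppauld[.]com/ls5/forum.php",
        "hxxp://civerusemuch[.]ru/ls5/forum.php",
    ],
    "pony-c2": [
        "hxxp://geheppauld[.]com/mlu/forum.php",
        "hxxp://noaninghedled[.]ru/d1/about.php",
    ],
    "deloader-c2": [
        "hxxp://wadidncise[.]com/bdk/gate.php",
        "hxxp://lactalhedttin[.]bit/bdk/gate.php",
    ],
}

# Host -> first stage it was listed under. Some hosts serve more than one stage
# (geheppauld[.]com answers both Chanitor and Pony), so the path decides below.
KNOWN_HOSTS = {}
for _stage, _urls in IOC_URLS.items():
    for _u in _urls:
        KNOWN_HOSTS.setdefault(urlsplit(refang(_u)).hostname, _stage)

# Path shapes specific enough to act on without the host. The Chanitor payload
# names (/1, /2, /a1) are deliberately absent: a bare numeric last segment is
# far too common to be an indicator on its own.
STAGE_PATH_PATTERNS = {
    "lure-download": re.compile(r"/(?:file|invoices)\.php\?document=[^&\s]*@"),
    "chanitor-c2": re.compile(r"/ls5/forum\.php$"),
    "pony-c2": re.compile(r"/(?:mlu/forum|d1/about)\.php$"),
    "deloader-c2": re.compile(r"/bdk/gate\.php$"),
}


def classify(url):
    """Return (stage, basis) for a URL, or None if nothing matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path_q = parts.path + ("?" + parts.query if parts.query else "")
    path_stage = next((s for s, p in STAGE_PATH_PATTERNS.items() if p.search(path_q)), None)
    if host in KNOWN_HOSTS:
        return (path_stage or KNOWN_HOSTS[host]), "known-host"
    if path_stage:
        return path_stage, "path-pattern"
    return None


# Constructed proxy log, one request per line: timestamp client method url status.
LOG_LINES = [
    "2017-05-10T14:02:11Z 10.1.2.33 GET http://boatingflagpole.com/file.php?document=jane@example.com 200",
    "2017-05-10T14:02:40Z 10.1.2.33 GET http://heiligerlee.eu/tmp/1 200",
    "2017-05-10T14:02:55Z 10.1.2.33 POST http://geheppauld.com/ls5/forum.php 200",
    "2017-05-10T14:03:30Z 10.1.2.33 POST http://geheppauld.com/mlu/forum.php 200",
    "2017-05-10T14:05:02Z 10.1.2.33 POST http://example-compromised.test/bdk/gate.php 200",
    "2017-05-10T14:05:10Z 10.1.2.77 GET https://www.example.com/index.html 200",
    "2017-05-10T14:05:12Z 10.1.2.77 GET http://cdn.example.net/assets/1 200",
]


def scan(lines):
    """Return one (client, url, stage, basis) tuple per matching log line."""
    hits = []
    for line in lines:
        _ts, client, _method, url, _status = line.split()
        result = classify(url)
        if result:
            hits.append((client, url) + result)
    return hits


if __name__ == "__main__":
    for client, url, stage, basis in scan(LOG_LINES):
        print("%-17s %-13s %-10s %s" % (stage, basis, client, url))
```

Run against the constructed log, the scan reconstructs the whole chain for 10.1.2.33 in order (lure, Chanitor payload, Chanitor C2, Pony C2, DELoader C2) and ignores the benign client. A path-pattern hit is the weaker signal of the two; confirm it with a second stage from the same client before treating the host as a new indicator.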

Recommendation:

PhishMe cautions its customers to be wary of emails containing suspicious links or attachments. Specific to this sample, we recommend that customers watch for emails with the sender domains and subject lines described above, and that network defenders block or alert on the URLs listed. PhishMe Simulator™ customers may consider launching simulations that follow this style of attack to further train their users to detect and report suspicious emails. A simulation template will be available by end of day.

Fig 1 – PhishMe Triage actively filters threats using PhishMe Intelligence rules

Fig 2 – PhishMe Intelligence delivers Active Threat Reports for greater detail
