Cyjax analysts recently uncovered an Office 365 credential-harvesting campaign that masquerades as “A Message from Your CEO”. The delivery system leveraged in these attacks uses multiple techniques to bypass secure email gateways (SEG), one of which has surfaced again in a BazarLoader infection chain.
This technique is effective because Basecamp and Google Cloud hosting are often used for business operations and are regarded as safe by default by most detection systems. Cloud platforms also preserve the anonymity of their users and can be set up in no time at all. They are difficult for human SOC analysts to recognise as a threat because the traffic to and from these services appears legitimate.
The Phish
Figure 1. Spam emails called “A Message from Your CEO”
The techniques used to bypass the SEGs include sending a PDF with an embedded URL that links to a Basecamp document; this is publicly available to anyone with the URL.
Figure 2. Fake shared file notification
Another link in the Basecamp document redirects the potential victim to a fake Office 365 login page, which is hosted with Google cloud (storage[.]googleapis[.]com).
Figure 3. Publicly available Basecamp document to host the next step URL
Further investigation into this campaign found the following organisations were referenced:
- Vertex Interventional Physicians (source)
- Neta Scientific Inc (source)
- Ateeca Inc (source)
- Brunkenhoefer Law Firm (source)
- InGenesis, Inc (source)
- XTREME Production Resources (source)
- PR Industrial (source)
- Momentum Spine & Joint (source)
- Direct Ortho Care
- Quest Records (source)
This Office 365 phishing campaign leverages multiple trusted services that enable it to bypass security checks. As illustrated above, the main service exploited in this way is Basecamp: an online collaboration cloud service that enables users to share files with one another. Google cloud services are also abused to host fake login phishing pages instead of a registered domain.
Figure 4. Fake Office 365 login page to harvest credentials
A Bazar(Backdoor) connection
Security researchers recently found that the BazarBackdoor has also begun leveraging Basecamp in its infection chains. BazarBackdoor is operated by the WizardSpider group which developed both Trickbot – one of the most infamous banking Trojans and now used as a distribution network for other malware – and the Ryuk ransomware – a serious threat to businesses all over the world, that has made its operators millions in ransom payments.
Phishing emails arrive from marketing services, such as SendGrid, that contain a URL to Basecamp. Instead of a link to a credential harvesting page, the user will receive the BazarLoader that eventually injects the BazarBackdoor into running processes. The code samples delivered via Basecamp are signed with SSL certificates to masquerade as legitimate software, designed to bypass detection systems. As a result, many samples of the Bazar malware go fully undetected (FUD) and have 0/70 hits on VirusTotal when they are first submitted.
IOCs:
hxxps://public.3.basecamp.com/p/wDdhDmo1sX5HUpk3E6R6oFhP
hxxps://admiin.page.link/efyd
hxxps://storage.googleapis.com/aenfeebles-703551073/index.html
bomohsmtp.com
LINK TO DOWNLOAD BAZALOADER EXE:
hxxps://public.3.basecamp[.]com/p/6WvTkPssC6sxWf7qM1jMhLiY/upload/download/Review_Report15-10.exe
BAZARLOADER EXE:
SHA256 hash: ed40a50e33fe55c38c9016d6a81fe28e3574998fc2661fdc68a85bd4e61bbe97
Sources:
- https://pastebin.com/6A7ru8sy
- https://twitter.com/malwrhunterteam/status/1317023636893671424?s=20
- https://twitter.com/ffforward/status/1316789103233466369
- https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon