Phishing

Top Phishing Campaigns in July 2024: SharePoint Abuse, DeerStealer, and More

July saw a new influx of phishing and malware campaigns. The analyst team at ANY.RUN sandbox is closely monitoring all developments in the threat landscape and sharing their analysis on X. Here are some of the campaigns they identified this month.

SharePoint Phishing Campaign

The entire attack chain of the SharePoint campaign

On July 11, ANY.RUN sandbox detected a surge in a phishing campaign that exploited SharePoint. In just 24 hours, over 500 instances of SharePoint phishing were uploaded to the service.

The legitimate SharePoint service used in the campaign allowed it to evade detection from security systems and appear credible to users who were not expecting an attack.

The Attack Followed This Pattern:

The campaign started with a phishing email containing a link.
The link directed users to a PDF file stored on SharePoint, which contained another link.
After clicking the link, users were prompted to solve a CAPTCHA, making it harder for security systems to identify and block the campaign.
Finally, users were taken to a fake Microsoft login page, where they were prompted to enter their credentials.

See the sandbox analysis of this attack.

Analysis of the phishing campaign in ANY.RUN

Due to the high volume of such attacks, ANY.RUN introduced two new tags “possible-phishing” and “sharepoint” to alert users of potential danger.

A warning message has also been added to sandbox sessions, cautioning users: “Be careful! Do not enter your login details.”

Sign up for a free ANY.RUN account with your business email. Analyze the latest cyber threats in an interactive cloud sandbox.

Strela Stealer Distributed via WebDAV

Details of the Strela Stealer distribution campaign

Another campaign observed by ANY.RUN involved the distribution of the Strela Stealer malware through obfuscated batch files.

Here is how it unfolded:

The campaign started with an obfuscated batch file that triggered a PowerShell script, initiating the net and rundll32 processes.
The Strela stealer employed net.exe to mount a command-and-control (C2) server containing a ‘davwwwroot’ folder and collected a 64-bit DLL file from it using WebDAV.
Approximately one thousand DLL files with Strela stealer were found on hxxp://45[.]9.74[.]32[:]8888.

During execution, the malware exploits WordPad. The C2 servers for Strela were located on the same host as the payload.

See analysis in the ANY.RUN sandbox.

Static analysis of the obfuscated batch file in ANY.RUN

The obfuscated BAT file can be easily deobfuscated. The script consists of symbols stored in separate variables. To reassemble the commands, one needs to change the variables back to their assigned symbols. A deobfuscated version of the script has been made available in ANY.RUN’s public repository.

To find more details related to this campaign, we can use Threat Intelligence Lookup, a threat portal that lets us search for malware and phishing using over 40 types of indicators and artifacts and their combinations.

Strela malware campaign details in TI Lookup

To do this, we can use the unique folder name used by this malware with the parameter commandLine, and submit the following query: commandLine:”davwwwroot*dll”.

The platform instantly provides us with 100 sandbox sessions (tasks) where this artifact was found, as well as files and events.

Request a trial of Threat Intelligence Lookup to see how it can contribute to your organization’s security.

DeerStealer Malware Disguised as Google Authenticator

DeerStealer distribution campaign breakdown

One of the most recent campaigns discovered by ANY.RUN involved the distribution of a signed DeerStealer malware. Notably, the campaign disguised the malware as Google Authenticator and hosted it on Github.

Here the details:

The infection chain began with a fake website, a copy of the official Google Authenticator download page.
After clicking the “Download” button, a fake Google Authenticator file would be downloaded from Github. The file was signed on 2024-07-17 by Reedcode Ltd Certificate with serial number [5459 67FF 5732 8859 C677 4F85 3F6B 7F18].
Once executed on the system, the stealer would begin exfiltration of stolen data.

See Analysis

Exfiltration occurs via HTTP POST requests transmitting PKZIP archives containing stolen user data XORed with the 0x0c key. Stolen logs are sent to a Telegram chat created by an account with the username “fedor_emeliyanenko_bog.”

DeerStealer employs encryption for API function names, makes API calls through wrapping, and obfuscates its code.

Suricate rule used for detecting DeerStealer C2 activity

Since attackers are constantly changing their infrastructure, some samples may no longer be operational. To ensure detection, use Suricata IDS in ANY.RUN, we recommend using the FakeNet feature alongside a MITM proxy. This will help address the issue and improve detection capabilities.

Expose Phishing and Malware with ANY.RUN Sandbox

The ANY.RUN sandbox lets you conduct in-depth investigations into malware and phishing campaigns using fully interactive Windows and Linux VMs. Upload your file or URL to the service and perform all the user interactions needed to uncover the full picture of the infection.

The service is also equipped with automatic detection capabilities, identifying threats in under 40 seconds and providing a conclusive verdict and report on the sample’s threat level and malicious activities.

Request a 14-day free trial of ANY.RUN to try everything the service has to offer!

Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.