Investigation into a spearphishing campaign targeting company supported by Orpheus Cyber
Setting the scene
On October 29th, several employees from a company supported by Orpheus Cyber were targeted by attempted spearphishing emails impersonating our CEO. In a bizarre formulation, the email asked employees to “peg” their current tasks and send our phone number for a briefing on an “urgent task”. Attackers often use odd language or typos in these emails on purpose, to reduce the number of responses to only the most gullible. While the sender had been able to bypass SPF and DMARC protections by changing their Google Account name to the CEO’s full name, they ultimately used their Gmail account to send the emails, which raised our suspicions. Following internal reports, we decided to investigate the origin of the emails, and attempt to build a profile of the observed tactics, techniques and procedures (TTPs) and Indicators of Compromise (IOCs) in order to attribute this attempt and learn more about the threat actor. This blog post will refer to MITRE ATT&CK Techniques in order to keep track of the different techniques employed.
Figure 1: One of the emails received by an employee company supported by Orpheus Cyber
The emails provided an initial baseline of observations from which we were able to pivot in order to find further information pertaining to the account from which the emails originated from. The nature of the email and automated targeting of employees suggests that this was a spearphishing attempt in order to obtain phone numbers or conduct further social engineering), with targeting determined through automated email collection through Linkedin or other public sources listing the company’s employees.
This provides us with the following TTPs:
• Spearphishing: T1566
• Phishing for information: T1598
• Gather Victim Identity Information: T1589
Sock puppets and operational security
Using information found in the emails, we searched for online references to the “johnbrian893”. Following a simple search on Google, we were able to find an Instagram account using the same username. The account contains pictures of an old man and his purported grandchildren in addition to various motivational messages. While the account’s posts would indicate to innocuous viewers that the account is indeed authentic, examining the account’s tagged pictures reveals an intriguing photograph tagging the account.
Figure 2: Picture tagging johnbrian893
By investigating the account tagging johnbrian893, we were able to ascertain from several posts’ geo-tagging that the account is likely to be located in Lagos, Nigeria. This provides a first indication of our actor’s potential location. The account who tagged him also has a description revealing his activities as buying gift cards and being “open for business”, which may indicate ties with the actor behind johnbrian893.
Figure 3: Post located in Lagos, Nigeria by the account who tagged johnbrian893
We then looked to find further information pertaining to the email account by navigating to Gmail’s account reset page. By going through various account recovery options, we could ascertain the account’s phone number format and device names.
Figure 4: The account’s recovery page
Figure 5: The account’s associated device names
The phone number format consisted of four digits followed by three digits followed by a further four digits. Further research revealed that this format is used for mobile numbers registered in Lagos Nigeria, providing further indication that the actor behind the email may belong to known scammer and Business Email Compromise (BEC) groups operating in Nigeria. The actor’s devices, two models of Infinix smartphones, are relatively cheap smartphones (approximately worth $125) popular in India, Pakistan and Nigeria, hence reinforcing the possibility that this group originates from Nigeria. The presence of several account recovery options indicates that operators of the group use multi-factor authentication to protect their accounts, which demonstrates moderate operational security (OpSec) associated to the scammers’ operations, in addition to the use of social media personas in order to lend credibility to their spearphishing attempt.
Using GHunt, an OSINT tool leveraging Google ID’s to find further details on the account. The tool revealed that the actor behind the account had changed the account’s name back to “Brian John” shortly after sending emails to employees. This further indicates willingness from the threat actor to preserve operational security and erase evidence of impersonating the CEO, possibly pivoting to target further organisations.
Figure 6: Output from GHunt for firstname.lastname@example.org
The following TTPs were observed in this section of the investigation:
• Establish Accounts: Social Media Accounts (T1585.001)
• Establish Accounts: Email Accounts (T1585.002)
Targeting Rationale and previous campaigns
We then proceeded to search for previous instances of phishing campaigns conducted by these actors. We searched for the content of the email sent to employees and found that the exact same content had been reported by other victims, including the University of Arizona , University of Amherst, healthcare non-profit Manifest Medex, and multiple Twitter users working at technology start-ups. These previous campaigns were dated in April and May 2020, indicating that the group may have only recently started to use the same phishing emails after a hiatus over the summer. Targeted sectors hence include technology, education and healthcare.
Figure 7: Twitter user reporting a similar phishing message
Amongst the results in our search, we also found that the phishing email’s HTML file was uploaded in February 2020 to Hybrid Analysis, a malware analysis sandbox powered by user-submitted malware samples.
Figure 8: Screenshot of the HTML document submitted to Hybrid Analysis
The Hybrid Analysis report includes links to two IP addresses contacted by a legitimate Internet Explorer executable whose connection to the phishing email is unclear. The executable contacts two malicious IP addresses, 67[.]24[.]189[.]254 and 96[.]17[.]229[.]36, who are likely to be servers hosting malicious payloads for the threat actors. These IP’s are associated to likely phishing domains download[.]windowsupdate.com and order[.]staplesadvantage.com, which start pointing towards the possible infrastructure used by the threat actors to host malicious payloads or act as Command & Control (C2) infrastructure.
Infrastructure and malware
Using these indicators, we were able to further research known malware samples that have communicated with these domains in order to understand what type of malicious payload the scammers were likely to ask employees to download in order for them to execute our “urgent task”. We were able to find known malware samples communicating with these hosts through VirusTotal, which revealed that they indeed communicated with known malware samples in the time window where the Hybrid Analysis report was generated. Malware samples communicating with the hosts have only been seen from August 2019 onwards, indicating that this campaign has been going on for now more than a year.
Figure 9: VT search of one of the IP addresses reveals malicious files communicating with the host
Figure 10: More malicious payloads communicating with one of the hosts
These malicious payloads include attachments like executables and Word Documents, indicating that these actors may have send malicious attachments in their phishing emails in the past. These malicious samples include mostly commodity malware, with banking trojans such as Razy, password stealers like Nivdort, and even several strains of ransomware such as Sodinokibi. While it is difficult to ascertain that these are indeed the malware distributed by the same threat actors that attempted to target the company supported by Orpheus Cyber, this nevertheless indicates that these domains have been used as C2 infrastructure in the past, even if by different threat actors. The nature of the associated domains, such as download[.]windowsupdate.com indicates that these domains may be hotly disputed by threat actors looking to host their phishing operations.
The TTPs observed in this section include:
• Web Service C2 (T1102)
Building a profile
Throughout this investigation, we have been able to piece together different pieces of information that enables us to build the attackers’ threat profile. While their sock puppets and account recovery information suggest that the specific profile originates from actors operating in Lagos, Nigeria, their attention to operational security (OpSec) and use of TTPs such as automated targeting, social media personas and social engineering indicates that this may be an experienced scamming group which may have been actively targeting organisations such April 2020 using the specific phishing lure we observed. Further evidence may indicate that this group has been deploying malware since at least August 2019, although they are likely to have been using different C2 infrastructure prior to this date due to the sock puppet’s earliest posts dating back from November 2018. The diversity of targeted organisations, including companies in the education, technology and healthcare countries may indicate that this attempt was only one amongst a multitude of repeated to attempts to compromise smaller companies who may be vulnerable to such social engineering attacks.
Being proactive in responding to and investigating such spearphishing attempts may allow organisations like our clients to better respond and mitigate against such threats in addition to providing insight into the TTP’s and targeting rationale if these groups.
How can you protect against these emails?
1. Educate employees on indicators to look out for. Names and email addresses that don’t match, unusual language or requests and anything with links or the request for personal information.
2. Don’t click on links or open attachments. With phone compromises on the rise, don’t provide a phone number.
3. Use threat intelligence to stay aware on new methods and the threat profile of your business.