Cybercrime group Evil Corp (a.k.a. TA505 or Dudear) is back in action after a short hiatus, with a technique in its arsenal not previously used by the group to distribute malware.
Microsoft on Thursday said that it observed emails from the cybercriminal gang utilizing HTML redirectors. Microsoft is unclear whether these HTML redirectors are URLs in the body of the email itself or if they are embedded into an attachment to the email. Regardless, once they are clicked on, they automatically download a malicious Excel file. Next, if the victim “enables editing” in the Excel file, the final payload is dropped.
“This is the first time that Dudear is observed using HTML redirectors,” according to a tweet by the Microsoft Security Intelligence research team, which also released indicators of compromise (IoCs) for the attack. “The attackers use HTML files in different languages. Notably, they also use an IP trace-back service to track the IP addresses of machines that download the malicious Excel file.”
While this is the first time Evil Corp has used this tactic, HTML redirectors, or code that uses meta refresh tags to redirect users to another website, have long been used by other threat actors. Redirector URLs in general are commonly inserted into emails for phishing attacks. For instance, if certain malicious URLs are blocked by web browser phishing filters, attackers would use a redirector URL to bypass these filters and redirect the victim to their phishing landing page.
“In case their phishing site is shutdown, they can simply change the destination of the redirect to point to another phishing site,” according to PhishLabs. “This means that everyone who receives an email with the redirector link and clicks on it will still end up at a phishing site.”
The technique is handy because it can enable attackers to avoid the use of emails or attachments containing known malicious content, and also means that they can directly download malicious files on the victims’ systems, Roger Grimes, data drive defense evangelist at KnowBe4, told Threatpost.
“A lot of times if you have an anti-malware scanner, it scans for malicious code and may or may not download the redirect,” Grimes said. “Redirects also pull the malware right away. This shows [the attackers are] constantly moving, trying to stay ahead of the anti-forensics.”
Previously, Evil Corp would distribute malware without HTML redirects, merely using malicious attachments or malicious URLs – which are more easily detected by defensive tools – in emails.
The final payload is the GraceWire trojan, an infostealer. Evil Corp has distributed GraceWire in previous campaigns, however, the group is best-known for deploying the banking trojan Dridex (also known as Bugat and Cridex), sent via phishing emails.
Further details about the extent and victims in the campaign were not revealed. Threatpost has reached out to Microsoft for more insight.
The new campaign uses HTML redirectors attached to emails. When opened, the HTML leads to the download Dudear, a malicious macro-laden Excel file that drops the payload. In contrast, past Dudear email campaigns carried the malware as attachment or used malicious URLs. pic.twitter.com/mcRyEBUmQH
— Microsoft Security Intelligence (@MsftSecIntel) January 30, 2020
Evil Corp is a hacking group that has allegedly stolen millions of dollars from victims using the Dridex banking trojan and, previously, the Zeus malware.
Evil Corp’s previous schemes involved capturing banking credentials, and causing banks to make unauthorized electronic funds transfers from unknowing victims’ bank accounts. Money mules would then receive these stolen funds into their bank accounts, and transport the funds overseas. Multiple companies were targeted by Dridex, costing them millions of dollars; victims included two banks, a school district, a petroleum business, building materials supply company and others.
Evil Corp has been on a hiatus since December, when feds started cracking down on the group: U.S. authorities offered up $5 million for information leading to the arrest of Evil Corp. leader Maksim V. Yakubets, 32, of Russia, who goes under the moniker “aqua.” Separately, the U.S. Treasury Department on Thursday issued sanctions against Evil Corp, “as part of a sweeping action against one of the world’s most prolific cybercriminal organizations.”