AI tools as campaign infrastructure
Aug. 2, 2024
What you'll learn in this notification
- 380,000 phishing emails observed from mid to late March 2023 impersonating internal HR teams.
- The emails encouraging actions relating to training and compliance and contained links to a credential phishing page.
- Every email contained an html but was a PDF containing a malicious link.
- The campaign abused multiple web services including Replit to stage a redirect and IPFS to host the credential phishing page.
Mimecast Threat Research has observed threat actors distributing malicious PDF files masquerading as HTML email attachments. Multiple campaigns were observed using the same PDF attachment masquerading as an HTML file named “Contract_document.html” 18th and 27th March 2024.
The attachments have a .html attachment, but have a PDF MIME type which if opened in a modern web browser will still be rendered as a PDF. The attachments observed were sent via multiple malspam campaigns with similar themes targeting numerous organisations and contained malicious URLs. The total volume observed reached just under 380,000 emails across 18th, 20th, and 27th March.
Each campaign generally attempted to impersonate internal HR teams distributing updates on employee performance appraisals, annual leave policies or mandatory training. In some cases, with expressions of urgency or expenses paid trips abroad. A similar theme was observed as each contained specific elements relating to the targeted recipients including the organisations name and recipients email address.
The first example uses the lure of staff appraisals and is encouraging recipients to click to view who has received an award.
In the second example, an annual leave policy was used as a theme and threatens the recipient with financial penalties if they fail to comply with the request.
The third example uses staff allocated training as a theme with the additional lure of expenses paid travel abroad.
These campaigns all followed similar themes that are common across most industry targeted phishing campaigns. Using a combination of the fear and curiosity to encourage recipients to click the links. Each campaign displayed a false link pretending to be to an internal destination, however hovering over the link in example 3 we can see the actual URL redirects to a “replit.app” host.
Replit is another tool that threat actors have been abusing to stage resources and redirect victims through. The chart below displays the number of malicious emails detected containing a Replit URL like the examples shown above.
Attack pattern
Summary of methodologies used by the threat actor for this attack:
- Mailgun was used to distribute the emails on mass for this campaign. The account appeared to belong to a legitimate business meaning the treat actor likely compromised it for their own use.
- Phishing link - Replit was used to stage redirect to forward clickers to malicious file hosted in IPFS.
- Phishing attachment - Threat actor attached a file to the emails also containing a malicious link to a Replit site.
- The attachment included in the emails was a PDF file type but had a .html extension. The file would open by default in a web browser, most modern browsers like Chrome will still render the file as a PDF.
- A Replit free trial was probably used to create and host the redirect page.
- IPFS was used to host credential phishing file that was redirected to from the Replit site.
- The emails observed used a consistent them for luring recipients to click on malicious links.
- Internal HR teams were impersonated using a carrot and stick approach as a call to action.
- IPFS used to stage the malicious file displaying the web page used for credential capture.
Targets
Global, all industries
IOCs
- Pc232-12.mailgun.net [143.55.232.12]
- Contract_document.html
- The author section of the PDF contained a common string “Son of God”
- Hexdump of file
-
Email body
- hxxps://owa-5ghdhjd897d67hgdbndbnm-bn8272vbnsjbskjs-892672vhbxbhtys5665.replit[.]app/#recipient_email@domain.com
-
Attachment
- hxxps://afcc3a49-0553-4865-a79d-1ee5dfa1465f-00-1jjmbzmgsvm64.picard.replit[.]dev/#recipient_email@domain.com
-
Phishing Page
- hxxps://cloudflare-ipfs[.]com/ipfs/bafybeihuqzllo4qdhw7gluyr7fdgwtijfb7jkpzxdlcon6neqmgw2grkfy/owa-index-server.html#recipient_email@domain.com
-
Interplanetary File System (IPFS)
- The effective URL after Replit redirect was to a file stored in IPFS accessed through the Cloudflare IPFS gateway:hxxps://cloudflare-ipfs[.]com/ipfsbafybeihuqzllo4qdhw7gluyr7fdgwtijfb7jkpzxdlcon6neqmgw2grkfy
- Cloudflare IPFS is just one of the gateways available to access the file and the string of characters at the end of the IPFS path represents the Content ID (CID) for the file. IPFS allows access though any available gateway if you have the CID.
- hxxps://storry[.]tv/ipfs/bafybeihuqzllo4qdhw7gluyr7fdgwtijfb7jkpzxdlcon6neqmgw2grkfy
- hxxps://nftstorage[.]link/ipfs/bafybeihuqzllo4qdhw7gluyr7fdgwtijfb7jkpzxdlcon6neqmgw2grkfy
- hxxps://hardbin[.]com/ipfs/bafybeihuqzllo4qdhw7gluyr7fdgwtijfb7jkpzxdlcon6neqmgw2grkfy
- Each of these URLs will still access the same file stored in IPFS. Meaning a threat actor can cycle through gateways to create another URL is blocked.
- The author section of the PDF contained a common string “Son of God”
- Hexdump of file
TTPs
T1608.005 - Stage Capabilities: Link Target
T1586.002 - Compromise Accounts: Email Accounts
T1566.002 - Phishing: Spearphishing Link
T1566.001 - Phishing: Spearphishing Attachment
T1036.008 - Masquerading: Masquerade File Type
