How phishing can lead to a shipment of headaches

As if cybersecurity defense was not already a full-time job, now agency employees have to stay vigilant against a new phishing attempt so sophisticated it is escaping even many email detection services and might even fool well-trained IT and cybersecurity professionals.

New work from a file security technology company has uncovered a malicious macro that delivers a Dridex trojan payload hiding in Microsoft Excel spreadsheets. According to the technology company, Votiro, the macro is delivered using phishing emails made to look as though they originate from UPS, FedEx and DHL. Every email message received by end users contains header information with server names that appear to have originated with the shipping companies.

The Excel spreadsheet includes a macro that launches the Microsoft PowerShell task automation and configuration management framework in hidden mode. A payload is then downloaded from geronaga.com -- a website registered with a Chinese website domain service. According to Votiro, the IP address on the website actually pointed to a server in Russia.

Upon opening the file, which is a multi-threat document, users are inadvertently allowing a macro to be automatically executed. A tool called Evil Clippy enables the hacker to hide the macro, preventing it from being analyzed or even viewed. (For background, Evil Clippy is a cross-platform assistant for creating malicious Microsoft Office documents, first described in 2019 during a BlackHat Asia talk in Singapore.)

After the file has been opened, it’s common for the unsuspecting user to either enable editing or to click on a standard-looking “View & Pay the Invoice” link in the spreadsheet. A PowerShell command is then executed that downloads the payload and launches the attack. The technique can evade typical email protection software. Advanced tactics make it appear as though separate messages are coming from the shipping companies, further camouflaging the attack as genuine.

This is a sophisticated approach that can ensnare even those aware of phishing emails. It was missed by email protection services because the relatively new macro was not included in existing signature databases. According to VirusTotal, a company that analyzes files and URLs for malicious content, several email protection services would still miss the UPS and FedEx email, which means the attack may still find its way into employee inboxes.

Because the hackers were able to inject the shipping companies’ server addresses into the message headers, this phishing attack can appear legitimate even to a well-trained eye. Further, because the emails look legitimate, it increases the likelihood that recipients of such an email could compromise their systems by opening the attached spreadsheet document.

Here are a few of the ways these phishing emails have found their way into organizations:

As recently as April, a seemingly authentic email appearing to have come from UPS was sent to organizations via the Italian telecom company Telecom Italia. The return path on the message header pointed to a UPS server in Matawan, N.J., further concealing its malicious origins. The email included both message and logo from UPS and links leading to the ups.com URL. As described earlier, the email included an Excel spreadsheet that could exploit the user’s computer by surreptitiously launching a macro to execute a PowerShell code. A second phishing email, also including a spreadsheet attachment with an auto-execution macro, was received only two days later.

At the end of April, another authentic-seeming email was sent, this time ostensibly from FedEx.com, but traceable back to Guangdong, China. The return path on the message header pointed to a server owned by FedEx in Collierville, Tenn. As with the UPS phishing attack, this email provided a message and logos from FedEx, with links pointing back to the company. As with the UPS email, this message contained server names that made it appear as though it came directly from FedEx.

While the DHL phishing email carried less branding than the other two, the sender appeared legitimate, presenting a firstname.lastname@dhl.com email address as the originating party. Interestingly, a LinkedIn profile exists for an individual whose name is one letter off from that used in the spoofed DHL email address; the profile lists the person as a DHL employee, with very few additional details. This profile may not necessarily have been created by the attackers, but it adds another layer to the appearance of legitimacy. Even a sophisticated user who might take the added precaution of looking up the name of the sender might not notice that the name on the profile was not exactly the same as the purported originator of the email.

As we said at the outset, this new phishing attack is evading even many email fraud detection services. There is not much agencies can do at present to preempt these hackers’ efforts, except to provide regular information advising employees to scrutinize any bills from shipping services and to forward any such messages to the attention of the IT department.

Keep in mind that spam represents 45% of all email sent. That equates to over 14.5 billion spam emails sent daily.  With 94% of malware being delivered by email, IT managers must continue to change the game and take advantage of next-generation security software to protect employees from the most sophisticated adversaries.

With the amount of data coming in through email these days, one important best practice is to break and inspect each email and attachment to keep the user community safe and to eliminate user error.  Having the ability to streamline incoming and exchanged data as it enters the agency should be among agencies’ top priorities for cyber hygiene in 2020.