Phishing Attacks Employ Old but Effective Password Stealer

A few months ago we received a sample from a customer that turned out to be a password stealer (PWS). One thing about this malware stood out: the subdirectory used in the access panel URL. It contained the string “***=**U=TEAM” (which we have obfuscated). Our investigations lead us to believe this may be a case of industrial espionage.

_od001team_090316

The actors use compromised websites to host their access panels. Luckily for us they made a mistake and left the ZIP file they dropped on the compromised site.

_od003team_090316

This enabled us to see how the back-end of the panel works. The Zip file contains five files:

od004team_090316

The three files of interest are config.php, index.php, and install.php.

Config.php contains the password for the MySQL server they will set up.

od005team_090316

Install.php creates the database and sets up the panel to store the passwords stolen by the malware. We found the following snippet in the code:

od006team_090316

We did some searching and found that “Bilal Ghouri” was originally responsible for the PHP back-end of the popular PWS Hackhound Stealer, which was released in 2009.

We also found this warning at the end of the code:

od007team_090316

Surely they would have remembered to delete this file!

_od008team_090316

The most important file is index.php. This file is responsible for storing the passwords uploaded by the malware and also enables the actors to search and export the data.

od009team_090316

It is interesting that the script checks for a specific user agent, “HardCore Software For : Public.”

od010team_090316

This user agent is used by the malware when uploading the stolen data. The PHP script checks if the user agent matches the hardcoded one before allowing any data to be uploaded.

_od014team_090316

The malware in use is ISR Stealer, a modified version of Hackhound Stealer. Our findings are confirmed by the comments in the preceding PHP code.

The PWS targets the following applications:

  • Internet Explorer
  • Firefox
  • Chrome
  • Opera
  • Safari
  • Yahoo Messenger
  • MSN Messenger
  • Pidgin
  • FileZilla
  • Internet Download Manager
  • JDownloader
  • Trillian

The following screen of the original Hackhound Stealer shows options for building the malware:

od015team_090316

This screen of the ISR Stealer builder was used by the actors behind the campaign.

od017team_090319

ISR Stealer uses two executables to gather passwords stored on the machine: Mail PassView and WebBrowserPassView, both by Nirsoft. These apps gather passwords stored in mail clients and web browsers. Both of these files reside in the resources of the ISR Stealer. The panel location is also stored in the malware’s resources, in a simple encrypted form with SUB 0x02.

od020team_090320

An encrypted URL.

od021team_090320

A decrypted URL.

We did some more digging and found that the actors responsible for this malware have been active since the beginning of 2016, with the first sample spotted in the wild in January.

The following spear-phishing emails were sent to entice targets to download and execute the PWS:

 od013team_090316

od011team_090316

The actors have been busy for several weeks, although we saw no activity during the Easter holiday. After “Easter break,” we noticed that they had slightly changed the panel. It now includes the string “Powered By NEW LINE OF *** **U TEAMS VERSION 2.1.”

_od016team_090316

One compromised website had more than 10 access panels receiving stolen passwords from the PWS. We observed that some of the targets of the spear phishing are companies that deal with machinery parts. The actors used some of the following filenames:

  • (RFQ__1045667machine-oil valves).exe
  • ButterflyCheckVALVES.exe
  • BALL VALVE BIDDING.exe
  • RFQ BALL VALVE.exe
  • Ball Valves with BSPP conection.exe

These names lead us to believe that industrial espionage might be a motive of the actors.

od018team_090320

We have also noticed that they are attaching the malware with a “.z” extension. This is likely because some popular ZIP file handlers will associate this file extension with their programs and allow users to extract it. Using .z also bypasses some popular cloud email file restrictions.

od019team_090320

We contacted the website owners used by the actors and informed them of the compromise so that they could remove the panels.

Prevention

Intel Security detects this threat as PWS-FCGH. We advise you block .z file extensions at the gateway level. This step will prevent other malware from using this technique in their phishing campaigns.

 

The post Phishing Attacks Employ Old but Effective Password Stealer appeared first on McAfee.