David Bisson

David Bisson is an infosec news junkie and security journalist. He works as Senior Content Manager at Bora, Associate Editor for Tripwire's "The State of Security" blog, Contributing Editor for IBM's Security Intelligence, and Contributing Writer for Palo Alto Networks' Security Roundtable, Gemalto, Venafi, Zix Corp, AlienVault, Barkly and others.

New Threat Actor Leveraged Open-Source Tool for Ongoing Credential Harvesting Attack

A new threat actor leveraged an open-source tool as part of an ongoing credential harvesting attack campaign.

Researchers at Palo Alto Networks’ Unit 42 discovered the operation on 24 June 2018. The instance they observed involved a spear-phishing email with “Project Offer” as its subject line. Under that ruse, the message carried a malicious Microsoft Word attachment that, when opened, caused a dialog box to appear.

The dialog asked the recipient to enter their credentials. It also displayed the message “Connecting to <redacted>.0utl00k[.]net,” where the attackers substituted the targeted organization's domain name for the <redacted> subdomain so the prompt would look plausible.

In total, Unit 42 found three documents that use the 0utl00k[.]net domain for harvesting credentials. One of the documents surfaced in June 2018, whereas the other two date back to September 2017 and November 2017. This observation suggests that the attack campaign has been ongoing for one year.

Unit 42 attributed this attack campaign to Dark Hydrus. A new threat actor, Dark Hydrus is known for targeting government agencies in the Middle East. One of its first offensives involved sending a password-protected RAR archive attachment named “credential.rar” in attack emails written in Arabic to at least one Middle Eastern government agency.

The archive contained a malicious .iqy file, a type of document which Excel is programmed to open. Dark Hydrus abused this functionality to run PowerShell scripts and gain backdoor access to an infected system.

Dark Hydrus didn’t do anything new in launching a work-themed phishing campaign. But it did set itself apart in how it crafted its malicious documents.

Unlike other groups, the threat actor used an open-source tool available on GitHub. The utility, which is called “Phishery,” is a credential harvester that comes with a Microsoft Word document template URL injector. Dark Hydrus leveraged the program to create two of its malicious Word documents by injecting a remote template URL. Through Phishery, the attackers also hosted a command-and-control (C&C) server to collect the harvested credentials.
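The credential dialog described above appears while Word fetches the injected remote template, and the hostname in the “Connecting to …” message is simply the host of that template URL. Because the link lives inside the .docx package itself, a defender can catch such documents at a mail gateway or in a sandbox without ever opening them in Word. The following Python scanner is an added example written for this article; it is not code from Unit 42, from the author, or from the Phishery project. It unpacks a .docx, reads the `word/_rels/settings.xml.rels` part and flags any attachedTemplate relationship whose target is a remote http(s) URL, while leaving the normal local `file:///…/Normal.dotm` reference alone. The fixture packages it builds are constructed for the test, contain only that relationships part (so they are not usable documents), and use placeholder hostnames under the reserved `.invalid` TLD.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Relationship type that Word uses to point a document at its attached template.
ATTACHED_TEMPLATE_REL = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# Namespace of the OPC package-relationships schema used in every *.rels part.
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Part holding the relationships of word/settings.xml, including the template link.
SETTINGS_RELS_PART = "word/_rels/settings.xml.rels"


def find_remote_templates(docx_bytes):
    """Return one dict per attached-template relationship that targets an http(s) URL.

    A benign document either has no attached template or references a local
    file:/// path (e.g. Normal.dotm). A remote http(s) target is what a
    template URL injector writes; it makes Word connect out on open and show a
    "Connecting to <host>" credential prompt if the server demands authentication.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS_PART not in zf.namelist():
            return findings
        root = ET.fromstring(zf.read(SETTINGS_RELS_PART))
        for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE_REL:
                continue
            target = rel.get("Target", "")
            parsed = urlparse(target)
            is_external = rel.get("TargetMode", "").lower() == "external"
            if is_external and parsed.scheme.lower() in ("http", "https"):
                findings.append({
                    "id": rel.get("Id"),
                    "target": target,
                    # This hostname is exactly what the user sees in Word's prompt.
                    "host": parsed.hostname,
                })
    return findings


def build_fixture(target=None, mode="External"):
    """Build a CONSTRUCTED test fixture: a zip holding only the settings .rels part.

    It is not a usable Word document; it exists so the scanner can be exercised
    offline. target=None yields a package with no settings relationships at all.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if target is not None:
            rels = (
                '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                f'<Relationships xmlns="{PKG_REL_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_REL}" '
                f'Target="{target}" TargetMode="{mode}"/>'
                '</Relationships>'
            )
            zf.writestr(SETTINGS_RELS_PART, rels)
    return buf.getvalue()


def scan_file(path):
    """Scan a .docx on disk and return its remote-template findings."""
    with open(path, "rb") as fh:
        return find_remote_templates(fh.read())


if __name__ == "__main__":
    # Placeholder hostname (.invalid TLD), constructed for this example.
    remote = build_fixture("http://targetorg.template-host.invalid/offer.dotm")
    local = build_fixture(
        "file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm"
    )
    samples = (("remote-template", remote), ("local-template", local),
               ("no-template", build_fixture()))
    for label, blob in samples:
        hits = find_remote_templates(blob)
        verdict = "FLAG" if hits else "ok"
        print(f"{label}: {verdict} {[h['host'] for h in hits]}")
```

Running the script flags only the package whose template target is an http URL; the local Normal.dotm reference and the package without a settings relationships part pass. In practice the scan is cheap enough to run on every inbound Office attachment, and the `host` field gives the SOC the exact domain a user would have been prompted to authenticate to, which is the value to block and to search for in proxy logs.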

Robert Falcone, a cyber threat intelligence analyst with Unit 42, explained how tools like Phishery lower the barrier for threat groups spawning new attack campaigns:

This group shows a preference in using open-source tools rather than recreating the wheel. The use of open source tools minimizes the development efforts required to carry out their operations, but also makes this threat blend into other groups using similar tools.

We want to also stress that in our previous blog we saw the group had developed their own custom PowerShell payload, so they can develop tools if required. The best protection is to focus on user-education to help prevent attacks like not opening attachments and technology-based protections that can better help prevent successful attacks.

User education is not a single event. It’s an ongoing process. To deliver this type of security awareness training consistently, organizations should consider investing in a solution through which they can continually conduct automated phishing simulations with their workforce. Whatever solution they choose, organizations should go with a product that also yields valuable reports on how they can improve staff education.