The threat landscape is constantly renewed and updated, with malicious software falling into several categories, the most common of which are Stealers and Ransomware.
In this research, we came across an email sent to victims working in the advertising domain, containing a message prompting action and introducing them to a business cooperation worth significant amounts of money.
All the victim had to do was answer a few “questions” found in the attached file.
The delivery method is a phishing email that includes a link to an attachment, intended to be unzipped and opened on the victim’s system.
We found evidence that the email message was actually part of a large-scale campaign trying to attack online advertising, SEO and brand growth specialists, with the purpose of stealing their Facebook advertising accounts.
Infection chain
The attacker created fake LinkedIn accounts (AKA “Sock Puppets” or “Burner Accounts”), all of which shared nearly identical bios, email addresses and phone numbers.
The email addresses used newly registered domains (created between August and September 2023) that imitated the names of well-known, large internet fashion retailers such as Furla, O-bag and Pavers.
All of the accounts had similar roles as “Recruitment Specialist” and were linked by common biographies, WhatsApp numbers and email domains.
The fake accounts contacted legitimate LinkedIn professionals in the areas of marketing, SEO and advertising, and asked them to contact the company’s marketing managers.
Checking the phone numbers and domains the attackers used, all of the numbers were identified as VoIP numbers from the USA and the UK.
A similar recruitment operation was conducted on Upwork, a freelancer marketplace, in an attempt to reach more potential victims.
After the initial contact was established on social media, the discussion switched to emails promising a supposedly lucrative offer for business cooperation.
Other emails sent as part of this campaign explicitly mentioned large sums of money as part of the lure.
The email domains observed throughout the investigation were all created on Squarespace (a website builder) in August - September 2023. The majority of them had no DNS entries (meaning there is no website), and those that did displayed generic “Coming Soon” pages.
All emails were written in good business English and contained a link to a Google document with questions the candidates were to answer within a very short time frame, a well-known adversary technique for increasing urgency.
The Google Document, stripped of metadata and styled with brand assets (logos, fonts and links to the brand website, meaning there are different versions for each retailer brand the attacker tried to impersonate), contained a link to a password-protected ZIP file hosted on Dropbox, which the victim was supposed to download and unzip.
The file was password protected to prevent scanning by malware detectors on Dropbox.
Code Analysis
The unzipped file contained a list of media assets (jpg and mp4 files) and a 1.47GB .scr file - in fact a Windows executable (.exe file) which would run when double-clicked by an unsuspecting victim.
When running “binwalk” on it (a tool for searching a given binary image for embedded files and executable code), we found the code, which was written in Python, in a file named libb1.py.
Extracting the Python file from the executable allowed us to analyze the source code. The file was unknown to VT; however, five vendors identified it as malicious (hash 1cc4759938e647675a55173f96cb7833f6daef641a7da8aa68debc74eaae9795) - either a Python Trojan or a Python Stealer.
The code performs various tasks related to collecting information from several browsers. Additionally, it interacts with Facebook’s Ads Manager to gather data related to ad accounts. The code operates in the following stages:
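Because ZIP password protection encrypts entry contents but not the central directory, a defender can list the names and sizes inside the lure archive without the password. The following is an added example (not code from the report or from the malware) that flags the layout described above: a large .scr shipped beside media files, or an entry named libb1.py. The size threshold, the constructed archive and the name Questions.scr are assumptions for the demo.

```python
import io
import zipfile

# Assumed threshold for the demo: the real lure paired a 1.47 GB .scr with jpg/mp4 files,
# the padding being a common way to exceed scanner size limits.
LARGE_SCR_BYTES = 100 * 1024 * 1024
STEALER_SCRIPT = "libb1.py"   # Python file the report found embedded in the .scr
MEDIA_EXT = (".jpg", ".jpeg", ".png", ".mp4")


def inspect_zip(data: bytes) -> dict:
    """Inspect a ZIP without extracting anything. Names, sizes and flags come from
    the central directory, which ZIP encryption leaves in the clear, so this also
    works on a password-protected archive whose password we do not know."""
    findings = {"scr_entries": [], "large_scr": [], "stealer_script": False,
                "encrypted": False, "media_count": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if info.flag_bits & 0x1:        # bit 0 of the general-purpose flag = encrypted entry
                findings["encrypted"] = True
            if name.endswith(MEDIA_EXT):
                findings["media_count"] += 1
            if name.endswith(".scr"):
                findings["scr_entries"].append(info.filename)
                if info.file_size >= LARGE_SCR_BYTES:
                    findings["large_scr"].append(info.filename)
            if name.rsplit("/", 1)[-1] == STEALER_SCRIPT:
                findings["stealer_script"] = True
    return findings


def is_suspicious(findings: dict) -> bool:
    """True for the lure pattern: known stealer script name, an oversized .scr,
    or any .scr (a Windows executable) delivered next to media files."""
    return bool(findings["stealer_script"] or findings["large_scr"]
                or (findings["scr_entries"] and findings["media_count"] > 0))


def build_sample_zip(with_scr: bool = True) -> bytes:
    """Constructed sample archive mimicking the lure's layout (not the real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("assets/banner.jpg", b"\xff\xd8\xff")            # constructed bytes
        zf.writestr("assets/promo.mp4", b"\x00\x00\x00\x18ftyp")
        if with_scr:
            zf.writestr("Questions.scr", b"MZ" + b"\x00" * 64)   # tiny stand-in for the .scr
    return buf.getvalue()
```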
1. It imports several Python libraries for tasks such as file operations, cryptography and making HTTP requests.
2. It retrieves information about the computer’s hostname, username and OS version (probably as additional information for checking whether there are exploitable CVEs due to a non-upgraded OS version).
3. It takes a snapshot of the screen.
4. It makes an HTTP request to https://ipinfo[.]com to obtain information about the computer’s IP address, location and country.
5. It creates a timestamp and generates a unique name for a file.
6. It defines functions to check if specific web browsers are running and to find user profiles for those browsers.
The specific browsers it tries to look for are Chrome, Edge, Brave, Opera, Chromium, Firefox and CocCoc - a Vietnamese browser.
7. It defines functions to copy browser data files, such as cookies and login data from user profiles, to a destination folder and then deletes the original files (essentially kicking the user out of their account).
8. It defines functions to decrypt and extract login data (usernames, passwords and cookie information) from Firefox profiles.
9. It defines functions to interact with Facebook Ads Manager, such as obtaining access tokens and retrieving data related to ad accounts.
10. It writes the collected data, including login information and cookie data, to human readable text files.
11. It uses a Telegram bot with hard-coded credentials to exfiltrate the data from the local machine to the malware operator.
12. It appears to keep track of a counter for some purpose, possibly related to the number of times the script has run on the particular machine.
Further analysis of the code reveals messages in Vietnamese, which can hint at the origin of the malware.
The headers used for the Facebook call provide both more evidence of Vietnamese involvement and a Chrome version (112) that was the current version in April 2023, so it is likely the malware was written during that period.
The main() section of the code revealed it is indeed a Stealer, trying to obtain data stored locally in the browsers and using a Telegram bot for exfiltration.
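Because the bot credentials are hard-coded (stage 11 above), every infected host calls the same Telegram Bot API endpoint, and the numeric bot id in the URL is a stable indicator across victims. The following added example (not code from the report) runs a detection over constructed, EDR-style network events, flagging Bot API calls from processes that have no business talking to Telegram and clustering affected hosts by bot id; the event format, the process allow-list and all sample values are assumptions.

```python
import re
from collections import defaultdict

# Telegram Bot API URLs have the form https://api.telegram.org/bot<id>:<secret>/<method>.
# We keep the numeric <id> for correlation and never store the secret part.
BOT_CALL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):[A-Za-z0-9_-]+/(?P<method>\w+)")

# Assumed allow-list: processes that may legitimately reach Telegram; anything else is flagged.
ALLOWED_PROCESSES = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample events (timestamp host process url); not real telemetry.
SAMPLE_EVENTS = """\
2023-09-14T10:02:11Z WS-AD-07 Questions.scr https://api.telegram.org/bot123456:AAxx-yy_zz/sendDocument
2023-09-14T10:02:12Z WS-AD-07 Questions.scr https://ipinfo.com/
2023-09-14T10:05:40Z WS-AD-03 telegram.exe https://api.telegram.org/bot987654:AAsecret/getUpdates
2023-09-14T11:17:03Z WS-SEO-02 Questions.scr https://api.telegram.org/bot123456:AAxx-yy_zz/sendDocument
2023-09-14T11:20:55Z WS-AD-09 python.exe https://api.telegram.org/bot123456:AAxx-yy_zz/sendMessage
"""


def detect_bot_exfil(events: str) -> list:
    """Return (host, process, bot_id, method) for each Bot API call made by a
    process outside the allow-list. sendDocument is how a file-based stealer
    would upload the text files it writes."""
    hits = []
    for line in events.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        _ts, host, process, url = parts
        m = BOT_CALL.search(url)
        if m and process.lower() not in ALLOWED_PROCESSES:
            hits.append((host, process, m["bot_id"], m["method"]))
    return hits


def cluster_by_bot(hits: list) -> dict:
    """Group affected hosts per bot id: one id seen on many hosts points to one
    operator's campaign and gives the scope of the incident."""
    clusters = defaultdict(set)
    for host, _process, bot_id, _method in hits:
        clusters[bot_id].add(host)
    return {bot_id: sorted(hosts) for bot_id, hosts in clusters.items()}
```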
Attribution
We believe the developers of the malware and its operators are Vietnamese, based on the following:
Messages written to the logs:
HTTP call headers:
Special handling for CocCoc (Vietnamese browser):
We were able to access the Telegram Bot used by the attackers. Using the “getUpdates” API returned a list of files as uploaded from victims’ machines, including test runs by the malware operator on their own machine (showing the presentation as a victim would see it), providing valuable insights into their identity.
In the picture: The screenshot from the attacker’s machine included text in Vietnamese.
Calling the Telegram bot’s “getChatAdministrators” API revealed the Telegram username “iamRioooo” and the language_code “vi” (Vietnamese).
In the picture: the suspects’ Telegram account
Based on a browser profile grabbed by the malware from the supposed attacker’s computer, we came across the name “Tien Dinh Van” (apparently a very common name in Vietnam) and a personal email address “dinhvantien20102000@gmail[.]com” - also not distinct enough to allow for identification.
Based on the user names and passwords grabbed by the malware from the supposed attacker’s computer, we were able to determine with a high degree of confidence the attacker’s real identity, and that he is, or was, a student at the Dong Nai Institute of Technology.
Use of AI
Throughout our research we were very impressed with the level of written English communication by the attacker. In fact, his phishing emails and recruitment messages were so articulate we suspected we were looking at a team of attackers, one of whom is a native English speaker.
This mystery was solved when one of the screenshots from the attacker’s computer showed ChatGPT open on his screen in an attempt to generate recruitment emails for Facebook Advertising Specialists.
We have long been warned that generative AI services could be used by fraudsters for malicious purposes, such as crafting high quality phishing emails, but this is the first time we have encountered such an example in real life.
For additional defense, we have created the following YARA rules:

1.
rule SuspiciousDomain
{
    strings:
        $domain1 = "it-furla.com"
        $domain2 = "furla-it.com"
        $domain3 = "obag-it.com"
        $domain4 = "pavers-co.uk"
        $domain5 = "falconeri-it.com"
        $domain6 = "colehaan-us.com"
        $domain7 = "us-colehaan.com"
    condition:
        any of ($domain*)
}

2.
rule SuspiciousCodeIndicator
{
    strings:
        $idbot1 = "V34_0110-fur-DI"
        $idbot2 = "NonV45-0910-Cole-N6"
        $apibot1 = "6453235748:AAHa67pMUGuvhmEuR0pIPhzWLQsMd-qAKoU"
        $apibot2 = "6453235748:AAHa67pMUGuvhmEuR0pIPhzWLQsMd-qAKoU"
        $newtime = /[0-9]+h[0-9]+m[0-9]+s-[0-9]+-[0-9]+-[0-9]+/
        $name_f = /[A-Za-z]+ [A-Za-z0-9_-]+ [0-9]+h[0-9]+m[0-9]+s-[0-9]+-[0-9]+-[0-9]+/
    condition:
        any of ($idbot*, $apibot*, $newtime, $name_f)
}

3.
rule SuspiciousFBTG
{
    strings:
        $fburl = "adsmanager.facebook.com"
        $tgurl = "api.telegram.org"
        $import = "import"
    condition:
        $import at 0 and $fburl and $tgurl
}

4.
rule DetectLibb1InZip
{
    strings:
        $zip_magic = { 50 4B 03 04 }
        $libb1_filename = "libb1.py"
    condition:
        $zip_magic at 0 and $libb1_filename
}