Julianne, a finance employee working for Quick Logistics LLC, received a follow-up email regarding an unpaid invoice from their business partner, B Packaging Inc. Unbeknownst to her, the attached document was malicious and compromised her workstation.
The security team flagged the suspicious execution of the attachment; combined with phishing reports received from other finance department employees, this points to a targeted attack on the finance team. Checking the latest threat intelligence, the initial TTP used for the malicious attachment is attributed to a new threat group named Boogeyman, known for targeting the logistics sector.
1. Exchange Information
Looking at the following information, an email was sent by Arthur Griffin (agriffin@bpakcaging.xyz) to Julianne Westcott (julianne.westcott@hotmail.com):
From: Arthur Griffin <agriffin@bpakcaging.xyz>
Date: Fri, 13 Jan 2023 09:25:26 +0000
Subject: Collection for Quick Logistics LLC - Jan 2023
Message-Id: <4uiwqc5wd1qx.HPk2p-JE_jYbkWIRB-SmuA2@tracking.bpakcaging.xyz>
Reply-To: Arthur Griffin <agriffin@bpakcaging.xyz>
Sender: agriffin@bpakcaging.xyz
To: Julianne Westcott <julianne.westcott@hotmail.com>
2. Security Headers
SPF passed and DMARC was evaluated as bestguesspass, so the sender domain bpakcaging.xyz is unlikely to have been spoofed: the mail genuinely came from the attacker-controlled domain. The email also passed the DKIM check, with two signatures detected: bpakcaging.xyz and elasticemail.com. The latter appears to be the MTA (Mail Transfer Agent) used by the attacker.

Authentication-Results: spf=pass (sender IP is 15.235.99.80) smtp.mailfrom=bpakcaging.xyz; dkim=pass (signature was verified) header.d=bpakcaging.xyz; dmarc=bestguesspass action=none header.from=bpakcaging.xyz; compauth=pass reason=109
Received-SPF: Pass (protection.outlook.com: domain of bpakcaging.xyz designates 15.235.99.80 as permitted sender) receiver=protection.outlook.com; client-ip=15.235.99.80; helo=pa80.mxout.mta1.net; pr=C
DKIM-Signature: v=1; a=rsa-sha256; d=bpakcaging.xyz; s=api; c=relaxed/simple; t=1673601926; h=from:date:subject:reply-to:to:list-unsubscribe:mime-version; bh=DORzQK4K9VXO5g47mYpyX7cPagIyvAX1RLfbY0szvCc=; b=dCB9MhhsZqg4h2P9dg5zMjLj7HVS9vt0fXuqEzH8cj6ft+YBJxvZHkF8uc+CeOas6CoICaPu13Q oL/xVebg3aO8bmlooJWTAZx7mmrh/1ZQBVHm3wvGVI9Xn55nhWzRGoqVOAAPPM6+MEHFwZDIjKDAs RpDurrnykQeCXCp127k=
DKIM-Signature: v=1; a=rsa-sha256; d=elasticemail.com; s=api; c=relaxed/simple; t=1673601926; h=from:date:subject:reply-to:to:list-unsubscribe; bh=DORzQK4K9VXO5g47mYpyX7cPagIyvAX1RLfbY0szvCc=; b=jcC3z+U5lVQUJEYRyQ76Z+xaJMrXN2YdjyM8pUl7hgXesQaY7rqSORNRWynpDQ3/CBSllw31eDq WmoqpFqj2uVy5RXK73lkBEHs5ju1eH/4svHpZLS9+wU/tO5dfZVUImvY32iinpJCtoiMLjdpKYMA/ d5BBGqluALtqy9fZQzM=
3. Email Body
The body states that the attached document is encrypted and can be opened with the password Invoice2023!. The raw (quoted-printable encoded) HTML body:

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dutf-8"></=
head><body style=3D"font-size: 13px;font-family:Helvetica;"><br><p>Hi Julianne,</p><p>I hope you are well.</p><p>I just wanted to drop you a quick note to remind you in respect of docum=
ent #39586972 is due for payment on January 20, 2023.</p><p>I would be grateful if you could confirm everything is on track for paym=
ent.</p><p>For additional information, kindly see the attached document.<br><br>You may use this code to view the encrypted file: <strong>Invoice2023!</str=
ong></p><p>Best regards,<br><strong>Arthur Griffin</strong><br>Collections Officer<br>B Packaging Inc.<br><br>
4. Email Attachment
A zip file, Invoice.zip, was attached to the email.
Based on the PowerShell log investigation, the full impact of the attack was established:
- The threat actor was able to read and exfiltrate two potentially sensitive files.
- The domains and ports used for the network activity were discovered, including the tool used by the threat actor for exfiltration.
1. HTTP Traffic
Looking at the servers associated with the domain bpakcaging.xyz:

$ tshark -r capture.pcapng -Y 'http.response_for.uri contains "bpakcaging.xyz" and http' -T json | jq -r '.[]."_source".layers.http | with_entries(if (.key|test("http.(server)")) then ({key: "server", value: .value}) else empty end) | .server' | sort | uniq -c | sort -nr
    929 Apache/2.4.13
        SimpleHTTP/0.6 Python/3.10.7

Two servers were identified: an Apache one and a Python SimpleHTTP one. The latter, given its much lower request count, is likely the file server from which the executables found during the log analysis were downloaded:

$ tshark -r capture.pcapng -Y 'http.server contains "Python" and http' -T json | jq -r '.[]."_source".layers.http | with_entries(if (.key|test("http.(res.*uri)")) then ({key: "uri", value: .value}) else empty end) | .uri'
http://files.bpakcaging.xyz/update
http://files.bpakcaging.xyz/sb.exe
http://files.bpakcaging.xyz/sq3.exe
All requests to the Apache server could be traced to http://cdn.bpakcaging.xyz:8080:
$ tshark -r capture.pcapng -Y 'http.server contains "Apache" and http' -T json | jq -r '.[]."_source".layers.http | with_entries(if (.key|test("http.(res.*uri)")) then ({key: "uri", value: .value}) else empty end) | .uri' | sort | uniq -c | sort -nr
    886 http://cdn.bpakcaging.xyz:8080/b86459bb
     42 http://cdn.bpakcaging.xyz:8080/27fe2489
      1 http://cdn.bpakcaging.xyz:8080/8cce49b0

In addition, all 42 requests made to /27fe2489 were found to be POST requests:

$ tshark -r capture.pcapng -Y 'http.request.full_uri contains "/27fe2489" and http' -T json | jq -r '.[]."_source".layers.http' | grep request.method | sed -E 's/.*".*": "(.*)",/\1/g' | sort | uniq -c | sort -nr
     42 POST
2. Command Executions
The POST data of a sample packet contains what appear to be space-separated decimal values, one per byte:

$ tshark -r capture.pcapng -Y 'http.request.full_uri contains "/27fe2489" and http' -T json | jq -r '.[]."_source".layers.http | with_entries(if (.key|test("http.file_data")) then ({key: "data", value: .value}) else empty end) | .data' | head -n 1
13 13 10 13 10 80 97 116 104 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 13 10 45 45 45 45 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 13 10 67 58 92 87 105 110 100 111 119 115 92 115 121 115 116 101 109 51 50 13 10 13 10 13 10
Now, converting the data of all POST requests from decimal to ASCII:
$ tshark -r capture.pcapng -Y 'http.request.full_uri contains "/27fe2489" and http' -T json | jq -r '.[]."_source".layers.http | with_entries(if (.key|test("http.file_data")) then ({key: "data", value: .value}) else empty end) | .data' > c2.data
$ for i in $(cat c2.data); do for x in $i; do hex=$(printf '%x' $x); echo -ne "\x$hex"; done; done
The decoded output shows that a KeePass database was indeed found on the workstation:

    Directory: C:\Users\j.westcott\Documents

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         1/13/2023   4:38 PM           2206 protected_data.kdbx

as well as its master password, stored in Microsoft Sticky Notes:

The decoded POST data also shows the exfiltration attempt itself: the file was sent out as hex-encoded subdomains of bpakcaging.xyz, one chunk per DNS lookup:
*** UnKnown can't find .bpakcaging.xyz: Unspecified error
*** No address (A) records available for 03D9A29A67FB4BB50100030002100031C1F2E6BF714350BE58.bpakcaging.xyz
*** UnKnown can't find .bpakcaging.xyz: Unspecified error
*** No address (A) records available for 05216AFC5AFF03040001000000042000AF4DE7A467FADFBFEB.bpakcaging.xyz
*** UnKnown can't find .bpakcaging.xyz: Unspecified error
*** No address (A) records available for EB78AE194B03926333E0CC968727A1FF8CC4CD5151FAAC0520.bpakcaging.xyz
*** UnKnown can't find .bpakcaging.xyz: Unspecified error
*** No address (A) records available for 00516334C81F95A871AE6F5C6BB97075B74C6016ADAD4C35B3.bpakcaging.xyz
*** UnKnown can't find .bpakcaging.xyz: Unspecified error
*** No address (A) records available for A327BFF48B837B4806080060EA0000000000000710000F22FE.bpakcaging.xyz
*** UnKnown can't find .bpakcaging.xyz: Unspecified error
*** No address (A) records available for 38943F8ED485C92DA84BCCE2E2082000C47157BAF0E6A7EF35.bpakcaging.xyz
*** UnKnown can't find .bpakcaging.xyz: Unspecified error
*** No address (A) records available for A00731B6CE6192813F7AC951F0C6460D89A27D91DE15C50920.bpakcaging.xyz
*** UnKnown can't find .bpakcaging.xyz: Unspecified error
*** No address (A) records available for 007187B84DD4E121AED3668F75F3761E8AAC3169F81025A5AE.bpakcaging.xyz
*** UnKnown can't find .bpakcaging.xyz: Unspecified error
*** No address (A) records available for 30D657448F4401890A0400020000000004000D0A0D0A3865AE.bpakcaging.xyz
*** UnKnown can't find .bpakcaging.xyz: Unspecified error
*** No address (A) records available for FAA72AA7E2FC9869F30F566E4F58A19582BDA4C0988D8E9F6C.bpakcaging.xyz
[..omitted..]

Looking at the packet capture, the chunked exfiltrated data could also be seen:
Cleaning the chunked data and putting it together retrieves the KeePass database file:
$ tshark -r capture.pcapng -Y "ip.dst==167.71.211.113 and dns" -T fields -e dns.qry.name | grep -E '[A-F0-9]+.bpakcaging.xyz$' | cut -d'.' -f1 | tr -d '\n' | xxd -p -r > protected_data.kdbx
$ file protected_data.kdbx
protected_data.kdbx: Keepass password database 2.x KDBX
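The two decoding steps used above (turning the decimal-encoded C2 POST bodies back into text, and reassembling the hex DNS labels into the exfiltrated file) as one added Python example; this is not the author's code. The sample query names reuse the first two labels from the nslookup output shown on this page, the other names and the POST body are constructed, and the label regex mirrors the author's grep pattern.

```python
import re
from typing import Iterable, List

# Constructed sample: two hex labels copied from the page's nslookup output,
# mixed with ordinary lookups a real capture would also contain.
SAMPLE_QUERIES = [
    "files.bpakcaging.xyz",
    "03D9A29A67FB4BB50100030002100031C1F2E6BF714350BE58.bpakcaging.xyz",
    "cdn.bpakcaging.xyz",
    "05216AFC5AFF03040001000000042000AF4DE7A467FADFBFEB.bpakcaging.xyz",
]

# Constructed sample of one decimal-encoded C2 POST body (section 2 format).
SAMPLE_POST_BODY = (
    "80 97 116 104 13 10 67 58 92 87 105 110 100 111 119 115 92 "
    "115 121 115 116 101 109 51 50 13 10"
)

# KDBX signature 1 (0x9AA2D903) and 2 (0xB54BFB67), little-endian on disk.
KDBX_MAGIC = bytes.fromhex("03D9A29A67FB4BB5")
# Same idea as the author's grep: an all-hex label directly under the C2 domain.
HEX_LABEL = re.compile(r"^([0-9A-F]+)\.bpakcaging\.xyz$")


def decode_post_body(body: str) -> str:
    """Convert a space-separated decimal byte stream (C2 POST body) to text."""
    return bytes(int(tok) for tok in body.split()).decode("latin-1")


def extract_chunks(queries: Iterable[str]) -> List[bytes]:
    """Return the hex exfil labels decoded to bytes, preserving capture order."""
    chunks = []
    for name in queries:
        m = HEX_LABEL.match(name)
        if m and len(m.group(1)) % 2 == 0:  # odd-length labels are not byte data
            chunks.append(bytes.fromhex(m.group(1)))
    return chunks


def reassemble(queries: Iterable[str]) -> bytes:
    """Concatenate the chunks into the exfiltrated file."""
    return b"".join(extract_chunks(queries))


def is_kdbx(data: bytes) -> bool:
    """Check the reassembled bytes for the KeePass 2.x database signature."""
    return data.startswith(KDBX_MAGIC)


if __name__ == "__main__":
    print(repr(decode_post_body(SAMPLE_POST_BODY)))
    blob = reassemble(SAMPLE_QUERIES)
    print(len(blob), "bytes, KDBX:", is_kdbx(blob))
```

The first label alone already carries the KDBX magic and the 3.1 version field, which is why `file` recognises the reassembled output as a KeePass database.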
Finally, opening the KeePass database with the master password %p9^3!lL^Mz47E2GaT^y reveals the details of a company card, including the account number 4024007128269551:

$ kpcli --kdb=protected_data.kdbx
Provide the master password: *************************
kpcli:/> dir
=== Groups ===
protected_data/
kpcli:/> cd protected_data
kpcli:/protected_data> dir
=== Groups ===
eMail/
General/
Homebanking/
Internet/
Network/
Recycle Bin/
Windows/
kpcli:/protected_data> cd Homebanking
kpcli:/protected_data/Homebanking> dir
=== Entries ===
0. Company Card
kpcli:/protected_data/Homebanking> show 0
Title: Company Card
Uname:
Pass:
URL:
Notes:
String Values:
  1) Account Number = 4024007128269551
  2) CVV = 970
  3) Expiration Date = 3/2028
  4) Name = Quick Logistics LLC