Spear Phishing: from ZIP to ISO Attachments

August 7, 2017 by Joe Dela Cruz

As early as May 2017, we’ve seen spear phishing campaigns that use the ISO file type as an email attachment. For the attackers it is a good alternative to ZIP for delivering malware payloads.

These spear phishing campaigns targeted the following industries in particular:

  • Transportation/Delivery
  • Trading Goods

Below are samples of spam emails with ISO attachments:

This kind of attack affects users of Windows 8 or later, because the operating system automatically mounts the ISO as a drive once it is opened, as shown below.

This opens a new window showing the executable payload, which unaware users can simply double-click:


Below are the filenames of the attachment we’ve found used in the wild:

  • PAYMENTSLIP,DOC.iso
  • REQUEST FOR QUOTATION,DOC.iso
  • PAYMENTSLIP%2CDOC.iso
  • QUOTATION,PDF.iso
  • Qt4004233493MPOrder.iso
  • Quotation-0568.iso
  • CASH Denominations.iso
  • INVOICE.iso
  • CASH DENOMINATION.iso
  • REQUEST QUATATION.iso
  • doc02190820170520154353.iso
  • 17072017154624.iso
  • DHL.iso
  • PROFORMA INVOICE.iso
  • Request for Quotation (RFQ) – 14000097020.iso
  • Proforma INV.iso
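The two observations above (Windows 8+ auto-mounts an ISO and shows its contents, and the lure names hide a document-type token such as "DOC" or "PDF" in front of the real ".iso" extension) translate directly into a mail-gateway triage check. The following Python script is an added example and not tooling from the original post or its author: it flags attachment names built in the campaign's style and then walks the ISO 9660 directory tree of an attachment offline to list any executable inside, before any user ever mounts it. Only the primary (ISO 9660) directory is read, not Joliet or UDF; the sample image is constructed inline from a stub "MZ" header and is not a real payload.

```python
import re
import struct
import urllib.parse

SECTOR = 2048
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "wsf", "hta", "dll"}
DOC_TOKENS = {"DOC", "DOCX", "PDF", "XLS", "XLSX"}


def is_lure_name(filename):
    """True for an .iso whose stem carries a document-type token (DOC, PDF, ...)
    separated by a comma, dot, space or URL-encoded comma, e.g. PAYMENTSLIP%2CDOC.iso."""
    name = urllib.parse.unquote(filename)          # PAYMENTSLIP%2CDOC.iso -> PAYMENTSLIP,DOC.iso
    stem, _, ext = name.rpartition(".")
    if ext.lower() != "iso":
        return False
    tokens = re.split(r"[,.\s_-]+", stem.upper())
    return any(t in DOC_TOKENS for t in tokens)


def _rec(data, off):
    """Parse one ISO 9660 directory record; None on a zero-length (padding) record."""
    length = data[off]
    if length == 0:
        return None
    extent = struct.unpack_from("<I", data, off + 2)[0]   # first sector of the entry
    size = struct.unpack_from("<I", data, off + 10)[0]    # length in bytes
    flags = data[off + 25]                                # bit 1 set = directory
    name_len = data[off + 32]
    name = data[off + 33:off + 33 + name_len].decode("ascii", "replace")
    return length, extent, size, flags, name


def list_iso_files(image):
    """Walk the primary volume descriptor's directory tree; returns [(path, extent, size)]."""
    pvd = image[16 * SECTOR:17 * SECTOR]
    if pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("not an ISO 9660 image")
    _, root_extent, root_size, _, _ = _rec(pvd, 156)      # root directory record lives at PVD offset 156
    files, stack = [], [("", root_extent, root_size)]
    while stack:
        path, extent, size = stack.pop()
        d = image[extent * SECTOR:extent * SECTOR + size]
        off = 0
        while off < len(d):
            rec = _rec(d, off)
            if rec is None:                               # records never span sectors: skip the padding
                off = (off // SECTOR + 1) * SECTOR
                continue
            length, ext, sz, flags, name = rec
            off += length
            if name in ("\x00", "\x01"):                  # "." and ".." entries
                continue
            if flags & 2:
                stack.append((path + "/" + name, ext, sz))
            else:
                files.append((path + "/" + name.split(";")[0], ext, sz))   # drop the ";1" version suffix
    return files


def find_executables(image):
    """Paths inside the image that look executable by extension or by PE/MZ magic."""
    hits = []
    for path, extent, size in list_iso_files(image):
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        magic = image[extent * SECTOR:extent * SECTOR + 2]
        if ext in EXEC_EXTS or magic == b"MZ":
            hits.append(path)
    return hits


def _dir_record(name, extent, size, flags):
    """Build a directory record (both-endian fields) for the constructed sample image."""
    body = (bytes(2) + struct.pack("<I", extent) + struct.pack(">I", extent)
            + struct.pack("<I", size) + struct.pack(">I", size) + bytes(7)
            + bytes([flags, 0, 0]) + struct.pack("<H", 1) + struct.pack(">H", 1)
            + bytes([len(name)]) + name)
    if len(body) % 2:
        body += b"\x00"
    return bytes([len(body)]) + body[1:]


def build_sample_iso():
    """Constructed minimal image: root directory holding INVOICE.EXE;1 with a stub MZ header (not a real payload)."""
    root_sector, file_sector = 18, 19
    payload = b"MZ" + b"\x00" * 62
    root = (_dir_record(b"\x00", root_sector, SECTOR, 2) + _dir_record(b"\x01", root_sector, SECTOR, 2)
            + _dir_record(b"INVOICE.EXE;1", file_sector, len(payload), 0)).ljust(SECTOR, b"\x00")
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1
    pvd[156:190] = _dir_record(b"\x00", root_sector, SECTOR, 2)
    term = bytearray(SECTOR)
    term[0], term[1:6], term[6] = 255, b"CD001", 1                     # volume descriptor set terminator
    return bytes(16 * SECTOR) + bytes(pvd) + bytes(term) + root + payload.ljust(SECTOR, b"\x00")


if __name__ == "__main__":
    for n in ("PAYMENTSLIP%2CDOC.iso", "QUOTATION,PDF.iso", "INVOICE.iso"):
        print(n, "lure-style name" if is_lure_name(n) else "plain .iso name")
    print(find_executables(build_sample_iso()))
```

On a real attachment, pass the bytes of the file to find_executables(); any .iso attachment that contains a PE or script file at its top level is a strong candidate for quarantine, regardless of whether the filename matches the lure pattern.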

We also found that the embedded executable payload varies, ranging from Fareit and Neurevt to VBKrypt malware.

This leads us to believe that this method is being used by several actors, or could be part of a spam service sold on the dark web.

Leads to Threat Actors

We searched for leads to the threat actors and found one of the spam emails pointing to a suspicious source: info@lngoilandgasplc.com

Checking the registration information of the said website leads to the following email address:

Admin Email: cmeucke@yahoo.com

Searching the web for the said email and related information points us to the following domain names previously used for Spam emails:

  • TRANSOCCEANOIL.COM
  • SZELLOVER.COM
  • MIDALCCABLE.COM
  • LINUXCOMPANYLTD.COM
  • EMAROAD.COM
  • MORNNICKFIRM.COM

We also managed to correlate the information to a well-known RAT, “Luminosity” (d25e0c5c1c9295bb09ebc766fc76805dd2b562b3e490dd1995e6e9b91f06a9bd).

This shows that the threat actors are not only changing the infection vector but also shifting to a different malware payload within.