Cyber Hunter Blog

The growth of phishing attacks in both frequency and sophistication continue to be a high threat with tradecraft showcasing deceptive, spear, and fraudulent techniques in one campaign. These cyber criminals have adapted to recognize user behavior luring those in organizations that must conduct specific services in their daily operations.

In mid-May, DocuSign, an electronic signature technology company, notified its customers that a core network had been compromised resulting in exploitation of user email addresses. The result allowed bad actors to send fraudulent DocuSign branded emails to users. DocuSign users are business professionals that conduct online approvals of a purchase, closings of a sale, or digitally signing an agreement. The malicious email customers received contained a subject line of “Completed: docusign.com—Wire Transfer Instructions for [recipient-name] Document Ready for Signature.” This type of phishing campaign using DocuSign as a cover requesting wire transfer of funds, dramatically increased the likelihood users would click on the embedded malicious link.

Each email contained a link that, when clicked, downloads a malicious Word document file to the victim’s computer. Reported analysis of the Word document found that it contained a malicious macro that executes Hancitor, a commonly seen malware dropper.  If macros are enabled on a victim’s computer, Hancitor downloads and installs EvilPony and Zloader, data stealing malware.  The infected system will subsequently call out to command and control sites operated by the cyber criminals.

In related activity, ActiveCanopy Cyber Operations Center has seen at least two phishing campaigns against client networks utilizing the DocuSign phishing method.  Some of the indicators of compromise were masked Docusign links to some of the following domains.

IOCs:

• api[.]mixpanel[.]com

• bam[.]nr-data[.]net

• bamstexch[.]net

• d3hmp0045zy3cs[.]cloudfront[.]net

• docucdn-a[.]akamaihd[.]net

• js-agent[.]newrelic[.]com

• spelldocs[.]net

ActiveCanopy analysis has determined that upon connecting to the above domains, malicious Javascript will be downloaded.  For example, Trojan:JS/Agent.FA is a malicious Javascript embedded in a Web page associated with the phishing domain (spelldocs[.]net). The Javascript is designed to circumvent pop-up blocking by security applications, including pop-up blockers from Google Toolbar, Internet Explorer, and other security applications. The malicious pop-up could allow site redirection, which could lead to possible downloading and executing of other malicious files.  Also, other methods seen, when accessing these malicious sites, are threat displays depicting fake alerts that falsely imply to the user that the computer is infected by malware or has system errors. The fake alerts proclaim in order to fix the “problem”, the use needs to call a technical support number and that the user may be charged for the support. Another level of sophistication that is demonstrated within these phishing emails to deceive the recipients include security verbiage of “Please note: Docusign has stepped up security in regards to the ongoing cyber attacks and hacks. Thank you.”

This type of activity highlights the daily need for employees to remain vigilante and understand the indicators of a possible fraudulent email. Training and continuous security awareness will greatly reduce infiltration of nefarious actors into your business operations.  As this phishing campaign demonstrated, these criminals understand whom to target within businesses that have the likelihood of processing sensitive digital data. Businesses need to condition employees to question suspicious emails that could have made it past corporate network filters, as each deceived employee represents an opportunity to capture credentials, intercept communications, exfiltrate data, and more.