Sacked or hacked? Unmasking employment termination scams

Campaign snapshot - November 21, 2024


Overview

In this article we outline a novel phishing campaign that was blocked in a client's environment: how the attack was orchestrated, how the malware was delivered, and the steps we took to identify and mitigate the threat. We then cover the detection techniques and protective measures that were crucial in uncovering and defending against it.


Social engineering to system compromise

This campaign demonstrates how attackers combine social engineering with technical obfuscation to get past traditional security defences. The attacker exploits human emotion, specifically the fear and uncertainty that surround employment termination. That pressure prompts people to act impulsively, making them more likely to engage with the content. At the same time, the attacker uses obfuscation to evade security tools and controls. This blended approach, pairing social engineering with technical evasion, significantly increases the chance of a successful campaign.

Phishing delivery mechanism

Users receive an email impersonating an official legal notice of employment termination. The email uses urgent, formal language to pressure the recipient into clicking an embedded link.

Rather than attaching the malware, the email directs targets to click a link (regex for the malicious link: ^(http|https):\/\/inboxsender\.gxsearch\.club\/redir\d{1,2}\/serial\.php$), which loads a fraudulent website impersonating a Microsoft service in the target's browser. The page states that the purported employment termination document cannot be accessed on the current device and instructs the target to open it on a Windows device. The aim is to get the document opened on a Windows host, where the embedded malicious Visual Basic script (.vbs) will execute.


This design serves two purposes. First, the attacker aims to bypass email security controls by having the target retrieve the file through an indirect route rather than receiving it as an attachment. Second, Microsoft branding combined with a plausible message, "This file cannot be opened on this device", manipulates the target into downloading the malware loader on the one platform where it will run.

Malware deployment: Obfuscated payload and remote control

Following the instructions leads the user to download a RAR archive containing a malicious Visual Basic script named "Processo Trabalhista.vbs" (Portuguese for "Labor Lawsuit.vbs"). The script employs command obfuscation, a tactic commonly used by attackers to evade detection: an obfuscated payload is less likely to be flagged by signature-based scanning.

The VBScript connects to a remote server, downloads a Base64-encoded text file (file4.txt) and saves it locally. It then decodes the file's contents, which are themselves a further obfuscated VBScript, and executes them, leading to further system compromise.

Obfuscated “Processo Trabalhista.vbs” (initial execution):

Deobfuscated "Processo Trabalhista.vbs" (initial execution):

The obfuscated VBScript carried in file4.txt downloads a ZIP file from a URL matching the regex ^(http|https):\/\/((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}\/download\/download\.phpx$ (the host portion of this pattern matches any IPv4 address; the distinctive element is the /download/download.phpx path), saves it, and extracts it into the directory referenced by %PROGRAMDATA%. The ZIP file contains avutil.dll, wima.exe, vamg.exe and, notably, VCRUNTIME140.dll, which here is an instance of the Ponteiro malware family rather than the legitimate Visual C++ runtime library of that name.

The VBScript then creates values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run so that wima.exe and vamg.exe are launched at every user logon, and starts both programs. Both executables are benign applications (listed under Indicators of compromise below) that depend on VCRUNTIME140.dll; they likely load the malicious DLL of that name from their own directory in place of the real runtime (DLL sideloading). Finally the malware requests a URL matching the regex ^(http|https):\/\/roncluv\.com\/br[1-9]\/\w+\.php$. The response is a page instructing the victim to run the file on a Windows machine if not already using one, the same decoy described in the delivery section.

Deobfuscated file4.txt VBScript (next stage execution):
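The persistence and sideloading chain described above can be turned into a host triage check. The following is an added example, not code from the campaign snapshot or from Cloudflare: it parses reg query style output for the HKCU Run key, flags values that launch an executable from %PROGRAMDATA%, looks for a VCRUNTIME140.dll beside that executable and compares its SHA256 with the Ponteiro hash from the IOC table. The Run value names, the command strings and the on-disk layout are constructed (the snapshot names the executables but not the value names or exact paths), and the sample files are placeholder bytes, so they deliberately do not hash to the IOC.

```python
"""Hunt for the Run-key persistence plus VCRUNTIME140.dll sideloading pattern.

Added example, not code from the campaign snapshot. Value names, commands and
the on-disk tree below are constructed; only the executable/DLL names and the
SHA256 come from the snapshot.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# SHA256 of the malicious VCRUNTIME140.dll from the snapshot's IOC table.
PONTEIRO_DLL_SHA256 = "675ff08390481f5edfe0dbc3243f192ec30045864f0393f96a29fbf7af73a0be"
SIDELOADED_DLL = "vcruntime140.dll"

# One value line of `reg query HKCU\...\Run`: "    <name>    REG_SZ    <command>".
# Columns are separated by runs of spaces, so value names containing single
# spaces are handled.
RUN_VALUE = re.compile(r"^\s+(.+?)\s{2,}REG_(?:EXPAND_)?SZ\s{2,}(.+?)\s*$")


def parse_run_values(reg_output: str) -> Dict[str, str]:
    """Map each Run value name to the command it launches (insertion order kept)."""
    values = {}
    for line in reg_output.splitlines():
        m = RUN_VALUE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def command_executable(command: str) -> str:
    """Return the executable of a Run command: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_known_ponteiro(sha256_hex: str) -> bool:
    return sha256_hex.lower() == PONTEIRO_DLL_SHA256


def triage_run_values(reg_output: str, program_data: Path) -> List[dict]:
    """One finding per Run value that launches from program_data.

    program_data is the resolved %PROGRAMDATA% directory; it is a parameter so
    the example can be pointed at a scratch tree instead of the live host.
    """
    findings = []
    for name, command in parse_run_values(reg_output).items():
        exe = command_executable(command).replace("%PROGRAMDATA%", str(program_data))
        exe_path = Path(exe.replace("\\", "/"))  # tolerate Windows separators on any OS
        try:
            exe_path.relative_to(program_data)
        except ValueError:
            continue  # not launched from ProgramData: outside this campaign's pattern
        finding = {"value": name, "exe": str(exe_path), "dll_sha256": None, "known_ponteiro": False}
        dll: Optional[Path] = None
        if exe_path.parent.is_dir():
            dll = next((p for p in exe_path.parent.iterdir()
                        if p.name.lower() == SIDELOADED_DLL), None)
        if dll is not None:
            finding["dll_sha256"] = sha256_of(dll)
            finding["known_ponteiro"] = is_known_ponteiro(finding["dll_sha256"])
        findings.append(finding)
    return findings


def build_sample_host() -> Path:
    """Scratch 'ProgramData' holding the four file names from the snapshot (placeholder bytes)."""
    root = Path(tempfile.mkdtemp(prefix="programdata_"))
    for name in ("wima.exe", "vamg.exe", "avutil.dll", "VCRUNTIME140.dll"):
        (root / name).write_bytes(b"placeholder: " + name.encode())
    return root


# Constructed `reg query` output; the value names are assumed, not from the snapshot.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    wima    REG_SZ    %PROGRAMDATA%\wima.exe
    vamg    REG_SZ    %PROGRAMDATA%\vamg.exe
"""


def run_sample() -> List[dict]:
    return triage_run_values(SAMPLE_REG_QUERY, build_sample_host())


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On a live Windows host, feed the function the output of reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run and pass Path(os.environ["PROGRAMDATA"]). A VCRUNTIME140.dll sitting outside the Windows system directories or an application's own install folder deserves a look even when its hash does not match, since the IOC hash covers only this one sample.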

Detecting and mitigating this activity

The campaign followed a high-volume model, so the sending infrastructure was quickly added to RBLs (Real-time Blackhole Lists): the messages hit enough honeypots, spam traps and checks for non-compliant mail servers worldwide to trigger automatic reputation-based blocking.

The key characteristics of the email included:

  • Minimal text content

  • A single, embedded link

While these were straightforward phishing attempts, they were flagged due to our machine learning models, directory path signature matching, and IP reputation services. This incident has prompted a review of brand impersonations within our detection environment, expanding coverage to include additional brands and entities vulnerable to impersonation.

To protect against similar phishing attacks, users and organisations should stay vigilant and apply the following practices:

  • Be cautious of links in unexpected emails: hover over a link to inspect its real destination before clicking, or navigate to the official site directly rather than through the email.

  • Know your organisation's procedures: genuine termination or legal notices follow a process that is normally set out in the employee handbook; if in doubt, confirm with your manager or HR before acting on an unexpected notice.

  • Run regular phishing simulations: they familiarise employees with real-world tactics and what to look out for. Email Security integrates with KnowBe4 for this purpose.

Indicators of compromise

Malicious domains:

  • inboxsender[.]gxsearch[.]club

  • roncluv[.]com

Example malicious links:

  • https://inboxsender[.]gxsearch[.]club/redir19/serial.php

  • https://roncluv[.]com/br3/ywgeidf8wehc874h.php

  • http://102[.]133[.]144[.]251/download/download.phpx

Regular expressions to identify malicious links:

  • ^(http|https):\/\/inboxsender\.gxsearch\.club\/redir\d{1,2}\/serial\.php$

  • ^(http|https):\/\/roncluv\.com\/br[1-9]\/\w+\.php$

  • ^(http|https):\/\/((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}\/download\/download\.phpx$
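The three regular expressions above (also quoted in the delivery and malware deployment sections) are anchored with ^ and $, so applied to a raw log field they miss a URL that carries a query string or an upper-cased host. The following added example, not code from the campaign snapshot or from Cloudflare, reduces each logged URL to scheme://host/path before matching and runs the patterns over a proxy log; the log format and every line in it are constructed for this illustration.

```python
"""Match logged URLs against the campaign's published regular expressions.

Added example, not code from the campaign snapshot. The three patterns are
copied from the snapshot; the proxy log format and sample lines are constructed.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Published patterns, keyed by the stage of the chain each one identifies.
CAMPAIGN_URL_PATTERNS = {
    "phish_redirector": re.compile(
        r"^(http|https):\/\/inboxsender\.gxsearch\.club\/redir\d{1,2}\/serial\.php$"),
    "zip_download": re.compile(
        r"^(http|https):\/\/((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}\/download\/download\.phpx$"),
    "post_install_request": re.compile(
        r"^(http|https):\/\/roncluv\.com\/br[1-9]\/\w+\.php$"),
}


def normalize_url(url: str) -> str:
    """Reduce a URL to lower-cased scheme://host/path.

    The patterns end in $, so a query string, fragment or upper-cased host in
    the logged URL would otherwise defeat them.
    """
    parts = urlsplit(url.strip())
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, "", ""))


def matches_raw(url: str) -> bool:
    """Apply the patterns to the URL exactly as logged (kept for contrast)."""
    return any(p.match(url) for p in CAMPAIGN_URL_PATTERNS.values())


def classify_url(url: str) -> Optional[str]:
    """Return the chain stage a URL belongs to, or None if no pattern matches."""
    candidate = normalize_url(url)
    for stage, pattern in CAMPAIGN_URL_PATTERNS.items():
        if pattern.match(candidate):
            return stage
    return None


# Constructed proxy log: "<timestamp> <client_ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2024-11-21T13:02:11Z 10.0.0.15 GET https://inboxsender.gxsearch.club/redir19/serial.php?utm=mail 302
2024-11-21T13:02:12Z 10.0.0.15 GET https://login.microsoftonline.com/common/oauth2/authorize 200
2024-11-21T13:05:40Z 10.0.0.15 GET http://102.133.144.251/download/download.phpx 200
2024-11-21T13:06:02Z 10.0.0.15 GET HTTPS://RONCLUV.COM/br3/ywgeidf8wehc874h.php 200
2024-11-21T13:06:30Z 10.0.0.22 GET https://roncluv.com/br3/ 404
"""


def scan_proxy_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, url, stage) for each line whose URL matches a pattern."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than abort the scan
        client_ip, url = fields[1], fields[3]
        stage = classify_url(url)
        if stage is not None:
            hits.append((client_ip, url, stage))
    return hits


if __name__ == "__main__":
    for client_ip, url, stage in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client_ip} {stage:<22} {url}")
```

The first sample line would be missed by the raw patterns because of its ?utm=mail suffix, and the fourth because of its upper-cased host; both are caught once normalised. Keep the path case as logged, since the patterns' path components are lower case and the servers behind them are not known to be case-insensitive.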

Malicious email sender addresses:

  • ivamserra@mundivox[.]com[.]br

  • joaoleite@irani[.]com[.]br

  • postmaster@agra[.]wog[.]gr

  • info@uppsalahotelapartments[.]se

Malware:

  • Anexo_24547763.rar: RAR archive containing Processo Trabalhista.vbs
    SHA256: b46caa8445a483d73348a603327e8a5dce5f3b648f8967e4aacfeeffd79fe528

  • Processo Trabalhista.vbs: malicious VBScript
    SHA256: 48f3ecc55fba04c117078e3292f9df8dba5e317795af414b9a9971d3e8079081

  • arquivos.zip: ZIP file containing the Ponteiro malware
    SHA256: e6931b00f4b72be1d86a6ffbd413f04782ddaaaba05524da675ab41758caa46c

  • VCRUNTIME140.dll: Ponteiro
    SHA256: 675ff08390481f5edfe0dbc3243f192ec30045864f0393f96a29fbf7af73a0be

The following benign files were included in arquivos.zip, likely for use in sideloading the malicious DLL VCRUNTIME140.dll:

  • wima.exe: a version of ConvertXToDVD7.exe (Copyright © 2006-2019 VSO Software SARL)
    SHA256: ba4612db8ce37b8e64d163a4c8e236b0ad2ddc223b91383f270924846394bf95

  • vamg.exe: a version of VMware Workstation
    SHA256: 6b6a1479f3d6fab4298374491a51e975148956dd44fb8a3f92c816fc65286c20



About Cloudforce One

Cloudflare’s mission is to help build a better Internet. And a better Internet can only exist with forces of good that detect, disrupt and degrade threat actors who seek to erode trust and bend the Internet for personal or political gain. Enter Cloudforce One – Cloudflare’s dedicated team of world-renowned threat researchers, tasked with publishing threat intelligence to arm security teams with the necessary context to make fast, confident decisions. We identify and defend against attacks with unique insight that no one else has.

The foundation of our visibility is Cloudflare’s global network – one of the largest in the world – which encompasses about 20% of the Internet. Our services are adopted by millions of users across every corner of the Internet, giving us unparalleled visibility into global events – including the most interesting attacks on the Internet. This vantage point allows Cloudforce One to execute real-time reconnaissance, disrupt attacks from the point of launch, and turn intelligence into tactical success.
