Aug 14, 2020
Recently our SOC team received a case to investigate regarding Business Email Compromise, and we have also received numerous complaints about Email Reply Chain attacks. We have been monitoring the Email Reply Chain attack and have concluded that the cyber adversaries are targeting the Business Houses of Nepal, including Banking and Financial Institutions (BFIs), across the nation.
An Email Reply Chain Attack, also known as a “hijacked email reply chain” or “thread hijack spamming”, is a new form of cyber attack in which cyber criminals hijack legitimate email threads in order to insert a phishing email into an existing email conversation, making it hard for the end user to detect.
Every Email Reply Chain attack starts with the compromise of an email account, done via techniques such as credential stuffing or password spraying, or by email account takeover using a password that was dumped in a previous data breach.
After the hacker gains access to the email account, they begin to monitor the email threads and conversations with other parties. They wait for an opportunity to send a malicious attachment or link to one or more of the participants in an ongoing chain of correspondence.
The main goal of a threat actor is to gain internal access to the targeted organization. The threat actor has been using banking trojans such as Gozi and Ursnif. We have also observed that this threat actor is using malicious attachments which ultimately leverage VBScript and PowerShell via Office Macros in order to deliver payloads such as Emotet, Ursnif and other loader or banking trojan malware.
This technique is efficient due to the trust that has already been established between the recipients. The threat actor neither inserts themselves as a new correspondent nor attempts to spoof someone else’s email address. Rather, the attacker sends their malicious email from the genuine account of one of the participants.
Email reply chain attacks are carefully crafted with no language errors, even using the local language, and the credibility gained by inserting a reply into an existing thread means that even the most cautious and well-trained staff are at risk of falling victim to this tactic.
Vairav SOC has received an email sample of an “Email Reply Chain attack” sent from IT Vendors to Business Houses and Banks and Financial Institutions. The email sent from the IT Vendors contains malicious attachments and links which ultimately drop Emotet.
Our team has identified that the involved email account of the IT Vendor was previously listed in a public data breach. We believe that the threat actor took over the email account by using a password that was dumped in that previous data breach.
Vairav SOC received another email sample in which an existing email thread was reused and sent via a spoofed email address. This is the first case of this kind of Email Reply Chain Attack, where the whole email thread was used to send malicious attachments, and even the carbon copy email addresses were used, along with the local language, salutation and official email signature.
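As an added defender-side example (not part of the original post), the following Python triage helper applies the two header-level signals the cases above expose: a reply that carries a macro-capable Office attachment, and, for the spoofed variant, a From domain that disagrees with the Return-Path recorded by the receiving mail server. All addresses, domains and the sample messages are constructed.

```python
"""Added triage example (not from the original post): flag a reply that
carries a macro-capable Office attachment, and, for the spoofed variant,
a From domain that disagrees with the envelope sender (Return-Path).
All header values and sample messages below are constructed."""
import email
from email import policy
from email.utils import parseaddr

# Office formats that can carry VBA macros (the delivery vehicle described above)
MACRO_EXTS = (".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm")

def domain_of(header_value):
    """Lower-cased domain of the first address in a header, '' if none."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(raw):
    """Return a list of finding tags for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # A reply chain is claimed when the message threads onto an earlier one
    is_reply = bool(msg["In-Reply-To"] or msg["References"])
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    if is_reply and any(n.lower().endswith(MACRO_EXTS) for n in names):
        findings.append("office-attachment-in-reply")
    # Spoofed variant: header From does not match the MTA-recorded envelope sender.
    # A genuinely compromised account passes this check, so it is not sufficient alone.
    path_dom = domain_of(msg["Return-Path"])
    if is_reply and path_dom and domain_of(msg["From"]) != path_dom:
        findings.append("from-returnpath-mismatch")
    return findings

def _sample(return_path):
    """Build a constructed 'RE:' message with a .doc attachment."""
    return (
        f"Return-Path: <{return_path}>\n"
        'From: "Accounts" <accounts@vendor.example>\n'
        "To: finance@bank.example\n"
        "Subject: RE: Invoice for July\n"
        "In-Reply-To: <thread-1@bank.example>\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nRevised invoice attached.\n"
        "--b1\nContent-Type: application/msword\n"
        'Content-Disposition: attachment; filename="Invoice_July.doc"\n\n'
        "ZmFrZQ==\n--b1--\n"
    )

HIJACKED_REPLY = _sample("accounts@vendor.example")   # real account, no mismatch
SPOOFED_REPLY = _sample("bounce@mailer.example.net")  # forged From, mismatch
```

In the compromised-account variant only the attachment signal fires, because the message genuinely originates from the vendor's account; that is exactly the limitation the post describes.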
Protect your organization
Since the threat actor has the details of previous email threads and conversations, it can be difficult to identify and detect an Email Reply Chain Attack. However, the following recommendations may help an organization avoid becoming a victim of this type of attack.
Regarding the IOCs, credit goes to our analyst Milan Shrestha.
Hash
doc: 11ad3548130ca9fb621e026a53942fbce3442ed396abee8da53f798ab597434a/
exe: 15ae44667b61cb7e9597406296016eae7aa2791512c329237b197591126ec07b/
C2C URL