{"id":2322,"date":"2024-09-25T17:34:26","date_gmt":"2024-09-25T17:34:26","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2322"},"modified":"2025-07-29T03:35:02","modified_gmt":"2025-07-29T03:35:02","slug":"under-the-hood-of-a-phishing-campaign","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/under-the-hood-of-a-phishing-campaign\/","title":{"rendered":"Under the hood of a phishing campaign"},"content":{"rendered":"
\n
\"\"<\/figure>\n<\/div>\n\n\n

Despite a deep bag of tricks, cyber scammers often fall back on the tried-and-true method of spoofing legitimate emails to trick victims into executing malware. If you\u2019ve ever heard the term \u2018phishing\u2019, that\u2019s what we\u2019re talking about today.

It\u2019s not original, but it is effective.

Check your spam folder now and you\u2019ll have dozens of emails purporting to include tracking numbers from DHL or UPS, the location of hot singles in your area or, as we\u2019ll be looking at today, payment advice from your bank.

All a victim needs to do is click on the links or open the attachments in these emails, and they\u2019ve already lost the battle. Their device is no longer theirs.

Given the prevalence of phishing attacks, today we\u2019re going to unpack one such campaign. Masquerading as payment advice from HSBC, the scammers in this case are dropping the Fareit (aka Pony) Password Stealer. In addition to its \u2018Stealer\u2019 functionality, Fareit can also be used as a Downloader, allowing the attacker to remotely load any other malware on the system. 

A few years ago, Fareit\/Pony<\/a> was used to steal more than $200,000 in bitcoins and more than 700,000 credentials. See? Effective.  

Email Analysis<\/strong>

Before we analyse the malware, let\u2019s take a look at what the potential victim sees \u2013 the email. The campaign\u2019s primary email is said to have been sent from \u201cHSBC BANK Advising Service\u201d by spoofing Mail-id advising.service556421@hsbc.com<\/a> from IP \u2013 198.57.177.246.

So far in this campaign we\u2019ve seen two variants of the HSBC email, one sent from \u2018HSBC BANK Advising Service<\/strong>\u2019 and the other from \u2018HSBC Bank Service<\/strong>\u2019. The Header Info for both is below:

Received: from server.hollandi.com (server.hollandi.com [198.57.177.246])

    for ; Tue, 1 Aug 2017 16:50:44 +1200

Received: from [127.0.0.1] (port=37168 helo=hollandi.com)

    by server.hollandi.com with esmtpa (Exim 4.87)

    (envelope-from ) Tue, 01 Aug 2017 04:34:59 +0000

Content-Type: multipart\/alternative;

Date: Tue, 01 Aug 2017 04:34:57 +0000

From: HSBC BANK Advising Service<\/strong>

To: undisclosed-recipients:;

Subject: \u00a9HSBC Bank Plc… Payment Advice \/ Swift Copy

User-Agent: Roundcube Webmail\/1.1.4

OR<\/strong>

Received: From e-marketing@hsbc.com.hk Wed Jul 26 07:56:07 2017 

Wed, 26 Jul 2017 07:56:07 -0400 

Received: from [198.57.177.246] (helo=server.hollandi.com) 

by mail.victim.example with esmtps (Exim 4.63) 

From: HSBC Bank Service  <\/strong>

 To: undisclosed-recipients:; 

 Subject: Fwd: Wire Transfer

Interestingly, we found the above IP address is being used in multiple simultaneous campaigns \u2013 see the table below:<\/p>\n\n\n\n

Date<\/strong><\/td>   Subject<\/strong><\/td>  IP<\/strong><\/td><\/tr>
03-08-17<\/td>Re: Bank Details Payment, Invoice<\/td>198.57.177.246 – server.hollandi.com<\/td><\/tr>
03-08-17<\/td>FedEx Shipment 784213218998: Delivery scheduled for tomorrow<\/td><\/tr>
01-08-17<\/td>UPS Exception Notification, Tracking Number 1Z36X67E03938098<\/td><\/tr>
01-08-17<\/td>Re: Bank Details Payment, Invoice<\/td><\/tr>
25-07-17<\/td>Fwd: Wire Transfer<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

We ran the IP address through IPVoid and had the below results:  <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n


Image:<\/strong> IP info & Geo location (using IPvoid.com)<\/em>

Below we see the first email sent to potential victms. Note how all the links lead to the same malicious domain.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Image:<\/strong> Bank Account \/ Invoice spoofed mail<\/em>

Here we have the second version of the email. Although the text is different, all links once again lead to the fall of Rome. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Image: <\/strong>Bank Account \/ Invoice spoofed mail<\/em>

Although the links in the above two emails are slightly different, both of them redirect to: hxxps:\/\/web.opendrive.com\/api\/v1\/download\/file.json\/OTJfMzY2OTAzNV8?inline=0

If successful, the following content is downloaded:

Email One:<\/strong> File – Payment & PI Invoice details.z

SHA256 – 6945c30a23c9fe3f58affaa35bfff40317b7eb11c2557a585d0d7f0b35cf03e9

Email Two:<\/strong> File – Payment Swift Copy.jpeg.ace

SHA-256 – 407e12198559a468f711cd2ea480a046fe93632816602238228503b64d44b089

Inside both files we discovered a PE file:

File Name – Payment & PI Invoice details.scr & Payment Swift Copy.jpeg.scr

SHA 256 – 83fb46296b16ba69d8fe662fa0db65284bcc4cafb32bd3cdeb08ee8ca5d31194

We then ran the files through Virus Total, with the following results: 

Only two antivirus (AV) vendors detected the Zip file (SHA-256 – 407e12198559a468f711cd2ea480a046fe93632816602238228503b64d44b089) as malicious.

The AV vendors fared slightly better (13\/57) with the PE file (SHA 256 – 83fb46296b16ba69d8fe662fa0db65284bcc4cafb32bd3cdeb08ee8ca5d31194) although there was no static detection found.

We also saw that the same file has been submitted with multiple different names.

Screenshots of all three results are below: <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Image: <\/strong>Virustotal source for Zip detection<\/em><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Image: <\/strong>Virustotal source for PE detection<\/em><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Image: <\/strong>Virustotal source for PE detection + Internal Info<\/em>

Malware Analysis<\/strong>

As shown below, the malicious file comes with an LNK shortcut ICON, whose original name is \u201cCulpably1.exe\u201d. It is a Microsoft Visual Basic file.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Image: <\/strong>PE file Internal info<\/em>

The malicious file gets copied to the C:\\Users\\\\AppData\\Roaming\\subfolder as \u201cfilename.scr\u201d and the original copy is deleted. Also, the 14439072.bat file is dropped in %temp%.

Additionally, \u201cfilename.vbe\u201d is created in startup, so that the malware executes whenever the system starts up. The command which executes this file is:

 objShell.ShellExecute “C:\\Users\\worker\\AppData\\Roaming\\subfolder\\filename.” & “scr”<\/p>\n\n\n\n

\"\"<\/p>\n\n\n\n

Next, we ran the malware through cuckoo \u2013 an automated analysis engine:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Image: <\/strong>Fareit Behavior – Cuckoo analysis<\/em><\/p>\n\n\n\n

This show us the full functionality: it steals private information from local Internet browsers and collects information to fingerprint the system and read cookies\/browser history. <\/p>\n\n\n\n

Network Activities<\/strong><\/p>\n\n\n\n

Like any malware, a connection must be established in order to receive further instructions and configuration. In this case, it is trying to connect to the CnC server:<\/p>\n\n\n\n

hxxp:\/\/alliedharvast.com\/ramos\/panelnew\/gate.php

\"\" 

Image: <\/strong>Fareit Behavior and CnC connection seen during Cuckoo analysis<\/em>

Finally, it also calls out to:

hxxp:\/\/pornhouse.mobi\/main.php?dir=\/\/Virgin%20Babes%20First%20Sex&start=1&sort=1

\"\"

Image: <\/strong>Network Activity via Wireshark<\/em>

Conclusion<\/strong>

At a passing glance, these emails can look legitimate. Before opening them, however, take a minute to verify the sender\u2019s address. Also, most banks these days will never ask you to send them details via email and, finally, if in doubt you can always call the institution and check. 

A few minutes diligence can save you from having your personal details fall in the hands of attackers who won\u2019t hesitate to milk you dry. 

Another good tip is to configure your email server to block or remove emails that contains file attachments and\/or URLs commonly used to spread threats such as .vbs, .bat, .exe, .pif and .scr files.<\/p>\n","protected":false},"excerpt":{"rendered":"

Despite a deep bag of tricks, cyber scammers often fall back on the tried-and-true method of spoofing legitimate emails to trick victims into executing malware. If you’ve ever heard the term ‘phishing’, that’s what we’re talking about today. It’s not original, but it is effective. Check your spam folder now and you’ll have dozens of […]<\/p>\n","protected":false},"author":1,"featured_media":2343,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2322","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2322","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2322"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2322\/revisions"}],"predecessor-version":[{"id":4246,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2322\/revisions\/4246"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2343"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2322"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2322"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2322"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}