Case #01 - Water Dybbuk Group

Analysis of the Water Dybbuk phishing/malware group and its BEC campaign targeting large companies around the world.

Business Email Compromise (BEC)

Business email compromise (or BEC) is a form of phishing attack where a criminal attempts to trick a senior executive (or budget holder) into transferring funds or revealing sensitive information. The criminals behind BEC send convincing-looking emails that might request unusual payments or contain links to 'dodgy' websites. Some emails may contain viruses disguised as harmless attachments, which are activated when opened. Unlike standard phishing emails that are sent out indiscriminately to millions of people, BEC attacks are crafted to appeal to specific individuals, and can be even harder to detect. BEC is a threat to organisations of all sizes and across all sectors, including non-profit organisations and government. [1]

This attack leveraged an HTML file attached to an email; the file consisted of obfuscated JavaScript. Based on our analysis, we determined this to be a targeted attack, judging both from the features enabled in the JavaScript (JS) and from the PHP code the attackers deployed on the server side.

Like other typical BEC schemes, the initial stage always involves a spear phishing attack on an individual target. The threat actors behind this campaign used a malicious JavaScript attachment (detected by Trend Micro as Trojan.JS.DYBBUK.SMG) that redirects users to a fraudulent Microsoft phishing page. The screenshot below in Figure 1 shows an actual malicious spam used in this attack.

Once the email attachment is opened, the target’s computer reaches out to the command-and-control (C&C) server hosting a BadaxxBot toolkit, which acts as a redirector to the final phishing page. The redirector C&C server can also filter incoming traffic and decide where to send visitors by checking the IP address and user-agent against the intended target. If the criteria do not match the intended victim, visitors are either redirected to a normal website (in this case a Google Search result for “covid”) or shown a 404 page. However, the threat actors can also disable this filtering and simply redirect any visitor to the final phishing page.

The malware attachment is an HTML file that contains malicious, obfuscated JavaScript code. The file includes a hardcoded email address of the target. This can be used in multiple ways, such as validating the target and pre-filling the email address in the login form of the phishing site. Details of how the attack works are explained in a separate section.

The final phishing page uses the open-source framework Evilginx2 for phishing login credentials and session cookies. This toolkit was reported by the Microsoft research team back in July as being used by a group that targeted more than 10,000 organizations in a BEC campaign. However, we didn’t find any links between the Water Dybbuk group and that earlier report. Both the BadaxxBot and Evilginx2 toolkits used by the threat actors in this campaign are explained in more detail in the analysis section.

After a successful phishing attempt, the threat actors log in to their target’s email account, which is then used for BEC schemes such as CEO fraud, bogus invoice schemes, and account compromise.

Technical Analysis

We initially came across this attack in November 2022 for two reasons: the very low detection counts for its malicious attachment, and our access to a machine that was a target of this campaign. Looking back at other similar malware samples that were shared publicly, the tools, tactics, and procedures (TTPs) used in these attacks have been running under the radar since April 2022, based on the earliest shared malware sample.

Using obfuscator.io

For several months, Water Dybbuk succeeded in its malicious spam campaign by evading AV detection with its obfuscated JavaScript malware. We identified that the threat actors behind this campaign use an open-source JavaScript obfuscator tool hosted at https://obfuscator.io/. Several of its options can also be enabled to prevent scripts from being debugged and to make them tougher to reverse-engineer.

How the attack works

The HTML file attached to the malicious spam email contains obfuscated JavaScript code which runs once the file has been opened in a browser. The execution flow of this malware is simple and straightforward. First, it checks whether additional information needs to be validated before the redirect phishing URL is returned to the target victim. The information to be validated includes the IP address and the browser’s user-agent string, which are used for filtering on the server side. Earlier versions of this malware use https://api.ipify.org/ to retrieve the IP address. If IP address checking is not enabled, it proceeds directly to requesting a redirect URL for the phishing page.

To deobfuscate the code you can use the following link: https://lelinhtinh.github.io/de4js/

The HTTP request for the redirect URL also includes the target’s email address. This makes the phishing attempt look legitimate, since the email address is already filled in on the login screen. If any error occurs, or if IP validation does not pass the server-side criteria, a default redirection (typically to a non-malicious URL) is performed to avoid raising suspicion.

The decoded HTML page contains another redirection routine to the actual phishing page. The hardcoded URL for the final phishing page will be clearly readable after deobfuscation.

You can use https://www.urldecoder.org/ for this stage.

IOCS

SHA256

URLs


Paths

/image/Doc.php?inf=[user-agent]&ip=[ip-address]

/image/Doc.php?send=

/image/Doc.php?dom=

/image/Doc.php?update

/Host/Doc.php?inf=[user-agent]&ip=[ip-address]

/Host/Doc.php?send=

/Host/Doc.php?dom=

/Host/Doc.php?update

/index.php?remote

/index.php?inf=[user-agent]&ip=[ip-address]

/index.php?send=

/index.php?dom=

/index.php?tele

/script/Docs.php?remote

/script/Docs.php?inf=[user-agent]&ip=[ip-address]

/script/Docs.php?send=

/script/Docs.php?dom=

/script/Docs.php?tele
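The redirector paths listed above, together with the api.ipify.org lookup described in the "How the attack works" section, give defenders a concrete pattern to hunt for in web proxy logs. The following added example (not code from the report or from the toolkits it describes) flags requests that match the BadaxxBot redirector script names and query parameters, and raises the severity when the same client queried api.ipify.org just beforehand. The log format, host names, and client addresses are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script names and query parameters of the BadaxxBot redirector, taken from the Paths list above.
REDIRECTOR_SCRIPT = re.compile(r"/(?:Doc|Docs|index)\.php$", re.IGNORECASE)
REDIRECTOR_PARAMS = {"inf", "ip", "send", "dom", "update", "remote", "tele"}
IP_LOOKUP_HOST = "api.ipify.org"  # earlier variants use it to learn the victim's public IP

# Constructed sample proxy log (not from the report): "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2022-11-14T09:12:01Z 10.0.0.21 GET https://api.ipify.org/ 200
2022-11-14T09:12:02Z 10.0.0.21 GET https://redirector.example/image/Doc.php?inf=Mozilla%2F5.0&ip=203.0.113.5 200
2022-11-14T09:12:03Z 10.0.0.21 GET https://redirector.example/image/Doc.php?send=cfo%40victim.example 302
2022-11-14T09:15:40Z 10.0.0.22 GET https://www.google.com/search?q=covid 200
2022-11-14T09:16:10Z 10.0.0.23 GET https://intranet.example/index.php?page=home 200
2022-11-14T09:17:00Z 10.0.0.24 GET https://other.example/script/Docs.php?tele 200
"""

def classify_url(url):
    """Return the redirector parameters present in a URL; empty set if it does not look like the redirector."""
    parts = urlsplit(url)
    if not REDIRECTOR_SCRIPT.search(parts.path):
        return set()
    # keep_blank_values so bare flags such as "?update" and "?tele" are seen
    params = set(parse_qs(parts.query, keep_blank_values=True))
    return params & REDIRECTOR_PARAMS

def scan_log(text):
    """Flag redirector requests; severity is 'high' when the same client queried api.ipify.org earlier."""
    hits, saw_ip_lookup = [], set()
    for line in text.splitlines():
        ts, client, _method, url, _status = line.split()
        host = urlsplit(url).hostname or ""
        if host == IP_LOOKUP_HOST:
            saw_ip_lookup.add(client)
            continue
        matched = classify_url(url)
        if matched:
            severity = "high" if client in saw_ip_lookup else "medium"
            hits.append({"time": ts, "client": client, "host": host,
                         "params": sorted(matched), "severity": severity})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Legitimate `index.php?page=...` traffic is not flagged because none of the redirector parameter names are present, which keeps the rule usable on real proxy data.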

Targets

From the malware samples we found, we extracted the target email addresses and found that their profile fits perfectly with the usual target victims of BEC schemes, which are the executives and the finance department of a company. While sifting through our data sources to try and determine the impact of these attacks, we found that the potential target companies had an average annual revenue of approximately US$3.6 billion, with the largest having a revenue of US$70 billion. This shows that while the targets might be spread across the world, the attackers took the time to ensure that the victims were well worth their payouts.

Conclusion

Water Dybbuk is a BEC campaign that targets large companies using commodity malware support tools such as BadaxxBot and Evilginx2. Even though the group uses phishing toolkits that are readily available, it still managed to avoid AV detection via open-source obfuscator tools. The email addresses of the targets are hard-coded into the malware, which adds legitimacy to the phishing attempt upon redirection and also reveals the targeted nature of this campaign. This indicates that the threat actors behind Water Dybbuk can filter specific victims by verifying their email addresses and IP addresses on the C&C server.
