Case #01 - Water Dybbuk Group
Analysis of Dybbuk phishing/malware Group related to BEC campaign targeting large companies around the world.
Last updated
Business email compromise (BEC) is a form of phishing attack where a criminal attempts to trick a senior executive (or budget holder) into transferring funds or revealing sensitive information. The criminals behind BEC send convincing-looking emails that might request unusual payments or contain links to dodgy websites. Some emails may contain viruses disguised as harmless attachments, which are activated when opened. Unlike standard phishing emails that are sent out indiscriminately to millions of people, BEC attacks are crafted to appeal to specific individuals, and can be even harder to detect. BEC is a threat to organisations of all sizes and across all sectors, including non-profit organisations and government.[1]
This attack leveraged an HTML file attachment whose content is obfuscated JavaScript. Based on our analysis, we determined this to be a targeted attack because of some of the features enabled in the JavaScript (JS) and in the PHP code deployed by the attackers on the server side.
Like other typical BEC schemes, the initial stage involves a spear-phishing email sent to an individual target. The threat actors behind this campaign used a malicious JavaScript attachment (detected by Trend Micro as Trojan.JS.DYBBUK.SMG) that redirects users to a fraudulent Microsoft phishing page. Figure 1 shows an actual malicious spam email used in this attack.
Once the email attachment is opened, the target's computer reaches out to the command-and-control (C&C) server hosting a BadaxxBot toolkit, which acts as a redirector to the final phishing page. The redirector can also filter incoming traffic by checking the visitor's IP address and user-agent string against those of the intended target. If the criteria do not match, visitors are either redirected to a normal website (in this case a Google Search result for "covid") or shown a 404 page. However, this filtering can also be skipped by the threat actors, who can simply redirect any visitor to the final phishing page.
The malicious attachment is an HTML file that contains obfuscated JavaScript code. The file includes the hardcoded email address of the target, which can be used in multiple ways, such as validating the target and pre-filling the email field on the phishing site's login form. Details of how the attack works are explained in a separate section.
The final phishing page uses the open-source framework Evilginx2 to phish login credentials and session cookies. Evilginx2 is an adversary-in-the-middle reverse proxy: it relays the victim's real login to the legitimate site and captures the resulting session cookie, so a stolen session works even when MFA is enabled. Microsoft's research team reported in July 2022 on a group using this toolkit that targeted more than 10,000 organizations for BEC. However, we did not find any links between the Water Dybbuk group and that earlier report. Both the BadaxxBot and Evilginx2 toolkits used by the threat actors in this campaign are explained in more detail in the analysis section.
After a successful phishing attempt, the threat actors log in to the target's email account, which is then used for BEC schemes such as CEO fraud, bogus invoice schemes, and account compromise.
We initially came across this attack in November 2022, primarily because of the very low detection counts for its malicious attachment, and second because we had access to a machine that was a target of this campaign. Looking back at other similar malware samples shared publicly, the tools, tactics, and procedures (TTPs) used in these attacks have been running under the radar since April 2022, based on the earliest shared malware sample.
For several months, Water Dybbuk had been successful in its malicious spam campaign, evading AV detection with its obfuscated JavaScript malware. We identified that the threat actors behind this campaign use the open-source JavaScript Obfuscator tool hosted at https://obfuscator.io/. Several of its options (for example, debug protection and self-defending code) can also be enabled to prevent scripts from being debugged and to make them tougher to reverse-engineer.
The HTML file attached to the malicious spam email contains obfuscated JavaScript code that runs once the file is opened in a browser. The execution flow of this malware is simple and straightforward. First, it checks whether additional information needs to be validated before the redirect phishing URL is returned to the target. The information to be validated is the victim's public IP address and the browser's user-agent string, which are used for filtering on the server side. Earlier versions of this malware use https://api.ipify.org/ to retrieve the public IP address. If IP address checking is not enabled, it proceeds directly to requesting a redirect URL for the phishing page.
To deobfuscate the code you can use the following tool: https://lelinhtinh.github.io/de4js/
The HTTP request for the redirect URL also includes the target's email address. This makes the phishing attempt look legitimate, since the email address is already filled in on the login screen. If any error occurs, or if IP validation does not pass the server-side criteria, a default redirection (typically to a non-malicious URL) is performed to avoid raising suspicion.
The decoded HTML page contains another redirection routine to the actual phishing page. The hardcoded URL of the final phishing page is stored URL-encoded and becomes clearly readable once that second layer is decoded.
You can use https://www.urldecoder.org/ for this stage.
Malicious attachments (SHA256 / Trend Micro detection name):
0a675c12abfbbf4b52f8107984b71a086d9be7cb7f2a49e5519a7551d64921a9  Trojan.JS.DYBBUK.SMG
dd3ad3c70c541b3d6a9605a133bdab94131e2e6d45544cb963e326ea5ad75ed4  Trojan.JS.DYBBUK.SMG
d5bd8eaab6f30df025e316737a66dd38345059bfdb52e90dd51fd9ed68ff271c  Trojan.JS.DYBBUK.SMG
4d10145fa799faefd4dc158b2341c32263f2c6b40a06b728007d487bb890cd5d  Trojan.JS.DYBBUK.SMG
5b1b94228cf9865379f5870382d9a0d184e9e7399da1328c62880efbeb90e412  Trojan.JS.DYBBUK.SMG
99c2fb920882d220fe3d025f58fc802bdd5d9c43b678d780399d2f6e122eae3d  Trojan.JS.DYBBUK.SMG
9dccc64bb5e446e462a3fae06b02fcef5b56614bd6cf6509ed1061ca7a532dd8  Trojan.JS.DYBBUK.SMG
1a6c6fa7cd638efab21e4157fe7619aab638766b0015e1c89dfda0792c1e979d  Trojan.JS.DYBBUK.SMG
538ee877eec06d52004a0ec3295ec276e46d7a5f195323d1d4140e66fbe2489b  Trojan.JS.DYBBUK.SMG
522f4fc4c44740682a497b1f1247f117a7b9371f56c3cbf2901ce37791fc983e  Trojan.JS.DYBBUK.SMG
99166815befe8c801881fc94e294672cd176f7314b854276453e14a9f5c9464f  Trojan.JS.DYBBUK.SMG
6ffa1f793b508b7943418baeea16cef880f4509301857657c20c7b18bd42777f  Trojan.JS.DYBBUK.SMG
989c920295e820ac73ff86f47f01cb85d4367ed2d665f77595a80243312114a1  Trojan.JS.DYBBUK.SMG
Domains:
agrexlnc.com
redirectorfile.azurewebsites.net
authentificationservicetoken.azurewebsites.net
eddingtonmaine.gov
amarugujarat.com
ccts-jinkkingdatasets.gq
quotaupgradededicated.com
ccts-jinkkingdatasets.cf
dentzelofficefilenow.com
89743677348987793490832904.xyz
redglightks.org
gotrights.de
diabetesandlifecare.com
3dsolutlon.com
invoiceauthenticatitionvalidatysession.live
saferboxissueresolver.com
inv[.]remitance-outbound.org
edgememblognservc.com
memblognservcinsight.com
loginonlineout.com
738267872.azurefd.net
C&C URL paths:
/image/Doc.php?inf=[user-agent]&ip=[ip-address]
/image/Doc.php?send=
/image/Doc.php?dom=
/image/Doc.php?update
/Host/Doc.php?inf=[user-agent]&ip=[ip-address]
/Host/Doc.php?send=
/Host/Doc.php?dom=
/Host/Doc.php?update
/index.php?remote
/index.php?inf=[user-agent]&ip=[ip-address]
/index.php?send=
/index.php?dom=
/index.php?tele
/script/Docs.php?remote
/script/Docs.php?inf=[user-agent]&ip=[ip-address]
/script/Docs.php?send=
/script/Docs.php?dom=
/script/Docs.php?tele
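The C&C path list above, together with the redirector behaviour described earlier (the client fetches its public IP from api.ipify.org, then calls the redirector with `inf=[user-agent]&ip=[ip-address]`), gives a network-side detection that does not depend on the attachment being caught. The following is an added example for this page, not a Trend Micro detection rule: it runs over a constructed proxy log (timestamp, client IP, method, URL, status), flags requests whose script name and query keys match the listed paths, flags hits on a handful of the domains above, and raises severity when the same client queried api.ipify.org within the preceding minute. The redirector host c2.example.invalid and the assignment of loginonlineout.com to the final phishing page are assumptions made for the sample; the page does not state which domain served which role.

```python
"""Proxy-log detection for Water Dybbuk redirector traffic (added example)."""
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log, not real traffic: "timestamp client method url status".
SAMPLE_LOG = """\
2022-11-14T09:12:01Z 10.1.5.23 GET https://api.ipify.org/ 200
2022-11-14T09:12:03Z 10.1.5.23 GET https://c2.example.invalid/image/Doc.php?inf=Mozilla%2F5.0%20(Windows%20NT%2010.0)&ip=198.51.100.7 200
2022-11-14T09:12:04Z 10.1.5.23 GET https://c2.example.invalid/image/Doc.php?send=cfo%40example.com 200
2022-11-14T09:12:06Z 10.1.5.23 GET https://www.google.com/search?q=covid 200
2022-11-14T09:12:07Z 10.1.5.23 GET https://loginonlineout.com/common/oauth2/v2.0/authorize 200
2022-11-14T09:30:00Z 10.1.7.9 GET https://api.ipify.org/ 200
2022-11-14T10:45:12Z 10.1.7.9 GET https://intranet.example.com/index.php?page=home 200
"""

C2_SCRIPTS = {"doc.php", "docs.php", "index.php"}          # script names from the path list
C2_PARAMS = {"inf", "ip", "send", "dom", "update", "remote", "tele"}  # query keys from the list
# Subset of the domains listed above; extend with the full list in production.
IOC_DOMAINS = {"quotaupgradededicated.com", "redirectorfile.azurewebsites.net", "loginonlineout.com"}
IPIFY_HOST = "api.ipify.org"
CORRELATION_WINDOW = timedelta(seconds=60)   # assumption: ipify lookup precedes the C&C call closely


def parse_line(line):
    ts, client, method, url, status = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "method": method, "url": url, "status": int(status)}


def looks_like_redirector_call(url):
    """True when the script name is Doc.php/Docs.php/index.php and every query key is one
    the redirector uses (bare keys such as ?update or ?remote count). index.php with any
    other key, e.g. ?page=home, does not match, which keeps ordinary sites out."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1].lower()
    if script not in C2_SCRIPTS:
        return False
    keys = set(parse_qs(parts.query, keep_blank_values=True))
    return bool(keys) and keys <= C2_PARAMS


def detect(log_text):
    """Return alerts (one per suspicious request) ordered by time."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    last_ipify = {}   # client -> time of its most recent api.ipify.org request
    alerts = []
    for ev in events:
        host = urlsplit(ev["url"]).hostname or ""
        if host == IPIFY_HOST:
            last_ipify[ev["client"]] = ev["ts"]   # benign on its own; remembered for correlation
            continue
        reasons = []
        if looks_like_redirector_call(ev["url"]):
            reasons.append("c2_query_pattern")
        if host in IOC_DOMAINS:
            reasons.append("known_ioc_domain")
        if not reasons:
            continue
        seen = last_ipify.get(ev["client"])
        if seen is not None and timedelta(0) <= ev["ts"] - seen <= CORRELATION_WINDOW:
            reasons.append("ipify_lookup_preceded")
        alerts.append({"client": ev["client"], "ts": ev["ts"].isoformat(), "url": ev["url"],
                       "severity": "high" if "ipify_lookup_preceded" in reasons else "medium",
                       "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["severity"], a["client"], a["url"], a["reasons"])
```

The `inf=` value is the victim's own user-agent string, URL-encoded into the query, which is an unusual shape for legitimate traffic and a good pivot on its own; the ipify correlation mainly serves to separate these hits from unrelated scripts that happen to use the same file names.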
From the malware samples we found, we extracted the target email addresses and found that their profile fits the usual victims of BEC schemes: executives and finance department staff. While sifting through our data sources to determine the impact of these attacks, we found that the potential target companies had an average annual revenue of approximately US$3.6 billion, with the largest having a revenue of US$70 billion. This shows that while the targets are spread across the world, the attackers took the time to ensure that the victims were well worth their payouts.
Water Dybbuk is a BEC campaign that targets large companies using commodity support tools such as BadaxxBot and Evilginx2. Even though the group uses phishing toolkits that are readily available, it still managed to avoid AV detection by running its JavaScript through an open-source obfuscator. The email addresses of the targets are hard-coded into the malware, which adds legitimacy to the phishing page upon redirection and also reveals the targeted nature of this campaign. It also indicates that the threat actors behind Water Dybbuk can filter specific victims by verifying their email addresses and IP addresses on the C&C server.