Fake Complaint Letter from American Spirits Company Leads to JSSLoader
![Magnifying glass over Brown-Forman webpage](/sites/default/files/styles/resource_image/public/2021-06/SpiritsJSSLoader-Main-blog-image%20%281%29.jpg?itok=mdO12KWu)
Digital attackers used a fake letter of complaint from an American-owned spirits company to target recipients with JSSLoader malware.
A Look at the Phishing Email
In early June, the Zix | AppRiver team flagged a malicious email that appeared to come from the Brown-Forman Corporation.
The email arrived with the subject line "Letter of complaint – Brown-Forman Corporation." The creators of the campaign also spoofed the sender so that the message appeared to come from Charlie Scholtz, vice president and associate general counsel at the spirits and wine company.
To lend the email additional legitimacy, the attackers used branding stolen from the company and included Brown-Forman's contact information. They got everything right, even the corporation's main telephone number and fax line.
![Screenshot of the attack email. (Source: Zix | AppRiver)](/sites/default/files/2021-06/brown-forman1.jpg)
The "letter of complaint" didn't come with any actual message text. It arrived only with a button that invited the recipient to view a "confidential communication."
Hovering over the button revealed the link "https://bank4america[dot]com/brown_forman." According to Maltiverse, someone first registered the domain "bank4america[dot]com" on March 12, 2021. About three months later, the IOC analysis service flagged "https://bank4america[dot]com/brown_forman" as malicious.
![Screenshot of Maltiverse's results for the embedded button's domain, as of June 23, 2021.](/sites/default/files/2021-06/brown-forman2.jpg.png)
Troy Gill, manager of security research and senior security researcher at Zix | AppRiver, explained what happened if the recipient decided to click on the link.
"If the user proceeds, they were redirected from the original payload link to a site that was typosquatting Brown-Forman (Browm-Forman[.]com)," he said. "This site contained a page with a 'Show complaint' button linked to a .xlsb file (Excel with binary workbook) which drops their JSSLoader remote access trojan."
![Screenshot of the typosquatting domain for Brown-Forman. (Source: Zix | AppRiver)](/sites/default/files/2021-06/brown-forman3.jpg)
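The two checks that catch this lure before anyone clicks are mechanical: does the domain behind every link match the domain the message claims to come from, and is any link domain a small edit away from a brand the organization cares about? The Python below is an added example, not code from the original article or from Zix | AppRiver's products. The raw message, the sender address `charlie.scholtz@brown-forman.com`, and the protected-domain list (which adds `bankofamerica.com` as the brand `bank4america` imitates) are constructed for the demonstration; the button URL and the `Browm-Forman` landing domain are the ones reported above. The registrable-domain helper keeps the last two labels, a simplification that production code should replace with a Public Suffix List lookup.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the From address is an assumption, the link is the one seen in the campaign.
SAMPLE_EMAIL = """\
From: "Charlie Scholtz" <charlie.scholtz@brown-forman.com>
To: recipient@example.com
Subject: Letter of complaint - Brown-Forman Corporation
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p><a href="https://bank4america.com/brown_forman">View confidential communication</a></p>
<p>Contact us: <a href="https://www.brown-forman.com/contact">brown-forman.com</a></p>
</body></html>
"""

# Assumed list of brands worth protecting against lookalike domains.
PROTECTED_DOMAINS = ("brown-forman.com", "bankofamerica.com")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def registrable_domain(host: str) -> str:
    """Last two DNS labels; a simplification of a Public Suffix List lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, brands) -> list:
    """Brands within two edits of `domain` (distance 0 is the brand itself, so excluded)."""
    hits = []
    for brand in brands:
        d = levenshtein(domain, brand)
        if 0 < d <= 2:
            hits.append((brand, d))
    return hits


def analyze_links(raw_message: str, brands) -> list:
    """Flag links whose domain differs from the sender's or imitates a protected brand."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender_domain = registrable_domain(parseaddr(str(msg["From"]))[1].rpartition("@")[2])
    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    findings = []
    for href, text in collector.links:
        dom = registrable_domain(urlparse(href).hostname or "")
        reasons = []
        if dom != sender_domain:
            reasons.append(f"link domain {dom} does not match sender domain {sender_domain}")
        for brand, d in lookalike_of(dom, brands):
            reasons.append(f"{dom} is within edit distance {d} of protected brand {brand}")
        findings.append({"href": href, "text": text, "domain": dom, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_EMAIL, PROTECTED_DOMAINS):
        print(finding["href"], "->", finding["reasons"] or "ok")
    # The second-stage landing domain from the campaign, checked the same way.
    print("browm-forman.com ->", lookalike_of("browm-forman.com", PROTECTED_DOMAINS))
```

Run as a script it reports the `bank4america.com` button as both a sender mismatch and a two-edit lookalike of `bankofamerica.com`, leaves the genuine `brown-forman.com` contact link alone, and shows `browm-forman.com` sitting one edit from the real brand. The same `lookalike_of` check applied to a redirect chain's final host catches the typosquatted landing page even when the first link is a throwaway domain.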
An Overview of JSSLoader's Evolution
A separate analysis of a JSSLoader sample discovered during an investigation in mid-December 2020 found that the remote access tool (RAT) began by creating a unique ID for the victim based on the serial name, domain name, and computer name. That identifier tagged the machine in everything the RAT did next, which included the following:
- Anti-debugging: JSSLoader used a "TickCount" timing check to detect whether it was being stepped through in a debugger on the infected machine.
- Exfiltration: The RAT gathered the username, Active Directory information, and seven other pieces of host data. It then base64-encoded the data and sent it to its command-and-control (C&C) server at a preconfigured URL.
- Persistence: To survive a reboot, the malware used the COM IShellLink interface to create a shortcut (LNK) in the Startup directory that pointed to its executable.
- Execution: Once persistent, JSSLoader polled the same domain it had exfiltrated data to, waiting for a base64-encoded command string returned in response to a GET request. The command could instruct it to execute a PowerShell command in memory, write and execute a DLL, or update itself, among other actions.
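The persistence step above leaves an artifact a defender can check for without any vendor tooling: a .lnk file in a Startup folder whose target is an executable in a user-writable location. The Python below is an added example, not code from the original article or from the JSSLoader analysis it summarizes. It parses the Windows shell link format directly (header, LinkInfo, StringData per MS-SHLLINK), extracts the target path and command-line arguments, and flags Startup shortcuts that point into AppData, Temp, Public or Downloads, or that launch a script host with encoded arguments. The `build_lnk` helper and the target path `C:\Users\victim\AppData\Roaming\Updater\update.exe` are constructed so the example runs offline; the page does not name JSSLoader's dropped file.

```python
import os
import struct

# Constants from the MS-SHLLINK specification.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))  # in on-disk order
HAS_ARGUMENTS = 0x20

# Assumed heuristics: locations an unprivileged user can write to, and script hosts.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\", "\\programdata\\")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe")


def parse_lnk(data: bytes) -> dict:
    """Return the local target path and StringData fields of a .lnk file."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList; LinkInfo carries the path
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    result = {"target": None}
    if flags & HAS_LINK_INFO:
        info_size, _hdr, info_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if info_flags & 0x1:                     # VolumeIDAndLocalBasePath present
            start = pos + base_off               # null-terminated ANSI LocalBasePath
            result["target"] = data[start:data.index(b"\x00", start)].decode("cp1252")
        pos += info_size
    for flag, name in STRING_FIELDS:             # CountCharacters + chars, no terminator
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            result[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return result


def suspicious_reasons(lnk: dict) -> list:
    """Reasons a Startup shortcut deserves a look; empty list means nothing stood out."""
    target = (lnk.get("target") or "").lower()
    args = (lnk.get("arguments") or "").lower()
    reasons = []
    if any(marker in target for marker in USER_WRITABLE):
        reasons.append("target lives in a user-writable directory")
    if target.endswith(SCRIPT_HOSTS) and args:
        reasons.append("target is a script host launched with arguments")
    if "-enc" in args or "frombase64string" in args or "downloadstring" in args:
        reasons.append("arguments contain encoded or download-and-execute PowerShell")
    return reasons


def startup_folders() -> list:
    """Per-user and all-users Startup folders, as far as the environment reveals them."""
    out = []
    for env, sub in (("APPDATA", r"Microsoft\Windows\Start Menu\Programs\Startup"),
                     ("PROGRAMDATA", r"Microsoft\Windows\Start Menu\Programs\StartUp")):
        if os.environ.get(env):
            out.append(os.path.join(os.environ[env], sub))
    return out


def scan_startup_folders() -> list:
    """Parse every .lnk in the Startup folders; return (path, target, reasons) for suspicious ones."""
    findings = []
    for folder in startup_folders():
        if not os.path.isdir(folder):
            continue
        for name in os.listdir(folder):
            if not name.lower().endswith(".lnk"):
                continue
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                try:
                    lnk = parse_lnk(fh.read())
                except ValueError:
                    continue
            reasons = suspicious_reasons(lnk)
            if reasons:
                findings.append((path, lnk.get("target"), reasons))
    return findings


def build_lnk(target: str, arguments: str = "") -> bytes:
    """Test helper only: a minimal .lnk with LinkInfo and optional arguments.
    Real shortcuts (including the malware's) are written by the shell via IShellLink."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags).ljust(0x4C, b"\x00")
    volume_id = struct.pack("<IIII", 17, 3, 0, 16) + b"\x00"       # DRIVE_FIXED, empty label
    base_path = target.encode("cp1252") + b"\x00"
    base_off = 28 + len(volume_id)
    info_size = base_off + len(base_path) + 1                        # + empty CommonPathSuffix
    link_info = struct.pack("<IIIIIII", info_size, 28, 1, 28, base_off, 0,
                            base_off + len(base_path)) + volume_id + base_path + b"\x00"
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le") if arguments else b""
    return header + link_info + string_data + b"\x00\x00\x00\x00"    # terminal ExtraData block


if __name__ == "__main__":
    demo = parse_lnk(build_lnk(r"C:\Users\victim\AppData\Roaming\Updater\update.exe"))
    print(demo["target"], suspicious_reasons(demo))
    for path, target, reasons in scan_startup_folders():
        print(path, "->", target, reasons)
```

Parsing the bytes rather than asking the shell to resolve the shortcut matters in two situations: on a machine you are triaging offline, and when the shortcut's IDList has been crafted to resolve differently from what the LinkInfo path says. Run on a live Windows host, `scan_startup_folders` reads whatever the `APPDATA` and `PROGRAMDATA` environment variables point to; on any other system it simply returns an empty list.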
Defending Against Spirited Email Scams
The scam discussed above highlights the need for organizations to defend themselves against email-borne malware. One way to do this is to invest in an email security solution that scans incoming messages for campaign patterns, malware signatures, sender IP addresses, and other threat behaviors, and that performs this analysis in real time so that legitimate correspondence still reaches its intended recipients without delay.