The Threat Intelligence team at SecurityScorecard has uncovered an active and evolving phishing campaign targeting Japan. The phishing emails masquerade as account verification correspondence for both Amazon and Apple. The actor is utilizing Pushdo infection footholds to deploy a Cutwail module that is responsible for distributing these fake Amazon and Apple emails. The relationship between Pushdo and Cutwail is well documented by the malware research community; however, this phishing campaign specifically targeting Japan has not yet been reported.
The reverse engineering of Pushdo and Cutwail’s respective communication protocols has enabled SecurityScorecard researchers to mimic the behavior of an infected machine calling back “home” for tasking and updates. On January 23, 2019, researchers began observing a series of phishing email templates and lists of Japanese email recipients being deployed to infected machines. An infected device would act upon these instructions and programmatically send phishing emails to the intended recipients.
We observed the following fraudulent Apple and Amazon email templates over this 30-day period:
[Email template 1: Japanese original, image not reproduced]
Translated to English: [image not reproduced]
[Email template 2: Japanese original, image not reproduced]
Translated to English: [image not reproduced]
(Please note the translation to English was only done for this report and the researchers’ context. The translation was completed using Google Translate.)
The phishing link that an unsuspecting user would most likely click changed over time and included the following domain names:
- warnning-safety-service-appleid-apple[.]com (sic)
- verify-waitting-redirect[.]com (sic)
- resetting-service-support-amazon[.]net
- resetting-warnning-support-amazon[.]net (sic)
- reset-waitting-redirect[.]com (sic)
These sites, which are now unreachable at these URLs, would attempt to steal your credentials for Amazon or Apple, in this instance, or insist that you download and install malicious software. Phishing is certainly not a new attack vector, but it remains one of the most consistently successful vectors for attack and exploitation at scale.
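The indicator domains above are the kind of thing a mail gateway or SIEM should match on, and the misspelled brand names (“warnning”, “waitting”) are the kind of lookalike a heuristic can catch before the next domain is registered. The following is an added example, not SecurityScorecard’s own tooling: it refangs the listed domains, scans constructed gateway log lines for URLs, flags exact indicator matches, and flags hostnames that contain a brand name but fall outside an illustrative allowlist of that brand’s real domains. The log lines, the allowlist and the `.example` domains are all constructed for the demonstration.

```python
"""Flag phishing URLs in mail-gateway log lines against the indicator list from this
report, with a brand-in-hostname heuristic for lookalike domains. Added example, not
SecurityScorecard's own tooling; the log lines and allowlist below are constructed."""
import re
from urllib.parse import urlsplit

# Indicator domains exactly as listed in the report (defanged with "[.]").
IOC_DOMAINS_DEFANGED = [
    "warnning-safety-service-appleid-apple[.]com",
    "verify-waitting-redirect[.]com",
    "resetting-service-support-amazon[.]net",
    "resetting-warnning-support-amazon[.]net",
    "reset-waitting-redirect[.]com",
]


def refang(domain):
    """Turn a defanged indicator back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Brands impersonated in the campaign and domains they legitimately use.
# Illustrative allowlist (constructed); extend it from your own mail telemetry.
BRAND_ALLOWLIST = {
    "apple": {"apple.com", "icloud.com"},
    "amazon": {"amazon.com", "amazon.co.jp"},
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registrable_domain(host):
    """Crude eTLD+1: treats two-label country suffixes such as co.jp as the TLD.
    A production deployment should use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "ne", "or", "ac") and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_host(host):
    """'ioc-match' for a listed domain, 'brand-lookalike:<brand>' when a brand name
    appears in a hostname outside that brand's allowlist, otherwise 'clean'."""
    rd = registrable_domain(host)
    if rd in IOC_DOMAINS:
        return "ioc-match"
    for brand, allowed in BRAND_ALLOWLIST.items():
        if brand in host.lower() and rd not in allowed:
            return "brand-lookalike:" + brand
    return "clean"


def scan_log(lines):
    """Return (hostname, verdict) for every non-clean URL found in the lines."""
    hits = []
    for line in lines:
        for url in URL_RE.findall(line):
            host = urlsplit(url).hostname
            if host:
                verdict = classify_host(host)
                if verdict != "clean":
                    hits.append((host, verdict))
    return hits


# Constructed gateway log lines standing in for real mail telemetry.
SAMPLE_LOG = [
    'msg-1 from=noreply@photo-studio.example subject="Apple ID" url=http://warnning-safety-service-appleid-apple.com/verify',
    'msg-2 from=info@realty-agency.example subject="Amazon" url=https://resetting-service-support-amazon.net/login',
    "msg-3 from=order@amazon.co.jp url=https://www.amazon.co.jp/gp/css/order-history",
    "msg-4 from=news@example.org url=https://appleid-secure-login.example/reset",
    "msg-5 from=it@corp.example url=https://intranet.corp.example/",
]

if __name__ == "__main__":
    for host, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:28} {host}")
```

The brand heuristic is deliberately broad: any hostname containing “apple” outside the allowlist is flagged, so a legitimate unrelated domain such as one containing “pineapple” would be a false positive. Treat it as a triage signal to combine with the exact indicator match and with sender authentication results, not as a block rule on its own.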
It also appears the threat actors were exploiting the poor email security hygiene of several domains so that the phishing campaign appeared to originate from specific companies’ domains. Using domains with poor email security controls reduces the chance that the recipients’ email servers automatically mark these phishing emails as spam. Additionally, the threat actors operate several fake websites designed to look like photography or real estate websites from which phishing emails can originate. It is important to note that the malware is able to programmatically update this list of originator domains.
Of special interest, the symmetric key used to encrypt the Cutwail C2 communication protocol was found to be “eto ochen prostoarelkioiqyrut”. Its beginning, “eto ochen prosto”, is transliterated Russian for “this is very simple”, which potentially points to a Russian origin for the phishing campaign.
SecurityScorecard malware sinkholes receive over 200 thousand intercepted Cutwail callbacks per day, indicating a significant footprint of infected machines. Continually updated, modern endpoint antivirus software is a necessary tool to reduce your risk of a Pushdo/Cutwail infection. Additionally, to keep your company’s domains from being used as the apparent originator of spam or phishing, verify that your email security is valid using SPF, DKIM, and/or DMARC. SecurityScorecard identifies tens of thousands of domains per day that would be vulnerable to such an attack.
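The “poor email security hygiene” that lets a domain be used as a phishing originator comes down to what its SPF and DMARC records say. As an added example that is not SecurityScorecard’s own code, the script below rates a domain from its TXT records: it reads the qualifier of the SPF `all` mechanism (whether unauthorized senders fail, softfail, or pass) and the DMARC `p=` policy, then reports whether the domain is effectively spoofable, weakly protected, or protected. The `.example` domains and their records are constructed; `lookup_txt()` stands in for a real resolver query. DKIM is not evaluated here because verifying it requires knowing the sending selector.

```python
"""Rate a domain's SPF and DMARC posture: could a third party send mail that appears
to come from it without receivers rejecting it? Added example, not SecurityScorecard's
own tooling; the TXT records below are constructed and stand in for a live DNS lookup."""
import re

# Constructed DNS TXT answers keyed by query name. Replace lookup_txt() with a real
# resolver (e.g. dnspython's dns.resolver.resolve(name, "TXT")) for live checks.
SAMPLE_TXT_RECORDS = {
    "photo-studio.example": [],                       # no SPF at all
    "realty-agency.example": ["v=spf1 +all"],         # SPF that authorizes everyone
    "shop.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.shop.example": ["v=DMARC1; p=none; rua=mailto:dmarc@shop.example"],
    "bank.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.bank.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@bank.example"],
}

ENFORCING_DMARC = {"reject", "quarantine"}


def lookup_txt(name, records=None):
    """Return the TXT strings published at name (from the constructed table by default)."""
    table = SAMPLE_TXT_RECORDS if records is None else records
    return table.get(name, [])


def spf_default_qualifier(domain, records=None):
    """Qualifier of the SPF 'all' mechanism: '-' (fail), '~' (softfail), '?' (neutral),
    '+' (pass). Returns None with no record, 'permerror' for duplicate records, and
    'no-all' when the record has no catch-all (unmatched senders are then neutral)."""
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return None
    if len(spf) > 1:  # RFC 7208 section 4.5: more than one SPF record is a permerror
        return "permerror"
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # an unqualified mechanism means "+"
    return "no-all"


def dmarc_policy(domain, records=None):
    """Value of the DMARC p= tag (lowercased), or None when no DMARC record exists."""
    recs = [r for r in lookup_txt("_dmarc." + domain, records)
            if r.lower().startswith("v=dmarc1")]
    if not recs:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("p")


def assess(domain, records=None):
    """Return (verdict, findings). 'protected' needs SPF -all plus an enforcing DMARC
    policy; 'spoofable' means neither mechanism would cause unauthorized mail to be
    rejected; anything in between is 'weak'."""
    findings = []
    spf = spf_default_qualifier(domain, records)
    dmarc = dmarc_policy(domain, records)
    if spf is None:
        findings.append("no SPF record")
    elif spf == "permerror":
        findings.append("multiple SPF records (permerror)")
    elif spf in ("+", "?", "no-all"):
        findings.append("SPF never fails unauthorized senders (%s)" % spf)
    elif spf == "~":
        findings.append("SPF softfail only (~all)")
    if dmarc is None:
        findings.append("no DMARC record")
    elif dmarc not in ENFORCING_DMARC:
        findings.append("DMARC p=%s (monitor only)" % dmarc)
    spf_fails = spf in ("-", "~")
    if spf == "-" and dmarc in ENFORCING_DMARC:
        verdict = "protected"
    elif not spf_fails and dmarc not in ENFORCING_DMARC:
        verdict = "spoofable"
    else:
        verdict = "weak"
    return verdict, findings


if __name__ == "__main__":
    for d in ("photo-studio.example", "realty-agency.example", "shop.example", "bank.example"):
        print(d, *assess(d))
```

A domain with no SPF record and no DMARC record, like the photography site in the constructed data, scores “spoofable”: nothing it publishes gives a receiving server a reason to reject mail that claims to come from it, which is exactly the condition the campaign takes advantage of. Moving to `-all` and `p=reject` (after a monitoring period on `p=none` to confirm legitimate senders are covered) is what turns that into “protected”.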