Novel Email-Based Campaign Targets Bloomberg Clients with RATs

Attacks dubbed ‘Fajan’ by researchers are specifically targeted and appear to be testing various threat techniques to find ones with the greatest impact.

A new email-based campaign by an emerging threat actor aims to spread various remote access trojans (RATs) to a very specific group of targets who use Bloomberg’s industry-based services.

Cisco Talos Intelligence researchers discovered the campaign, dubbing it and its perpetrator “Fajan,” and asserting it is likely the work of one actor from an Arabic-speaking country.

Researchers have been tracking the email based campaign since Fajan first commenced activity in March, recovering a “relatively low volume” of samples that make it tricky to determine “whether the campaigns are carefully targeted or mass-spammed,” according to a report posted online Wednesday.

Attacks start in the form of what look like targeted emails to clients of Bloomberg BNA, which has since been rebranded Bloomberg Industry Group. The wholly owned subsidiary of Bloomberg LLC aggregates news content in platforms for various industries such as law, tax and accounting, and government and sells them to clients.

“We believe this is the first time anyone’s documented Fajan’s operations in one place,” Cisco Talos researcher Vanja Svajcer wrote in the report.

The emails claim to contain an invoice for clients but instead include an attached Excel spreadsheet that contains macro code to either download the next infection stage or drop and run the final payload, which is always a JavaScript- or VB-based RAT “that allows the attacker to take control over the infected system using HTTP over a non-standard TCP port,” he wrote.

“The attachment name always contains some form of the Bloomberg BNA Invoice name combined with a random number specific for a particular campaign,” Svajcer explained. “Some early examples of campaign email messages contain a second attachment containing a copy of the email body text as a clean RTF file.”

One curious aspect of the campaign is that its scope is small most likely because the threat actor aims to hone his or her skills to develop more successful attacks in the future, Svajcer said. “Actors behind Fajan campaign are actively maintaining and developing functionality to make the attacks more successful,” he said.

Moreover, the use of RATs as payloads indicates that the objective of Fajan is likely surveillance and data exfiltration. Command and control servers were not responsive when researchers did their analysis, however, so they ultimately could not discover the campaign’s final objective, Svajcer said.

Download “The Evolution of Ransomware” to gain valuable insights on emerging trends amidst rapidly growing attack volumes. Click above to hone your defense intelligence!

Attack Breakdown

Svajcer goes into detailed analysis of the attack based on the Fajan samples researchers observed. If lightly obfuscated VBA macro code is found in the malicious document “it is usually to drop and execute a Javascript or a VB script based payload,” he wrote.

These “are rather simple RATs that connect to a hardcoded IP address and listen to commands sent using HTTP over a non-standard TCP port number,” Svajcer wrote.

One of the RATs observed in the campaign was identified as NanoCore RAT, a commercial trojan which has been available for purchase since at least 2013, according to the report. The author of the RAT was arrested in 2017 and sentenced to nearly three years in prison. While this halted the development of the RAT, “some versions have been successfully cracked and are widely used by attackers,” Svajcer wrote.

The VBA macro/RAT attack vector was found in about 60 percent of the campaigns that researchers observed, he said. The rest of the malicious attachments contained Excel 4.0 macro formulas designed to be executed when the files are open that all contain a simple code to execute a PowerShell command line to download and execute the next stage from a Pastebin URL.

“The raw content of the Pastebin URL is supplied as an argument to the Invoke-Expression (IEX) scriptlet, which executes the downloaded code from memory,” Svajcer wrote.

All of the retrieved Pastebins contained code to download and run a payload from a free filesharing site, except one early sample that was hosted by the Amazon S3 service, he added.

Clues to Attacker Identity

Peering under the hood of the final JavaScript RAT payload shows it using HTTP to communicate with the command-and-control server and collect some information about the infected system. It then uses this info as the User-Agent string in the HTTP header, “presumably to keep state for each individual infected system,” Svajcer observed.

VB-based RATs act similar to the JavaScript payloads once executed, but also included code that gave researchers clues to the identity and nationality of the attacker, he wrote.

In sample VB script researchers observed, the client sends a request to the C2 server and expects a response which is then split based on the string specified in a variable, according to the report. The string for splitting for this sample is “NAJAF,” which researchers reversed to create the name for the campaign.

“A number of similar scripts has been previously uploaded to VirusTotal and the authorship for them is claimed by an actor with a handle ‘Security.Najaf,'” Svajcer wrote. “This may imply the Fajan’s author origin to be Iraq, although it could also be just a coincidence or a false flag.”

Download our exclusive FREE Threatpost Insider eBook, 2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!

Suggested articles