Targeted Paerls Campaign Includes Old-School Word Macro Attack

Cisco’s String of Paerls attack involves targeted phishing emails spiked with old-school Microsoft Word Macro malware that connects to more trouble at a Dropbox link.

A targeted malware campaign has been uncovered that combines an old-school Microsoft Word Macro malware attack with a decidedly new school approach of redirecting victims to exploits stored on Dropbox.

The String of Paerls attacks, which Cisco’s VRT team reported today, targets industries such as banking, oil, television and jewelry with convincing, customized spear phishing emails that are spiked with a malicious Word document.

“When the victim opens the Word document, an On-Open macro fires, which results in downloading an executable and launching it on the victim’s machine,” Cisco researchers said.

One sample email pretends to be a receipt for payment from massive shipping line Maersk; invoices and purchase orders have also been seen in other samples. In most cases, the attachment is called 2014-05.doc and it immediately opens a backdoor connection to either one of two command and control servers as well as to a Dropbox domain, dl[.]dropboxusercontent[.]com.

The Dropbox domain hosts four distinct pieces of the exploit, Cisco said, adding that it has notified Dropbox, which de-activated the links in question. The other two domains contacted by the malware are londonpaerl[.]co[.]uk and selombiznet[.]in.

Londonpaerl is a typosquat on Londonpearl, which is a high-end jewelry vendor specializing in pearls. The Londonpaerl domain resolves to a purported employment company.

Capitalizing on some shoddy operational security, Cisco said it was able to gain more insight into the threat actors.

Capitalizing on some shoddy operational security, Cisco said it was able to gain more insight into the threat actors from identifiers in a number of whois records attached to the command and control domains. For example, a reference to “2 close medical/medicle road” was made in the registrant’s street address for the selombiznet domain. Additional searches turned up the same phrase tied to registration records for six domains used in malware attacks since March 12.

“During the investigation, we identified several different campaigns believed to be associated with this threat actor involving many other pieces of malware. Many of the domains appear to be suspended presumably due to past malicious activity,” Cisco said. “In fact, during the investigation the threat actor changed the information on some of the domains several times. Luckily, if you monitor whois history you can still view all of this information, including the evasion attempt.”

This isn’t the first phishing campaign to send victims to Dropbox. Earlier this month, researchers at PhishMe reported a campaign sending users a Dropbox link where a .zip file hosting a version of the Zeus banking Trojan was waiting. The Zeus campaign, unlike this one, was not targeted yet still relied on similar lures such as invoices or payment notifications.

Suggested articles