Researchers at Proofpoint recently discovered a large-scale credential phishing campaign targeting JP Morgan Chase customers. Phishing campaigns are common, so it was only after we dug a bit deeper that we noticed some interesting things about this particular attack.
Both infection paths in this attack (an exploit kit loaded by the phishing page, and a fake Java update offered after login) attempt to install the recently discovered Dyre banking Trojan, which steals banking credentials. According to VirusTotal, the Dyre sample used in this attack was not detected by any of the leading antivirus engines at the time of the attack.
The initial phishing email looks authentic and encourages users to click to view a secure message from JPMC.
Once the user clicks on this, and we all know some users will click, they are directed to a website that asks them to enter their credentials.
This web page also pulls the RIG exploit kit from a second server hosted in Russia and runs it against the visitor's browser. Based on IP network registry (WHOIS) data, the server hosting the RIG exploit kit appears to be located in Moscow, Russia:
The RIG exploit kit attempts to exploit vulnerabilities in Internet Explorer, Flash, Silverlight and Java. If the user's browser or one of those plug-ins is vulnerable, the Dyre banking Trojan is silently installed on the user's machine.
This means that even if the user became suspicious of the login page and did not enter any credentials, there is still a chance the attackers compromised the machine and infected it with Dyre.
If the user does enter their credentials, they are shown an error stating that a Java update is required and are prompted to download and run a fake Java update named Java_update.exe.
Running this executable installs the Dyre banking Trojan on the user's machine.
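The chain just described (a login page, exploit-kit content pulled from a second server, a credential POST, then an executable download) leaves a recognisable sequence in web proxy logs. The script below is an added example written for this post, not Proofpoint's code; it reconstructs each client's session from a constructed, space-separated log format (timestamp, client, method, URL, referer, response Content-Type) and names the chain it finds. The hostnames phish.example and ek.example and the sample log lines are constructed for illustration and are not indicators from the campaign.

```python
"""Flag the phish-plus-exploit-kit chain in web proxy logs.
Added example, not Proofpoint's code. Log format and hostnames are constructed:
phish.example stands in for the credential page, ek.example for the exploit-kit
server. Adapt parse_line() to your proxy's own format."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Response types for the plug-ins the post names (IE is reached through plain HTML).
# Assumption: the proxy logs the response Content-Type.
PLUGIN_TYPES = {"application/x-shockwave-flash", "application/x-silverlight-app",
                "application/java-archive", "application/x-java-applet"}
EXE_TYPES = {"application/x-msdownload", "application/x-dosexec"}

@dataclass
class Request:
    ts: int
    client: str
    method: str
    url: str
    referer: str   # "-" when absent
    ctype: str     # response Content-Type, "-" when absent

@dataclass
class Session:
    page_host: str                          # host of the first page the client opened
    ek_hosts: set = field(default_factory=set)
    credential_post: Optional[int] = None   # timestamp of the first POST to page_host
    exe_download: Optional[tuple] = None    # (timestamp, url)

def parse_line(line: str) -> Request:
    """Parse one line of the constructed format: ts client method url referer content-type."""
    ts, client, method, url, referer, ctype = line.split()
    return Request(int(ts), client, method.upper(), url, referer, ctype.lower())

def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()

def build_session(reqs) -> Session:
    """Walk one client's requests in time order and record the three stages."""
    reqs = sorted(reqs, key=lambda r: r.ts)
    s = Session(page_host=host_of(reqs[0].url))  # assumption: first hit is the mailed link
    for r in reqs:
        h = host_of(r.url)
        ref = host_of(r.referer) if r.referer != "-" else ""
        # Stage A: the page pulls a frame or plug-in payload from a second server
        if h != s.page_host and (r.ctype in PLUGIN_TYPES or ref == s.page_host):
            s.ek_hosts.add(h)
        # Stage B: the visitor submits the login form
        elif h == s.page_host and r.method == "POST" and s.credential_post is None:
            s.credential_post = r.ts
        # Stage C: an executable ("Java update") is fetched after the form was submitted
        elif (urlparse(r.url).path.lower().endswith(".exe") or r.ctype in EXE_TYPES) \
                and s.credential_post is not None and r.ts > s.credential_post:
            s.exe_download = (r.ts, r.url)
    return s

def verdict(s: Session) -> Optional[str]:
    """Name the chain seen for one session; None when only ordinary browsing was found."""
    if s.credential_post is None:      # a submitted login form anchors this chain
        return None
    if s.ek_hosts and s.exe_download:
        return "multivariant: phish + exploit kit + fake updater"
    if s.exe_download:
        return "phish + fake updater"
    if s.ek_hosts:
        return "phish + third-party content (review hosts)"
    return None

def analyse(lines) -> dict:
    """Map client -> verdict for every client whose session matched."""
    by_client = defaultdict(list)
    for line in lines:
        if line.strip():
            r = parse_line(line)
            by_client[r.client].append(r)
    return {c: v for c, reqs in by_client.items() if (v := verdict(build_session(reqs)))}

# Constructed sample: 10.0.0.5 follows the whole chain, 10.0.0.9 logs in to an
# ordinary site that only loads a script from its own host.
SAMPLE_LOG = """
1 10.0.0.5 GET http://phish.example/secure/login.php - text/html
2 10.0.0.5 GET http://ek.example/landing.php http://phish.example/secure/login.php text/html
3 10.0.0.5 GET http://ek.example/flash.swf http://ek.example/landing.php application/x-shockwave-flash
4 10.0.0.5 POST http://phish.example/secure/login.php http://phish.example/secure/login.php text/html
5 10.0.0.5 GET http://phish.example/error.php http://phish.example/secure/login.php text/html
6 10.0.0.5 GET http://phish.example/Java_update.exe http://phish.example/error.php application/x-msdownload
1 10.0.0.9 GET http://bank.example/login - text/html
2 10.0.0.9 GET http://bank.example/app.js http://bank.example/login application/javascript
3 10.0.0.9 POST http://bank.example/login http://bank.example/login text/html
""".strip().splitlines()

if __name__ == "__main__":
    for client, v in analyse(SAMPLE_LOG).items():
        print(client, "->", v)
```

Stage A on its own is noisy (any page that embeds Flash or Silverlight from a CDN satisfies it), so the verdict only fires once a login form has been submitted, and the "multivariant" label requires all three stages in order. In a real deployment the third-party hosts collected in `ek_hosts` would be checked against reputation data and the downloaded executable pulled from the proxy cache for analysis rather than trusting the file name.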
What’s notable is that this is one of the first times we’ve seen an attacker include exploit code on a credential phishing page. Usually we see attackers use a Traffic Distribution System (TDS) to direct traffic to either a phishing site or an exploit site, but not both. We refer to this as a multivariant attack.
Loading a website with multiple attacks increases the probability of detection, so this attack appears to be the digital equivalent of a “smash and grab” attack. The attackers do not appear to be worried about stealth; instead they targeted a large number of users with a multi-pronged attack, knowing that it would likely be quickly detected and shut down.
This could indicate a shift in attacker behavior, from stealthy attacks designed to run for a long time to high-volume attacks that hit victims quickly by throwing the kitchen sink at them.
We’ll be keeping an eye on attacker behavior to see if this trend continues to grow.
Based on the infrastructure used to send the emails in this attack, we were able to identify other active campaigns that appear to be run by the same attackers. Each of these attempts to install the Dyre banking Trojan.
The first parallel attack uses a PDF weaponized with an exploit that attempts to install Dyre.
PDF exploit email
The same infrastructure is also being used to send out a ZIP attachment containing a downloader, which then downloads and installs the Dyre banking Trojan.
That is what we're seeing; what has been your experience? Have you seen any similar campaigns? If so, which one(s)?