In November 2019, Proofpoint researchers uncovered email campaigns distributing NetWire, a widely used remote access trojan (RAT). The campaigns used Bulgarian-language lures, narrow geographic targeting, geofencing, and low message volume. Since then, Proofpoint has identified additional campaigns with matching attributes, including Bulgarian-language email lures, a NetWire payload, the same command and control (C2) domain, the same malware configuration password, and the Microsoft Word document author "vps". NetWire has been widely employed since its inception in 2012 and is offered for multiple operating systems, including Windows, macOS, and Linux. The RAT is sold on underground forums for between $40 and $140.
Targeting and Email Lures
In October and early November 2020, Proofpoint researchers observed multiple low-volume campaigns aimed at fewer than 10 companies in the aerospace, industrial, manufacturing, construction, energy, financial transaction services, and business services verticals. While the sectors are diverse, all of the targeted companies have business operations in Bulgaria, and some are suppliers to larger energy projects and aerospace manufacturing initiatives. The latest activity diverges in scope and scale from a NetWire campaign observed in June, which delivered approximately 500 messages to about 150 customers across 40 verticals. That campaign was also written in Bulgarian and leveraged themes from the largest national bank, Bulbank.
The current campaigns are also localized in Bulgarian and claim to include financial information or a notification of an enforcement case opened against the recipient. Two email campaigns later in October impersonated the Sofia Court House in Bulgaria. In the latest campaign, in November, one of the aerospace technology organizations already targeted in October received a single phishing message that used both spoofed sender infrastructure and a document file name imitating the Bulgarian national Commission for Combating Corruption and Confiscation of Illegally Acquired Property (KPKONPI).
Below is an example of message characteristics observed in November 2019:
- From: bulgaria@caciaf[.]bg
- Subject: Деклариране на финансови активи ("Declaration of financial assets")
- Attachments: kpkonpi_dv86.doc
Figure 1: Microsoft Word attachment with enable macros message
Below is an example of message characteristics observed in January 2020:
- From: Пътна полиция МВР <opp@mvr[.]bg> ("Road Police, Ministry of Interior (MVR)")
- Subject: Призовка за явяване в КАТ ("Summons to appear at the Traffic Police")
- Attachments: prizovka_081419.doc
Below is an example of the email lure and message characteristics spotted in early October 2020:
- From: ЧСИ Галин Костов <kostov@gkostov[.]com> ("Private Enforcement Agent Galin Kostov")
- Subject: Уведомление за образувано дело ("Notification of initiated case")
- Attachments: Уведомление за образувано дело DELO20205593.doc ("Notification of initiated case DELO20205593.doc")
Figure 2: Bulgarian language email lure
Message body, translated from Bulgarian:
With the present letter and on the basis of Art. 458 of the Civil Procedure Code, in connection with Art. 191, para. 3 of the TPSC, I would like to inform you that an enforcement case has been initiated against you, pursuant to the Civil Procedure Code, in view of your outstanding liabilities to Telecom Group AD. In the attached document, you can acquaint yourself with the writ of execution issued by the Sofia City Court, as well as with the terms for enforcement, which will start running.
Private bailiff reg. №854
Area of operation
Sofia City Court
Figure 3: Microsoft Word attachment with enable macros message
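The lures above share a small set of observable traits: a Bulgarian-language subject and display name, a sender domain belonging to or imitating a Bulgarian institution, and a macro-capable Word .doc attachment whose name follows the lure theme. The following script, an added example and not Proofpoint's tooling or any code from this page, shows how a mail-security team might turn those traits into a triage check. It parses RFC 5322 messages with Python's modern email API (so RFC 2047 subjects and RFC 2231 filenames come back decoded), extracts the relevant fields, and scores them against a watchlist built only from the indicators quoted on this page. The sample messages are constructed here, the one-point-per-indicator scoring and the alert threshold are assumptions for illustration, and the watchlist domains are written un-defanged so they compare equal to a parsed address.

```python
"""Triage e-mail against the NetWire lure pattern described on this page.

Added example, not Proofpoint's tooling.  Indicators are the ones the page
quotes (Bulgarian-language subjects, a Word .doc attachment, the sender
domains and file-name themes of the lures); the sample messages, scoring
and threshold are constructed here for illustration.
"""
import re
import email
from email import policy
from email.message import EmailMessage

# Sender domains quoted on this page, un-defanged so they compare equal to a
# parsed address.  A From: domain is trivially spoofable, so it is one signal
# among several rather than a verdict on its own.
SENDER_WATCHLIST = {"caciaf.bg", "mvr.bg", "gkostov.com"}

# Themes seen in the page's attachment names: KPKONPI, a summons
# ("prizovka") and an enforcement-case number ("delo").
FILENAME_THEMES = ("kpkonpi", "prizovka", "delo")

# Word formats that can carry VBA macros (the "enable macros" lure).
MACRO_CAPABLE = (".doc", ".dot", ".docm", ".dotm")

CYRILLIC = re.compile(r"[\u0400-\u04FF]")


def parse(raw):
    """Parse an RFC 5322 message with the modern API so that RFC 2047
    subjects/display names and RFC 2231 filenames come back decoded."""
    return email.message_from_string(raw, policy=policy.default)


def features(msg):
    """Pull out the fields the lure pattern is built from."""
    addrs = msg["From"].addresses if msg["From"] else ()
    sender = addrs[0] if addrs else None
    return {
        "sender_domain": sender.domain.lower() if sender else "",
        "display_name": sender.display_name if sender else "",
        "subject": str(msg["Subject"] or ""),
        "attachments": [p.get_filename() or "" for p in msg.iter_attachments()],
    }


def score(feat):
    """Return (points, reasons).  One point per matched indicator; the
    weighting is an assumption for illustration, not a tuned model."""
    reasons = []
    if feat["sender_domain"] in SENDER_WATCHLIST:
        reasons.append("sender domain on campaign watchlist")
    if CYRILLIC.search(feat["subject"]):
        reasons.append("Cyrillic subject (Bulgarian-language lure)")
    if CYRILLIC.search(feat["display_name"]):
        reasons.append("Cyrillic sender display name")
    for name in feat["attachments"]:
        low = name.lower()
        if low.endswith(MACRO_CAPABLE):
            reasons.append("macro-capable Word attachment: " + name)
        if any(theme in low for theme in FILENAME_THEMES):
            reasons.append("attachment name matches campaign theme: " + name)
    return len(reasons), reasons


def is_suspicious(raw, threshold=3):
    """Flag a message when enough independent indicators line up.  The
    threshold of 3 is an assumption: a watchlisted domain alone, or a .doc
    attachment alone, should not page anyone."""
    points, _ = score(features(parse(raw)))
    return points >= threshold


def build_sample(sender, subject, filename):
    """Construct a sample message (constructed data, not a captured e-mail).
    The attachment body is a placeholder: the 8-byte OLE compound-file
    signature a real .doc starts with, padded with zeros."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "accounting@example.invalid"
    m["Subject"] = subject
    m.set_content("Please see the attached document.")
    m.add_attachment(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
                     maintype="application", subtype="msword",
                     filename=filename)
    return m.as_string()


# Constructed messages mirroring the lures quoted on this page.
LURE_JAN_2020 = build_sample("Пътна полиция МВР <opp@mvr.bg>",
                             "Призовка за явяване в КАТ",
                             "prizovka_081419.doc")
LURE_OCT_2020 = build_sample("ЧСИ Галин Костов <kostov@gkostov.com>",
                             "Уведомление за образувано дело",
                             "Уведомление за образувано дело DELO20205593.doc")
BENIGN = build_sample("Alice <alice@example.invalid>",
                      "Q3 numbers", "q3-summary.pdf")

if __name__ == "__main__":
    for label, raw in (("jan-2020", LURE_JAN_2020),
                       ("oct-2020", LURE_OCT_2020), ("benign", BENIGN)):
        points, reasons = score(features(parse(raw)))
        print(label, points, reasons)
```

Each indicator is weak on its own (Cyrillic mail is normal for a Bulgarian company, and .doc attachments are common), which is why the check requires several to coincide; in practice the watchlist would be fed from a threat-intel source rather than hard-coded, and the Word attachment itself would be handed to a macro-extraction step rather than judged by its extension.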
Below is an example of the email lure and message characteristics spotted a few days later in October 2020:
- From: ЧСИ Галин Костов <kostov@gkostov[.]com> ("Private Enforcement Agent Galin Kostov")
- Subject: Уведомление за образувано дело ("Notification of initiated case")