VIP3R: Dissecting A New Venomous Spearphishing Campaign

By Tom McVey, Solution Architect at Menlo Security

Social engineering attacks are among the most prevalent and dangerous threats facing organizations globally today.

One study shows that 83% of organizations experienced a successful email-based phishing attack in 2021, which saw a user being tricked into risky action, such as clicking a bad link, downloading malware, providing credentials, or even executing a wire transfer. Cisco’s 2021 Cybersecurity threat trends report concurs, suggesting that at least one person clicks on a phishing link in around 86% of organizations, the firm also linking nine in 10 data breaches to phishing attacks.

For many firms, the human is the weakest link in their cybersecurity defenses – and threat actors know it, continuing to launch phishing campaigns in various forms at scale year after year. They take advantage of our inherent cognitive biases, tricking us into entering our credentials. When you combine that bias with the tactics used by attackers, it makes these attacks very successful.

Many attackers opt for a ‘spray-and-pray’ approach, looking to spread their net far and wide to reach as great a number of potential victims as possible. However, others pursue a more dangerous approach in the form of spearphishing, launching highly tailored attacks that meticulously target specific organizations or individuals in an attempt to achieve greater success.

It is the latter that our team in Menlo Labs recently identified after discovering an open directory full of usernames and passwords.

Upon analyzing the contents of the web server, we found that a single spearphishing campaign had successfully compromised the credentials of 164 users at various companies using 147 unique lures, targeting organizations from cybersecurity companies to financial services – and everything inbetween.

While analyzing the kit, we spotted a unique string: “DH4 VIP3R L337”. Having not seen this previously, we decided to dig a little deeper.

A unique way of validating victim credentials

In analyzing the attack sequence, we found that the attackers would begin by sending a customized HTML attachment payload to its target victims. Should they fail to detect its malicious intent and open the attachment, they would be presented with a phishing page impersonating a service that they would typically use.

Why did the attackers opt to use a HTML attachment? While most secure email gateways (SEG) have default blocks for certain file types, HTML attachments are exempt from these defenses. This is because many large financial firms send encrypted emails that require you to first register and create an account to securely view the message, and these encrypted emails are usually in the form of HTML attachments.

Once the victim submitted their credentials, validation and verification of the password happens on the server side and a response is sent accordingly. This part of the process would be achieved using the PHPMailer library, sending an email with the victim’s username and password directly to an email address controlled by the attacker.

If the email failed (i.e., the verification of the password fails), an error message in the form of a “json response” would be sent back to the user via the browser, who would then be redirected to the legitimate website of the lure. However, if the email was sent and password verification was successful, then the client would be to a pdf hosted on Microsoft OneDrive.

In this way, the attacker created a unique way of validating the credentials submitted by the victim.

The Menlo Labs team has concluded that it is likely that these HTML attachments are being created automatically using a payload generator kit. Having spent significant time looking for it, we have been ultimately unable to locate it at present. Therefore, until we uncover any further information, we’ll be tracking it as “VIP3R_L33T Generator”.

Combatting progressive phishing threats

Credential phishing continues to the most common form of attack that we see our customers facing. Across geographies, industry verticals, and different sized organizations… everyone is affected.

More than one fifth of the attacks that we see on our platform are credential phishing attacks, with 7% of not being detected by legacy URL reputation engines. This evasion of legacy URL reputation evasion techniques (dubbed LURE by the Menlo Labs team) can be attributed to one of the four evasive techniques found in Highly Evasive Adaptive Threats (HEAT).

Critically, we have seen a distinct uptick in HEAT attacks.

After analyzing more than half a million malicious URLs, the team determined that 69% of them leveraged HEAT tactics. Further, it observed a 224% increase in HEAT attacks in the second half of 2021.

To protect against phishing, organizations should always look to improving cybersecurity awareness first through training and education initiatives. To mitigate the threat of evasive threats, however, modern businesses will need to go further and step out of their comfort zones, taking a Zero Trust approach to security and adopting the Secure Access Service Edge (SASE) framework.


About the Author

VIP3R: Dissecting A New Venomous Spearphishing CampaignTom is a Solution Architect at Menlo Security for the EMEA region. He works closely with customers to meet their technical requirements and architects web and email isolation deployments for organisations across different industries. Prior to Menlo Security, Tom previously worked for LogRhythm and Varonis.

November 2, 2022

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Top InfoSec Innovator & Black Unicorn Awards for 2024 are now Open! Finalists Notified Before BlackHat USA 2024...