fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Spammers Add Random Text To Shortened Links To Evade Detection

https://open.spotify.com/show/3Gmj15x6cGrgJEzmGnDTTj

Spammers add random text to shortened links to evade detection

Spammers are using a new technique of generating URLs to evade detection by humans and spam filters alike.

This technique comprises adding random, unused text bits to shortened links, to disguise them as full-sized URLs and bypass the scrutiny of email gateways.

Ships as PowerPoint attachments

The phishing email is titled, “URGENT: REQUEST FOR OFFER (University of Auckland)…”

Unsurprisingly, like many phishing emails, this one too arrives with a PowerPoint file containing macros. Launching the PowerPoint Add-In connects to a malicious URL with the help of Windows executable, mshta.exe.

Trustwave url spam
Spam email campaign uses PowerPoint add-in with evasive links
Source: Trustwave

But what’s noteworthy here isn’t the macro sequence but the structure of the URL the document attempts to connect to, as explained by cybersecurity and managed security services provider, Trustwave.

A URL or URI consists of multiple parts, with some being optional. This is specified by an industry-standard called RFC3986.

While most URLs, consist of a protocol, domain (host), and path, other optional parameters can be added.

For example, consider the URL, https://www.bleepingcomputer.com/tag/security/ where the protocol is “https://”, the host is “www.bleepingcomputer.com” and the part afterward is the path to the page.

Also Read: Trusted Data Sharing Framework IMDA Announced In Singapore

Connects to evasive URLs to bypass detection

A URL or an IP address can be represented in different ways. Attackers are abusing these variations in IP/URL formats allowed by the IETF’s specifications to cause “semantic attacks.”

The URL schema allows for use of another part called “Authority.” This part allows you to specify “userinfo”— which is something like username, within the URL between the protocol and the host parts.

For example, this could look like, https://[email protected]/tag/security

But because “userinfo” is rarely used especially with HTTP(S) URLs, it is often ignored by the server, and navigating to the URL above would still lead you to https://www.bleepingcomputer.com/tag/security/.

Regardless, this feature can be abused by attackers to give off the false impression to the user of connecting to a different URL than the one they are accessing.

In the case of this particular spam campaign, the destinations it connects to are all known websites, such as the j.mp URL shortener service, Pastebin.com, etc.

But, the structure of the hardcoded URLs includes a gibberish “userinfo” part right before the domain name, to give off the impression these are different URLs.

Therefore, for example, if an enterprise security product was previously blocking the malicious link https://j[.]mp/kassaasdskdd it isn’t clear if the product would also interpret something like https://nonsensical-text@j[.]mp/kassaasdskdd in the same manner and block it too.

Trustwave malicious urls
Malicious URLs abusing the “userinfo” field to appear different

Downloads LokiBot malware

“The first [j.mp] URL, accessed by the PowerPoint attachment, redirects to an obfuscated VBScript hosted on Pastebin,” explain researchers at Trustwave.

trustwave obfuscated spam
First j.mp link redirects to an obfuscated script hosted on Pastebin

“Since the URL j[.]mp/kassaasdskdd does not require a userinfo to gain access to any resources, the userinfo data will be ignored when the URL is accessed,” the researchers further explain.

Note: While at the time of the original research, the j.mp link redirected to the Pastebin script shown above, in a test performed by BleepingComputer, the URL has now been reprogrammed to redirect to a different obfuscated script, https://pastebin[.]com/raw/RttDJwpd shown below.

different script
Different obfuscated script now shown by the j.mp URL
Source: BleepingComputer

The sequence continues through a series of similar URLs containing “dummy” userinfo data which will be ignored by the server. 

At every step, a new obfuscated script is downloaded and eventually writes into the Windows registry a persistent PowerShell downloader.

Next, the intermediary URLs further download DLLs to bypass anti-malware scan service (AMSI) followed by launching a DLL injector in memory.

The final URL obtains a LokiBot malware sample. “This will be injected to a legit process notedpad.exe by the DLL injector mentioned earlier,” explains Trustwave.

These types of semantic attacks that leverage variations in URLs as provided for by the official URI schema specification are only expected to grow, presenting newer challenges for security products and professionals.

Just last month, BleepingComputer reported that drug spammers were disguising malicious IPs in emails in hex format to evade detection filters which would have otherwise picked up and blocked regular, octet-format IPs.

A list of Indicators of Compromise (IOCs) and Trustwave’s detailed findings are provided on their blog.

Also Read: Computer Misuse Act Singapore: The Truth And Its Offenses

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us