https://open.spotify.com/show/3Gmj15x6cGrgJEzmGnDTTj

Spammers add random text to shortened links to evade detection

Spammers are using a new technique of generating URLs to evade detection by humans and spam filters alike.

This technique comprises adding random, unused text bits to shortened links, to disguise them as full-sized URLs and bypass the scrutiny of email gateways.

Ships as PowerPoint attachments

The phishing email is titled, “URGENT: REQUEST FOR OFFER (University of Auckland)…”

Unsurprisingly, like many phishing emails, this one too arrives with a PowerPoint file containing macros. Launching the PowerPoint Add-In connects to a malicious URL with the help of Windows executable, mshta.exe.

But what’s noteworthy here isn’t the macro sequence but the structure of the URL the document attempts to connect to, as explained by cybersecurity and managed security services provider, Trustwave.

A URL or URI consists of multiple parts, with some being optional. This is specified by an industry-standard called RFC3986.

While most URLs, consist of a protocol, domain (host), and path, other optional parameters can be added.

For example, consider the URL, https://www.bleepingcomputer.com/tag/security/ where the protocol is “https://”, the host is “www.bleepingcomputer.com” and the part afterward is the path to the page.

Also Read: Trusted Data Sharing Framework IMDA Announced In Singapore

Connects to evasive URLs to bypass detection

A URL or an IP address can be represented in different ways. Attackers are abusing these variations in IP/URL formats allowed by the IETF’s specifications to cause “semantic attacks.”

The URL schema allows for use of another part called “Authority.” This part allows you to specify “userinfo”— which is something like username, within the URL between the protocol and the host parts.

For example, this could look like, https://ax@bleepingcomputer.com/tag/security

But because “userinfo” is rarely used especially with HTTP(S) URLs, it is often ignored by the server, and navigating to the URL above would still lead you to https://www.bleepingcomputer.com/tag/security/.

Regardless, this feature can be abused by attackers to give off the false impression to the user of connecting to a different URL than the one they are accessing.

In the case of this particular spam campaign, the destinations it connects to are all known websites, such as the j.mp URL shortener service, Pastebin.com, etc.

But, the structure of the hardcoded URLs includes a gibberish “userinfo” part right before the domain name, to give off the impression these are different URLs.

Therefore, for example, if an enterprise security product was previously blocking the malicious link https://j[.]mp/kassaasdskdd it isn’t clear if the product would also interpret something like https://nonsensical-text@j[.]mp/kassaasdskdd in the same manner and block it too.

Downloads LokiBot malware

“The first [j.mp] URL, accessed by the PowerPoint attachment, redirects to an obfuscated VBScript hosted on Pastebin,” explain researchers at Trustwave.

“Since the URL j[.]mp/kassaasdskdd does not require a userinfo to gain access to any resources, the userinfo data will be ignored when the URL is accessed,” the researchers further explain.

Note: While at the time of the original research, the j.mp link redirected to the Pastebin script shown above, in a test performed by BleepingComputer, the URL has now been reprogrammed to redirect to a different obfuscated script, https://pastebin[.]com/raw/RttDJwpd shown below.

The sequence continues through a series of similar URLs containing “dummy” userinfo data which will be ignored by the server. 

At every step, a new obfuscated script is downloaded and eventually writes into the Windows registry a persistent PowerShell downloader.

Next, the intermediary URLs further download DLLs to bypass anti-malware scan service (AMSI) followed by launching a DLL injector in memory.

The final URL obtains a LokiBot malware sample. “This will be injected to a legit process notedpad.exe by the DLL injector mentioned earlier,” explains Trustwave.

These types of semantic attacks that leverage variations in URLs as provided for by the official URI schema specification are only expected to grow, presenting newer challenges for security products and professionals.

Just last month, BleepingComputer reported that drug spammers were disguising malicious IPs in emails in hex format to evade detection filters which would have otherwise picked up and blocked regular, octet-format IPs.

A list of Indicators of Compromise (IOCs) and Trustwave’s detailed findings are provided on their blog.

Also Read: Computer Misuse Act Singapore: The Truth And Its Offenses