Site icon Check Point Blog

Check Point’s Threat Emulation Stops Large-Scale Phishing Campaign in Germany

bferrite

Research by: Kobi Eisenkraft, Moshe Hayun, published June 19th 2019

 

Introduction

 

During the first week of June 2019, Check Point researchers encountered a new, large-scale phishing campaign targeting German companies across all industries. The hacker’s goal was to install Remcos – a remote control tool – on the victims’ computers.

 

Attack Flow

The attackers initially sent fake emails that appeared to be from several legitimate companies across Germany. These emails contained invoices or urgent order attachments which were actually Remcos archives attempting to connect with the attacker’s command and control (C&C) server.

Figure 1: Example of a phishing email to the victims

 

The attachment is usually an archive containing an executable disguised as a PDF or other document file. The disguise is a simple comma PDF extension and folder icon.

 

Figure 2: An executable in disguise

 

After the victim opens the file, Remcos executes silently and gives the attacker full control over the victim’s machine.

 

Figure 3: Attack flow chart

Communication with the C&C

 

The attacker then covers his tracks by using DDNS (Dynamic DNS), a legitimate service for mapping Internet domain names to dynamic IP addresses. Learn more about this well-known evasion technique at: https://attack.mitre.org/techniques/T1311/.

 

By using free DDNS accounts, the attacker has a large number of IP addresses at their disposal and can use them to control the victims’ machines.

 

For example, the attacker uses https://www.noip.com/ service to create the domain ablegod.hopto[.]org.

 

Remcos – a Swiss Army Knife RAT

Figure 4: Picture from the official Remcos website

 

Distributed and sold as a legitimate tool by a company called “Breaking Security” on a public website, Remcos is an abbreviation for Remote Control and Surveillance and is sold on a fremium model with a pro version priced from €58 – €389.

 

By using Remcos, the attacker can remotely gain full control of another machine and include the following functions:

 

Bypass AV products and privilege escalation:

Capabilities:

 

Figure 5: Campaign targeting Germany and other countries. 5/6 – 6/6

Check Point products successfully protect against this campaign.

 

Check Point Threat Emulation is a Zero-Day Protection solution that prevents infections from zero-day malware and targeted attacks using sandboxing capabilities.

 

Check Point SandBlast Agent provides purpose-built advanced Zero-Day Protection capabilities to protect web browsers and endpoints, leveraging Check Point’s industry leading network protections.

 

Protections:

Check Point Threat Emulation:

 

Check Point SandBlast Agent:

Figure 6: Threat emulation report blocking Remcos

 

The full Threat Emulation report can be found here –

https://forensics.checkpoint.com/remcos_te/ThreatEmulationReport.html

 

 

The full SBA report can be found here –

https://forensics.checkpoint.com/remcos/index.html

 

A special thanks to our colleague Arie Olshtein for his contribution on this research!

 

Indicators of Compromise:

 

Exit mobile version