
Security advisories | Feb 26, 2019

Spear Phishing – SEC Campaign

The Threat

The eSentire Security Operations Center has observed a spear phishing campaign targeting customers in the financial industry. The email claims to originate from the Securities and Exchange Commission and arrives bundled with a malicious Microsoft Word Document. The document uses the Dynamic Data Exchange (DDE) protocol to execute malicious PowerShell code which downloads and executes DNSMessenger malware. If successful, this attack allows the threat actor to interact with the victim’s system.

What you should do about it

  • DDE relies on user interaction. As such, staff education is an important step in preventing this attack. We recommend sharing indicators (see below) with users to increase awareness of this threat.
  • Implement spoofed email blocking with Sender Policy Framework or Sender ID.

Additional Information

  • The observed spear phishing email uses a spoofed [email protected] email address to lure victims into downloading and executing a Microsoft Word attachment (see below). This document contains a malicious Dynamic Data Exchange (DDE) command which attempts to spawn a PowerShell process.
  • Unlike similar spear phishing campaigns, DDE does not use VBA Macros to execute commands.
  • DDE presents the end-user with a message prompt and requires interaction to execute correctly.
  • Once installed, DNSMessenger malware uses DNS TXT queries to create a bidirectional command and control (C2) channel between the victim and the attacker.

Email Indicators

Subject: EDGAR Filings

From: [email protected] (spoofed)

Filings and Forms rules


The SEC's Office is issuing this EDGAR Alert to inform EDGAR members about changes in EDGAR Filings.


When opened, the attachment presents the user with the following message:

[Image: Spear Phishing SEC Campaign]

Clicking Yes on the pop up will initiate the download of DNSMessenger malware.

For additional information, please visit: