In December 2018, Group-IB specialists detected a new JS-sniffer family called FakeSecurity. It was used by one cybercrime group targeting Magento-based websites. While attacking websites, attackers injected a malicious code into the website's source code. The script runs every time that a victim browses an online shop. It steals user payment information during checkout and sends it to the attacker's server. During the first waves of attacks, the FakeSecurity sniffer used the domain name magento-security[.]org as a gate for stolen credentials and to store the sniffer source code.

The same sniffer was later detected on other Magento-based websites, but attackers had changed the domain names used for storing the JS-sniffer source code:

• fiswedbesign.com
• alloaypparel.com

Both these domain names were registered using the same email address, greenstreethunter@india.com. Apart from these two domain names, attackers created a third domain name, firstofbanks.com, using the same email address.

While analyzing the three domain names used by those behind the FakeSecurity JS-sniffer, it was established that some of them were used in a malicious campaign. As part of this campaign, attackers had been spreading malware since March 2019. Attackers sent links to fake pages that informed victims about a missing plugin required to display the document correctly. If a user downloaded the plugin, their computer was infected with the password-stealing malware.

There were 11 unique links to fake pages that urged user to install a malicious application:

1. hxxps://www.etodoors[.]com/uploads/Statement00534521.html
2. hxxps://www.healthcare4all[.]co.uk/manuals/Statement00534521.html
3. hxxps://www.healthcare4all[.]co.uk/lib/Statement001845.html
4. hxxps://www.healthcare4all[.]co.uk/doc/BankStatement001489232.html
5. hxxp://verticalinsider[.]com/bookmarks/Bank_Statement0052890.html
6. hxxp://thepinetree[.]net/n/docs/Statement00159701.html
7. hxxps://www.readicut[.]co.uk/media/pdf/Bank_Statement00334891.html
8. hxxp://www.e-cig[.]com/doc/pdf/eStmt.html
9. hxxps://www.genstattu[.]com/doc/PoliceStatement001854.html
10. hxxps://www.tokyoflash[.]com/pdf/statment001854.html
11. hxxps://www.readicut[.]co.uk/media/pdf/statment00789.html

Potential victims of this malicious campaign received spam email messages containing a link to a 1^st-level fake page. Such pages contain only one small HTML document with an embedded iframe element that loads content from a different 2^nd-level page. Second-level pages are landing pages with content that urges users to install an application. In the case of this malicious campaign, attackers used a landing page that imitates an online PDF viewer and the page displays a message about a missing plugin for Adobe Reader, which is why the 1^st-level link imitated a link to a PDF file. Second-level pages contain links to EXE files, which are installed on the victim's computer after they click on the "Download plugin" button.

Let's examine an example of a malicious landing page. A potential victim receives a link to an HTML file via a spam email message, e.g. hxxps://www.healthcare4all[.]co[.]uk/manuals/Statement00534521.html. This HTML file contains an iframe element with a link to the page's main content; in this case, all content was stored by the link hxxps://alloaypparel[.]com/view/public/Statement00534521/PDF/Statement001854.pdf. As we can see from this example, to store a fake page's main content, the attackers used not a compromised website but a domain name created for malicious purposes. In the fake page's interface, there is a button with the text "Download plugin". If the victim clicks on this button, they will download a malicious application through the URL address from the fake page's source code; in this case, the URL to the EXE file is hxxps://www.healthcare4all[.]co[.]uk/manuals/Adobe-Reader-PDF-Plugin-2.37.2.exe, which means that the malware was stored on a compromised website.

Analysis of the domain name alloaypparel.com helped experts establish that, to spread malware, attackers used the phishing kit Mephistophilus, which makes it possible to create and deploy phishing landing pages designed for distributing malware. Mephistophilus uses several types of pages that urge users to install a missing plugin for the application to function correctly, but instead of a plugin users download a malicious payload by URL, set by the operator in the admin panel of the Mephistophilus phishing kit.

"Mephistophilus", a system for targeted phishing attacks, appeared for sale in August 2016. It is based on the use of various phishing kits designed for malware distribution disguised as an installation of missing plugins (MS Word, MS Excel, PDF, YouTube) for viewing online documents or web pages. Mephistophilus was developed and released by an underground forum user with the nickname 'Kokain'. To successfully infect through a phishing kit, attackers must prompt users to click on the link leading to the page created by Mephistophilus. Regardless of the phishing page theme, users will see a pop-up window with a message that they need to install a missing plugin in order to view an online document or watch a YouTube video. To this end, Mephistophilus has various types of phishing pages that imitate legitimate online services:

• Online viewer for Microsoft Office365 Word or Excel documents
• Online viewer for PDF files
• Cloned YouTube page

During this malicious campaign, the cybercrime group did not use only registered domain names to achieve their goals; they also used compromised e-commerce websites to store malware samples. Some of these websites were infected with the FakeSecurity JS-sniffer in previous attacks conducted by this cybercrime group.

In total, there were 5 unique links to 5 unique malware samples; four of them were stored on compromised websites running on CMS Magento:

• hxxps://www.healthcare4all[.]co[.]uk/manuals/Adobe-Reader-PDF-Plugin-2.37.2.exe
• hxxps://www.genstattu[.]com/doc/Adobe-Reader-PDF-Plugin-2.31.4.exe
• hxxps://firstofbanks[.]com/file_d/Adobe-Reader-PDF-Plugin-2.35.8.exe
• hxxp://e-cig[.]com/doc/Adobe-Reader-PDF-Plugin-2.31.4.exe
• hxxp://thepinetree[.]net/docs/msw070619.exe

The malware samples distributed during this campaign were samples of the Vidar password stealer, designed to intercept passwords from user browsers and various applications.

Vidar is a password stealer that intercepts passwords saved in browsers and various applications and files from infected computers. Apart from stealing passwords, Vidar collects files from infected computers by masks defined by malware operators and then sends these files to the C2 server. This feature facilitates the process of searching for and stealing cryptocurrency wallet files. Vidar is classed as malware-as-a-service; all data collected from infected computers is sent to the gate and then to a centralized administrative panel that each customer of the malware service can use to view collected data.

The Vidar stealer was developed and released in November 2018 by an underground forum user with the nickname 'Loadbaks'. According to the developer's description, Vidar steals passwords from browsers, files by predefined paths and masks, bank card information, cold cryptocurrency wallet files, Skype and Telegram chat history, and browser history. The rental price for this stealer ranges from $250 to $300 per month. The stealer's admin panel and domain names, which are used as gates, are located on servers controlled by Vidar's authors, which decreases the costs of stealer infrastructure support for customers.

In case of the malicious file msw070619.exe, apart from delivery via Mephistophilus landing pages, attackers also used a malicious DOC file with an embedded macro, BankStatement0040918404.doc (MD5: 1b8a824074b414419ac10f5ded847ef1), which drops executable files after editing is enabled. This DOC file was sent as an attachment in a malicious email message, which means that mass email sending was one of the aspects of the malicious campaign conducted by the cybercrime group.

The detected message (MD5: 53554192ca888cccbb5747e71825facd) was sent to the contact address of an e-commerce website running on the CMS Magento, which could mean that some of the campaign's targets were online shop administrators. The end goal of infecting Magento website administrators was to gain access to the Magento admin panel and other e-commerce CMSs in order to install a JS-sniffer and steal customer information.

Attacker infrastructure was deployed on the server with IP address 200.63.40.2, which is owned by a dedicated server provider, Panamaserver.com. Before the FakeSecurity malicious campaign, this server was used for phishing purposes and for deploying admin panels of various malware families in order to steal passwords.

Based on the characteristics of the FakeSecurity campaign, it is possible that the admin panels of Lokibot and AZORUlt stealers, which were deployed on this server, were used in previous attacks conducted by this group in January 2019. According to a blog post (https://myonlinesecurity.co.uk/lokibot-via-multiple-embedded-ole-objects-in-fake-invoice-rtf-word-docs/), on January 14th, 2019, unknown attackers sent mass emails containing malicious DOC files that installed Lokibot malware on infected computers. On January 18th, 2019, further mass emails were sent, this time containing malicious documents that installed samples of AZORUlt malware (https://twitter.com/dvk01uk/status/1086131035472048128). During this malicious campaign, there were three admin panels detected on the server with IP address 200.63.40.2:

• http://chuxagama.com/web-obtain/Panel/five/PvqDq929BSx_A_D_M1n_a.php (Lokibot)
• http://umbra-diego.com/wp/Panel/five/PvqDq929BSx_A_D_M1n_a.php (Lokibot)
• http://chuxagama.com/web-obtain/Panel/five/index.php (AZORUlt)

The domain names chuxagama.com and umbra-diego.com were registered by the same user, using the email address dicksonfletcher@gmail.com. This email address was also used to create the domain name worldcourrierservices.com in May 2016, which was later used as a website for the fake company World Courier Service.

Based on the fact that, during the FakeSecurity malware campaign, attackers used password-stealing malware, sent mass emails for its distribution, and used the server with IP address 200.63.40.2, we can suppose that both campaigns, including the campaign in January 2019, were conducted by the same cybercrime group.

File name Adobe-Reader-PDF-Plugin-2.37.2.exe

• MD5 3ec1ac0be981ce6d3f83f4a776e37622
• SHA-1 346d580ecb4ace858d71213808f4c75341a945c1
• SHA-256 6ec8b7ce6c9858755964f94acdf618773275589024e2b66583e3634127b7e32c
• Size 615984

File name Adobe-Reader-PDF-Plugin-2.31.4.exe

• MD5 58476e1923de46cd4b8bee4cdeed0911
• SHA-1 aafa9885b8b686092b003ebbd9aaf8e604eea3a6
• SHA-256 15abc3f55703b89ff381880a10138591c6214dee7cc978b7040dd8b1e6f96297
• Size 578048

File name Adobe-Reader-PDF-Plugin-2.35.8.exe

• MD5 286096c7e3452aad4acdc9baf897fd0c
• SHA-1 26d71553098b5c92b55e49db85c719f5bb366513
• SHA-256 af04334369878408898a223e63ec50e1434c512bc21d919769c97964492fee19
• Size 1069056

File name Adobe-Reader-PDF-Plugin-2.31.4.exe

• MD5 fd0e11372a4931b262f0dd21cdc69c01
• SHA-1 54d34b6a6c4dc78e62ad03713041891b6e7eb90f
• SHA-256 4587da5dca2374fd824a15e434dae6630b24d6be6916418cee48589aa6145ef6
• Size 856576

File name msw070619.exe

• MD5 772db176ff61e9addbffbb7e08d8b613
• SHA-1 6ee62834ab3aa4294eebe4a9aebb77922429cb45
• SHA-256 0660059f3e2fb2ab0349242b4dde6bf9e37305dacc2da870935f4bede78aed34
• Size 934448

• fiswedbesign.com
• alloaypparel.com
• firstofbanks.com
• magento-security.org
• mage-security.org

• https://www.healthcare4all[.]co.uk/manuals/Adobe-Reader-PDF-Plugin-2.37.2.exe
• https://www.genstattu[.]com/doc/Adobe-Reader-PDF-Plugin-2.31.4.exe
• https://firstofbanks[.]com/file_d/Adobe-Reader-PDF-Plugin-2.35.8.exe
• http://e-cig[.]com/doc/Adobe-Reader-PDF-Plugin-2.31.4.exe
• http://thepinetree[.]net/docs/msw070619.exe