Hunting the Phish: What We Can Learn from the DocuSign Malspam Campaign
On May 9th, DocuSign disclosed that it was tracking a malicious email campaign targeting DocuSign users. To its credit, DocuSign has been providing detailed and timely updates in its Trust Center, and customers should keep checking there.
DomainTools is a happy customer of DocuSign, so it was not surprising when one of my fellow employees received the email. Being a security-savvy user, he quickly surmised that this email was likely tied to the targeted malware campaign Brian Krebs had written about on his blog.
After receiving the sample email, I opened it on my malware analysis machine. A few things stood out for me:
- The phishers sent the email from a lookalike, typosquatted domain (the brand name with the "i" dropped): dse@docusgn[.]com.
- The subject of the email was, “Completed: domaintools.com – Wire Transfer Instructions for [username] Document Ready for Signature.”
- The email contained a "Review Document" button. I immediately zeroed in on it, wanting to see where it redirected or what it dropped. When clicked, the button sent the victim to http://hertretletan[.]ru/file.php?document=[base64 string]
Visiting that URL downloaded a file named "Wire_Transfer_[Jon's base64-encoded email address].doc". The file names were most likely mass-generated from the email addresses exposed in the DocuSign breach. Had Jon opened the Word document, he would have been infected with the Pony password stealer, which would have exfiltrated his credentials to its command-and-control server, with 30+ additional C2 servers available as fallbacks. Nasty, eh?
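The `document` parameter in that URL and the dropped file name both carry the victim's address as base64, which makes the lure easy to spot in proxy logs. The following is an added example, not code from the original post: it scans constructed proxy log lines (timestamp, client IP, URL) for `file.php?document=` requests whose parameter decodes to an email address, and reports the address and the file name the campaign would have served. The log lines and the address `user@example.com` are made up here; the lure host is the one from the post, written in the same defanged form.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")


def refang(text: str) -> str:
    """Turn the defanged 'hxxp://host[.]tld' form used in reports back into a real URL."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def decode_document_param(url: str):
    """Return (raw_b64, decoded_text) for the `document` parameter, or None if it is absent or not base64."""
    parts = urlsplit(refang(url))
    params = parse_qs(parts.query, keep_blank_values=True)
    if "document" not in params:
        return None
    # parse_qs turns '+' into ' ', which silently corrupts standard base64; undo that.
    raw = params["document"][0].replace(" ", "+")
    try:
        decoded = base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return raw, decoded


def find_lure_hits(log_lines):
    """Scan 'timestamp client url' proxy lines for file.php?document=<base64 email> downloads.

    Each hit records the victim address carried in the URL and the file name the
    campaign would have served, so the client can be pulled for triage.
    """
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        ts, client, url = fields[:3]
        parts = urlsplit(refang(url))
        if not parts.path.endswith("/file.php"):
            continue
        result = decode_document_param(url)
        if result is None:
            continue
        raw, decoded = result
        if not EMAIL_RE.match(decoded):
            continue  # base64, but not an address: not this lure's pattern
        hits.append({
            "time": ts,
            "client": client,
            "host": parts.hostname,
            "victim_email": decoded,
            "expected_file": f"Wire_Transfer_{raw}.doc",
        })
    return hits


# Constructed sample lines (not real traffic); the lure host is the one from the post.
_VICTIM_B64 = base64.b64encode(b"user@example.com").decode()
SAMPLE_LOG = [
    f"2017-05-12T14:02:11Z 10.0.0.7 http://hertretletan[.]ru/file.php?document={_VICTIM_B64}",
    "2017-05-12T14:02:13Z 10.0.0.7 http://www.example.com/index.html",
    "2017-05-12T14:03:40Z 10.0.0.9 http://hertretletan[.]ru/file.php?document=not-base64!!",
    "2017-05-12T14:04:02Z 10.0.0.9 http://hertretletan[.]ru/file.php?document=aGVsbG8=",
]

if __name__ == "__main__":
    for hit in find_lure_hits(SAMPLE_LOG):
        print(hit)
```

The `validate=True` flag matters: without it `b64decode` silently discards non-alphabet characters, so junk such as `not-base64!!` would decode to garbage instead of being rejected. The `+` to space fix is also deliberate, since query-string parsing treats `+` as an encoded space and would otherwise corrupt a valid base64 value.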
Doing some additional searching, I realized that this domain was part of a Hancitor spam campaign from early May. That campaign used several lure themes, including the one that targeted my friend Jon, and in the same campaign the actors also distributed weaponized Microsoft Word documents that dropped Hancitor itself.
The first thing I wanted to do was look up information specifically on the hertretletan domain.
Although it was registered under privacy protection, I pivoted off of its IP address: 47[.]91[.]90[.]51. Two additional domains are hosted on that IP: andsihowdint[.]ru and rewthenreti[.]ru. Both were used as parallel infrastructure in the same Hancitor campaign as the hertretletan domain. Attackers often stand up parallel infrastructure for a single malware campaign: C2 servers placed in the victims' region give a shorter round trip, and spare C2 servers add redundancy and resiliency, so the campaign keeps its connectivity when individual servers are taken down.
Additionally, I wanted to look at Passive DNS (pDNS) for 47[.]91[.]90[.]51 with the hope that I could find additional campaigns or other samples residing in the same ‘neighborhood.’
This pDNS pivot exposed the following additional Hancitor malware campaign C2s:
Some of these were mentioned in the helpful IOC summary sheet DocuSign released 3 days ago.
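The domain-to-IP-to-domain pivot described above is mechanical enough to script once you have pDNS records in hand. The block below is an added example, not code from the original post or a DomainTools product: it walks a small set of constructed passive DNS records (the three .ru domains and 47.91.90.51 are from the post; every other name and address is made up, using RFC 5737 test ranges) breadth-first from a seed domain, stops at a hop limit, drops resolutions older than a chosen date, and refuses to expand IPs that host more than a handful of names, which is how a pivot avoids pulling an entire shared-hosting neighbourhood into the cluster.

```python
from collections import defaultdict, deque

# Constructed passive DNS records: (domain, ip, first_seen, last_seen). The three .ru
# domains and 47.91.90.51 are the ones named in the post; everything else is made up
# here to show where a pivot branches and where it should stop.
PDNS = [
    ("hertretletan.ru", "47.91.90.51", "2017-05-01", "2017-05-12"),
    ("andsihowdint.ru", "47.91.90.51", "2017-05-01", "2017-05-12"),
    ("rewthenreti.ru", "47.91.90.51", "2017-05-02", "2017-05-12"),
    ("rewthenreti.ru", "198.51.100.23", "2017-04-20", "2017-04-30"),  # earlier hosting (constructed)
    ("lure-one.example", "198.51.100.23", "2017-04-18", "2017-05-03"),
    ("lure-one.example", "192.0.2.77", "2017-03-01", "2017-04-17"),
    ("lure-two.example", "192.0.2.77", "2017-03-05", "2017-04-17"),
    ("andsihowdint.ru", "203.0.113.10", "2017-05-10", "2017-05-12"),  # parked on shared hosting (constructed)
    ("tenant-a.example", "203.0.113.10", "2016-01-01", "2017-05-12"),
    ("tenant-b.example", "203.0.113.10", "2016-01-01", "2017-05-12"),
    ("tenant-c.example", "203.0.113.10", "2016-01-01", "2017-05-12"),
]


def build_indexes(records, since=None):
    """Index records both ways; drop resolutions whose last_seen predates `since` (ISO date string)."""
    by_domain = defaultdict(set)
    by_ip = defaultdict(set)
    for domain, ip, _first_seen, last_seen in records:
        if since is not None and last_seen < since:
            continue
        by_domain[domain].add(ip)
        by_ip[ip].add(domain)
    return by_domain, by_ip


def pivot(records, seed, max_hops=2, max_domains_per_ip=3, since=None):
    """Breadth-first pivot: seed domain -> its IPs -> co-hosted domains -> their IPs ...

    Returns (reached, skipped_ips). `reached` maps each domain to its distance from the
    seed in domain->IP->domain hops; `skipped_ips` lists addresses hosting more than
    max_domains_per_ip names (shared hosting, CDNs), which are reported but not expanded.
    """
    by_domain, by_ip = build_indexes(records, since)
    reached = {seed: 0}
    skipped = set()
    queue = deque([seed])
    while queue:
        domain = queue.popleft()
        hop = reached[domain]
        if hop >= max_hops:
            continue
        for ip in sorted(by_domain[domain]):
            neighbours = by_ip[ip]
            if len(neighbours) > max_domains_per_ip:
                skipped.add(ip)  # too noisy to be attacker-controlled infrastructure on its own
                continue
            for other in sorted(neighbours):
                if other not in reached:
                    reached[other] = hop + 1
                    queue.append(other)
    return reached, sorted(skipped)


if __name__ == "__main__":
    reached, skipped = pivot(PDNS, "hertretletan.ru")
    for domain, hop in sorted(reached.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"hop {hop}: {domain}")
    print("not expanded (shared hosting):", skipped)
```

Two knobs matter in practice. `max_domains_per_ip` is the difference between a usable cluster and a graph of every tenant on a cheap VPS provider, and `since` keeps stale resolutions (a domain that sat on some shared IP years ago) from dragging unrelated history into the current campaign.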
The modern-day cybercriminal has a broad toolset at their disposal. Criminals regularly diversify their business interests, just like any legitimate entrepreneur; the difference is that cybercriminals diversify into additional malware families. Attackers routinely run concurrent campaigns on the same infrastructure with different malware to ensure a consistent revenue stream.
Much of the infrastructure connected through passive DNS is tied to other campaigns, including the Jaff, Cerber, Sage 2.0, TeslaCrypt 2 and Locky ransomware campaigns. Some of these campaigns date back to February 2013, while others were still active at the time of writing.
The Maltego graph (organic layout) gives more insight into how malware campaigns and families cluster around the same attacker or group of attackers working together. Looking closer at the clustering, the primary pivots off the domains from Jon's phishing email connect malspam campaigns from several malware families.
Finally, we dropped the DocuSign brand into our PhishEye product and it surfaced a long list of domains abusing the brand, including 36 that have already been blocklisted by reputable security firms and another 12 that DomainTools has scored above 70 in its proprietary Risk Scoring model but that have yet to appear on the same well-known blocklists:
PhishEye will continue to monitor for new domain registrations that abuse the DocuSign brand and deliver them to us in real time. In the meantime, it can't hurt to block all of these on your network.
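Brand monitoring of this kind comes down to generating the permutations a phisher is likely to register and matching new registrations against them. The block below is an added example, not PhishEye or any other DomainTools code: it generates common typosquat variants of the DocuSign label (omission, as in docusgn; transposition; repeated letters; digit and letter homoglyphs; hyphenation), then triages a constructed feed of newly registered domains, flagging both direct variants and brand-combination names such as a lookalike with "-login" appended. The feed entries other than docusgn[.]com are made up for the example, and the suffix handling is deliberately naive (it assumes a one-label public suffix).

```python
BRAND = "docusign"

# Characters commonly swapped for lookalikes; extend as needed.
HOMOGLYPHS = {"o": ["0"], "i": ["1", "l"], "l": ["1", "i"], "s": ["5"], "g": ["q"], "u": ["v"]}


def typo_variants(brand):
    """Return {variant_label: technique} for common typosquat permutations of a brand label."""
    variants = {}
    n = len(brand)
    for i in range(n):  # omission: docusgn
        variants.setdefault(brand[:i] + brand[i + 1:], "omission")
    for i in range(n - 1):  # transposition: dcousign
        variants.setdefault(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:], "transposition")
    for i in range(n):  # repetition: doccusign
        variants.setdefault(brand[:i] + brand[i] + brand[i:], "repetition")
    for i, ch in enumerate(brand):  # homoglyph: d0cusign
        for sub in HOMOGLYPHS.get(ch, []):
            variants.setdefault(brand[:i] + sub + brand[i + 1:], "homoglyph")
    for i in range(1, n):  # hyphenation: docu-sign
        variants.setdefault(brand[:i] + "-" + brand[i:], "hyphenation")
    variants.pop(brand, None)  # a permutation can reproduce the brand itself; never flag that
    return variants


def classify_domain(domain, brand=BRAND, variants=None):
    """Return the squatting technique a domain appears to use, or None if it looks unrelated."""
    variants = variants if variants is not None else typo_variants(brand)
    labels = domain.lower().strip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]  # naive: treats co.uk-style suffixes wrongly
    if sld == brand:
        return None  # the brand's own registrations belong on an allowlist, not in the triage queue
    if sld in variants:
        return variants[sld]
    if brand in sld:
        return "brand-combo"  # docusign-login, securedocusign, ...
    for part in sld.split("-"):  # a typo plus a bolt-on word: docusgn-secure
        if part in variants:
            return variants[part] + "+combo"
    return None


def triage(candidates, brand=BRAND, allowlist=frozenset()):
    """Return [(domain, technique)] for every candidate that looks like it abuses the brand."""
    variants = typo_variants(brand)
    flagged = []
    for domain in candidates:
        if domain.lower() in allowlist:
            continue
        technique = classify_domain(domain, brand, variants)
        if technique is not None:
            flagged.append((domain, technique))
    return flagged


# Constructed registration feed: only docusgn.com is taken from the post.
SAMPLE_FEED = [
    "docusgn.com", "d0cusign.net", "docusign-login.com", "documents.com",
    "docusign.com", "docu-sign.org", "docusgn-secure.info", "dcousign.com",
]

if __name__ == "__main__":
    for domain, technique in triage(SAMPLE_FEED):
        print(f"{domain:24s} {technique}")
```

Matching on the second-level label rather than the whole name is what lets `dse.docusgn.com`-style subdomains and the bare registration hit the same rule; the allowlist is there because a brand's legitimate regional and campaign domains will otherwise show up as "brand-combo" hits every time the feed is run.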
- SHA-256: fff786ec23e6385e1d4f06dcf6859cc2ce0a32cee46d8f2a0c8fd780b3ecf89a
- SHA-256: 4120d017f262c600b38da267d79c7d2a4f6305ac04a45889645861e02e781d29