Cyber Security News

Threat Actors Use VPS Hosting Providers to Deliver Malware and Evade Detection

Cybercriminals are intensifying phishing campaigns to spread the Grandoreiro banking trojan, targeting users primarily in Mexico, Argentina, and Spain.

A detailed analysis by Forcepoint X-Labs reveals the sophisticated techniques employed by these attackers to evade detection and deliver malware.

Phishing Tactics and Infrastructure

The campaign begins with phishing emails purportedly from tax agencies, containing high-importance tax penalty warnings in Spanish.

Grandoreiro attack chain

These messages use a mix of VPS hosting and cloud storage services for distribution.

Initially, an email with a spoofed sender address, possibly sent through OVHcloud infrastructure, urges the recipient to click a “Download PDF” button whose link points to a Contabo VPS (hxxps://vmi[.]contaboserver[.]net).

The VPS hostname changes from campaign to campaign, so each run presents a fresh URL and a blocklist of previously seen links offers little protection.

Once clicked, the link redirects victims to download a zip payload from Mediafire, a popular file-sharing service.

The archive contains large, obfuscated Visual Basic Script (VBS) files; the size and obfuscation are there to slow down analysis and defeat simple content inspection.

The VBS files are additionally encrypted or password-protected to slip past security checks, and they carry base64-encoded ZIP archives embedded in the script body.

When executed, the scripts drop and run a disguised EXE that opens a connection to a command-and-control (C2) server in Amazon Web Services (AWS) IP space (18[.]212[.]216[.]95:42195).

The EXE, compiled with Delphi, displays a fake Acrobat Reader error so the user believes the download simply failed, and it uses a custom User-Agent string for its C2 connections, which is itself a usable network detection artefact.
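To make the dropper stage concrete, the following is an added triage example, not code from the article or from Forcepoint. It carves base64-encoded ZIP archives out of a VBS file, first joining the `"..." & "..."` string-concatenation fragments that obfuscators use to split a blob, then flags archive members that begin with an MZ header (an executable whatever its extension) and records, without opening them, any members whose ZIP flag marks them as encrypted, which is the password-protected case the report describes. The sample dropper it runs on is constructed inline for the demonstration; the file name payload.exe and the script layout are assumptions, not indicators from the campaign.

```python
"""Carve base64-encoded ZIP archives out of an obfuscated VBS dropper.

Added triage example; the sample dropper below is constructed, not a
campaign artefact.  Intended use: run over a suspicious .vbs offline and
see what it would drop without ever executing it.
"""
import base64
import io
import re
import zipfile

# Quoted fragments joined with & (optionally across a _ line continuation):
#   "UEsD" & _
#   "BBQA"        -> "UEsDBBQA"
CONCAT_RE = re.compile(rb'"\s*&\s*(?:_\s*)?"')
# A run of base64 text long enough to plausibly hold an archive.
B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
ZIP_MAGIC = b"PK\x03\x04"
PE_MAGIC = b"MZ"
ZIP_FLAG_ENCRYPTED = 0x1


def join_string_fragments(vbs: bytes) -> bytes:
    """Undo "abc" & "def" concatenation so a split blob becomes one run."""
    return CONCAT_RE.sub(b"", vbs)


def carve_embedded_zips(vbs: bytes) -> list[dict]:
    """Return one record per base64 blob that decodes to a ZIP archive."""
    hits = []
    for m in B64_RUN_RE.finditer(join_string_fragments(vbs)):
        blob = m.group(0)
        blob = blob[: len(blob) - len(blob) % 4]      # drop a ragged tail
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:                            # not valid base64
            continue
        if not decoded.startswith(ZIP_MAGIC):
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(decoded))
        except zipfile.BadZipFile:                    # truncated or fake header
            continue
        with zf:
            members, pe_members, encrypted = [], [], []
            for zi in zf.infolist():
                members.append(zi.filename)
                if zi.flag_bits & ZIP_FLAG_ENCRYPTED:
                    encrypted.append(zi.filename)     # password-protected: do not read
                    continue
                with zf.open(zi) as f:
                    if f.read(2) == PE_MAGIC:         # executable regardless of extension
                        pe_members.append(zi.filename)
        hits.append({
            "offset": m.start(),        # offset within the de-concatenated script
            "zip_size": len(decoded),
            "members": members,
            "pe_members": pe_members,
            "encrypted_members": encrypted,
        })
    return hits


def build_sample_dropper() -> bytes:
    """Constructed stand-in for a dropper: a benign ZIP holding a file that
    merely begins with 'MZ', base64-encoded and split into VBS fragments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.exe", PE_MAGIC + b"\x00" * 510)   # not a real PE
    b64 = base64.b64encode(buf.getvalue())
    chunks = [b64[i:i + 60] for i in range(0, len(b64), 60)]
    body = b' & _\r\n    '.join(b'"' + c + b'"' for c in chunks)
    return (b'Dim blob\r\nblob = ' + body + b'\r\n'
            b'Set fso = CreateObject("Scripting.FileSystemObject")\r\n')


if __name__ == "__main__":
    for hit in carve_embedded_zips(build_sample_dropper()):
        print(hit)
```

The script never executes the VBS and never extracts an encrypted member; a password-protected archive is reported by name so the analyst knows the password has to be recovered from the script logic before the payload can be inspected.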

Error prompt

It then searches the host for credentials to steal, paying particular attention to directories likely to hold Bitcoin wallets.

Indicators of Compromise (IOCs)

Defenders should watch for the following indicators:

  • Embedded Download URLs: hxxps://vmi[.]contaboserver[.]net subdomains.
  • Re-directional URLs: Links to Mediafire downloads.
  • C2 Servers: AWS IP addresses used for communication.
  • File Hashes: SHA-1 hashes of the specific EXE and ZIP samples.

Forcepoint customers are safeguarded at multiple stages:

  • Stage 2 (Lure): Suspicious URLs embedded in emails are blocked.
  • Stage 3 (Redirect): Mediafire download URLs are blocked before the ZIP is fetched.
  • Stage 5 (Dropper File): Malicious files are added to a blocklist.
  • Stage 6 (Call Home): C2 IP addresses are blocked.
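As an added example, not code from the article or from Forcepoint, the following Python script sweeps proxy and firewall log lines for the indicators listed above, maps each hit onto the stage names used in the list (Lure, Redirect, Call Home) and correlates hits per internal host, so that a lone Mediafire download is reported as weak evidence while the ordered Lure -> Redirect -> Call Home sequence from one host, or any beacon to the C2 endpoint, is reported as high severity. The log format and the sample lines are constructed for the demonstration; the Contabo hostname pattern, the Mediafire domain match and the one-hour correlation window are assumptions, while the C2 address 18.212.216.95:42195 is the one quoted in the article.

```python
"""Sweep constructed proxy/firewall log lines for the published Grandoreiro
indicators and correlate them per source host into the report's stages.

Added example; the log format and SAMPLE_LOG are constructed, not real data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Indicators from the article (defanged there, re-fanged here).
LURE_HOST = re.compile(r"^vmi[^.]*\.contaboserver\.net$", re.I)   # Contabo VPS hosts (assumed pattern)
REDIRECT_HOST = re.compile(r"(^|\.)mediafire\.(com|net)$", re.I)  # ZIP staging (assumed domains)
C2_ENDPOINTS = {("18.212.216.95", 42195)}                          # AWS-hosted C2 quoted in the article

STAGE_ORDER = ("lure", "redirect", "call_home")

# Constructed log format (not a real product's): ts src dst dport method url
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+) (?P<method>\S+) (?P<url>\S+)$")

SAMPLE_LOG = """\
2025-04-10T09:12:01Z 10.0.0.5 203.0.113.10 443 GET https://vmiEXAMPLE.contaboserver.net/files/get.php?id=1
2025-04-10T09:12:04Z 10.0.0.5 203.0.113.20 443 GET https://download.mediafire.com/example/lure.zip
2025-04-10T09:15:30Z 10.0.0.5 18.212.216.95 42195 CONNECT -
2025-04-10T09:20:00Z 10.0.0.7 203.0.113.20 443 GET https://www.mediafire.com/file/legit-share.zip
2025-04-10T09:21:00Z 10.0.0.9 198.51.100.3 443 GET https://www.example.com/
2025-04-10T09:40:12Z 10.0.0.11 18.212.216.95 42195 CONNECT -
"""


def classify(line: str):
    """Return (timestamp, src, stage) for a line that hits an IOC, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    src = m["src"]
    if (m["dst"], int(m["dport"])) in C2_ENDPOINTS:      # exact IP:port, never the whole AWS range
        return ts, src, "call_home"
    host = urlsplit(m["url"]).hostname or ""
    if LURE_HOST.match(host):
        return ts, src, "lure"
    if REDIRECT_HOST.search(host):
        return ts, src, "redirect"
    return None


def severity(stages, full_chain):
    if full_chain or "call_home" in stages:
        return "high"      # beaconing to the C2 is damning on its own
    if "lure" in stages:
        return "medium"    # the user reached the Contabo lure page
    return "low"           # a Mediafire download alone is common, usually benign traffic


def correlate(lines, window=timedelta(hours=1)):
    """Per source host: stages seen, whether the ordered Lure -> Redirect ->
    Call Home chain occurred within `window`, and a severity label."""
    by_src = defaultdict(list)
    for line in lines:
        hit = classify(line)
        if hit:
            ts, src, stage = hit
            by_src[src].append((ts, stage))
    report = {}
    for src, events in by_src.items():
        events.sort()
        stages_seen = {s for _, s in events}
        idx, start = 0, None
        for ts, stage in events:                       # walk events in kill-chain order
            if idx < len(STAGE_ORDER) and stage == STAGE_ORDER[idx]:
                start = ts if start is None else start
                if ts - start > window:
                    break
                idx += 1
        full_chain = idx == len(STAGE_ORDER)
        report[src] = {
            "stages": sorted(stages_seen, key=STAGE_ORDER.index),
            "full_chain": full_chain,
            "severity": severity(stages_seen, full_chain),
        }
    return report


if __name__ == "__main__":
    for src, r in correlate(SAMPLE_LOG.splitlines()).items():
        print(src, r)
```

The matching deliberately keys on the VPS hostname pattern, the file-sharing domain and the exact IP:port pair rather than on the providers: Contabo, Mediafire and AWS all carry large volumes of legitimate traffic, which is exactly why the attackers chose them, so a provider-wide block would cause more harm than the campaign.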

Network security solutions should also leverage GTI file reputation services to detect and block these threats.

According to the report, the campaign illustrates a broader trend in cybercrime: attackers rent legitimate VPS and cloud storage services so that their traffic blends in with ordinary use of those providers.

Tracking IOCs and layering email and web filtering remain the practical defences, with one caveat: blocking these providers wholesale is rarely acceptable, so detections have to key on the specific hostnames, URL patterns and IP:port pairs rather than on Contabo, Mediafire or AWS as a whole.

Users must remain cautious, especially with unsolicited emails, to avoid falling prey to these scams.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
