Last Updated: 2023-05-27 03:19:36 UTC
by Brad Duncan (Version: 1)
Twitter user @0xToxin has reported seeing malicious emails impersonating DocuSign with HTML attachments this past week or so. Samples are available here.
Very little public information exists on this specific campaign, so today's diary reviews information on it.
Although Twitter user @ffforward has stated this campaign started sometime in 2022, I can only confirm one additional date based on the HTML template, file name, and post-infection traffic from @0xToxin's publicly-shared samples.
I collected the following data from VirusTotal and confirmed it is the same campaign.
- File name: May10-Invoice-DocuSign-6345036.html
- File name: May10-Invoice-DocuSign-945225.html
- File name: May10-Invoice-DocuSign-91218.html
- File name: Invoice DocuSign May 25 2023 6841006.html
- SHA256 hash: d075b86f23ea2f16db1bbbe5d8b141fde60b1655fc48b46335bb8554235bac32
- File name: Invoice DocuSign May 25 2023 34261.html
Preliminary analysis indicates all HTML file attachments for a specific day of spamming generate the same file hash for the downloaded zip archive and extracted .js file.
Images From An Infection
Traffic From An Infected Windows Host
Traffic from this infection occurs using HTTP GET and POST requests to 159.65.42[.]223 over TCP port 80. The initial HTTP GET request returns script to gather information about the infected Windows host. The second HTTP request is a POST that sends the collected information to the C2 server. After that initial POST request, the infected Windows host checks in to the C2 server approximately once every minute.
The 16-character string at the end of the C2 URL is unique for each infected host.
I let the infection run in my lab for over an hour, but I saw no follow-up activity. Only the check-in traffic every minute.
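The once-a-minute check-in to 159.65.42[.]223 is the most reliable thing to hunt for in proxy or Zeek logs until the actor rotates C2. The script below is an added example written for this diary, not the diary's own code or anything recovered from the malware: it parses constructed HTTP log lines, groups requests to the C2 IP by source host, flags hosts whose POST check-ins repeat at roughly 60-second intervals, and pulls the 16-character per-host identifier off the end of the URI. The URI paths, timestamps, internal hosts and the assumption that the identifier is alphanumeric are all constructed for the sample; the diary does not publish the real path.

```python
"""Periodic-beacon detector for the C2 check-in pattern described in the diary.

Added example, not from the diary. Scans constructed HTTP log lines in the form
"<iso-timestamp> <src-ip> <dst-ip>:<port> <method> <uri>" for hosts that POST to
the C2 IP at a near-constant interval and extracts the 16-character host token
from the end of the URI. Paths, hosts and timestamps are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime
import re
import statistics

C2_IP = "159.65.42.223"                          # C2 server named in the diary
TOKEN_RE = re.compile(r"/([A-Za-z0-9]{16})$")    # 16-char id at end of URI (alphanumeric is an assumption)

# Constructed sample log: one infected host (10.0.0.5) and one benign host (10.0.0.7).
SAMPLE_LOG = """\
2023-05-25T14:00:02Z 10.0.0.5 159.65.42.223:80 GET /c2/init
2023-05-25T14:00:04Z 10.0.0.5 159.65.42.223:80 POST /c2/report/Ab3dE9fGh1jK2lM4
2023-05-25T14:01:04Z 10.0.0.5 159.65.42.223:80 POST /c2/ping/Ab3dE9fGh1jK2lM4
2023-05-25T14:02:05Z 10.0.0.5 159.65.42.223:80 POST /c2/ping/Ab3dE9fGh1jK2lM4
2023-05-25T14:03:04Z 10.0.0.5 159.65.42.223:80 POST /c2/ping/Ab3dE9fGh1jK2lM4
2023-05-25T14:04:06Z 10.0.0.5 159.65.42.223:80 POST /c2/ping/Ab3dE9fGh1jK2lM4
2023-05-25T14:00:10Z 10.0.0.7 93.184.216.34:80 GET /index.html
2023-05-25T14:07:30Z 10.0.0.7 93.184.216.34:80 GET /about.html
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, uri = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "dst": dst_ip,
            "port": int(dst_port),
            "method": method,
            "uri": uri,
        })
    return events


def host_token(uri):
    """Return the trailing 16-character identifier from a C2 URI, or None."""
    m = TOKEN_RE.search(uri)
    return m.group(1) if m else None


def find_beacons(events, c2_ip=C2_IP, period=60.0, tolerance=5.0, min_hits=3):
    """Map each source host that beacons to c2_ip on TCP/80 to its token and
    the observed inter-request gaps in seconds. Only POST check-ins are timed,
    so the initial GET that fetches the collection script does not skew the
    interval estimate."""
    by_src = defaultdict(list)
    for e in events:
        if e["dst"] == c2_ip and e["port"] == 80 and e["method"] == "POST":
            by_src[e["src"]].append(e)

    hits = {}
    for src, posts in by_src.items():
        if len(posts) < min_hits:
            continue
        posts.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(posts, posts[1:])]
        # Median is robust to a single delayed or missed check-in.
        if abs(statistics.median(gaps) - period) > tolerance:
            continue
        tokens = {t for t in (host_token(e["uri"]) for e in posts) if t}
        # One infected host should carry exactly one identifier across its check-ins.
        hits[src] = {"token": tokens.pop() if len(tokens) == 1 else None, "intervals": gaps}
    return hits


if __name__ == "__main__":
    for src, info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: token={info['token']} gaps={info['intervals']}")
```

Run as-is against the embedded sample, or replace `SAMPLE_LOG` with lines converted from your own proxy or Zeek http.log; the period and tolerance are parameters so the same detector can be retuned once the actor changes the check-in interval.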
This campaign may have started sometime last year. C2 traffic is based on the scheduled task as shown above in Image 4. This script-based malware sends information about the infected host to a C2 server. At some point, this would probably lead to further malware.
So far, the collected malware is available on Malware Bazaar using the tag 159-65-42-223, at least until the threat actor decides to change C2 servers.
If anyone knows further information on this campaign, feel free to share in the comments!
brad [at] malware-traffic-analysis.net