OWA Phish – a new vector (2)

Research

15 Oct 2009

minute read

Authors

Sergey Golovanov

Here are some technical details to expand on the previous post from Darya.

1. The Spam

According to our preliminary research, the spam emails which attacked OWA users, including Kaspersky, were sent using the pushdo botnet – which is based on malware from the Backdoor.Win32.NewRes family. These Trojans spread via spam, social networks (in conjunction with the Koobface family) and through hacked websites.

The spam emails link to a phishing webpage which is registered to 15 dynamic IP addresses located in separate IP sectors and which are constantly changing.

2. The Phish

An analysis of the phishing site proves that the criminals are using rock phishing techniques – typical rock phish structure and together with dynamic content which morphs to target users from the domain under attack.

3. The Trojan

This OWA phishing attack is spreading a variant of Trojan-Spy.Win32.Zbot – a Trojan which steals passwords fstored on the infected machines; specifically passwords to local applications, passwords to websites etc. The Trojan also has keyboard logger functionality. Finally, this Zbot can also download other malware if required. In this instance, the command and control center is located in the Ukraine.

Summary

This particular attack is using well-known methods overall. The notable features of the attack are the domain name spoofing and the creation of a phishing site which mimics OWA pages. The rest is as usual.

Authors

Sergey Golovanov

OWA Phish – a new vector (2)

Latest Posts

Latest Webinars

Reports

Kaspersky analyzes SideWinder APT’s recent activity: new targets in the MiddleEast and Africa, post-exploitation tools and techniques.

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

Kaspersky has identified a new EastWind campaign targeting Russian organizations and using CloudSorcerer as well as APT31 and APT27 tools.

The report features the most significant developments relating to APT groups in Q2 2024, including the new backdoor in Linux utility XZ, a new RAT called SalmonQT, and hacktivist activity.

OWA Phish – a new vector (2)

1. The Spam

2. The Phish

3. The Trojan

Summary

GReAT Ideas. Balalaika Edition

GReAT Ideas. Green Tea Edition

GReAT Ideas. Powered by SAS: malware attribution and next-gen IoT honeypots

GReAT Ideas. Powered by SAS: threat actors advance on new fronts

GReAT Ideas. Powered by SAS: threat hunting and new techniques

DarkVishnya: Banks attacked through direct connection to local network

KoffeyMaker: notebook vs. ATM

Happy IR in the New Year!

ATMitch: remote administration of ATMs

Online Banking Faces a New Threat

Loose-lipped neural networks and lazy scammers

Web tracking report: who monitored users’ online activities in 2023–2024 the most

Indirect prompt injection in the real world: how people manipulate neural networks

Cybersecurity in the SMB space — a growing threat

Analysis of user password strength

Latest Posts

Loose-lipped neural networks and lazy scammers

Risk reduction redefined: How compromise assessment helps strengthen cyberdefenses

Lumma/Amadey: fake CAPTCHAs want to know if you’re human

The Crypto Game of Lazarus APT: Investors vs. Zero-days

Latest Webinars

Inside the Dark Web: exploring the human side of cybercriminals

The Cybersecurity Buyer’s Dilemma: Hype vs (True) Expertise

Cybersecurity’s human factor – more than an unpatched vulnerability

Building and prioritizing detection engineering backlogs with MITRE ATT&CK

Reports

Beyond the Surface: the evolution and expansion of the SideWinder APT group

BlindEagle flying high in Latin America

EastWind campaign: new CloudSorcerer attacks on government organizations in Russia

APT trends report Q2 2024

Subscribe to our weekly e-mails