Enigma Forensics cyber security and computer forensics expert, Lee Neubecker discovered a morphing piece of malware code named Chameleon Spearfish, that targets Microsoft Office 365 users. This notice is an effort to help Microsoft exchange administrators running Microsoft Office 365 identify the malware and protect their users from compromise. Microsoft issued an advisory last week alleging that Iranian hackers have been targeting Office 365 accounts.
Characteristics of the malware
The malware is spread when an Office 365 end user clicks on an emailed pdf attachment. Users who do not open the attachment but reply to the compromised sender may receive an auto reply directing them to a sharepoint.com subdomain website. The page appears to be the compromised organization’s download site and displays a protected by Norton logo.
We have observed both the original inbound attachment and the outbound attachment that gets sent onward to the compromised user’s address book. Thus far, only users of Office 365 appear to be targeted. It appears that the malware checks the compromised user’s contacts and performs an mx record query to determine which contacts in the compromised user’s contact address book are hosting their email with Microsoft.
The inbound pdf conforms to an identifiable schema.
- The message uses the compromised user’s signature at the bottom of the email.
- The file attachment has a name similar to the following:
“Proposal Invitation 10-7-2019.pdf”, “Proposal Note 10-8-2019.pdf”
- The hash values of the file attachment are unique and not reported as problematic at the time the malware is morphed.
- The body content of the message varies, but is designed to induce the user to click on the pdf suggesting it is a proposal for business.
- Users clicking the pdf are directed to the following website where the user is asked to provide their Office 365 Exchange Credentials.
- One of the samples directed the user to a specific url on the following domain, https://adswbellc-my.sharepoint.com (Pinging this address resolves to 184.108.40.206, an Akamai IP address which may vary depending on the source computer performing the ping).
- Another of the samples when clicked directed the user to a link on the following subdomain https://netorgft2768825-my.sharepoint.com (Pinging this address resolves to 220.127.116.11 a microsoft.com IP address).
- Future instances of this may be uploading further documents to other compromised Office 365 SharePoint websites.
Once the pdf attachment is clicked on, the malware appears to morph itself making it undetectable by any of the common antivirus solutions and begins further distribution and propagation.
Analysis of email headers on inbound and outbound messages containing the compromised pdf indicates the MAPI protocol is used to relay the message onwards to the compromised user’s contacts. Only Outlook.com and Office 365 users appear to be targeted by Chameleon Spearfish. Analysis of the malware code is in progress, but it appears that the emails are distributed from software running on the compromised end user’s machine using the MAPI protocol to connect to Office 365.
Items in the compromised user’s sent folder are purged by the malware, making it difficult to understand who received the morphed copy of the malware. Organizations using Office 365 Compliance functions should be able to determine any outbound messages sent by a compromised account by searching their enterprise.
Protective Recommended Measures
- Make a local DNS entry or local machine HOSTS file entry to sandbox adswbellc-my.sharepoint.com to 0.0.0.0.
- Consider blocking all sharepoint.com traffic outbound with an exception for your internal sharepoint.com subdomain if applicable.
- Search your mailbox and Outlook 365 compliance for “Proposal*10-*-2019.pdf”
- Search firewall traffic logs for users visiting any sharepoint.com website, but especially adswbellc-my.sharepoint.com.
What to do if you are compromised?
- Rotate end user passwords for any user that clicked on the pdf and do this from a machine that is secure.
- Back up data from compromised computer and deploy fresh image of the operating system and programs.
- Notify any downstream impacted users about the compromise by sending them a link to this article if you or anyone in your organization was compromised.
- Consider hiring our firm to assist you if you have a severe outbreak.