BEC or Business Email Compromise is a significant problem for businesses around the world. According to the Federal Bureau of Investigation (FBI), BEC costs victims more money than ransomware, with an estimated US$2.4 billion being lost to BEC in the US in 2021. This amount accounts for a large share of the US$6.9 billion that Americans lost to the combination of ransomware, BEC, and financial scams, based on the FBI report. Recently, BEC scammers have been using stolen accounts from legitimate Simple Mail Transfer Protocol (SMTP) services like SendGrid to send emails designed to bypass the filters from email service providers and security services that protect emails. By using these genuine services (but with stolen accounts), scammers can legitimise their emails. These schemes, when combined with cybercrime and open-source tools, often lead to BEC campaigns that are highly effective and successful for the scammers.
In September 2022, Trend Micro researchers observed a new potential BEC campaign that was targeting large companies around the world which we believe has been running since April 2022. By carefully selecting their target victims and leveraging open-source tools, the group behind this campaign stayed under the radar for quite some time.
Once the email attachment is opened, the target’s computer will reach out to the command-and-control (C&C) server hosting a BadaxxBot toolkit that acts as a redirector to the final phishing page. The redirector C&C server can also filter incoming traffic and redirect victims by checking the IP address and user-agent of their target. If criteria does not match the target victim’s, users are either redirected to a normal website (in this case a Google Search result for “covid”) or shown a 404 page. However, this functionality can also be skipped by the threat actors, who can just redirect any visitors to the final phishing page.
The final phishing page uses the open-source framework Evilginx2 for phishing login credentials and session cookies. This toolkit was discovered being used by a group that targeted more than 10,000 organisations for BEC campaign back in July via the Microsoft Research Team. However, we didn’t find any links to the Water Dybbuk group from the previous report. Both the BadaxxBot and exilginx2 toolkits that were used by the threat actors in this campaign will be explained in more detail in the analysis section.
After a successful phishing attempt, the threat actors will login to their target’s email account which will be used for BEC schemes like CEO fraud, bogus invoice scheme, account compromise, etc.
We initially came across this attack in November 2022 primarily because of the very low detection counts for its malicious attachment, and second, because we had access to a machine that was a target of this campaign. Looking back at other similar malware samples that were shared to the public, the tools, tactics, and procedures (TTPs) used in these attacks have been running under the radar since April 2022, based on the earliest shared malware sample.
How the attack works
The HTTP request for the redirect URL also includes the target’s email address. This enables the phishing attempt to look legitimate since the email address is already provided in the login screen. If there are any errors or if IP validation did not pass the server-side criteria, a default URL redirection (typically to a non-malicious URL) is performed to prevent any suspicion.
The decoded HTML page contains another redirection routine to the actual phishing page. The hardcoded URL for the final phishing page will be clearly readable after deobfuscation.
Redirector C&C: BadaxxBot
From one of the C&C servers used by Water Dybbuk redirect victims, we noticed that the threat actors used a compromised server from a government site. The files for the phishing toolkit are still hosted on the compromised server and one of the files hosted in the server revealed the name of the toolkit used in this campaign — BadaxxBot.
The BadaxxBot toolkit is advertised in a Telegram channel by the user @baddaxbot, who is responsible for selling the malware. We observed that the same @baddaxbot user was also selling compromised accounts on another Telegram channel. As the tool can be bought and leveraged by other attack groups, it would not be surprising to see this malware used in other BEC campaigns. — For example, it was also observed to be part of a campaign targeting banks in the Philippines based off the configuration files shared from VirusTotal.
The redirection ends on a C&C server hosting an Evilginx2 phishing toolkit configured for phishing credentials and session cookies from Microsoft Office 365 accounts.
Evilginx2 is a man-in-the-middle attack framework used to intercept and manipulate web traffic. It is designed to be used in phishing attacks and can be used to bypass two-factor authentication. It works by setting up a malicious web server that acts as a proxy between the victim and the legitimate website. The framework can be used to steal credentials and intercept the session cookies of commonly targeted platforms such as Microsoft Office 365, Microsoft Outlook, Facebook, and LinkedIn, amongst others.
Evilginx2 and the obfuscator are open-source, which along with the off-the-shelf malware toolkit BadaxxBot, means that they can also be used by any other cybercrime group. These combination of tools and the choice of server to deploy the redirector C&C server makes Water Dybbuk unique and worth monitoring for security teams. Based on the indicators of compromise (IOCs) and TTPs we discovered, we can track the continuous progression of this BEC group and how they change some parameters to avoid detection.
From the malware samples we found, we extracted the target email addresses and found that their profile fits perfectly with the usual target victims of BEC schemes, which are the executives and the finance department of a company. While sifting through our data sources to try and determine the impact of these attacks, we found that the potential target companies had an average annual revenue of approximately US$3.6 billion, with the largest having a revenue of US$70 billion. This shows that while the targets might be spread across the world, the attackers took the time to ensure that the victims were well worth their payouts.
While the targets of this campaign were spread across the globe, the majority were located within the United States.
We had access to a system that was a target of this attack, which provided us a unique angle that is rarely observed by researchers (unless they were also targets). This led us to gain some interesting insights into this scheme, which aided us in finding more infrastructure, and both new and historical campaigns from this threat actor.
Water Dybbuk is a BEC campaign which targets large companies using commodity malware support tools like BadaxxBot and EvilGinx2. Even though the group use phishing toolkits that are readily available, they still managed to avoid AV detections via open-source obfuscator tools. The email addresses of the targets are hard-coded into the malware, which adds legitimacy to the phishing attempt upon redirection and also reveals the targeted nature of this campaign. This indicates that the threat actors behind Water Dybbuk can filter specific victims by verifying their email addresses and IP addresses on the C&C server.
While BEC attempts involve social engineering to engage with victims and ultimately wire funds, it is important to note that phishing attempts are also typically used to gain access to email accounts that will be used for scamming victims who are contacts of the compromised account. Most of these attacks are not very technical or involve much work.
A common method of getting victimised by BEC scams is through phishing attacks. It is important for security and IT teams to continuously remind employees on how to spot such emails. Constant phishing exercises using tools such as Phishing Insight that are conducted for employees can help minimise the effectiveness of these attacks, and turn what is traditionally the weakest link for this business model (the human element) into an organisation’s greatest defensive strength.
Indicators of Compromise
The indicators of compromise for this entry can be found here.