The BaseStriker phishing attack is back – targeting CEOs

The Fujitsu Cyber Threat Intelligence (CTI) Team have recently observed the BaseStriker security flaw reported in May of this year continuing to target businesses. This time, it is selectively targeting company CEOs.

The new phishing attack researched by our team bypassed email security gateways and reached end users, while also evading the URL sandbox. This meant that the link arriving at the end user was neither rewritten nor protected, leaving a real risk of credential theft.

The BaseStriker security flaw works by splitting a malicious link into two parts (abusing the HTML "base" tag feature) so that the mail client merges them back into one link when rendering the message.

In our example we saw:

<base href="hxxps://ammosalimos.gr/wp-content/plugins/wordfence/oauth/">

href="oauth/RequestVerificationToken=………"

Once merged we get:

hxxps://ammosalimos.gr/wp-content/plugins/wordfence/oauth/oauth/RequestVerificationToken=…
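To show how a gateway or analyst can reconstruct the effective link before scanning it, here is an added Python example (not code from the Fujitsu CTI team); the phish.example domain, the token and the c value in the sample body are constructed placeholders shaped like the campaign's, not the real indicators.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class BaseTagLinkResolver(HTMLParser):
    """Collect the first <base href> and every <a href>, resolving links as a mail client would."""

    def __init__(self):
        super().__init__()
        self.base_href = None
        self.links = []  # (raw_href, effective_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href") and self.base_href is None:
            self.base_href = attrs["href"]  # browsers honour only the first <base>
        elif tag == "a" and attrs.get("href"):
            raw = attrs["href"]
            # urljoin performs RFC 3986 relative resolution: this is what the rendering
            # client does, and what a scanner that only extracts raw hrefs misses.
            self.links.append((raw, urljoin(self.base_href or "", raw)))


def find_base_split_links(html_body):
    """Return links whose raw href carries no host but which <base> turns into an absolute URL."""
    parser = BaseTagLinkResolver()
    parser.feed(html_body)
    parser.close()
    findings = []
    for raw, effective in parser.links:
        if not urlsplit(raw).netloc and urlsplit(effective).netloc:
            findings.append({"raw_href": raw, "effective_url": effective,
                             "host": urlsplit(effective).netloc})
    return findings


# Constructed sample body (placeholder domain, token and c value).
SAMPLE_EMAIL_HTML = """<html><head>
<base href="https://phish.example/wp-content/plugins/wordfence/oauth/">
</head><body>
<p>[Ticket #:48213]: Security advice for your email account.</p>
<a href="oauth/RequestVerificationToken=STATIC_TOKEN_PLACEHOLDER&amp;email=/index.php?c=aaa028aa1a015aa04">Verify account</a>
<a href="https://support.example.com/help">Help centre</a>
</body></html>"""

if __name__ == "__main__":
    for f in find_base_split_links(SAMPLE_EMAIL_HTML):
        print(f"{f['raw_href']!r} -> {f['effective_url']} (host {f['host']})")
```

Note the doubled "oauth/oauth/" in the resolved URL, which is exactly the shape of the merged link above: the base ends in "oauth/" and the relative href starts with "oauth/".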

The campaign's primary motive appears to be solely targeting CEOs of large corporations. This was a low-volume campaign aimed at high-value end users.

Campaign Details

The phishing email is put together using a random “Ticket” number to look like a plausible technical support email, as shown below:

The phishing site spoofs the Outlook Web Application and prepopulates user information and domain names to make it appear more legitimate to unsuspecting users:

Link Analysis

Our investigation into the URL found that the attackers were using an encryption key which remained static across the campaign. We saw the same key used in the various phishing emails we analysed, targeting CEOs in multiple sectors.

Static string/token:

RequestVerificationToken=pmiXqCaFYu0H4N8lFBGDE5LvnI9ty4poHb0O9QIE-PnjGAK2tOotrsbivQK2o9kTJxOJRgy4mq4BGDE5LvnI9ty4pZaFYu0H4N8lFBGDE2yDBJJvMK3OO9BsbivQK2o9kTJxOJRg41

After this token, the link continues with the parameter shown below, followed by what appears to be an encrypted string which changes for each recipient of the campaign:

&email=/index.php?c=

aaa028aa1a015aa04aa1a028a.a011aa3a08aa1a014aaaaa0a021aa07aa5a018a.a05aa1.a3a05a (example)

This string, once decrypted, contains the email address of the end user, which is then populated into the relevant field of the phishing site.

The Fujitsu CTI team continues to warn about attacks against Office 365 and Outlook Web Application and the dangers associated with credential theft – you can read our further blog post on O365 chain phishing and guidance here.

We advise security teams to check for the relevant indicators of compromise on their estate to ensure this campaign does not lead to account compromise of high value targets.

Indicators of Compromise

Email Subject: [Ticket #:<rand(int)>]: Security advice for your email account.

Malicious Domains: hxxps://ammosalimos.gr, microsoftexchangeserver.eu

Malicious IP Addresses: 92.38.139.133, 92.38.139.135
