A brazen phishing campaign took Iceland by surprise last weekend, sending malicious emails to thousands of individuals in an attempt to trick them into installing a new threat that combines code from several sources.
Even if the number of potential victims may seem low, local police say this is the largest cyber attack to hit the country. One must take into consideration that the population of Iceland is around 350,000, with about half of the citizens living in the capital city, Reykjavik. By comparison, London alone had over 8.5 million inhabitants in 2016.
Attacker uses the homograph trick
The assault started on the evening of Saturday, October 6, with messages that impersonated the Icelandic police. The emails asked the recipients to come in for questioning and warned them that non-compliance resulted in issuing an arrest warrant.
A link leading to a spoofed version of the website of Lögreglan, the Icelandic police, seemingly offered more information on the matter.
To make everything appear authentic, the author of the campaign resorted to the homograph trick, registering a domain that looked like the original ‘logreglan.is.’
“[…] the attacker registered a domain name of www.logregian.is–using a lower case ‘i’ (which on first glance, may appear like a lower case “L” or “l”),” explain researchers from Cyren working with the police during the investigation.
They add that the link in the message “switched the lower case “i” for a capital “i” or “I”, so the “i” actually looks like a small “L”—making it indistinguishable from “logreglan” to almost any web user.”
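The two tricks described above (a capital I standing in for a lower-case L, and a one-letter substitution in an otherwise identical domain) are exactly what a mail gateway or link scanner can screen for. The following is an added illustrative example, not code from Cyren or the Icelandic police: it folds confusable glyphs into a skeleton and measures edit distance against a protected domain, and the fold table and protected list are constructed assumptions for this page.

```python
"""Flag look-alike domains built from confusable letters (added, illustrative code)."""
from urllib.parse import urlparse

# Constructed fold table: glyphs that render almost like another letter are mapped
# to that letter. Capital I, the digit 1 and a pipe all pass for a lower-case L.
CONFUSABLES = {"I": "l", "1": "l", "|": "l", "0": "o", "rn": "m", "vv": "w"}

def skeleton(label: str) -> str:
    """Fold confusable glyphs before lowercasing, so 'logregIan' -> 'logreglan'."""
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label.lower()

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-letter swaps like i for l."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(link: str) -> str:
    """Extract the host as written in the email (case preserved; scheme optional)."""
    if "://" not in link:
        link = "http://" + link
    netloc = urlparse(link).netloc          # .hostname would lowercase it
    return netloc.split("@")[-1].split(":")[0]

def classify(link: str, protected=("logreglan.is",)) -> str:
    """Return 'legitimate', 'homograph', 'lookalike' or 'unrelated' for a link."""
    host = host_of(link)
    bare = host[4:] if host.lower().startswith("www.") else host
    for real in protected:
        if bare.lower() == real:
            return "legitimate"
        if skeleton(bare) == real:
            return "homograph"      # differs only by confusable glyphs (logregIan)
        if edit_distance(bare.lower(), real) <= 1:
            return "lookalike"      # one substitution away (logregian)
    return "unrelated"

if __name__ == "__main__":
    for url in ("https://www.logreglan.is/", "http://www.logregIan.is/x",
                "www.logregian.is", "https://example.org"):
        print(url, "->", classify(url))
```

Because DNS is case-insensitive, the displayed “logregIan.is” resolves to the attacker's “logregian.is”, which is why the host is inspected before lowercasing.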
Triple whammy code combo
Speaking to internetnewsblog, Cyren senior threat analyst Magni Sigurdsson says the threat is a completely new one that incorporates code similar to the Fareit info stealer for keylogging and password theft.
For the remote access part, the malware relies on code from Remcos, a tool sold commercially as a legitimate remote-access solution that has previously been abused for malicious purposes. Remcos also has a free version with remote access capabilities.
The threat also incorporates code that targets the Icelandic banks, “that is completely unique and has not been seen before,” Sigurdsson told us, adding that the malware does not create a separate process with Remcos.
Sophisticated phishing scheme
The link in the phishing messages takes the victim to a website that imitates almost to perfection the official website of the Icelandic police, and asks users to enter their social security number (SSN).
In Iceland, names and SSNs can be looked up publicly through bank-provided services, so individuals have to log into their local bank’s online account for this procedure.
If the user enters an incorrect SSN, the legitimate service displays an alert prompting for a correction. Phishing websites normally cannot verify the authenticity of the numbers, so they typically accept whatever the user types in.
In the case of this campaign, however, the attacker was somehow able to check the validity of the numbers, adding to the deception. One theory is that they are using a database that was leaked in the past.
The trap is difficult to avoid
The attacker set up a complex phishing scheme that is difficult to detect by the average user.
The fake Icelandic police website asks the victims to enter an authentication code they received in the phishing email, to get access to more details about the police case against them.
In the next step, the victim receives the alleged documents as a password-protected archive, with the password provided on the webpage. In reality, the archive contains the packed malware designed to steal information and grant the attacker remote access to the victim’s computer.
Campaign tailored for Icelanders
“The extracted .rar file is a .scr file (Windows Screensaver) disguised as a word document with a long name, so the file extension is hidden. The file name is ‘Boðun í skýrslutöku LRH 30 Óktóber.scr’ which translates roughly to ‘Called in for questioning by the police on October 30th’,” Cyren notes.
The analysis of the malware shows that the command and control (C2) servers set up to receive stolen data are in Germany and Holland.
The malware targets banking information: it checks whether the victim has access to the largest banks in Iceland, the researchers found.
The attacker remains unknown at this moment, but the police believe that the campaign is the work of someone familiar with the Icelandic administrative system. The text in the email and on the fake website supports this theory.
The defensive reaction against the campaign was swift: the landing page’s domain was taken down the day after the attack was detected.
Thousands of malicious emails were sent during the attack, but the police did not release any information about the number of victims.
Those fooled by the phishing scheme had to change all their passwords and reformat their computers, researchers say.