Fake Adobe website delivers BetaBot | by NewSky Security
Introduction
The key to a successful cyberattack is deception. In most cases, the initial attack vector requires help from the victim (for example, opening an attachment, clicking a link, visiting a website that serves an exploit, enabling macros, and so on). The technique of obtaining that help is known as social engineering. Due to increased security awareness and the use of security measures, attackers need to be creative to initiate the first stage of an attack on the victim’s system. We observed one such case where the attackers went the extra mile to impersonate a well-known site, Adobe, to deliver the BetaBot malware.
Adobe vs Adoḅe
Attackers registered a domain name that uses the Latin character “ḅ” (b with a dot below), as in “adoḅe(dot)com”. Many readers would miss the subtle difference between “b” and “ḅ”. With such a minor optical difference, even an aware end user might take it for Adobe’s official website. This type of attack, which makes use of non-English characters as a means of deception, is known as an IDN homograph attack ( https://en.wikipedia.org/wiki/IDN_homograph_attack ).
Beyond the Homograph Attack
Attackers didn’t simply stop at registering this website. They took more steps to make their lure URL appear legitimate.
Legitimate-looking file path: the payload name, as well as the entire file path in the URL, was crafted to make the link look like an Adobe Flash Player installer (as seen below). Here is how the entire link looks when sent to a potential victim via Skype:

This appears even more legitimate when presented as a hyperlink in an email body. The hyperlink underline covers the extra pixel in “ḅ”, which makes the URL visually indistinguishable from the legitimate Adobe one.

HTTPS: the attackers made their site use secured HTTP, or “https”, which is intended to add confidence that the site is legitimate and correct.

WHOIS domain information copied from the authentic Adobe record: the attackers went one step further by copying Adobe’s domain registration details into their fake website’s record. Although they copied Adobe’s physical address in San Jose correctly, they fumbled the state and country names (which they entered as Mexico instead of California and USA, respectively), oops!
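The lookalike host described above can be caught mechanically. The following is an added example, not code from the original post: a small Python detector that strips diacritics from the registrable label (so “adoḅe” reduces to “adobe”), compares the result against a constructed allow-list of protected brand labels, and shows the Punycode name that DNS actually resolves. The sample messages are constructed for this example and mimic the lure (https scheme, Flash-installer-looking path, dotted “b” in the host).

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Brand labels to protect; constructed allow-list for this example.
PROTECTED_LABELS = {"adobe"}
URL_RE = re.compile(r"https?://\S+")

# Constructed sample messages (not from the post); the second mimics the lure:
# https, an Adobe-looking path, and a dotted "b" (U+1E05) in the host.
SAMPLE_MESSAGES = [
    "Grab Flash here: https://www.adobe.com/go/getflashplayer",
    "Update needed: https://get.adoḅe.com/flashplayer/install_flashplayer.exe",
]

def skeleton(label: str) -> str:
    """Reduce a label to its base letters: NFKD splits 'ḅ' into 'b' plus
    COMBINING DOT BELOW, and the combining marks are then dropped."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))

def analyse_url(url: str) -> dict:
    """Describe a URL's hostname and name the brand it impersonates, if any."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    # Registrable label, e.g. 'adoḅe' in 'get.adoḅe.com' (no public-suffix list).
    sld = labels[-2] if len(labels) >= 2 else host
    is_idn = not sld.isascii()
    base = skeleton(sld)
    # A lookalike needs a non-ASCII label whose skeleton is a protected brand;
    # the 'https' scheme says nothing about legitimacy either way.
    impersonates = base if is_idn and base != sld and base in PROTECTED_LABELS else None
    return {
        "host": host,
        "ascii_host": host.encode("idna").decode("ascii"),  # the name DNS resolves
        "is_idn": is_idn,
        "homograph_of": impersonates,
    }

def scan_messages(messages) -> list:
    """Return hostnames of homograph lookalikes found in chat or e-mail text."""
    flagged = []
    for text in messages:
        for url in URL_RE.findall(text):
            info = analyse_url(url)
            if info["homograph_of"]:
                flagged.append(info["host"])
    return flagged
```

Running `scan_messages(SAMPLE_MESSAGES)` flags only the dotted-b host; mail and chat gateways can apply the same check to every outbound link before a user ever sees it rendered.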

Payload analysis
We observed that the downloaded executable is a variant of BetaBot. When run, the sample checks for the presence of a few antivirus products, and the malware terminates if it finds certain security software. Below is the malware code fragment that checks for the presence of certain antivirus products:

Botnet communication and callback: after decryption, we observed that the malware sends a callback to a known BetaBot C2, providing details about the victim to the URL shown below.

Besides performing data theft, it also tries to run a Bitcoin mining module on the victim’s system. Below, you can see a partial code snippet containing the Bitcoin mining module.

Conclusion

Although this is not a direct security issue with Adobe, someone impersonating their name to spread malware is obviously something we should alert Adobe about. Hence, we contacted Adobe via Twitter as well as email and informed them about the issue.
Adobe acknowledged our report and informed us that they will take appropriate action. We observed that the link to the malware is now down; however, the home page of the fraudulent Adobe site is still up as of this writing.
With so subtle a difference, such attacks can be difficult to spot. However, the usual precautions, such as not opening links from an unknown sender and re-verifying with the sender (if they are someone known) that they really sent the link or attachment, can help end users avoid becoming victims of such data theft attacks.
We have released all Indicators of Compromise to the public here: https://pastebin.com/52WEZADt
Further reading on the IDN homograph attack: https://threatpost.com/idn-homograph-attack-spreading-betabot-backdoor/127839/
Blog Authors
Ankit Anubhav, Principal Researcher, NewSky Security
Malwr_Kill ( https://twitter.com/malwr_kill )