If you go strictly by the daily news headlines, you'd think that the majority of current cybercrime issues were limited to just a few ‘hot’ areas such as China, Russia and Iran. This is far from the truth, and in fact, there has always been a great deal of concerning activity that originates from outside these ‘hot’ areas. One such area is the nation of Nigeria.
When you think of Nigeria and cybercrime, the first thing that pops into your mind is probably the familiar Nigerian “419” scams. Those enticing emails that promise huge sums of money while scamming victims out of ‘advance fees’ and personal data have become something of a punchline these days. Despite being well known, they still persist and often succeed, but in reality, these are just a minor percentage of the total cybercrime activity coming out of Nigeria.
For years now there has been a more serious Nigeria-based cyberscam with a rotating cast of actors and groups. The goal of this cyberscam is primarily financial gain, with disruption of business as a welcome side benefit. The potential, however, exists for more severe actions, in terms of physical compromise or destruction of property, cargo and possibly even human life.
Nigerian Scams Grow in Sophistication
Cylance’s investigation concentrated on an ongoing campaign out of Nigeria, primarily targeting high-impact industries in India. In particular, manufacturing, shipping, freight/cargo logistics, and transportation companies were targeted.
The immediate gain from these attacks for the cybercriminals is access to a wealth of financial data. By leveraging credential-stealing tools such as Pony and Hawkeye, the attackers are able to gain access to personal and corporate email accounts as well as breaching corporate intranets and VPNs.
But rather than simply stealing data wholesale and selling it online to the highest bidder, the attackers do something unusual: they manually read through the mail in the compromised email accounts, searching for further targets (both personal and corporate) which they can leverage to infiltrate other companies or siphon money from. The level of detail to which the attackers are privy after accessing corporate email accounts is alarming. Sensitive data including employee records, banking transactions, vehicle or ocean vessel tracking info, and standard intellectual property were all targeted and exfiltrated by this group.
There have been multiple ‘waves’ observed in these attacks, primarily spanning from October 2015 to June 2016. With the Pony Loader 2.2 infrastructure in place, the attackers were able to begin the initial stages of attack. This was typically carried out via a standard spear-phish email to individuals in targeted companies. The messages all have invoice, cargo or shipment inquiry themes, and are sent from registered domains that look very similar to the domains of legitimate companies with whom the target companies typically do business.
Figure 1: Phishing Email 1 - Bogus Cargo Inquiry (With Malicious Attachment)
Figure 2: Phishing Email 2 - Bogus Account Details Confirmation (With Malicious Attachment)
The spear-phish emails are weaponized with either .BZ or .ACE compressed executables (extracting to either .EXE or .SCR files).
Those attachments are Pony or Hawkeye trojans, which are then used to steal even more credentials and data from the targets. Once the cybercriminals have actual legitimate credentials to work with, they send further spear-phish emails to additional targets manually identified from the compromised accounts.
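The spear-phish stage described above leans on two traits a mail gateway can key on: sender domains that are near-misses of a real partner's domain (the campaign's tosihps(dot)com beside the legitimate toships(dot)net is a one-character transposition) and .BZ/.ACE archives or bare .EXE/.SCR droppers. The Python triage helper below is an added example, not Cylance's code; the partner allow-list and the messages it checks are constructed assumptions.

```python
# Triage helper for the spear-phish pattern described above (constructed example).
# Flags senders whose domain is a near-miss of a known partner domain (the
# toships.net / tosihps.com transposition) and .bz/.ace/.exe/.scr attachments.
from typing import List, Optional

# Hypothetical allow-list of partner domains the target really does business with.
PARTNER_DOMAINS = {"toships.net", "example-freight.com"}
DROPPER_EXT = (".bz", ".ace", ".exe", ".scr")
LURE_WORDS = ("invoice", "cargo", "shipment", "enquiry", "inquiry")


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance where a transposition ('toships' -> 'tosihps') costs one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[len(a)][len(b)]


def lookalike_of(sender_domain: str) -> Optional[str]:
    """Partner domain this sender imitates, judged on the label left of the TLD."""
    if sender_domain in PARTNER_DOMAINS:
        return None
    label = sender_domain.rsplit(".", 1)[0]
    for partner in sorted(PARTNER_DOMAINS):
        if damerau_levenshtein(label, partner.rsplit(".", 1)[0]) <= 2:
            return partner
    return None


def triage(sender: str, subject: str, attachments: List[str]) -> List[str]:
    """Reasons a message should be held for analyst review (empty list = clean)."""
    reasons = []
    domain = sender.rsplit("@", 1)[-1].lower()
    partner = lookalike_of(domain)
    if partner:
        reasons.append(f"sender domain {domain} resembles partner {partner}")
    for name in attachments:
        if name.lower().endswith(DROPPER_EXT):
            reasons.append(f"attachment {name} is an archive/executable type used as a dropper")
    if reasons and any(w in subject.lower() for w in LURE_WORDS):
        reasons.append("subject uses the cargo/invoice lure theme")
    return reasons
```

The lure-theme check only adds weight once another indicator has fired, so a genuine partner sending a real invoice is not held on subject wording alone.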
Figure 3: Phishing Email 3 - Bogus Outstanding Invoice Confirmation (With Malicious Attachment)
In some cases, Hawkeye and Pony are sent in the same email, as per the example in Figure 4, below:
Figure 4: Phishing Email 4 - Changi Airfreight Center Enquiry (Note Spelling Errors) - With Malicious Pony & Hawkeye Trojan Attachments
Panels and Infrastructure
Figure 5: Pony 2.2 Control Panel - 1
Cylance's primary investigative focus with these campaigns has been the wave which started in early April 2016, and (as of this writing) is still ongoing in June 2016. In early April, the attackers set up their main infrastructure via Unlimited Web Hosting out of the UK. Multiple registered domains were immediately used to set up Pony Loader panels and host associated malware:
Initial Registered Domains:
The longest-running panels (now down as of 6/14/2016) were hosted on nqvoil-sg(dot)com and pcchand(dot)com. Pony C2s were briefly active on friendship-chartering(dot)com, toships(dot)net, and tosihps(dot)com. Both the Pony-hosting domains and those not hosting Pony were observed sending out weaponized email messages, directing victims to one of the active Pony C2s:
Figure 6: Pony 2.2 Control Panel - 2
Figure 7: Pony 2.2 Control Panel - 3
Figure 8: Pony 2.2 Control Panel - 4
Figure 9: Pony 2.2 Control Panel - 5
Armed with ample sets of credentials, the attackers now have access to an enormous amount of sensitive information. This is perhaps the biggest takeaway of this post. Even if the attackers were only interested in the financial data, of which there is plenty, the potential for financial and physical damage via leveraging other segments of acquired data is alarming.
Not only do the cybercriminals have access to critical financial data such as account numbers, transaction IDs, bank routing numbers, SWIFT codes, IBAN codes, and so on, but in this case the attackers also have direct access to vehicle, shipping, and cargo logistics data. This data ranges from the routes and locations of delivery truck fleets all the way to the routing and cargo of commercial and government marine vessels. Examples of financial and transportation data gathered/monitored by the attacker are given below:
Figure 10: Confidential Banking Data Monitored by the Attackers - 1
Figure 11: Confidential Data Monitored by the Attackers - 2
Figure 12: Confidential Data Monitored by the Attackers - 3
Figure 13: Vehicle/Cargo Tracking Info Monitored by the Attackers - 1
Figure 14: Vehicle/Cargo Tracking Info Monitored by the Attackers - 2
Figure 15: Vehicle/Cargo Tracking Info Monitored by the Attackers - 3
Figure 16: Vehicle/Cargo Tracking Info Monitored by the Attackers - 4
Malware Used in the Attacks
The attackers are utilizing Pony Loader 2.2 almost exclusively for these attacks. There are a few specific targets where Hawkeye and/or Zeus came into play, but most of the focus and benefit comes from Pony. The Pony malware is purpose-built to harvest a prescribed set of credentials and data from the victim’s machine. Pony 2.2 is capable of harvesting RDP, HTTP/HTTPS, FTP, SFTP, SMTP, POP3 and IMAP credentials as well as bitcoin wallets (including Electrum and Multibit modules).
The bitcoin theft modules are relatively new to Pony Loader. That is to say, the functionality related to theft of cryptocurrencies was introduced first in version 2.0 of Pony Loader. The password stealing modules are (in standard Pony fashion) also specific to certain products.
Global Password Module List:
Figure 17: Global Password Module List -1
Figure 18: Global Password Module List - 2
Figure 19: Global Password Module List - 3
The RDP Capture module can be seen below, along with portions of the bitcoin processing modules:
Figure 20: RDP Capture Module -1
Below, we see how credentials are constructed from the data submitted from infected clients:
Figure 21: RDP Capture Module - 2
Pony Loader stores data in a local MySQL database. This functionality is outlined in database.php on the server hosting the Pony DB:
Figure 22: Pony Loader SQL Database
Here we actually see an example of the attacker leaving the MySQL credentials exposed (in the clear) in the server’s config.php:
Figure 23: MySQL Credentials - Exposed
Upon execution, Pony Loader will attempt to identify specific AV products running on the victim's machine, for evasion purposes. In the analyzed examples, the binaries are looking to identify running instances of antivirus products from the following companies:
Pony binaries (associated with these campaigns) do not stray from the natively built binaries generated by the Pony Builder, with one exception. Some of the binaries are encrypted with an off-the-shelf Crypter tool called DarkEyE Protector:
Figure 24: DarkEyE Protector Logo
In one example we looked at, the license for DarkEyE Protector is bound to / associated with the email address lakashop25(at)gmail.com (visible as an artifact embedded in the malware binary). That same email address is associated with the hosting of the Pony C2 domains.
Figure 25: Domain Hosting Purchase Showing Use of Email Address: lakashop(at)gmail.com
If we go back to some of the initial spear-phish campaigns, we can actually find one where that same email account was used to send the infected message:
Figure 26: Spear Phish Email Showing Same Email Address Used as Domain Purchaser
There are many aspects that point to Nigeria above and beyond the by-the-book modus operandi outlined in both this write-up and some of the past efforts previously referenced.
We also observed that most of the logins to the various Pony admin panels were tagged as being in Nigeria:
Figure 27: Pony Admin Panel Showing Logins From Nigeria
We also see consistent reuse of user names and passwords that reference Nigerian culture. These appear consistently among the compromised accounts as well as within the actual administrative credentials to the Pony admin panels.
For example, one particular actor uses several variations of “waxxy” which is a reference to the popular Nigerian DJ known as DJ Waxxy.
We also see several recurring uses of “chukwuka123” and “chukwuka”. “chukwuka” is a reference to the popular Nigerian actress Chioma Chukwuka:
Figure 28: Chioma Chukwuka, Whose Name is Often Used as a Password
The term “chukwuka” is more frequently used as the password to some of the Pony admin panels, but appears as a modified password for compromised accounts as well.
Going back to the specific attribution side, we can do a little more digging around these terms to find OSINT pointing to specific individuals acting as part of this cybercrime group.
One particular username and associated email account pops up far more frequently than others. The “onyeb4real” user name is frequently observed setting up dummy/burner email accounts and using them to send out either weaponized messages or text-only social engineering lures, in attempts to lure victims into either running malicious code or visiting sites hosting malicious code.
Examples are listed below (exact URLs obfuscated):
Oftentimes, the “onyeb4real” string is coupled with “louis33”. If we refer to the "waxxy" references outlined above, we see that there are also couplings of “louiss” (and variations of it) and both “onyeb4real” and "waxxy".
A little OSINT digging reveals numerous profiles of a specific Nigerian individual named “Louis” with a frequent handle of Waxxy or Waxxy3. The email address tied to this individual’s social media accounts is: onyeb4real(at)gmail.com.
Figure 29: Instagram Account of Louis - AKA “Waxxy” 1
When cross-referencing publicly available information on this individual, we are able to collect numerous fragments of data that solidify the location of this particular actor. In the example below, we see a classified advert selling a used Blackberry:
Figure 30: Blackberry Phone sold online by “Waxxy”
Meet Louis Onyeka - AKA Waxxy3 - AKA Onyeb4Real:
Figure 31: Louis Onyeka - AKA Waxxy3 - AKA Onyeb4Real
The Test – CylancePROTECT® vs. Pony Loader & Hawkeye
All of these compromises require that a Pony or Hawkeye binary be executed on the target host. It is therefore critical that any protective or preventative controls on the hosts completely prevent that binary from being executed. Now that we see how much sensitive information a small group of cybercriminals can get access to using simple stolen email credentials, we can understand how vital it is to prevent this simple theft from happening. Unfortunately, that is not always possible with traditional, signature-based technologies running on the endpoint.
It is important to point out that some of the samples we analyzed were not ‘publicly available’ at the time of analysis. That is to say, they were not available on any of the popular multi-engine scanning and analysis services which many legacy antivirus technologies and vendors rely on. Having to rely on third-party services or quickly outdated signatures is not an option if you wish to prevent these kinds of attacks from occurring.
Cylance tested over 30 samples associated with these attacks using our AI-based endpoint protection solution CylancePROTECT. CylancePROTECT stopped all of them cold, pre-execution. End of story.
The following samples were tested against CylancePROTECT:
Figure 32: CylancePROTECT Dashboard, Showing Detected and Quarantined Samples Associated With the Nigerian Phishing Attacks - 1
Figure 33: CylancePROTECT Dashboard, Showing Detected and Quarantined Samples Associated With the Nigerian Phishing Attacks - 2
Appendix – IOCs
be882ecbe903b4b9e74d6f592053231c4ce5e653212fadf05cb5261d69bad4f4 shit(dot)exe, various hosts