Shared Document Spam Delivers Remote Access Tool

By Andrew Brandt | November 17, 2025


Messages purporting to share sensitive documents are an initial access vector.

Email messages that claim to point the recipient to documents containing sensitive personal information instead deliver (from a Google cloud storage location) a commercial remote access tool normally used by IT administrators to perform remote tech support.

The threat actors set up a complex attack chain to deliver the executable payload using a variety of messages. The messages use subject lines like "Item shared with you: ALARM I Never Expected To See You In Such Content!" or "Item shared with you: EMERGENCY What's Happening With You In This Visual."

But the messages instead point to a PDF file hosted in Google Drive. The PDF contains a link to a page in Google's cloud that, in turn, redirects the visitor through an interstitial website, and after a few moments, pushes a download of the remote administration tool's installer.

The tool, LogMeIn Resolve, is typically used by support technicians who need to remotely manage a customer's computer. In this case, it could provide a threat actor with initial access to a targeted network, with full remote control over any computer on which the owner runs the executable.

Attacker leaks other targets' emails

Figure 1. One of the email messages leading to the attack.

Messages received as part of this campaign were sent to a honeypot email address. That address appeared on the To: line of the email, but the threat actors CCed at least 20 other targets in the same message, so their email addresses were also visible.

Figure 2. Targeted email accounts had random "plus addressing" appended to the mail account name.

The threat actors also appended extraneous, randomized "plus addressing" to the targeted emails, for reasons that are unclear.

Figure 3. Diacritical marks were added to thwart simple text searching.

And certain words in the body of the message featured unusual diacritical marks, probably as a rudimentary way to bypass spam filters that scan for specific content in the message body.
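The two evasion tricks described above, randomized plus-addressing on recipients and combining diacritics inserted into body or subject text, are both easy to undo before filtering. The following Python is an added defender-side example, not code from the Netcraft post: it strips combining marks so a plain keyword match still works, flags text that carries such marks at all, collapses plus-tagged recipients to their base mailbox, and reports how many distinct targets a message really reached. The subject line, keywords, and addresses are constructed sample data.

```python
import unicodedata

# Constructed sample data modeled on the campaign: a subject with combining
# diacritics inserted into common words, and CC recipients carrying random
# plus-addressing tags. None of these addresses are real.
SAMPLE_SUBJECT = ("Item shared with you: ALA\u0300RM I Ne\u0301ver "
                  "Expected To Se\u0308e You In Such Co\u0327ntent!")
SAMPLE_RECIPIENTS = [
    "Jane.Doe+k3x9q@example.com",
    "jane.doe+z71ab@example.com",
    "bob+q8w2e@example.org",
]
LURE_KEYWORDS = ("item shared with you", "alarm", "emergency")


def strip_diacritics(text: str) -> str:
    """Decompose to NFKD, drop combining marks (category Mn), recompose."""
    decomposed = unicodedata.normalize("NFKD", text)
    kept = "".join(c for c in decomposed if unicodedata.category(c) != "Mn")
    return unicodedata.normalize("NFC", kept)


def has_combining_marks(text: str) -> bool:
    """True if the text contains any combining mark; rare in English mail."""
    return any(unicodedata.category(c) == "Mn"
               for c in unicodedata.normalize("NFD", text))


def strip_plus_addressing(address: str) -> str:
    """Return the base mailbox: local part before '+', lowercased."""
    local, sep, domain = address.partition("@")
    if not sep:
        return address.lower()
    return f"{local.split('+', 1)[0]}@{domain}".lower()


def triage(subject: str, recipients: list[str]) -> dict:
    """Evaluate a message as a simple content filter would, after normalizing."""
    plain = strip_diacritics(subject)
    lure_hit = any(k in plain.casefold() for k in LURE_KEYWORDS)
    bases = {strip_plus_addressing(r) for r in recipients}
    tagged = sum("+" in r.partition("@")[0] for r in recipients)
    return {
        "normalized_subject": plain,
        "obfuscated": has_combining_marks(subject),
        "lure_keyword_hit": lure_hit,
        "distinct_recipients": len(bases),
        "plus_tagged_recipients": tagged,
    }
```

Because NFKD also decomposes precomposed letters such as "é", the same routine handles both inserted combining marks and accented characters pasted in wholesale.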

Figure 4. The Google Drive URL pointing to the malicious PDF.

To make matters even weirder, the messages claim to originate with Dropbox, but link to Google Drive. Email headers confirm that the messages actually were sent as the result of the threat actor sharing a file stored in a Google Drive to the targets, and not as email from the "open[.]actionconnectway[.]com" email address.

Email links to PDF

The messages linked to PDF files stored on Google Drive. The PDFs were simplistic but functional: a corporate logo and a blue button labeled "VIEW IN APP." One version of the PDF indicated that the file being shared is called "private-collection-xoxo.mp4."

Figure 5. One version of the malicious PDF.

The button links to another address inside of Google's infrastructure.

Figure 6. The link points to a location on googleapis.com.

If the user clicks the link, their browser opens an interstitial page on the web domain notice[.]interactionfull[.]com, which resolved to 45.140.17[.]118.

Figure 7. The interstitial website address.

The page displays the text "Please allow up to 5 seconds..."

Figure 8. Text that appears on the interstitial loading page.

...then pushes a file to the browser, hosted in yet another Google cloud storage location.

Figure 9. A site visitor receives a pushed download named ekey-view-app.exe.

Other variations of the PDF contain a notification claiming to be from a collections agency about unpaid debt, impersonating at least two legal firms: Hogan Lovells and Morgan Lewis.

Figure 10. A variant PDF claims it comes from a law firm.

Figure 11. A different variant references a different law firm.

In tests, each time we clicked the link in the PDF, the website pushed down another LogMeIn Resolve installer, but each download resulted in the file having a slightly different name. Variations included app-view-key.exe, e_key-app-view.exe, and ekey-view-app.exe. All were cryptographically signed with the valid certificate issued to GoTo Technologies, which operates the LogMeIn service.

Figure 12. Three properties sheets from LogMeIn Resolve payloads show they have valid cryptographic signatures.

The installer is not subtle: it triggers both a User Account Control (UAC) elevation dialog:

Figure 13. A UAC dialog appears when someone runs the installer.

and a dialog box that discloses to the user what they've installed.

Figure 14. The installer presents a dialog box to the end user when it has finished installing.

Trail goes cold

Netcraft attempted to lure the threat actors to connect to a test system that was set up to look like a real business environment, but after 48 hours with no bites, the service self-terminated.

Logs collected from the installation of LogMeIn Resolve identify a specific CompanyID (likely a unique identifier of the account that was being abused) that is consistent across all collected samples.

Figure 15. Logs created by the LogMeIn Resolve program contain the unique identifier for the account used to remotely access a victim's computer.

However, it appears that GoTo Technologies may have flipped a "kill switch" on any installations tied to this CompanyID. Telemetry sent to GoTo appears to show the program reporting that it has terminated any process tied to this specific CompanyID.

Figure 16. GoTo Technologies later terminates this account's access, and flags any computer to "Kill all application..." for anything tied to the abused CompanyID identifier.

When run today, the installer displays a dialog box that says "The device management capability is not available for your organization," by which "your organization" probably means whatever CompanyID this installer is tied to.

Figure 17. A GoTo dialog box informs the end user that the account behind this remote access attempt is disabled.

While there were many stages at which a targeted individual might have realized that they were not getting what they expected, one might surmise that this kind of trick still works in a small number of instances.

And even though the domains hosting the payload appear to be offline, the IP address where the interstitial domain had been hosted (45.140.17[.]118) seems to be located in an internet bad neighborhood. The IP address is managed by a company called Proton66, based in St. Petersburg, Russia. Netcraft later found related domains hosted on a second Proton66 IP address, 45.134.26[.]191. Passive DNS replication reveals that at least 39 suspicious domains resolve to one or both of those IP addresses.

Figure 18. Domains Netcraft believes are tied to this or similar campaigns hosted on IP addresses used by the Proton66 hosting provider.

It was a short-lived campaign, launched the day that Microsoft ended support for Windows 10. With the malicious domains no longer responding, and the payloads disabled, it looks to be offline, for now. But that's no guarantee this threat actor won't spin up a new campaign.

Netcraft has posted indicators of compromise relating to this attack to our GitHub repository.
