InQuest - Snippets https://inquest.net/

USPS Parcel Delivery Themed Smishing Campaign Activity
https://inquest.net/blog/usps-parcel-delivery-themed-smishing-campaign-activity/
2024-07-17, Hunter Headapohl

Cybercriminals and threat actors continually evolve their tactics to deceive and exploit users. One of the most persistent threats is smishing—a blend of SMS (text message) and phishing attacks. Recently, smishing campaigns have increasingly leveraged themes from the United States Postal Service (USPS), making them particularly dangerous and difficult to detect when targeted directly at users via text message.

How does this attack work?

First disclosed in late June of this year, the campaign delivers social engineering messages over mobile SMS with USPS-themed lures in this basic format:

[‎USP⁠S Notice]: Your shipment has been processed at our facility but is currently on hold due to incomplete address information. To facilitate timely delivery, we request you verify your address through the link provided below: hXXps://cutt[.]ly/kefjZuIG?KrK=agsoqsnEdd?spt=dKfL5GVQaY
Wishing you an exceptional day from the USPS team.

The cutt.ly shortener link redirects to an attacker-operated host, which then issues a second redirect to the landing page path:

hXXps://usoo.qygwdvpr[.]top/?session=256196fd967slv&user=193
>> hXXps://usoo.qygwdvpr[.]top/4b8ee6/GOEAEZ/CxJPFKuAA4A_Vh8PPl/AESkk4e?9_IkyAH/mN4XAhHeAEiTAK95suA_tkAKAAVTnAGpu
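As an added example (not code from the original post or from InQuest), the following Python triages an SMS like the one above before any link is followed. The lure as quoted contains invisible Unicode format characters inside the word "USPS", which a keyword filter matching the literal string would miss, so the triage first strips such characters, then scores the brand mention, the urgency phrasing, and where the link actually points (a public shortener, or a host outside the brand's own domain). The keyword lists, shortener list and thresholds are illustrative assumptions; the sample messages are constructed, the first mirroring the quoted lure.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Illustrative assumptions for this example (not from the post): which
# domains a brand legitimately uses, a few public shorteners, and the
# urgency phrasing typical of delivery lures.
BRAND_DOMAINS = {"usps": ("usps.com",)}
SHORTENERS = {"cutt.ly", "bit.ly", "tinyurl.com", "t.co", "is.gd"}
URGENCY_PHRASES = (
    "on hold", "incomplete address", "verify your address",
    "update your address", "unable to deliver", "redelivery",
)
# Accepts live URLs and defanged hXXp / hXXps forms.
URL_RE = re.compile(r"(?i)\b(?:https?|hxxps?)://[^\s<>]+")


def strip_invisible(text: str) -> tuple[str, int]:
    """NFKC-fold the text and drop Unicode format characters (category Cf).

    Zero-width marks and joiners inside a brand name break a literal match on
    "USPS"; NFKC also folds full-width and other compatibility letters onto
    their plain forms.  Returns the cleaned text and the number of dropped
    characters.
    """
    folded = unicodedata.normalize("NFKC", text)
    kept = [ch for ch in folded if unicodedata.category(ch) != "Cf"]
    return "".join(kept), len(folded) - len(kept)


def extract_hosts(text: str) -> list[str]:
    """Hostnames of every URL in the text, refanging [.] and hXXp first."""
    hosts = []
    for match in URL_RE.finditer(text):
        raw = re.sub(r"(?i)^hxxp", "http", match.group(0)).replace("[.]", ".")
        host = urlparse(raw).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def under_domain(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_sms(message: str) -> dict:
    """Score one SMS; returns verdict, score, link hosts and the reasons."""
    clean, dropped = strip_invisible(message)
    lowered = clean.lower()
    score, reasons = 0, []
    if dropped:
        score += 1
        reasons.append(f"{dropped} invisible format character(s) removed before matching")
    brands = [b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", lowered)]
    if brands:
        score += 1
        reasons.append("brand keyword: " + ", ".join(brands))
    phrases = [p for p in URGENCY_PHRASES if p in lowered]
    if phrases:
        score += 1
        reasons.append("urgency/verification phrasing: " + ", ".join(phrases))
    hosts = extract_hosts(clean)
    for host in hosts:
        if under_domain(host, SHORTENERS):
            score += 2
            reasons.append(f"link goes through URL shortener {host}")
        elif brands and not any(under_domain(host, BRAND_DOMAINS[b]) for b in brands):
            score += 2
            reasons.append(f"link host {host} is not under the brand's own domain")
    verdict = "smishing" if score >= 4 else "suspicious" if score >= 2 else "benign"
    return {"verdict": verdict, "score": score, "hosts": hosts, "reasons": reasons}


# Constructed samples.  LURE reproduces the message quoted in the post, with
# the invisible characters inside "USPS" written as explicit escapes.
LURE = (
    "[\u200eUSP\u2060S Notice]: Your shipment has been processed at our facility but "
    "is currently on hold due to incomplete address information. To facilitate "
    "timely delivery, we request you verify your address through the link provided "
    "below: hXXps://cutt[.]ly/kefjZuIG?KrK=agsoqsnEdd?spt=dKfL5GVQaY "
    "Wishing you an exceptional day from the USPS team."
)
BENIGN = ("USPS: your package is out for delivery today. Track it at "
          "https://tools.usps.com/go/TrackConfirmAction")

if __name__ == "__main__":
    for msg in (LURE, BENIGN):
        result = triage_sms(msg)
        print(result["verdict"], result["score"], result["hosts"])
        for reason in result["reasons"]:
            print("  -", reason)
```

A shortener on its own only reaches "suspicious": plenty of legitimate senders use them, which is exactly why the lure does too. The decisive signals are the combination with a brand claim and a verification demand, and the fact that the link never lands on the brand's domain; following the redirect chain (as urlscan.io did for this sample) is the next step, not the first.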

urlscan.io captured both the redirector and the landing page of the phishing site, which presents a USPS Online lure:

https://urlscan.io/result/6770bd32-a452-43ee-ac7d-80946ad5ae8c

USPS phishing landing page

The page requires the user to click the Continue button to progress forward in the phishing kit. The next page solicits personal information from the user, including shipping address and phone number. Further interaction may also prompt the user for more sensitive information, such as login credentials and personally identifiable information under the guise of verification of identity.

From a landing site the attacker controls, the target can be compromised in several ways: by entering personal information into a form (the path observed in this kit), by being asked to download a malicious file, or by a drive-by download against a vulnerable browser.

The real danger presented by this kind of attack is that it leverages the victim’s trust in a public institution like USPS and presents a landing site that is convincing enough to appear legitimate. Package and order delivery lures are commonplace in the threat landscape, given that many people may be expecting a purchase to arrive at any given point. Common clues that could trigger suspicion—like grammatical errors or odd page layouts—are not present. As a result, this kind of smishing can be devastatingly effective.

The Role of Threat Intelligence

In cases like these, threat intelligence is an important tool for stopping bad actors by focusing on the infrastructure and domains they use. Forcing bad actors to rebuild their infrastructure by disrupting their normal patterns drives up the cost of these campaigns and slows them down.

InQuest’s research uncovered some of the domains and proxies used by this group. Registration details and DNS resolution show that the threat actor is using Cloudflare as both authoritative DNS and reverse proxy, so the A records below are Cloudflare edge addresses shared with unrelated sites and the origin server stays hidden. Pivot and block on the domain, nameserver and registrar attributes rather than on these IPs:

domain        created     registrar            nameserver         registrant            abuse contact
QYGWDVPR.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com

qygwdvpr.top. 1800 IN SOA jean.ns.cloudflare.com. dns.cloudflare.com. 2344052238 10000 2400 604800 1800
qygwdvpr.top. 21600 IN NS margo.ns.cloudflare.com.
qygwdvpr.top. 21600 IN NS jean.ns.cloudflare.com.
usoo.qygwdvpr.top.  300 IN  A   104.21.72.55
usoo.qygwdvpr.top.  300 IN  A   172.67.175.168

104.21.72.55     AS13335 | US | CLOUDFLARENET
172.67.175.168   AS13335 | US | CLOUDFLARENET

The domain has been in use since mid-June, when the operator was using a different subdomain (passive DNS, first seen and last seen):

hostname           value           kind  rrtype  first_seen           last_seen
emv1.qygwdvpr.top  104.21.72.55    ip    A       2024-06-16T10:19:27  2024-07-11T12:40:38
emv1.qygwdvpr.top  172.67.175.168  ip    A       2024-06-16T10:19:27  2024-07-11T12:40:38

Pivoting on the attributes these records share (registrar Gname.com Pte. Ltd., creation date 2024-06-16, Cloudflare nameservers, and the same eight-letter pseudo-random .top naming style) yields a set of domains that may belong to the same cluster of activity. Each attribute on its own is common; the combination is what makes the pivot useful, and these remain candidate indicators until hosted content or passive DNS ties them to the same kit:

twqkztxr.top
jgjqqkow.top
mrbtrzqz.top
jdsdgfrp.top
ievksdde.top
mtzcoets.top
ffohrmuv.top
mqeuwcve.top
qvmqfkyy.top
tvebrkvj.top
bezizesf.top
kwwqwtgl.top
mfqyzqaf.top
wrofpeqe.top
jmfllkrr.top
udwmarew.top
domain        created     registrar            nameserver         registrant            abuse contact
TWQKZTXR.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
JGJQQKOW.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
MRBTRZQZ.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
JDSDGFRP.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
IEVKSDDE.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
MTZCOETS.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
FFOHRMUV.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
MQEUWCVE.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
QVMQFKYY.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
TVEBRKVJ.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
BEZIZESF.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
KWWQWTGL.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
MFQYZQAF.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
WROFPEQE.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
JMFLLKRR.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
UDWMAREW.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
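As an added example (not InQuest's pipeline or data), the following Python performs the pivot described above on the rows quoted from the post: it parses the registration records, clusters the domains that share the seed's creation date, registrar and nameserver provider and also fit the eight-letter .top naming style, and separates the resolved Cloudflare edge addresses (shared by unrelated sites behind the same reverse proxy) from addresses that could be blocked. Two decoy rows, marked as constructed, share some but not all attributes; the naming-pattern regex and the CDN ASN list are assumptions made for the example.

```python
import re

# Constructed input reproducing the registration rows quoted in the post, in
# their two-space separated column layout, plus two decoy rows that share only
# some attributes.  Added example; not InQuest's data or pipeline.
WHOIS_ROWS = """\
QYGWDVPR.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
TWQKZTXR.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
JGJQQKOW.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
MRBTRZQZ.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
JDSDGFRP.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
IEVKSDDE.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
MTZCOETS.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
FFOHRMUV.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
MQEUWCVE.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
QVMQFKYY.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
TVEBRKVJ.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
BEZIZESF.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
KWWQWTGL.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
MFQYZQAF.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
WROFPEQE.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
JMFLLKRR.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
UDWMAREW.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
# decoy (constructed): same date, registrar and nameservers, different naming style
SHOP-DEALS.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
# decoy (constructed): fits the naming pattern but registered months earlier
XKQPLMZT.TOP  2024-03-02  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
"""

# Resolutions and IP ownership quoted in the post, as a minimal passive-DNS view.
PDNS = {
    "usoo.qygwdvpr.top": ["104.21.72.55", "172.67.175.168"],
    "emv1.qygwdvpr.top": ["104.21.72.55", "172.67.175.168"],
}
ASN = {"104.21.72.55": "AS13335 CLOUDFLARENET", "172.67.175.168": "AS13335 CLOUDFLARENET"}
# Reverse-proxy networks whose edge IPs front many unrelated sites (assumption).
CDN_ASNS = {"AS13335"}
# Naming style observed across this cluster; treating it as the operator's
# generator is an assumption for the example.
NAME_PATTERN = re.compile(r"[a-z]{8}\.top")


def parse_whois(text: str) -> list[dict]:
    """Parse two-space separated registration rows; '#' lines are comments."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        domain, created, registrar, ns, registrant, abuse = re.split(r"\s{2,}", line.strip())
        records.append({
            "domain": domain.lower(), "created": created, "registrar": registrar,
            "ns_provider": ".".join(ns.split(".")[-2:]),  # e.g. cloudflare.com
            "registrant": registrant, "abuse": abuse,
        })
    return records


def pivot_key(rec: dict) -> tuple:
    """Attributes that are common one at a time but discriminating together."""
    return (rec["created"], rec["registrar"], rec["ns_provider"])


def cluster_from_seed(records: list[dict], seed: str) -> list[str]:
    """Domains sharing the seed's pivot key and the cluster's naming pattern."""
    by_domain = {r["domain"]: r for r in records}
    key = pivot_key(by_domain[seed.lower()])
    return sorted(r["domain"] for r in records
                  if pivot_key(r) == key and NAME_PATTERN.fullmatch(r["domain"]))


def classify_ips(pdns: dict, asn: dict) -> dict:
    """Mark resolved IPs that belong to a shared CDN edge as non-blockable."""
    verdicts = {}
    for ips in pdns.values():
        for ip in ips:
            owner = asn.get(ip, "unknown")
            if owner.split()[0] in CDN_ASNS:
                verdicts[ip] = f"shared CDN edge ({owner}): pivot on the domain, not the IP"
            else:
                verdicts[ip] = f"candidate origin ({owner}): safe to block"
    return verdicts


if __name__ == "__main__":
    records = parse_whois(WHOIS_ROWS)
    for domain in cluster_from_seed(records, "qygwdvpr.top"):
        print("cluster:", domain)
    for ip, verdict in classify_ips(PDNS, ASN).items():
        print(ip, "->", verdict)
```

Widening the creation-date match to a window of days is the natural next pivot when a seed's exact registration date yields too little; it also admits more unrelated Gname-registered, Cloudflare-fronted domains, so candidates found that way need a second tie (hosting the same kit, or the same shortener campaign) before they go into a blocklist.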

Conclusions

Smishing attacks, especially those leveraging USPS-themed lures, represent a growing threat in the cybersecurity landscape. These attacks are designed to exploit users’ trust in well-known institutions like the USPS, making them particularly effective and dangerous.

Recognizing and understanding these smishing techniques is the first step in defending against them. By staying informed and cautious, users can avoid falling victim to these sophisticated scams. Furthermore, leveraging threat intelligence to uncover and disrupt the infrastructure behind these attacks is essential in mitigating their impact.

InQuest InSights Threat Intelligence Feeds

InQuest continually monitors the cyber threat space, broadly collects indicators of compromise, and curates them for incident response and threat intelligence use cases. Our InQuest InSights threat intelligence feeds provide bulk download or API query access to our actionable indicator data. Contact us for access to these and thousands of other active, relevant indicators to help your defenders uncover evil and reduce risk today!

Ever Rising Threat of Modern Data Extortion
https://inquest.net/blog/ever-rising-threat-of-modern-data-extortion/
2024-06-28, William MacArthur

Intro

Glancing at the present-day threat landscape, ransomware is top of mind whenever an incident starts flooding the news cycle. It is a constantly growing problem that seems to know no bounds, no organization is immune, and everyone is a potential target. The large number of companies leveraging cloud services and systems always connected to the internet equates to a target-rich environment. Though most actors tend to lean towards financial gain, the interconnectivity of systems across different industries and their associated verticals provides a wide variety of opportunities for impact based on other motives. This is especially worrisome with election cycles on the horizon and the need to secure the systems vital to fair elections. The growth of ransomware has escalated to the point of third-party actors offering ransomware-as-a-service and other illicit products via underground markets for would-be attackers.

Past to Present

Ransomware has been a problem since the 1989 AIDS Trojan (also known as PC Cyborg), which was delivered on floppy disks. The demanded ransom was in the range of hundreds of dollars, a paltry sum compared to the amounts listed in ransom notes seen on impacted systems today. To paint a picture of the threat landscape of the late 80s and early 90s, email-based phishing was still uncommon at the time. Fast forward to today, and the file tradecraft in use keeps growing in complexity. Emails with malicious attachments remain the most prevalent initial access vector, though more sophisticated adversaries have been observed obtaining privileged access directly, as in the Colonial Pipeline incident, where attackers gained VPN access with an employee password exposed in an earlier data breach.

The Human Cost

Due to the scale of present-day ransomware incidents, recovery and resuming operations can be costly even in cases where ransoms are paid. The time put into remediation and bolstering security after the breach is an additional cost that is rarely reported in depth. This is particularly problematic for organizations in sectors where ransoms are unlikely to be paid, such as government, healthcare, and education. The downstream effects are devastating, costing countless staff hours and, in the case of hospital breaches, lives. During the height of the COVID-19 lockdown, several ransomware gangs agreed not to target hospitals to minimize loss of life. Operators associated with cl0p and Maze at the time spoke out against targeting patient-facing health organizations, insisting that their targets were primarily commercial labs and pharmaceutical entities that could afford the hefty ransoms.

Ransomware As An Economy

Like other commercially distributed malware and related “tools”, anything from individual payloads to fully configured, ready-to-execute ransomware campaigns is available via underground markets, with payment models that rival legitimate software as a service (SaaS) products. Like SaaS offerings, ransomware as a service (RaaS) empowers criminals with little technical aptitude to carry out ransomware attacks for a modest fee or subscription. Individual components, such as obfuscation tools designed to lower the likelihood of detection, initial access resources, and exfiltration tools, are available and can be customized to an attacker’s specifications. So long as these attacks yield success, a secondary market will exist to facilitate future incidents.

Parting Thoughts

Without a doubt, the most impactful way to defend against ransomware and data extortion actors is to prevent the intrusion in the first place by heading off attacks in their early phases. Where prevention fails, it is critical to detect and disrupt the attack as early as possible in its lifecycle. Intelligence on the ecosystem of ransomware operators and RaaS affiliates shows that partnerships with initial access brokers (IABs) are the enabling element for the vast majority of these attacks.

Employee Spotlight: Nick Chalard
https://inquest.net/blog/employee-spotlight-nick-chalard/
2024-06-27, Josiah Smith

In this special employee spotlight, we are thrilled to introduce Nick Chalard, a detection engineer on our Threat Intelligence team at InQuest. Nick’s journey with us began as an intern, and he has since become a full-time team member, known for his dedication, expertise, and accountability. In this exclusive interview, Nick shares his background, insights on detection engineering, and thoughts on the use of YARA for threat detection. Read on to learn more about his valuable contributions and experiences in the ever-evolving field of cybersecurity.


Q1: Can you tell us a little about your background and what led you to join InQuest?

A1: I developed an interest in cybersecurity early in my computer science studies. While bartending at a restaurant, I overheard a discussion among attendees of A Conference on Defense (ACoD). I joined the conversation, asked a few questions, and was eventually introduced to Pedram Amini, who offered me an opportunity to break into the field.

Q2: You started at InQuest as an intern. What was your experience like during your internship, and how did it prepare you for your current role as a detection engineer?

A2: It was a trial by fire. I had to quickly fill gaps in my knowledge about information security and get up to speed with the threat landscape. It was a rewarding experience, allowing me to learn something new every day and create detections that defend against real-world threats.

Q3: As a detection engineer on the threat intelligence team, what are your primary responsibilities? Can you walk us through a typical day in your role?

A3: With the help of the TI team, I write signature-based detections using YARA, augmented by Deep File Inspection (DFI), to cover high-fidelity threats and establish a foothold on novel and developing threats. We focus mainly on initial access content, with most of our detection efforts targeting malicious document lures, obfuscation methods, and malware delivery via various file formats. Threat actors frequently pivot and change tactics, so staying on top of updates and new campaigns is an ongoing challenge. Over the years, we developed internal processes that created a feedback loop between the signatures we developed and what they detect in the field.

Q4: What do you find most rewarding and most challenging about your work in threat intelligence and detection engineering?

A4: Every day presents new challenges and learning opportunities. This field requires both a broad knowledge base and deep expertise in specific areas. Interacting with knowledgeable individuals in the community reminds me that there’s always something new to learn. Applying that knowledge and effort towards the greater good and being surrounded by like-minded people is incredibly rewarding.

Q5: You’ve been described as providing great value and being very accountable. What motivates you to maintain such high standards in your work?

A5: Unlike other jobs, I can see how my work directly affects the company and our customers. Our company culture and overall philosophy enable me and the rest of the team to take swift and meaningful action where it’s needed most. The adage of attackers outnumbering defenders is a constant reminder that we need to do everything we can to empower ourselves and the community to combat the growing number of adversaries.

Q6: How has your approach to detection engineering evolved since you first started? Are there any key lessons or insights you’ve gained?

A6: It was a steep learning curve at first and continues to be with the obscure file formats leveraged by cybercriminals. Learning how certain file types are commonly used to figure out how they can be abused is an almost daily struggle. Over time, you develop habits and workflows that become second nature. This is especially important in detection engineering, where attacker tactics may vary, but their overall goal is typically consistent. Having the flexibility to pivot as they do helps forecast their next move.

Q7: YARA is a tool frequently used in detection engineering. What are your thoughts on the use of YARA for threat detection? Do you have any tips or best practices for using YARA effectively?

A7: YARA is a great tool I use daily and falls under the category of “easy to learn, difficult to master.” When I was learning YARA and cyber threat intelligence during my internship, I focused on attribution and making “tight” rules to eliminate false positives as much as possible. Positive and high-confidence attribution is important when sharing rules through reporting or various channels. It can be a balancing act depending on one’s goals with signature-based detection. In working environments, being able to track even the most mundane characteristics and patterns of a file enhances detection capability. Threat actors are people too; they make mistakes like anyone else, and we can capitalize on those to reinforce security posture and add to tracking cases.

Q8: Can you share a particular project or accomplishment at InQuest that you are especially proud of?

A8: Back in 2019, when Emotet was rampant, our team was well-positioned to stay on top of detecting new variants of the malicious document macros. Decoding the obfuscated macro code was a challenge compared to other commodity malware campaigns. Writing the detection logic was demanding, especially while learning the constraints of YARA and ensuring signatures weren’t slow. We did all of this at a higher tempo compared to other active campaigns at the time.

Q9: In your opinion, what sets InQuest apart from other companies in the cybersecurity field?

A9: Having only worked at InQuest, I’m not sure how true this rings at other companies, but we use our product extensively for our day-to-day workflow. I’m fairly certain that the workflow for my role at a different company would look quite different and yield different outputs.

Q10: How do you stay current with the latest trends and developments in cybersecurity, and what resources do you find most valuable?

A10: I stay up to date with blogs and reports by other researchers in the field, especially those tracking similar or related threats. Trust groups and shared channels help by providing means to contact and interact with community members.

Q11: Outside of work, what are some of your hobbies or interests? How do you like to spend your free time?

A11: I’m trying to travel more and keep up with international news and geopolitics that may influence my travel plans. I also want to start learning another language. I’ve been studying Russian for the past few years, enough to read Cyrillic and keep up with reporting and discussions. DJing at home has been a hobby of mine for a while, and the process of finding obscure music over the years is similar to open-source intelligence (OSINT) gathering.

Q12: Finally, what advice would you give to someone aspiring to enter the field of threat intelligence and detection engineering?

A12: Don’t be afraid to ask questions, but also practice asking the right questions at the right time. I’ve had numerous encounters at meetups and events where a well-thought-out question led to positive, unexpected results. It got me to where I am today. Also, be open to expanding your horizons. In a field where people constantly challenge how computer software and hardware operate, getting hung up on things working outside of designed or intended use becomes a roadblock. People from all walks of life engage in this field, and recognizing this helps minimize bias when handling subjects that may challenge your worldview and beliefs.


Nick’s Bio:

Nick is a cybersecurity practitioner focused on cyber threat intelligence, malware analysis, threat research, and detection engineering. He broke into the information security field in 2019, interning at InQuest where he trained alongside industry veterans. He honed his skills and applied them towards combating novel and commodity threats in the wild. Always looking to contribute to community efforts, he can routinely be found analyzing and disseminating malicious content delivery samples and pivots used to deliver payloads. He particularly enjoys connecting cyber threat activity to geopolitical events and associated entities.
