Detecting a business email compromise (BEC) threat actor
Identifying an uncommon BEC threat actor
Note: The activity found in this blog post is from a security investigation where the threat actor failed. There are additional tools, techniques and procedures (TTPs) as well as indicators of compromise which can be shared privately from my work tracking this threat actor. Please contact phishing@thoughtmachine[.]net for private insights into this blog post. Additional intelligence will only be shared with reputable companies or researchers which are willing to verify themselves.
Introduction
Threat actors still see targeting a user's mailbox as one of the most effective and efficient ways to compromise or gain information from an organisation. Advanced persistent threats continue to find phishing valuable and use off-the-shelf tooling like Evilginx to make attribution harder [1]. Attackers would stop conducting phishing attacks and move to other initial compromise vectors if they became less effective, but this has yet to happen. Business email compromise is still one of the most popular methods of targeting organisations [2], especially since generative AI became generally available [3].
All industrial sectors around the world are regularly targeted via social engineering attempts by business email compromise threat actors. The sophistication of these threat actors can vary and be difficult to track.
In this blog, I showcase how I dissected, tracked and identified a business email compromise (BEC) threat actor targeting the organisation I defend. From my analysis, this threat actor is linked to a cluster of previously reported activity. This threat actor differs from many other BEC threat actors in that they register and administer their own infrastructure. I aim to provide tools, techniques and procedures (TTPs) and indicators of compromise (IoCs) to help organisations around the world detect and defend against this threat.
Analysis
CEO impersonation is one of the most popular methods of social engineering being used on companies. Attackers regularly attempt to contact various teams to gain information which they can leverage in a later social engineering attack. The majority of these messages are likely AI-driven or, at the very least, semi-automated, regularly abusing Google's email service to bypass network reputation filters. They conform to a format:
From: <ceo name> randomised.name.example.0291salkjnsab@gmail.com
Subject: Treat Urgently!
Message:
Hello <targeted employee>
Kindly proceed with your contact info (personal cell#) and lookout for my text. I need your assistance on a task.
Best regards,
<ceo name>
However, from reviewing our email telemetry, I identified a threat actor which was sending emails which were:
Very specific in subject matter and structured in a more believable manner than other BEC emails I’ve come across
Sent from a newly registered domain, which looked to be generated as part of a domain generation algorithm (DGA)
Persistent in nature, repeatedly targeting specific employee emails relevant to the information they wanted
In other CEO impersonation cases I’ve triaged, the threat actor often has a shotgun approach to targeting, usually driven by leads or marketing-based lists they’ve gained access to. However, this threat actor sent consistent messaging to the relevant users and repeatedly attempted to extract information from them. The emails contain grammatical mistakes, which indicates English is likely not their first language.
An example email:
From <ceo name>
Subject: Conference Call - Project M&A
Hello <employee name>,
I want to inform you that I will be having a video conference with some of the board members and investors the next week, and I would like you to be part of it.
We will be discussing our overall strategy and the steps we need to take to ensure the continued prosperity of our company.
Let me know if you will be available.
Regards,
<ceo name>
Sent from my iPhone
The threat actor sent several emails trying to extract information with the following questions (which have been generalised):
Asking if a legal firm had contacted them
Asking for financial information related to the business
Asking for financial reports to be sent to them
The threat actor occasionally used compromised email addresses to send out emails. I assess this is likely because business emails have better reputations with spam filters and email security technologies. When using compromised domains, however, the threat actor ensured that replies were not sent back to those mailboxes; instead, they set a Reply-To header, as shown in the redacted header log output below:
From: <ceo name> <compromised_business@businessdomain[.]com>
To: <employee>
Reply-To: dir@generalmail[.]net
Subject: AR Report
The use of a Reply-To header likely reflects an assumption by the threat actor that they will not keep control of a compromised mailbox for long, because of abuse reports. The domain generalmail[.]net is owned by SwissMail, a legitimate privacy-focused email service provider similar to ProtonMail. The threat actor appears to have used this service to collect information from organisations. This isn’t as interesting as other findings from this investigation, but I wanted to highlight the threat actor's use of the service.
I identified further activity showing that they mostly used dedicated infrastructure when targeting organisations. Here’s an extract from a header log we gathered as evidence during our investigation:
User-Agent: Mozilla Thunderbird
From: <ceo name> <iphone@smtp4432[.]com>
To: <employee>
Subject: Liaise with our external legal counsel
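The three header shapes described above (the Gmail-based CEO impersonation format, the Reply-To diversion away from a compromised business mailbox, and the dedicated smtp-numbered sender domain) can be checked mechanically. The following is an added Python example of my own, not code from the original post; the executive name, the internal domain example.org, the sample messages and the smtp<digits>.com sender pattern are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

EXECUTIVES = {"jane doe"}                       # protected display names (assumed)
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
PRIVACY_MAIL = {"generalmail.net"}              # Reply-To service seen in this campaign
DGA_SENDER = re.compile(r"^smtp\d+\.com$")      # smtp<digits>.com sender domains (assumed)

# Constructed messages (not real telemetry), modelled on the header shapes in the post.
SAMPLES = [
"""From: Jane Doe <randomised.name.0291salkjnsab@gmail.com>
Subject: Treat Urgently!
""",
"""From: Jane Doe <compromised_business@businessdomain.com>
Reply-To: dir@generalmail.net
Subject: AR Report
""",
"""User-Agent: Mozilla Thunderbird
From: Jane Doe <iphone@smtp4432.com>
Subject: Liaise with our external legal counsel
""",
"""From: Jane Doe <jane.doe@example.org>
Subject: Q3 numbers
""",
]

def domain_of(value):
    """Lower-cased domain of an address header value; '' when absent or malformed."""
    _name, addr = parseaddr(value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def bec_indicators(raw, internal_domain="example.org"):
    """Return the indicators tripped by one raw RFC 5322 message, in a fixed order."""
    msg = message_from_string(raw)
    display_name = parseaddr(msg.get("From", ""))[0].strip().lower()
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    hits = []
    if display_name in EXECUTIVES and from_dom != internal_domain:
        hits.append("exec-name-external-sender")   # CEO display name, non-corporate mailbox
    if from_dom in FREE_WEBMAIL:
        hits.append("free-webmail-sender")          # the Gmail-abusing impersonation format
    if reply_dom and reply_dom != from_dom:
        hits.append("reply-to-mismatch")            # replies diverted away from the sending mailbox
    if reply_dom in PRIVACY_MAIL:
        hits.append("privacy-mail-reply-to")
    if DGA_SENDER.match(from_dom):
        hits.append("dga-style-sender-domain")      # dedicated smtp<digits>.com infrastructure
    return hits
```

The benign fourth sample trips nothing, which is the false-positive check worth keeping when turning these into mail-gateway rules.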
The domain used to send the BEC-themed email, smtp4432[.]com, has the following WHOIS record:
Create date: 2024-01-31 00:00:00
Domain name: smtp4432[.]com
Domain registrar url: www[.]publicdomainregistry[.]com
Expiry date: 2025-01-31 00:00:00
Name server 1: ns1[.]active-dns[.]com
Name server 2: ns2[.]active-dns[.]com
Name server 3: ns3[.]active-dns[.]com
Name server 4: ns4[.]active-dns[.]com
Registrant country: France
And the following DNS records:
The MX records belong to services that are regularly abused by a variety of threat actors conducting phishing attacks and business email compromise activity [4]. These records point to shared hosting services and are therefore not immediately an indicator of maliciousness; however, depending on the size of your company, their presence could make a good detection rule as a first indicator of something potentially malicious. When analysing another email, we identified a domain similar to smtp4432[.]com. The two domains are compared below:
The two domains looked too similar for me not to attempt a passive DNS query to see whether more followed the same pattern. I queried a historical passive DNS service for domains which:
Were registered by Public Domain Registrar (PDR)
Contained an MX record from mailhostbox[.]com
Contained an NS record for active-dns[.]com
Contained the following pattern as a domain, smtp*
From this query, I identified over 50 domains, which I then connected in a graph over several attributes they shared, such as registrar, country of registration and MX record. The graph is shown in Figure 1 below; some of the attributes have been censored from public view:
Figure 1 - Connections between domains from BEC threat actor
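The pivot query and the attribute graph behind Figure 1, as an added Python example of my own rather than code from the original post. The passive DNS records are constructed: only the registrar, mailhostbox[.]com MX and active-dns[.]com name-server values of smtp4432[.]com echo the WHOIS quoted above (the exact MX hostname is assumed), the `smtp*` pattern is tightened to smtp followed by digits, and requiring two shared attributes before linking two domains is my own threshold.

```python
import re
from collections import defaultdict

# Constructed passive-DNS style records (not real pDNS output); everything except the
# smtp4432.com registrar/MX/NS values quoted in the post is made up for illustration.
RECORDS = [
    {"domain": "smtp4432.com", "registrar": "PDR", "country": "FR",
     "mx": "us2.mx1.mailhostbox.com", "ns": "ns1.active-dns.com"},
    {"domain": "smtp4431.com", "registrar": "PDR", "country": "FR",
     "mx": "us2.mx1.mailhostbox.com", "ns": "ns2.active-dns.com"},
    {"domain": "smtp3101.com", "registrar": "PDR", "country": "NL",
     "mx": "us2.mx1.mailhostbox.com", "ns": "ns1.active-dns.com"},
    {"domain": "smtp99.com", "registrar": "PDR", "country": "US",
     "mx": "mx.unrelated.test", "ns": "ns1.unrelated.test"},
    {"domain": "smtp.example.org", "registrar": "Other", "country": "GB",
     "mx": "mx.example.org", "ns": "ns1.example.org"},
]
NAME_PATTERN = re.compile(r"^smtp\d+\.com$")   # the post's "smtp*" pivot, tightened to digits

def pivot(records, registrar="PDR", mx="mailhostbox.com", ns="active-dns.com"):
    """Apply the post's four pivot criteria and return the matching domains, sorted."""
    return sorted(r["domain"] for r in records if r["registrar"] == registrar
                  and r["mx"].endswith("." + mx) and r["ns"].endswith("." + ns)
                  and NAME_PATTERN.match(r["domain"]))

def attribute_graph(records, keys=("registrar", "country", "mx"), min_shared=2):
    """Link two domains when they share at least min_shared of the chosen attributes."""
    edges = defaultdict(set)
    for i, a in enumerate(records):
        for b in records[i + 1:]:
            if sum(a[k] == b[k] for k in keys) >= min_shared:
                edges[a["domain"]].add(b["domain"])
                edges[b["domain"]].add(a["domain"])
    return edges

def clusters(edges, domains):
    """Connected components of the attribute graph: one list per infrastructure cluster."""
    seen, out = set(), []
    for d in domains:
        if d not in seen:
            comp, stack = set(), [d]
            while stack:
                x = stack.pop()
                if x not in comp:
                    comp.add(x)
                    stack.extend(edges.get(x, ()))
            seen |= comp
            out.append(sorted(comp))
    return out
```

A domain that shares only a registrar with the cluster (smtp99.com here) stays isolated, which is the point of thresholding on several attributes rather than linking on any one.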
Attribution
While investigating, we developed a cluster of infrastructure registered by the BEC threat actor, which connected to a public report from Abnormal Security. In 2023, Abnormal Security released a report on an unusual BEC threat actor which targeted larger payouts than normal [5]. While we found no evidence supporting their attribution of the threat actor to Israel, we did find similarities in tradecraft and infrastructure [6]. The similarities were:
Social engineering content within the email itself: legal themes and mergers and acquisitions; the email body contents are almost exactly the same
Infrastructure similarity: some of the indicators in the report were also identified by me during the investigation
The activity outlined by Abnormal Security is likely from the same threat actor.
Indicators of Compromise (IoCs)
I understand everyone consumes threat intelligence differently, via unstructured and structured processes, so I have attempted to make these IoCs as accessible as possible. Indicators are listed here in raw format, and a key/value CSV version is linked in my GitHub, which can be found here. You can also get the raw version here.
MITRE ATT&CK Framework
T1566 - Phishing: The threat actor sent emails impersonating a CEO to specific employees in an attempt to gain information about an organisation.
T1583.001 - Acquire Infrastructure: Domains: Domains were registered and used in large sets of targeted phishing activity to socially engineer users.
T1586.002 - Compromised Accounts: Email Accounts: Compromised email accounts were leveraged when sending emails to target an organisation.
References
https://citizenlab.ca/2024/08/sophisticated-phishing-targets-russias-perceived-enemies-around-the-globe/
https://perception-point.io/press/genai-drives-1760-surge-in-business-email-compromise-bec-attacks-according-to-new-report-by-perception-point/
https://bi-zone.medium.com/a-tale-of-business-email-compromise-6b12012a8070
https://abnormalsecurity.com/resources/exploring-rise-of-israel-based-bec-attacks
https://cdn2.assets-servd.host/gifted-zorilla/production/files/Exploring-the-Rise-of-Israel-Based-BEC-Attacks.pdf