DocuSign, which provides electronic signatures and digital transaction management, reported that email addresses were stolen by an unknown party on May 15. Although the company confirmed that no personal information was shared, DocuSign has reported that a malicious third party gained temporary access to a separate, non-core system that allows it to communicate service-related announcements to users via email. This incident has left a lot of DocuSign individual users and business professionals vulnerable, because the attacker group is trying to exploit the users through phishing emails. Users are receiving mails on their corporate email IDs, in which they are asked to review and sign job-related documents such as accounting invoices, by clicking on the “Review Document” hyperlink in the malicious documents.
The phishing link downloads a document file consisting of malicious code, which when opened injects malware in the system’s process svchost.exe.
The injected process sends a request to the following URLs:
Contacting the remote host.
The malware receives the response:
Response from server.
The response is an encrypted file that could be any of three types:
- DLL: The common password stealer Pony Loader, aka Fareit.
- EXE: A similar variant known as Evil Pony.
- EXE ZLoader: For loading exploit kits and other malware.
The compressed and encrypted stealer component.
The files are aplib compressed and XOR encrypted. The download has to first be decompressed and then decrypted. The first 8 bytes of the file are the XOR key.
The decrypted stealer component.
The DLL file uses a lot of anti-debugging techniques to avoid analysis. It also creates a mutex to avoid its own multiple instances running on the same machine.
Creating the mutex.
The DLL, Pony Loader, steals the username, password, and other information. The following screenshots show code for stealing user credentials from Chrome and Outlook.
Code for stealing Chrome credentials.
Code for stealing Outlook credentials.
The EXE, Evil Pony, steals credentials from FileZilla:
Code for stealing FileZilla credentials.
Once downloaded, these malware monitor a user’s keystrokes, capture personal information such as usernames and passwords, and send this information to the malware originator.
DocuSign has reported that they have taken quick measures to block the unauthorized access and have added further security to their systems. The company has also advised its users to keep their antimalware software updated.
McAfee urges all customers to ensure McAfee’s DAT updates have been applied to ensure the latest protection. We advise customers to be diligent in applying security updates for all the software they use.
SHA256 hashes of the analyzed samples:
- fff786ec23e6385e1d4f06dcf6859cc2ce0a32cee46d8f2a0c8fd780b3ecf89a: W97M/Dropper.cu
- 5bcd2d8ed243d6a452d336c05581291bc63ee489795e8853b9b90b5f35c207d8: RDN/Generic PWS.y
- 437351c9ae0a326ed5f5690e99afc6b723c8387f1ed87c39ebcce85f9103c03a: Fareit-FCH
- 9f346deed73194928feda785dca92add4ff4dd19fbc1352cebaa6766e0f69a38: Generic PWS.o