
ThreatLabz August 2022 Report: AiTM hits Gmail, Investigating X-FILES infostealer, Grandoreiro Trojan analysis, and instant karma for pirated software users

Sep 07, 2022

In the span of just a few weeks since the last report, ThreatLabz has shared a wave of cyber threat intelligence, including the continuation of AiTM phishing attacks now targeting Gmail, a new variant of X-FILES, a phishing campaign impersonating government officials in Mexico, and infostealers targeting those who download pirated software. Stay ahead of cyber criminals and eliminate vulnerabilities across your environment by getting familiar with evolving attacks and using our advice to stop them.

AiTM phishing threat switches targets to Gmail - GitHub next?

ThreatLabz has locked focus on a massive AiTM phishing campaign that targeted users of Microsoft email services over the summer of 2022. In mid-July, ThreatLabz observed instances of adversary-in-the-middle (AiTM) phishing attacks targeting enterprise users of Gmail. During our rigorous analysis of these attack chains, several similarities between the two campaigns emerged.


Figure 1: Gmail enterprise email attack chain

The overlapping indicators between these attacks convinced us they were run by the same threat actor. They used similar TTPs including spearphishing executives, using compromised accounts to continue phishing, and using a similar client-side fingerprinting script for evasion. The same redirector scripts used in the Microsoft phishing campaign were also updated to target G Suite enterprise users.

Our analysis of this campaign’s infrastructure revealed a phishing kit extension for targeting GitHub users that is also capable of bypassing MFA. With this pivot, a successful attack could have a much bigger impact on organizations than simply compromising the emails of individual users. Victims of a successful GitHub account breach face the potential exfiltration of their proprietary code base.

Figure 2: A 2-factor GitHub authentication request intercepted by the phishing kit

Figure 3: GitHub account audit logs showing 2-factor authentication successfully bypassed

These AiTM campaigns highlight the importance of using a proxy-based zero trust architecture with full SSL inspection to effectively block the phishing pages and credential theft attempts. Zero trust architecture can decrease cyber risk by minimizing the attack surface while also reducing the blast radius of a successful phishing attack.

Learn more about this massive phishing campaign

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection.

Investigating the evolution of X-FILES infostealer

X-FILES infostealer is a relatively new threat, first seen in the wild in March 2021. By December, a second variant was discovered. In June 2022, ThreatLabz uncovered a new variant of X-FILES that is being distributed largely from domains hosted on Russian IPs. This new variant exploits the Follina vulnerability to deliver the malware.


Figure 4: X-FILES attack chain

X-FILES attempts to steal credentials and financial information such as saved browser credentials, cryptocurrency wallets, FTP credentials, and credit card information. The latest variant collects additional information about the Windows activation key, graphics card, memory, processor, and antivirus installed on the victim’s machine. While new features are being regularly added to this threat, all observed samples have been written in C#.

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox.

Take an in-depth look at the latest X-FILES

Grandoreiro Banking Trojan

ThreatLabz has observed a Grandoreiro Trojan campaign targeting multiple industry verticals in Mexico and Spain. Grandoreiro, a banking Trojan active since 2016, is predominantly leveraged against users in Latin America. In this campaign, threat actors send phishing emails while impersonating government officials from the Public Ministry and Attorney General’s Office of Mexico City.

Figure 5: Grandoreiro targeted industry verticals and geographical locations

The Grandoreiro loader uses multiple anti-analysis techniques to evade sandboxes including binary padding and CAPTCHA implementation. The loader sends a check-in request with all the required user, system, and campaign information. The C2 pattern of the current Grandoreiro campaign is identical to LatentBot, as demonstrated by the “ACTION=HELLO” beacon and ID-based communication.

Discover the gritty details of the latest Grandoreiro campaign

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox.

Infostealers pile on to risks of pirated software

Individuals comfortable with violating software copyright laws to download pirated software could end up paying a much higher price. Attackers have seized on the behavior of those visiting and downloading software from unscrupulous websites to spread infostealer malware and extort victims.

Figure 6: Infection vector - stealer malware installed when downloading pirated software

ThreatLabz researchers recently discovered multiple ongoing threat campaigns and detailed two of them. The first is a technical analysis that starts with fake shareware sites surfaced through Google search engine result pages. Visitors are taken through multiple redirects to a final site where they download files masquerading as common types of cracked software. After a few additional stages, a payload containing RedLine Stealer collects stored browser passwords, auto-complete data, and cryptocurrency files and wallets from unsuspecting victims.

In the second analysis, researchers observed fake shareware sites distributing instances of the RecordBreaker Stealer malware, packed with tools such as Themida, VMProtect, and MPRESS and delivered without the use of any legitimate file hosting services.

Examine how malware developers operate and use the latest techniques to avoid detection

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox, Advanced Cloud Firewall.


About ThreatLabz

ThreatLabz is the embedded research team at Zscaler. This global team includes security experts, researchers, and network engineers responsible for analyzing and eliminating threats across the Zscaler security cloud and investigating the global threat landscape. The team shares its research and cloud data with the industry at large to help promote a safer internet.

The Zscaler Zero Trust Exchange

Zscaler manages the world’s largest security cloud. Each day, Zscaler blocks over 150 million threats to its 6,000+ customers, securing over 240 billion web transactions daily. The Zscaler ThreatLabz security research team uses state-of-the-art AI and machine-learning technology to analyze Zscaler Zero Trust Exchange traffic and share its findings.
