
Cyber Threat Operations TLP: AMBER

Tactical Intelligence Bulletin: Phishing with DocuSign

CTO-TIB-20180501-01A May 2018 threatintelligence@uk.pwc.com


Tags: Phishing, DocuSign, Education

Executive Summary
In January 2018, PwC assisted an organisation in the education sector with its remediation after an incident in
which financially-motivated threat actors logged into its employees’ accounts. During this investigation, we
uncovered an active phishing campaign that compromised multiple employee accounts. The threat actor in this
instance used an employee’s email account to send a DocuSign-themed phishing email to a large number of
employees. It contained a link to a compromised website used for credential harvesting. The threat actor then used
these credentials to gain remote access to numerous user accounts. Our analysis also found that the threat actor
used the IPVanish virtual private network (VPN) service to obfuscate its true location and identity for the majority
of connections to victim user accounts.

Analysis
On 8 January 2018, a compromised user account was used to send a phishing email with the subject line ‘2017
Report’ to a large number of employees. The email contained a DocuSign document with a hyperlinked button
labelled ‘Review Document’ that directed users to a PDF document named Document.pdf, hosted on Google
Drive at https://drive.google[.]com/open?id=10pf7nCNOcqUPwHmXqdzYJrdaE_8Qf3-a. Based on our
analysis of email logs, it is highly likely that the sender’s account was initially compromised after falling victim to
an external email containing the same malicious link.

This compromised account was then observed to send the same phishing email with the new subject line
‘Important document’ the following day. A second compromised account was subsequently used to send an email
with the subject line ‘Transfer document- cod’ to several employees in the organisation.

Figure 1 – PDF containing malicious link hosted on Google Drive


The content of the document on Google Drive was obscured with a label indicating it to be a ‘Secured Document!’
and directing the user to click on a hyperlinked button titled ‘VIEW FILE HERE’. When clicked, the link directed
the user to a spoofed DocuSign HTML file hosted on the domain gryphongraphics[.]net.

Gryphon Graphics website


The threat actor likely compromised the legitimate website gryphongraphics[.]net and inserted the phishing
pages used to solicit the victim’s Office 365 user credentials. We base this assessment on the site owner’s legitimate
business, other associated websites, and the contact information on the WHOIS record that aligns with the
business owner’s true identity. Additionally, at the time of analysis, the compromised website’s WordPress content
management system was outdated and had known vulnerabilities. The threat actor likely exploited these
vulnerabilities to inject malicious content without the site owner’s awareness or consent.

The gryphongraphics[.]net domain currently resolves to 166.62.90[.]31, along with 22 other websites. There
are no indications these other websites are either related to gryphongraphics[.]net or malicious.

The initial phishing page (URL: hxxps://gryphongraphics[.]net/file/view/myr/index.php) prompts the
user to select an email provider, offering options for Office 365, AOL, or another email provider.

Figure 2 – Initial DocuSign-themed phishing page

Selecting the Office 365 option directs the user to a spoofed Microsoft Office 365 login page at
hxxps://gryphongraphics[.]net/file/view/myr/office.php.


Figure 3 – Credential harvesting for Microsoft Office 365

Selecting the AOL option directs the user to a spoofed ‘Publishers Clearing House’ sweepstakes page prompting the user
to click an ‘Enter Now!’ button. This is located at hxxps://gryphongraphics[.]net/file/view/myr/al.php.

Figure 4 – Phishing page for AOL accounts

Selecting ‘Other Email’ directs the user to a nondescript page at the URL
hxxps://gryphongraphics[.]net/file/view/myr/othr.php, requesting the user’s email address and
password.


Figure 5 – Credential harvesting for ‘Other Email’ accounts

Multiple URLs, together with the accompanying PHP or text files hosted on the gryphongraphics[.]net domain,
were submitted to and scanned by VirusTotal during the month of January 2018, resulting in malicious detections
by up to 20 antivirus tools. The index.php file, linked in the DocuSign email, resulted in 20 detections as a known
phishing page. The continuation of submissions to VirusTotal following this incident, including additional URLs
that were not observed in our investigation, indicates the phishing site was likely used in similar campaigns against
other victims. An example of these can be seen in Figure 6 below.

Figure 6 – Related URLs scanned on VirusTotal


Victimology
The victim, who is in the education sector, was susceptible to this phishing attack for a number of reasons,
including but not limited to the following:

• Lack of multi-factor authentication (MFA) for remote access to Office 365; and,
• No web filtering for potentially malicious or compromised websites.

Conclusion
This incident highlights how one employee falling victim to a phishing attack can result in a threat actor using the
initial compromise to successfully steal additional login credentials. It also highlights how threat actors are hosting
their phishing pages on compromised legitimate websites rather than setting up their own infrastructure to
conduct malicious activity. In this case, PwC was able to assist our client with detecting and remediating this
phishing campaign. We have seen other campaigns using similar tactics result in business email compromise
(BEC) schemes, causing significant financial losses due to fraudulent money transfers.

Recommendations
At the technical controls level, we recommend that organisations block remote access from non-approved VPN
services, deploy MFA for remote access, use signing certificates for critical email contacts (e.g. PGP email
encryption and signing), and conduct website categorisation and filtering to block phishing pages.

We recommend that organisations blacklist the indicators listed in Appendix A. IP addresses used to connect to
compromised victim accounts are listed in Appendix B. We also recommend searching your networks for activity
associated with these IPs within the timeframes listed, given their connection to malicious threat activity.
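As an added example (not part of the bulletin), the following Python script shows one way to carry out the search recommended above: it refangs the bulletin’s defanged indicators, builds a watchlist of IP addresses keyed by the Appendix B dates, and matches them against sign-in log lines within a configurable window around each listed date. The log format and the sample log lines are assumptions constructed for the example; the IP addresses and dates are a subset of Appendix B.

```python
import re
from datetime import date

# Subset of the bulletin's Appendix B: date of access -> defanged IP addresses
APPENDIX_B = {
    "2018-01-05": ["216.151.180[.]105", "216.151.180[.]104"],
    "2018-01-07": ["205.185.209[.]69", "205.185.209[.]68", "205.185.209[.]67"],
}

def refang(indicator):
    """Turn a defanged indicator ('hxxps', '[.]') back into a matchable value."""
    return (indicator.replace("[.]", ".")
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://"))

def build_watchlist(table):
    """Map each refanged IP to the set of dates on which the bulletin saw it."""
    watch = {}
    for day, ips in table.items():
        for ip in ips:
            watch.setdefault(refang(ip), set()).add(day)
    return watch

# Assumed sign-in log format (not from the bulletin): ISO timestamp, user, source IP, result
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2})T\S+\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=\S+"
)

def find_hits(log_lines, watch, slack_days=1):
    """Return (date, user, ip) for sign-ins from a listed IP within slack_days of a listed date."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or m.group("src") not in watch:
            continue
        seen = date.fromisoformat(m.group("ts"))
        for day in watch[m.group("src")]:
            if abs((seen - date.fromisoformat(day)).days) <= slack_days:
                hits.append((m.group("ts"), m.group("user"), m.group("src")))
                break
    return hits

# Constructed sample log lines; only the first and third fall inside the windows
SAMPLE_LOG = [
    "2018-01-05T08:12:03Z user=alice src=216.151.180.105 result=Success",
    "2018-01-05T08:15:40Z user=bob src=10.0.0.12 result=Success",
    "2018-01-08T22:01:10Z user=carol src=205.185.209.67 result=Success",
    "2018-01-20T09:00:00Z user=dave src=205.185.209.67 result=Success",
]
```

A sign-in from a listed IP well outside the bulletin’s window (the last sample line) is deliberately not reported, so the window should be widened only with reason.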

Further Information
We specialise in providing the services required to help clients resist, detect and respond to advanced cyber attacks.
This includes crisis events such as data breaches, economic espionage and targeted intrusions, including those
commonly referred to as APTs. If you would like more information on any of the threats discussed in this alert
please feel free to get in touch, by emailing threatintelligence@uk.pwc.com.


Appendix A – Indicators of Compromise

Indicator Type
hxxps://drive.google[.]com/open?id=10pf7nCNOcqUPwHmXqdzYJrdaE_8Qf3-a URL
hxxps://gryphongraphics[.]net/file/view/myr/index.php URL
hxxps://gryphongraphics[.]net/file/view/myr/office.php URL
hxxps://gryphongraphics[.]net/file/view/myr/al.php URL
hxxps://gryphongraphics[.]net/file/view/myr/othr.php URL

Appendix B – IP addresses used to access victim accounts

Date of access/attempted access    IP address(es)
2018-01-03 216.151.180[.]105
2018-01-04 216.151.180[.]103
2018-01-05 216.151.180[.]105, 216.151.180[.]104
2018-01-06 216.151.180[.]105, 216.151.180[.]103
2018-01-07 205.185.209[.]69, 205.185.209[.]68, 205.185.209[.]67
2018-01-08 205.185.209[.]244, 205.185.209[.]66
2018-01-09 216.151.191[.]76
2018-01-10 216.151.191[.]76, 216.151.191[.]77
2018-01-12 205.185.209[.]98


This document has been prepared by PricewaterhouseCoopers LLP ("PwC") solely for its clients who have entered
into a subscription agreement with PwC for related services (the "subscription") and solely for the purpose and on
the terms set out in the subscription. PwC accepts no liability (including for negligence) to anyone else in
connection with this document. It may only be distributed according to the TLP classification where one is
provided, and otherwise it may not be provided to anyone else.
