Researchers have uncovered a sophisticated phishing scam targeting participants of the World Agricultural Cycling Competition (WACC). The campaign cleverly mimics the official WACC website to deceive users into downloading malicious software.
The phishing site at the center of the scam, hosted at “wacc[.]photo,” bears a striking resemblance to the legitimate WACC website. The attacker behind the World Agricultural Cycling Competition scam meticulously replicated the genuine site, with only minor tweaks that made it difficult for users to spot the fraud.
The World Agricultural Cycling Competition Scam
The World Agricultural Cycling Competition, held annually in France, aims to merge the agriculture and sports industries, making it a prime target for scammers seeking to exploit its popularity.
Launched in July 2024, shortly after the WACC concluded in June, the World Agricultural Cycling Competition phishing campaign took advantage of the event’s recent conclusion. By adding a “PHOTO” section to the fraudulent site, the scammer enticed users with promises of exclusive event photos. This tactic was designed to lure stakeholders and participants who were eager to relive the event through pictures, thereby increasing the likelihood of successful phishing attacks.
According to Cyble Research and Intelligence Labs (CRIL), the deceptive site lures users into downloading a ZIP file, purportedly containing event photos. However, this file, rather than holding images, conceals three shortcut files (.lnk) disguised as image files. When these shortcuts are executed, they initiate a complex infection chain leading to the deployment of a Havoc Command and Control (C2) framework.
Upon execution, the Havoc C2 attempts to establish a connection with an Azure Front Door domain, which is used as a redirector to the actual Command and Control server. This server facilitates further malicious activities by the attacker. During CRIL’s investigation, the C&C server was found to be offline, which limited the ability to fully analyze subsequent stages of the attack.
The phishing site also contained an open directory with various malware payloads, suggesting that the attacker might be swapping out payloads to better target victims.
This open directory, coupled with the sophisticated nature of the Havoc C2 framework, indicates a well-prepared and potentially strategic approach by the threat actor.
Technical Breakdown of the World Agricultural Cycling Competition Scam
The World Agricultural Cycling Competition scam begins when a user downloads a ZIP file from a fraudulent site. This file contains three shortcut files (.lnk) disguised as .jpg images. When executed, these shortcuts use conhost.exe to run a PowerShell script. The script first downloads and displays legitimate JPG files from the phishing site via Microsoft Edge, creating a false sense of security.
Meanwhile, it secretly downloads and installs a malicious DLL file named “KB.DLL” into the “AppDataLocal” directory. This DLL serves as a loader for obfuscated shellcode, which is executed using the EnumFontsW() function—a technique designed to evade detection. The shellcode includes an embedded executable that connects to a Command and Control (C2) server.
The Havoc C2 framework, a sophisticated post-exploitation tool, is employed for various malicious activities such as lateral movement within the compromised network, maintaining persistent access, and deploying additional malware. Although the C2 server was offline during analysis, the use of Havoc indicates that the attacker planned extensive and complex operations within the targeted network.
Recommendations for Protection
To address the risks associated with phishing scams such as the “World Agricultural Cycling Competition phishing campaign,” organizations and individuals should implement several key measures. Firstly, verifying website legitimacy is crucial. Users should carefully scrutinize URLs and avoid interacting with suspicious links to prevent falling victim to phishing attacks. Ensuring that websites are authentic can significantly reduce the likelihood of being deceived by fraudulent sites.
Education plays a vital role in cybersecurity. Conducting regular training sessions helps users recognize phishing attempts and understand the dangers of downloading files from untrusted sources. Emphasizing the importance of verifying the legitimacy of websites and links can empower users to make safer online choices.
Restricting PowerShell execution is another important measure. Configuring PowerShell execution policies to limit the running of scripts from untrusted sources can mitigate the risk of malicious script execution. Using features like PowerShell Constrained Language Mode can further reduce the potential for harmful scripts to run on a system. And PCs should run in admin mode only when needed.
Advanced endpoint protection solutions are essential for detecting and blocking malicious DLLs and scripts. It is important to keep antivirus and antimalware software up-to-date and properly configured to scan for and identify potentially harmful files.
Monitoring network traffic is also crucial. Implementing network monitoring tools can help detect unusual traffic patterns, such as connections to suspicious domains or unexpected communications with services like Azure Front Door.