Advancements In Invoicing – A Highly Sophisticated Way To Distribute ZLoader

Forcepoint X-Labs have recently been dealing with invoice-flavored campaigns utilizing a more advanced infection chain than normally appreciated. It relies on special data exchange between different Microsoft Office document formats and the techniques used to showcase a very high level of knowledge within that domain.

Subscribe
Notify of
guest

4 Expert Comments
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
Boris Cipot
Boris Cipot , Senior Sales Engineer
InfoSec Expert
March 11, 2021 10:11 am

<p>Cases like this teach us one thing – never open an attachment addressed from an untrustworthy or unknown source. Of course, the issue is then how do we figure out what is a trustworthy or known source. Today, attackers are putting more and more effort into designing convincing phishing emails; therefore, making their detection harder than ever. This is why the campaign with ZLoader can be quite successful, especially when people are currently working on their taxes and might expect an email from the IRS. </p> <p> </p> <p>Individuals should always refrain from opening any attachments. They should think about why they are being contacted, and question whether they expect a document from the IRS through email. Often, when opening a document, you might not notice anything wrong. However, the document will drop a malicious payload that will contact the command-and-control server and infect your system.</p>

Last edited 1 year ago by Boris Cipot
Natalie Page
Natalie Page , Cyber Threat Intelligence Analyst
InfoSec Expert
March 11, 2021 10:10 am

<p>After nearly 2 years under the radar, Zloader resurfaced last May disseminating a widespread COVID-19 themed campaign. The multi-purpose malware which is a descendant of Zeus, acts as a Banking trojan with the capability to disseminate other powerful tooling such as ransomware.</p> <p> </p> <p>The strain capitalises on the current fears and concerns of the public to enhance the success of its campaigns. It seems this recent campaign is no different, utilising the concluding tax year to socially engineer its targets and optimise potential returns.</p> <p> </p> <p>While this technique is nothing remarkable or new, the best precautions we can take on both an individual and organisational level, is to stay alert to global events and occurrences which could be adopted by adversaries to lure in potential victims. Consistently question and research incoming emails, if something seems too good to be true, it most likely is.</p>

Last edited 1 year ago by Natalie Page
Paul Bischoff
Paul Bischoff , Privacy Advocate
InfoSec Expert
March 11, 2021 10:07 am

<p>Although the MHTML attack described is more sophisticated than most invoice phishing schemes, it still relies on the user to download and open a Microsoft Office document with macros enabled. Even though the actual attack attempts to bypass many security mechanisms, it can still be prevented by following simple security guidelines. Never click on links or attachments in unsolicited messages. Do not allow macros to run on untrusted MS Office documents. At this time of year, be particularly wary of tax-related phishing messages.</p>

Last edited 1 year ago by Paul Bischoff
Chris Hauk
Chris Hauk , Consumer Privacy Champion
InfoSec Expert
March 11, 2021 10:06 am

<p>This modified attack will likely be in heavy use during this U.S. tax season, as some strains pose as new tax information from the Internal Revenue Service, enticing unknowing victims to open the email and the malicious file attachment. While services such as Forcepoint can offer some protection against these types of attacks, employee education remains an important tool in the battle against these email attacks that use malicious links and attachments to infect users\’ computers and networks.</p>

Last edited 1 year ago by Chris Hauk
Information Security Buzz
4
0
Would love your thoughts, please comment.x
()
x