Advancements In Invoicing – A Highly Sophisticated Way To Distribute ZLoader

Forcepoint X-Labs has recently been tracking invoice-themed campaigns that use a more elaborate infection chain than this kind of lure usually warrants. The chain relies on exchanging data between different Microsoft Office document formats, and the techniques involved show a very high level of familiarity with that domain.

Expert Comments

March 11, 2021
Boris Cipot
Senior Sales Engineer
Synopsys

Cases like this teach us one thing – never open an attachment from an untrustworthy or unknown source. Of course, the issue is then how we figure out what is a trustworthy or known source. Today, attackers are putting more and more effort into designing convincing phishing emails, therefore making their detection harder than ever. This is why the campaign with ZLoader can be quite successful, especially when people are currently working on their taxes and might expect an email from the IRS.

Individuals should always refrain from opening any attachments. They should think about why they are being contacted, and question whether they expect a document from the IRS through email. Often, when opening a document, you might not notice anything wrong. However, the document will drop a malicious payload that will contact the command-and-control server and infect your system.
March 11, 2021
Natalie Page
Cyber Threat Intelligence Analyst
Talion

After nearly 2 years under the radar, Zloader resurfaced last May disseminating a widespread COVID-19 themed campaign. The multi-purpose malware, which is a descendant of Zeus, acts as a banking trojan with the capability to disseminate other powerful tooling such as ransomware.

The strain capitalises on the current fears and concerns of the public to enhance the success of its campaigns. It seems this recent campaign is no different, utilising the concluding tax year to socially engineer its targets and optimise potential returns.

While this technique is nothing remarkable or new, the best precaution we can take, on both an individual and an organisational level, is to stay alert to global events and occurrences which could be adopted by adversaries to lure in potential victims. Consistently question and research incoming emails; if something seems too good to be true, it most likely is.
March 11, 2021
Paul Bischoff
Privacy Advocate
Comparitech

Although the MHTML attack described is more sophisticated than most invoice phishing schemes, it still relies on the user to download and open a Microsoft Office document with macros enabled. Even though the actual attack attempts to bypass many security mechanisms, it can still be prevented by following simple security guidelines. Never click on links or attachments in unsolicited messages. Do not allow macros to run on untrusted MS Office documents. At this time of year, be particularly wary of tax-related phishing messages.
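One triage check that follows from the MHTML point above, added here as an example and not code from Forcepoint or from the commenter: Word will open an MHTML (MIME) file even when it carries a .doc extension, so an attachment scanner that classifies a file by its content rather than its name, and then walks the MIME parts looking for an embedded binary Office container, flags the shape of this lure before any user is asked to enable macros. The MHTML sample below is constructed for the example and is not a file from the campaign; the expected-container table is an assumption chosen for the demonstration.

```python
import base64
import email

# Magic bytes of the two native Office containers.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls (CFB)
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML .docx/.xlsx (ZIP)
# Header fragments that betray a MIME (MHTML) file; Word opens these whatever the extension.
MHTML_MARKERS = (b"mime-version:", b"content-type: multipart/related")

# Container a file with this extension is expected to carry (assumption for the example).
EXPECTED_CONTAINER = {
    "doc": "ole2", "xls": "ole2", "docx": "ooxml", "xlsx": "ooxml",
    "mht": "mhtml", "mhtml": "mhtml",
}


def sniff_container(data: bytes) -> str:
    """Classify the outer container from content alone, ignoring the file name."""
    head = data[:2048]
    if head.startswith(OLE2_MAGIC):
        return "ole2"
    if head.startswith(ZIP_MAGIC):
        return "ooxml"
    lowered = head.lower()
    if any(marker in lowered for marker in MHTML_MARKERS):
        return "mhtml"
    return "unknown"


def embedded_office_parts(mhtml: bytes) -> list:
    """Content-Types of MIME parts whose decoded body is itself an Office container."""
    msg = email.message_from_bytes(mhtml)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""   # undoes base64/quoted-printable
        if payload.startswith(OLE2_MAGIC) or payload.startswith(ZIP_MAGIC):
            found.append(part.get_content_type())
    return found


def triage_attachment(filename: str, data: bytes) -> dict:
    """Flag attachments whose content does not match their extension or that nest an Office file."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    container = sniff_container(data)
    expected = EXPECTED_CONTAINER.get(ext)
    mismatch = expected is not None and expected != container
    parts = embedded_office_parts(data) if container == "mhtml" else []
    return {
        "filename": filename,
        "container": container,
        "extension_mismatch": mismatch,
        "embedded_office_parts": parts,
        # A flag for a closer look, not a verdict: a ".doc" that is really MHTML wrapping
        # a binary Office container is exactly the pattern worth pulling out of the mail flow.
        "suspicious": mismatch or bool(parts),
    }


# Constructed sample: an MHTML "document" with an HTML body and a base64 part that
# decodes to a legacy Excel container (OLE2 header plus zero padding).
_EMBEDDED_XLS_B64 = base64.b64encode(OLE2_MAGIC + b"\x00" * 40).decode()
SAMPLE_MHTML_DOC = (
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/related; boundary="----=_NextPart_000"\r\n'
    "\r\n"
    "------=_NextPart_000\r\n"
    'Content-Type: text/html; charset="us-ascii"\r\n'
    "\r\n"
    "<html><body>Please find your invoice attached.</body></html>\r\n"
    "------=_NextPart_000\r\n"
    "Content-Type: application/vnd.ms-excel\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "Content-Location: file:///C:/invoice_files/sheet.xls\r\n"
    "\r\n"
    + _EMBEDDED_XLS_B64 + "\r\n"
    "------=_NextPart_000--\r\n"
).encode()
# Constructed sample: a genuine legacy .doc container (header only, padded).
SAMPLE_PLAIN_DOC = OLE2_MAGIC + b"\x00" * 504

if __name__ == "__main__":
    for name, blob in (("invoice.doc", SAMPLE_MHTML_DOC), ("invoice.doc", SAMPLE_PLAIN_DOC)):
        print(triage_attachment(name, blob))
```

The check is deliberately cheap: it reads only the first 2 KB for classification and decodes MIME parts only when the file is already known to be MHTML, so it can sit in a mail gateway or a SOAR enrichment step without parsing every Office file in full. A mismatch alone is a triage flag rather than a verdict, since Word happily opens several formats under a .doc name; the combination of a mismatched extension and a nested binary Office part is what makes the attachment worth holding.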
March 11, 2021
Chris Hauk
Consumer Privacy Champion
Pixel Privacy

This modified attack will likely be in heavy use during this U.S. tax season, as some strains pose as new tax information from the Internal Revenue Service, enticing unknowing victims to open the email and the malicious file attachment. While services such as Forcepoint can offer some protection against these types of attacks, employee education remains an important tool in the battle against these email attacks that use malicious links and attachments to infect users' computers and networks.