Forcepoint X-Labs have recently been dealing with invoice-flavored campaigns utilizing a more advanced infection chain than normally appreciated. It relies on special data exchange between different Microsoft Office document formats and the techniques used to showcase a very high level of knowledge within that domain.
4 Responses
<p>Cases like this teach us one thing – never open an attachment addressed from an untrustworthy or unknown source. Of course, the issue is then how do we figure out what is a trustworthy or known source. Today, attackers are putting more and more effort into designing convincing phishing emails; therefore, making their detection harder than ever. This is why the campaign with ZLoader can be quite successful, especially when people are currently working on their taxes and might expect an email from the IRS. </p> <p> </p> <p>Individuals should always refrain from opening any attachments. They should think about why they are being contacted, and question whether they expect a document from the IRS through email. Often, when opening a document, you might not notice anything wrong. However, the document will drop a malicious payload that will contact the command-and-control server and infect your system.</p>
<p>After nearly 2 years under the radar, Zloader resurfaced last May disseminating a widespread COVID-19 themed campaign. The multi-purpose malware which is a descendant of Zeus, acts as a Banking trojan with the capability to disseminate other powerful tooling such as ransomware.</p> <p> </p> <p>The strain capitalises on the current fears and concerns of the public to enhance the success of its campaigns. It seems this recent campaign is no different, utilising the concluding tax year to socially engineer its targets and optimise potential returns.</p> <p> </p> <p>While this technique is nothing remarkable or new, the best precautions we can take on both an individual and organisational level, is to stay alert to global events and occurrences which could be adopted by adversaries to lure in potential victims. Consistently question and research incoming emails, if something seems too good to be true, it most likely is.</p>
<p>Although the MHTML attack described is more sophisticated than most invoice phishing schemes, it still relies on the user to download and open a Microsoft Office document with macros enabled. Even though the actual attack attempts to bypass many security mechanisms, it can still be prevented by following simple security guidelines. Never click on links or attachments in unsolicited messages. Do not allow macros to run on untrusted MS Office documents. At this time of year, be particularly wary of tax-related phishing messages.</p>
<p>This modified attack will likely be in heavy use during this U.S. tax season, as some strains pose as new tax information from the Internal Revenue Service, enticing unknowing victims to open the email and the malicious file attachment. While services such as Forcepoint can offer some protection against these types of attacks, employee education remains an important tool in the battle against these email attacks that use malicious links and attachments to infect users\’ computers and networks.</p>