Criminal Threat Actor Uses Stolen Invoices to Distribute Malware

Researchers at IBM X-Force are tracking a phishing campaign by the criminal threat actor “Hive0145” that’s using stolen invoice notifications to trick users into installing malware.

Hive0145 acts as an initial access broker, selling access to compromised organizations to other threat actors who then carry out additional cyberattacks.

“Over the past year, Hive0145 has demonstrated proficiency in evolving tactics, techniques, and procedures (TTPs) to target victims across Europe,” the researchers explain. “Italian, Spanish, German, and Ukrainian victims continue to receive weaponized attachments that entice the victim to open the file.

The actor’s campaigns present the victim with fake invoices or receipts and often a short, generic message of urgency for victims to address. Upon loading the attached file, the victim unwittingly executes the infection chain leading to Strela Stealer malware.”

Notably, the threat actor has begun using real, stolen invoice notifications to add legitimacy to its phishing operations.

“In July 2024, X-Force observed a mid-campaign change in the emails being distributed by Hive0145, with the short and generic messages being replaced with what appeared to be legitimate stolen emails,” the researchers write.

“The phishing emails exactly matched official invoice communication emails and, in some cases, still directly addressed the original recipients by name. X-Force was able to verify that the emails were in fact authentic invoice notifications from a variety of entities across financial, technology, manufacturing, media, e-commerce and other industries. It is likely that the group sourced the emails through previously exfiltrated credentials from their prior campaigns.”

Strela Stealer is a strain of malware designed to exfiltrate email credentials. X-Force notes that these credentials can be used to launch business email compromise (BEC) attacks within the targeted organizations.

“Hive0145’s use of stolen emails for attachment hijacking is an indicator that a portion of stolen email credentials may be used to harvest legitimate emails for further distribution,” the researchers write. “Both stolen and actor-created emails used by Hive0145 predominantly feature invoices as themes, which points towards potential financial motivation. It is possible that Hive0145 may sell stolen emails to affiliate partners for the purposes of further business email compromise.”
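The replay signals the researchers describe (an authentic notification that still names its original recipient, now arriving from somewhere else with a fresh attachment) can be checked mechanically at the mail gateway. The Python below is an added example, not code from X-Force or KnowBe4: the two .eml messages, the domains example.com/example.net/example.org, the addresses, the TEST-NET address 203.0.113.7 and the RISKY_EXTENSIONS list are all constructed for the example, and it assumes the receiving MTA stamps an Authentication-Results header and that the caller knows the envelope recipient (RCPT TO).

```python
"""Heuristic triage for 'attachment hijacking': an authentic invoice notice
replayed from attacker infrastructure with a new malicious attachment.

Added example, not code from IBM X-Force or KnowBe4.  Assumptions (not from
the article): the receiving MTA writes an Authentication-Results header, the
caller knows the envelope recipient, and first-stage loaders arrive as the
archive/script types listed in RISKY_EXTENSIONS."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parsedate_to_datetime
from datetime import datetime, timedelta, timezone

# Assumption: file types commonly used as first-stage loaders; tune per environment.
RISKY_EXTENSIONS = {".zip", ".rar", ".7z", ".js", ".jse", ".lnk", ".iso", ".img", ".hta", ".vbs"}
REPLAY_INDICATORS = {"dmarc_not_pass", "recipient_mismatch", "stale_date"}
STALE_AFTER = timedelta(days=7)


def parse_eml(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)


def triage(msg: EmailMessage, envelope_rcpt: str, now: datetime) -> list:
    """Return indicator names. Three flag replay of an old, genuine mail;
    the fourth flags the attachment the actor bolted on."""
    findings = []

    # 1. A replayed mail leaves the actor's servers, so the From: domain no
    #    longer passes DMARC even though the body is the vendor's own text.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "dmarc=pass" not in auth:
        findings.append("dmarc_not_pass")

    # 2. The stolen mail keeps its original To: (and greets that person by
    #    name) while the envelope recipient is someone else entirely.
    to_hdr = msg["To"]
    to_addrs = {a.addr_spec.lower() for a in to_hdr.addresses} if to_hdr else set()
    if to_addrs and envelope_rcpt.lower() not in to_addrs:
        findings.append("recipient_mismatch")

    # 3. The Date: header still carries the original send date, often weeks old.
    if msg["Date"]:
        try:
            sent = parsedate_to_datetime(str(msg["Date"]))
            if sent.tzinfo is None:
                sent = sent.replace(tzinfo=timezone.utc)
            if now - sent > STALE_AFTER:
                findings.append("stale_date")
        except (TypeError, ValueError):
            findings.append("unparseable_date")

    # 4. The weaponized attachment that was never part of the original notice.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append("risky_attachment:" + name)

    return findings


def is_suspected_hijack(findings) -> bool:
    """Alert only when a risky attachment coincides with a replay indicator,
    so ordinary forwarded or late-delivered invoices stay out of the queue."""
    has_payload = any(f.startswith("risky_attachment:") for f in findings)
    return has_payload and bool(REPLAY_INDICATORS & set(findings))


# Constructed sample: a June invoice notice originally sent to bob@example.org,
# replayed in July to alice@example.net from 203.0.113.7 with a ZIP attached.
REPLAYED_EML = b"""\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
Received: from [203.0.113.7] by mx.example.net; Tue, 16 Jul 2024 08:00:00 +0000
From: Billing <billing@example.com>
To: Bob Original <bob@example.org>
Date: Mon, 10 Jun 2024 09:15:00 +0200
Subject: Invoice INV-10482 is ready
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear Bob, please find attached invoice INV-10482.
--b1
Content-Type: application/zip; name="INV-10482.zip"
Content-Disposition: attachment; filename="INV-10482.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed control: the same notice delivered normally to its real recipient.
LEGIT_EML = b"""\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Billing <billing@example.com>
To: Bob Original <bob@example.org>
Date: Mon, 10 Jun 2024 09:15:00 +0200
Subject: Invoice INV-10482 is ready
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear Bob, please find attached invoice INV-10482.
--b1
Content-Type: application/pdf; name="INV-10482.pdf"
Content-Disposition: attachment; filename="INV-10482.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

NOW_REPLAY = datetime(2024, 7, 16, 8, 5, tzinfo=timezone.utc)
NOW_LEGIT = datetime(2024, 6, 10, 7, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, raw, rcpt, now in (("replayed", REPLAYED_EML, "alice@example.net", NOW_REPLAY),
                                  ("legit", LEGIT_EML, "bob@example.org", NOW_LEGIT)):
        f = triage(parse_eml(raw), rcpt, now)
        print(label, f, "suspected_hijack=%s" % is_suspected_hijack(f))
```

The recipient check is the one specific to this campaign: a vendor's genuine notice forwarded by a colleague also fails DMARC and may be stale, but it is forwarded by a person, so the To: header usually names the actual recipient. Requiring a risky attachment alongside a replay indicator keeps the verdict conservative; a gateway could instead weight the indicators and quarantine above a threshold.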

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

SecurityIntelligence has the story.
