A malware distribution campaign is abusing organizations’ contact forms to send malicious emails designed to catch the attention of companies’ customer support personnel. The attackers also use other legitimate services, including Google Drive, to avoid detection by security filters.
“The email distribution campaigns associated with these malware payloads feature characteristics designed to evade detection and make analysis and tracking more difficult,” the researchers write. “In most cases, the threat actor was initiating email-based communications with potential victims using the contact forms present on the victim organization's website. This results in email communications that appear to originate from legitimate sources which may allow the adversaries to evade some email security mechanisms.”
Some of the emails claim to be sent by an illustrator whose work is being used without permission on the targeted organization’s website. The emails are customized to include the organization’s name, and the sender threatens to sue the organization if it doesn’t remove the images from its site. The email includes a Google Drive link that supposedly leads to the copyrighted images. The link actually downloads a Microsoft Office document that prompts the user to enable macros; doing so triggers the infection process. The researchers add that the malware’s obfuscation techniques “are not trivial.”
“The payloads delivered have varied over time,” Cisco Talos says. “Over the past several months, we have observed campaigns being used to deliver various information stealers, banking trojans and other malware loaders including but not limited to Gozi ISFB, ZLoader, SmokeLoader, Oski, AveMaria and Cobalt Strike payloads, among others. We also discovered infection chains that deliver multiple payloads to a single victim as part of a multi-stage infection process. While the payload delivery features several distinct malware families, in all of the campaigns observed, the initial malware payloads used the same crypter, which obfuscates the malicious contents present in the binary executable and make analysis more difficult.”
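As an added defender-side example (not code from Cisco Talos or the original story), the following Python triages contact-form submissions for the lure pattern described above and checks a downloaded Office file for an embedded VBA project before anyone is tempted to enable macros; the organization name, sample message, Drive link and in-memory document are constructed placeholders.

```python
import io
import re
import zipfile

# Lure indicators taken from the campaign description: a Google Drive link,
# an illustrator's copyright claim, and a threat of legal action.
DRIVE_LINK = re.compile(r"https?://(?:drive|docs)\.google\.com/\S+", re.I)
LURE_TERMS = {
    "copyright": ("copyright", "illustrator", "my images", "without permission"),
    "legal_threat": ("sue", "lawsuit", "legal action", "attorney"),
}

def score_submission(org_name: str, body: str) -> dict:
    """Return the indicators found in one contact-form message plus a verdict."""
    text = body.lower()
    hits = {"google_drive_link": bool(DRIVE_LINK.search(body))}
    for label, terms in LURE_TERMS.items():
        # whole-word match so "issue" does not trigger the "sue" term
        hits[label] = any(re.search(r"\b" + re.escape(t) + r"\b", text) for t in terms)
    hits["org_name_personalised"] = org_name.lower() in text
    # Drive link + copyright claim + legal threat is the campaign's signature.
    hits["suspicious"] = hits["google_drive_link"] and hits["copyright"] and hits["legal_threat"]
    return hits

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container

def has_vba_project(data: bytes) -> bool:
    """True if the file is macro-capable: OOXML with a vbaProject.bin or a legacy OLE file."""
    if data.startswith(OLE_MAGIC):
        return True  # legacy format may embed macros; inspect further with oletools
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container in memory (demo input only, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()

# Constructed sample submission mirroring the lure; the org name and link are placeholders.
SAMPLE = ("Hello Example Corp, I am an illustrator and you are using my images on your "
          "website without permission. Remove them or I will sue. The originals are here: "
          "https://drive.google.com/file/d/PLACEHOLDER/view")
```

A submission that scores `suspicious` is a candidate for quarantine or manual review by the support team rather than an automatic block, since genuine copyright complaints do arrive through the same forms.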
This campaign demonstrates how attackers can combine legitimate services with obfuscation to evade security defenses. The attack can still be stopped, however, if employees know never to click “Enable Content” in a document they did not expect. New-school security awareness training can teach your employees to recognize common phishing techniques.
Cisco Talos has the story.