It’s no surprise that cybercriminals go where the money is – in this case, literally. A campaign that has been running since August of this year has been identified targeting financial institutions and seeking to compromise business endpoints with a combination of tactics:
- Reputation Jacking – all of the files were hosted on Google Cloud Storage (storage.googleapis.com). Hosting on a well-known, popular service lets the links inherit the domain’s good reputation and slip past reputation-based filters. (According to Menlo Labs’ most recent Annual State of the Web Report, 4,600 phishing sites used legitimate hosting services.)
- Archived Files – the files linked to in these campaigns were zip or gz archives, which puts the malicious payload one layer deeper than content filters that do not unpack archives can see.
- Links over Attachments – a link to Google Cloud Storage (or another reputable site) is less likely to be flagged as suspicious than an attachment, which can be scanned locally at the mail gateway.
- Scripting – .vbs and .jar files were used as droppers.
- Script Obfuscation – the VBScript droppers were wrapped in three layers of obfuscation, each of which has to be peeled back before the underlying logic can be read.
- Contextual Filenames – because financial institutions were the target, filenames such as “remittance invoice” and “transfer invoice” were used.
- Social Engineering – traditional social engineering tactics were used: messages went to specific recipients and carried requests appropriate for their role.
The end goal of the attack was to install a remote access trojan (RAT) from the Houdini (VBScript-based) or jRAT (Java-based) family, matching the two dropper types, to take control of the endpoint, most likely to gain access to internal financial applications.
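The indicators in the list above translate directly into a triage rule. The following Python is an added example, not code from the article or from Menlo Labs: it scores each link in a message against the campaign’s traits (hosted on storage.googleapis.com, archive or script extension, financial lure in the filename) and lists script droppers inside a downloaded zip, descending one level into a nested zip. Only storage.googleapis.com and the .vbs/.jar extensions come from the article; the scoring weights, threshold, lure word list, the extra script extensions, the bucket name, the sample message and the sample archive are assumptions constructed for this example, and gz archives are not unpacked.

```python
"""Triage helpers for the link-based phishing pattern described above.
Added example; not code from the original article or from Menlo Labs."""
import io
import re
import zipfile
from urllib.parse import urlparse

# storage.googleapis.com comes from the article; the scoring weights, lure
# word list and the extensions beyond .vbs/.jar are assumptions for this example.
ABUSED_STORAGE_HOSTS = {"storage.googleapis.com"}
ARCHIVE_SUFFIXES = (".zip", ".gz", ".tgz", ".tar.gz")
DROPPER_SUFFIXES = (".vbs", ".jar", ".js", ".jse", ".wsf", ".vbe")
FINANCE_LURE = re.compile(r"remittance|transfer|invoice|payment|wire|swift", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def score_link(url):
    """Score one URL against the campaign's indicators; returns (score, reasons)."""
    parts = urlparse(url)
    filename = parts.path.lower().rsplit("/", 1)[-1]
    score, reasons = 0, []
    if parts.hostname in ABUSED_STORAGE_HOSTS:
        score += 2
        reasons.append("hosted on abused cloud storage")
    if filename.endswith(ARCHIVE_SUFFIXES):
        score += 2
        reasons.append("links to an archive")
    if filename.endswith(DROPPER_SUFFIXES):
        score += 3
        reasons.append("links directly to a script dropper")
    if FINANCE_LURE.search(filename):
        score += 1
        reasons.append("financial lure in filename")
    return score, reasons


def triage_message(body, threshold=4):
    """Return every link in an email body whose score reaches the threshold."""
    hits = []
    for url in URL_RE.findall(body):
        score, reasons = score_link(url)
        if score >= threshold:
            hits.append({"url": url, "score": score, "reasons": reasons})
    return hits


def dropper_members(archive_bytes, depth=0, max_depth=2):
    """List members of a zip archive named like a script dropper.

    Nested zips are descended up to max_depth so a zip-in-zip does not hide
    the dropper. Only zip is handled here; gz would need the gzip module.
    """
    found = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return found  # not a zip (or corrupt): nothing to report
    with zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith(DROPPER_SUFFIXES):
                found.append(info.filename)
            elif name.endswith(".zip") and depth < max_depth:
                inner = dropper_members(zf.read(info), depth + 1, max_depth)
                found.extend(f"{info.filename}/{m}" for m in inner)
    return found


# Constructed sample message, not a real campaign email.
SAMPLE_MAIL = """Subject: Remittance advice for today's transfer

Please review the transfer details at the link below and confirm.
https://storage.googleapis.com/example-bucket/remittance_invoice.zip

Company brochure: https://www.example.com/about.html
"""


def build_sample_archive():
    """Constructed stand-in for a campaign archive: a harmless VBScript
    placeholder inside a zip, next to a decoy text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("transfer invoice.vbs", 'WScript.Echo "placeholder"\r\n')
        zf.writestr("readme.txt", "nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in triage_message(SAMPLE_MAIL):
        print(hit)
    print(dropper_members(build_sample_archive()))
```

Treat the score as a triage signal rather than a block rule: legitimate business traffic also lives on storage.googleapis.com, so a hit should route the message to a sandbox or an analyst, and the archive inspection should run on the fetched file, not on the link text alone.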
As attackers mount more and more sophisticated attacks like the one outlined above, it’s important to focus on the one part of the equation that hasn’t changed – the attack requires a user. Without someone falling for the lure, this attack goes nowhere.
Organizations that consistently put their users through Security Awareness Training have a better chance of avoiding becoming victims of scams like this. With users who are aware of the tactics cybercriminals use, what to look for, and how to spot a malicious email, the likelihood of their falling prey to an attack is significantly reduced.