Last night a customer sent us a phish via the KnowBe4 Phish Alert Button (free download here) that must win some kind of award for the longest chain of required user interactions -- all designed to push the easily detectable stuff as far away from the base email body and attachment as possible.
It goes like this:
1. Email body contains social engineering hook that points users to a PDF attachment.
2. PDF attachment contains an embedded URL (allegedly for a secure doc) that consists of a tinyurl URL shortener link.
3. Clicking the tinyurl URL shortener link pulls down a small .ZIP file.
4. Unpacking the .ZIP yields a .HTA file (which is a special kind of .HTM file).
5. .HTA file (which is a plain text file designed to be clicked) contains a script.
6. Script embedded in the .HTA file references yet another URL shortener (ow.ly).
7. The ow.ly URL shortener link pulls down a small PE file, UPLOAD.EXE.
8. The PE file is executed by a call to powershell in the script embedded in the .HTA file.
The upload.exe is undoubtedly some kind of trojan downloader or backdoor, the identity of which we haven't determined yet.
No AntiVirus detects the PDF with the embedded link that kicks this whole thing off. One AV detects the HTA file. Two AVs detect the PE file.
So, it's no surprise this thing landed in someone's inbox. What security solution was going to stop it?
But how many users are going to jump through all the required hoops to take this attack through to the end?
Not many, would be my guess. Then again, every company has at least one untrained, gullible user that will get social engineered, possibly with the "curiousity" lure.
Stepping users through effective security awareness training stops attacks like this dead in their tracks. Find out the Phish-prone percentage of your users wit our free Phishing Security Test.
Don't like to click on redirected buttons? Cut&Paste this link in your browser: