Friday, December 8, 2023

Hackers Use Hijacked Email Address To Send Malware as a Reply to Existing Email Thread

A new more sophisticated phishing campaign uses hijacked email accounts to deliver malware as a part of the response to the existing the email thread.

The malicious campaign primarily targets the education, financial, and energy sectors, some industries such as real estate, transportation, manufacturing, and government entities are affected.

Security researchers from TrendMicro spotted the campaign mostly affecting North America and Europe, also they found the similar type of samples in Asia and the Latin American region.

Sophisticated Phishing Campaign

The malicious email appears to be just another reply to the thread and it includes even the signature, but they are different from the original ones.

In most of the campaigns observed there be a grammar error’s, but with this campaign, the grammar seems to be correct.

“However, closer inspection reveals some suspicious elements in the email. The most blatant and perhaps most obvious discrepancy is the change of language from French to English.”

Sophisticated Phishing Campaign
Malicious and Legitimate Email Comparison

Normally with spam campaigns “Return-Path” or “Reply-To” headers are spoofed, but with this campaign, there is no spoofing. If the user replies it would be sent to the account used to send the Email and probably attackers have access to the Email.

Here you can see how to analyze the Email Header to find the Received Email is Genuine or Spoofed

URSNIF Malware

The email contains a weaponized .doc file if the user double-clicks and opens the doc file it uses PowerShell to download the latest version of the URSNIF malware from the C&C server.

Downloaded malware’s main loader will check for OS version and the execution can be done only if it is Microsoft OS and more specifically Windows Vista and newer version. Also, it avoids CN and RU locale.

The main loader gathers all the logs and sent to C&C, and then it downloads additional malware and stores in the registry, once it has all the components downloaded Powershell script stored in comsxRes(name may vary) is executed.

It injects codes into explorer.exe to maintain memory residency and the communication with C&C achieved through TOR network. The main goal of the payload is to steal the following information.

System information
List of installed applications
List of installed drivers
List of running processes
List of network devices
External IP address
Email credentials (IMAP, POP3, SMTP)
Screen video captures (.AVI)
Financial information via webinjects

“From what we’re seeing in this attack, it seems that threat actors are fine-tuning their phishing attacks and coming up with newer and more effective methods of tricking people. researchers said.”

Related Read

A New Variant of Ursnif Banking Trojan Distributed Through Malicious Microsoft Word Documents

Ursnif Malware Variant Performs Malicious Process Injection in Memory using TLS Anti-Analysis Evasion Trick


Latest articles

Exploitation Methods Used by PlugX Malware Revealed by Splunk Research

PlugX malware is sophisticated in evasion, as it uses the following techniques to avoid...

TA422 Hackers Attack Organizations Using Outlook & WinRAR Vulnerabilities

Hackers exploit Outlook and WinRAR vulnerabilities because these widely used software programs are lucrative...

Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been...

Atlassian Patches RCE Flaw that Affected Multiple Products

Atlassian has been discovered with four new vulnerabilities associated with Remote Code Execution in...

Reflectiz Introduces AI-powered Insights on Top of Its Smart Alerting System

Reflectiz, a cybersecurity company specializing in continuous web threat management, proudly introduces a new...

SLAM Attack Gets Root Password Hash in 30 Seconds

Spectre is a class of speculative execution vulnerabilities in microprocessors that can allow threat...

Akira Ransomware Exploiting Zero-day Flaws For Organization Network Access

The Akira ransomware group, which first appeared in March 2023, has been identified as...

Endpoint Strategies for 2024 and beyond

Converge and Defend

What's the pulse of Unified Endpoint Management and Security (UEMS) in Europe? Join us live to uncover the strategies that are defining endpoint security in the region.

Related Articles