Friday, May 24, 2024

Hackers Use Hijacked Email Address To Send Malware as a Reply to Existing Email Thread

A new more sophisticated phishing campaign uses hijacked email accounts to deliver malware as a part of the response to the existing the email thread.

The malicious campaign primarily targets the education, financial, and energy sectors, some industries such as real estate, transportation, manufacturing, and government entities are affected.

Security researchers from TrendMicro spotted the campaign mostly affecting North America and Europe, also they found the similar type of samples in Asia and the Latin American region.

Sophisticated Phishing Campaign

The malicious email appears to be just another reply to the thread and it includes even the signature, but they are different from the original ones.

In most of the campaigns observed there be a grammar error’s, but with this campaign, the grammar seems to be correct.

“However, closer inspection reveals some suspicious elements in the email. The most blatant and perhaps most obvious discrepancy is the change of language from French to English.”

Sophisticated Phishing Campaign
Malicious and Legitimate Email Comparison

Normally with spam campaigns “Return-Path” or “Reply-To” headers are spoofed, but with this campaign, there is no spoofing. If the user replies it would be sent to the account used to send the Email and probably attackers have access to the Email.

Here you can see how to analyze the Email Header to find the Received Email is Genuine or Spoofed

URSNIF Malware

The email contains a weaponized .doc file if the user double-clicks and opens the doc file it uses PowerShell to download the latest version of the URSNIF malware from the C&C server.

Downloaded malware’s main loader will check for OS version and the execution can be done only if it is Microsoft OS and more specifically Windows Vista and newer version. Also, it avoids CN and RU locale.

The main loader gathers all the logs and sent to C&C, and then it downloads additional malware and stores in the registry, once it has all the components downloaded Powershell script stored in comsxRes(name may vary) is executed.

It injects codes into explorer.exe to maintain memory residency and the communication with C&C achieved through TOR network. The main goal of the payload is to steal the following information.

System information
List of installed applications
List of installed drivers
List of running processes
List of network devices
External IP address
Email credentials (IMAP, POP3, SMTP)
Screen video captures (.AVI)
Financial information via webinjects

“From what we’re seeing in this attack, it seems that threat actors are fine-tuning their phishing attacks and coming up with newer and more effective methods of tricking people. researchers said.”

Related Read

A New Variant of Ursnif Banking Trojan Distributed Through Malicious Microsoft Word Documents

Ursnif Malware Variant Performs Malicious Process Injection in Memory using TLS Anti-Analysis Evasion Trick


Latest articles

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing...

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Gift cards are attractive to hackers since they provide quick monetization for stolen data...

Kinsing Malware Attacking Apache Tomcat Server With Vulnerabilities

The scalability and flexibility of cloud platforms recently boosted the emerging trend of cryptomining...

NSA Releases Guidance On Zero Trust Maturity To Secure Application From Attackers

Zero Trust Maturity measures the extent to which an organization has adopted and implemented...

Chinese Hackers Stay Hidden On Military And Government Networks For Six Years

Hackers target military and government networks for varied reasons, primarily related to spying, which...

DNSBomb : A New DoS Attack That Exploits DNS Queries

A new practical and powerful Denial of service attack has been discovered that exploits...

Malicious PyPI & NPM Packages Attacking MacOS Users

Cybersecurity researchers have identified a series of malicious software packages targeting MacOS users.These...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles