Friday, March 29, 2024

Hackers Use Hijacked Email Address To Send Malware as a Reply to Existing Email Thread

A new more sophisticated phishing campaign uses hijacked email accounts to deliver malware as a part of the response to the existing the email thread.

The malicious campaign primarily targets the education, financial, and energy sectors, some industries such as real estate, transportation, manufacturing, and government entities are affected.

Security researchers from TrendMicro spotted the campaign mostly affecting North America and Europe, also they found the similar type of samples in Asia and the Latin American region.

Sophisticated Phishing Campaign

The malicious email appears to be just another reply to the thread and it includes even the signature, but they are different from the original ones.

In most of the campaigns observed there be a grammar error’s, but with this campaign, the grammar seems to be correct.

“However, closer inspection reveals some suspicious elements in the email. The most blatant and perhaps most obvious discrepancy is the change of language from French to English.”

Sophisticated Phishing Campaign
Malicious and Legitimate Email Comparison

Normally with spam campaigns “Return-Path” or “Reply-To” headers are spoofed, but with this campaign, there is no spoofing. If the user replies it would be sent to the account used to send the Email and probably attackers have access to the Email.

Here you can see how to analyze the Email Header to find the Received Email is Genuine or Spoofed

URSNIF Malware

The email contains a weaponized .doc file if the user double-clicks and opens the doc file it uses PowerShell to download the latest version of the URSNIF malware from the C&C server.

Downloaded malware’s main loader will check for OS version and the execution can be done only if it is Microsoft OS and more specifically Windows Vista and newer version. Also, it avoids CN and RU locale.

The main loader gathers all the logs and sent to C&C, and then it downloads additional malware and stores in the registry, once it has all the components downloaded Powershell script stored in comsxRes(name may vary) is executed.

It injects codes into explorer.exe to maintain memory residency and the communication with C&C achieved through TOR network. The main goal of the payload is to steal the following information.

System information
List of installed applications
List of installed drivers
List of running processes
List of network devices
External IP address
Email credentials (IMAP, POP3, SMTP)
Cookies
Certificates
Screen video captures (.AVI)
Financial information via webinjects

“From what we’re seeing in this attack, it seems that threat actors are fine-tuning their phishing attacks and coming up with newer and more effective methods of tricking people. researchers said.”

Related Read

A New Variant of Ursnif Banking Trojan Distributed Through Malicious Microsoft Word Documents

Ursnif Malware Variant Performs Malicious Process Injection in Memory using TLS Anti-Analysis Evasion Trick

Website

Latest articles

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles