Hackers Use Hijacked Email Address To Send Malware as a Reply to Existing Email Thread

A new more sophisticated phishing campaign uses hijacked email accounts to deliver malware as a part of the response to the existing the email thread.

The malicious campaign primarily targets the education, financial, and energy sectors, some industries such as real estate, transportation, manufacturing, and government entities are affected.

Security researchers from TrendMicro spotted the campaign mostly affecting North America and Europe, also they found the similar type of samples in Asia and the Latin American region.

Sophisticated Phishing Campaign

The malicious email appears to be just another reply to the thread and it includes even the signature, but they are different from the original ones.

In most of the campaigns observed there be a grammar error’s, but with this campaign, the grammar seems to be correct.

“However, closer inspection reveals some suspicious elements in the email. The most blatant and perhaps most obvious discrepancy is the change of language from French to English.”

Malicious and Legitimate Email Comparison

Normally with spam campaigns “Return-Path” or “Reply-To” headers are spoofed, but with this campaign, there is no spoofing. If the user replies it would be sent to the account used to send the Email and probably attackers have access to the Email.

Here you can see how to analyze the Email Header to find the Received Email is Genuine or Spoofed

URSNIF Malware

The email contains a weaponized .doc file if the user double-clicks and opens the doc file it uses PowerShell to download the latest version of the URSNIF malware from the C&C server.

Downloaded malware’s main loader will check for OS version and the execution can be done only if it is Microsoft OS and more specifically Windows Vista and newer version. Also, it avoids CN and RU locale.

The main loader gathers all the logs and sent to C&C, and then it downloads additional malware and stores in the registry, once it has all the components downloaded Powershell script stored in comsxRes(name may vary) is executed.

It injects codes into explorer.exe to maintain memory residency and the communication with C&C achieved through TOR network. The main goal of the payload is to steal the following information.

System information
List of installed applications
List of installed drivers
List of running processes
List of network devices
External IP address
Email credentials (IMAP, POP3, SMTP)
Cookies
Certificates
Screen video captures (.AVI)
Financial information via webinjects

“From what we’re seeing in this attack, it seems that threat actors are fine-tuning their phishing attacks and coming up with newer and more effective methods of tricking people. researchers said.”

Related Read

A New Variant of Ursnif Banking Trojan Distributed Through Malicious Microsoft Word Documents

Ursnif Malware Variant Performs Malicious Process Injection in Memory using TLS Anti-Analysis Evasion Trick

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…

2 days ago

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…

3 days ago

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…

4 days ago

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…

4 days ago

Google Chrome Security, Critical Vulnerabilities Patched

Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…

4 days ago

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…

4 days ago