Hackers Use Hijacked Email Address To Send Malware as a Reply to Existing Email Thread

A new more sophisticated phishing campaign uses hijacked email accounts to deliver malware as a part of the response to the existing the email thread.

The malicious campaign primarily targets the education, financial, and energy sectors, some industries such as real estate, transportation, manufacturing, and government entities are affected.

Security researchers from TrendMicro spotted the campaign mostly affecting North America and Europe, also they found the similar type of samples in Asia and the Latin American region.

Sophisticated Phishing Campaign

The malicious email appears to be just another reply to the thread and it includes even the signature, but they are different from the original ones.

In most of the campaigns observed there be a grammar error’s, but with this campaign, the grammar seems to be correct.

“However, closer inspection reveals some suspicious elements in the email. The most blatant and perhaps most obvious discrepancy is the change of language from French to English.”

Malicious and Legitimate Email Comparison

Normally with spam campaigns “Return-Path” or “Reply-To” headers are spoofed, but with this campaign, there is no spoofing. If the user replies it would be sent to the account used to send the Email and probably attackers have access to the Email.

Here you can see how to analyze the Email Header to find the Received Email is Genuine or Spoofed

URSNIF Malware

The email contains a weaponized .doc file if the user double-clicks and opens the doc file it uses PowerShell to download the latest version of the URSNIF malware from the C&C server.

Downloaded malware’s main loader will check for OS version and the execution can be done only if it is Microsoft OS and more specifically Windows Vista and newer version. Also, it avoids CN and RU locale.

The main loader gathers all the logs and sent to C&C, and then it downloads additional malware and stores in the registry, once it has all the components downloaded Powershell script stored in comsxRes(name may vary) is executed.

It injects codes into explorer.exe to maintain memory residency and the communication with C&C achieved through TOR network. The main goal of the payload is to steal the following information.

System information
List of installed applications
List of installed drivers
List of running processes
List of network devices
External IP address
Email credentials (IMAP, POP3, SMTP)
Cookies
Certificates
Screen video captures (.AVI)
Financial information via webinjects

“From what we’re seeing in this attack, it seems that threat actors are fine-tuning their phishing attacks and coming up with newer and more effective methods of tricking people. researchers said.”

Related Read

A New Variant of Ursnif Banking Trojan Distributed Through Malicious Microsoft Word Documents

Ursnif Malware Variant Performs Malicious Process Injection in Memory using TLS Anti-Analysis Evasion Trick

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

10 hours ago

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…

10 hours ago

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…

13 hours ago

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities, including…

16 hours ago

Veritas Enterprise Vault Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…

17 hours ago

7-Zip RCE Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…

18 hours ago