Saturday, January 25, 2025
Homecyber securityNew Phishing Attack Hijacks Email Thread to Inject Malicious URL

New Phishing Attack Hijacks Email Thread to Inject Malicious URL

Published on

SIEM as a Service

Follow Us on Google News

Researchers discovered a new campaign delivering DarkGate and PikaBot that employs strategies similar to those employed in QakBot phishing attempts.

This operation sends out a large number of emails to a variety of industries, and because the malware transmitted has loader capabilities, recipients may be vulnerable to more complex threats such as reconnaissance malware and ransomware.

“These include hijacked email threads as the initial infection, URLs with unique patterns that limit user access, and an infection chain nearly identical to what we have seen with QakBot delivery,” Cofense Intelligence stated in a report shared with Cyber Security News.

Infection Chain 

The tactics, techniques, and procedures (TTPs) used in this campaign make it a high-level threat because they allow phishing emails to reach their targeted targets, and the malware they distribute has sophisticated capabilities.

A hijacked email thread is used at the start of the campaign to trick customers into visiting a malicious URL with further layers. This restricts access to the malicious payload to users who match certain criteria provided by the threat actors (location and web browser).

This URL downloads a ZIP archive containing a JS file known as a JS Dropper, a JavaScript program that connects to another URL to download and execute malware. At this point, the DarkGate or PikaBot malware has successfully infected a victim.

Infection chain used in the campaign

The most prominent feature of these malware families is their ability to deliver additional payloads once they are successfully planted on a user’s PC.

Advanced crypto mining software, reconnaissance tools, ransomware, or any other malicious file the threat actors choose to install on a victim’s computer might be delivered via a successful DarkGate or PikaBot infection.

Document
Free Webinar

Live API Attack Simulation Webinar

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

“Threat actors disseminate the phishing emails through hijacked email threads that may be obtained from Microsoft ProxyLogon attacks (CVE-2021-26855). This is vulnerability on the Microsoft Exchange Server that allows threat actors to bypass authentication and impersonate admins”, researchers explain.

Figure 3: Real hijacked email thread example that delivered PikaBot (ATR 351964).
Real hijacked email thread that delivered PikaBot

The email’s malicious URL has a distinct pattern similar to those found in QakBot phishing attacks. Threat actors have added layers to these URLs to restrict access to the malicious file they are delivering, making them more sophisticated than your typical phishing URL.

Hence, employees should be aware that this kind of threat exists, as the campaign’s threat actors have skills that go beyond those of a typical phisher.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...