A new sophisticated phishing method has been identified that includes a malevolent actor gaining access to an electronic mail account, observing a conversation thread, and then putting in malware in response to a continuing discussion.
The cheat is a variation of a Business Email Compromise (BEC) attack. BEC attacks usually involve using a compromised electronic mail account to transmit messages to accounts or payroll workers to get them to make fake bank transfers to accounts managed by the attacker.
In this instance, the aim is to fit a banking Trojan named Ursnif. Ursnif is among the most commonly used banking Trojans and is a variation of Gozi malware. Ursnif not only steals information via web injection but also downloads and fits the Tor client and links to the Tor network for communication with its C2 servers. Once installed, the malware hunts for and steals electronic mail identifications, cookies and credentials.
The attacks have so far been focused in Europe and North America, chiefly on companies in the power sector, fiscal services, and education, even though the attacks are far from confined to those regions and verticals.
In order to carry out this campaign, the attacker has to first gain access to an electronic mail account, which might be accomplished through a normal phishing cheat or buying breached identifications through darknet marketplaces.
Contrary to most phishing scams which include an out-of-the-blue message, this attack method is expected to have a much higher success ratio because the messages are part of a continuing conversation. As the messages come from inside a company and are transmitted from a real account and involve no deceiving of electronic mail addresses, they can be difficult to identify.
Identifying a fake reply to a continuing conversation needs watchfulness on the part of workers. There are likely to be differences in the electronic mails, such as a modification in the language used in the electronic mails, strange replies that are more general than would be expected and out of keeping with the chat, changes to electronic mail signatures or, in the case of one campaign in Canada, an abrupt change from French to English.
The scam was disclosed by scientists at Trend Micro who noted a similarity with a campaign identified by the Cisco Talos team that spread Gozi malware and involved computers that had earlier been hijacked and were part of the Dark Cloud botnet. Trend Micro proposes that the latest campaigns might be a growth of the group’s attack method.
The campaign utilizes Word attachments having malevolent PowerShell code which downloads the latest type of Ursnif. Trend Micro considers the messages are dispatched from the US and notes that the malware will only run on Windows Vista and above and will not infect users in China or Russia.
The campaign demonstrates how advanced phishing attacks are becoming, and that the usual cybersecurity best practice of never opening attachments or clicking links in electronic mails from strange senders is not adequate to avoid malware from being installed.