Security researchers have tracked down activities of a new group of financially-motivated hackers that are targeting several businesses and organizations in Germany, Italy, and the United States in an attempt to infect them with backdoor, banking Trojan, or ransomware malware.
Though the new malware campaigns are not customized for each organization, the threat actors appear to be more interested in businesses, IT services, manufacturing, and healthcare industries who possess critical data and can likely afford high ransom payouts.
According to a report ProofPoint shared with The Hacker News, the newly discovered threat actors are sending out low-volume emails impersonating finance-related government entities with tax assessment and refund lured emails to targeted organizations.
“Tax-themed Email Campaigns Target 2019 Filers, finance-related lures have been used seasonally with upticks in tax-related malware and phishing campaigns leading up to the annual tax filing deadlines in different geographies,” the researchers said.
New Malware Campaigns Spotted in the Wild
In almost all spear-phishing email campaigns researchers observed between October 16 and November 12 this year, the attackers used malicious Word document attachments as an initial vector to compromise the device.
Once opened, the malicious document executes a macro script to run malicious PowerShell commands, which then eventually downloads and installs one of the following payloads onto the victim’s system:
- Maze Ransomware,
- IcedID Banking Trojan,
- Cobalt Strike backdoor.
‘Opening the Microsoft Word Document and enabling macros installs Maze ransomware on the user’s system, encrypting all of their files, and saves a ransom note resembling the following in TXT format in every directory.’
Besides using social engineering, to make their spear-phishing emails more convincing, attackers are also using lookalike domains, verbiage, and stolen branding to impersonate:
- Bundeszentralamt fur Steuern, the German Federal Ministry of Finance,
- Agenzia Delle Entrate, the Italian Revenue Agency,
- 1&1 Internet AG, a German internet service provider,
- USPS, the United States Postal Service.
“Similar campaigns leveraging local gov. agencies were also observed in Germany and Italy. These social-engineered lures indicate that cybercriminals overall are becoming more convincing and sophisticated in their attacks.”
“Although these campaigns are small in volume, currently, they are significant for their abuse of trusted brands, including government agencies, and for their relatively rapid expansion across multiple geographies. To date, the group appears to have targeted organizations in Germany, Italy, and, most recently, the United States, delivering geo-targeted payloads with lures in local languages,” Christopher Dawson, Threat Intelligence Lead at Proofpoint, told The Hacker News.
“We will be watching this new actor closely, given their apparent global aspirations, well-crafted social engineering, and steadily increasing scale.”
How to Protect Email-Based Cyber Attacks?
Thought most of the tools and techniques used by this new group are neither new nor sophisticated; unfortunately, it’s still one of the most successful ways criminals penetrate an organization.
The best ways to protect your computer against such attacks are as simple as following basic online cybersecurity practices, such as:
- Disable macros from running in office files,
- Always keep a regular backup of your important data,
- Make sure you run one of the best antivirus software on your system,
- Don’t open email attachments from unknown or untrusted sources,
- Don’t click on the links from unknown sources.