More malicious attachments found by researchers

Attachments continue to be an effective way of delivering malware as long as employees miss vital clues. Two examples detailed by researchers at Fortinet demonstrate the latest techniques of threat actors that can be shown to staff as part of security awareness training.

The first is a Word document containing a malicious URL designed to entice victims to download a malware loader. The payloads of this loader include OriginBotnet for keylogging and password recovery, RedLine Clipper for stealing cryptocurrency on a victim’s computer and AgentTesla for harvesting sensitive information.

The example found by Fortinet is a financial document, but an attacker could use any tactic: A resume, a request for proposal, etc. Clicking on the Word document results in the display of a deliberately blurred image to convince the recipient there is a document to be seen if they also click on a counterfeit  but standard-looking reCAPTCHA challenge that says “I am not a robot.” That starts a process for loading the malware.

Screen shot of blurred document that shows up when a victim clicks on it
This blurred image and re:Captcha form pops up when document is clicked on. Image from Fortinet

RedLine Clipper, also known as ClipBanker, steals cryptocurrencies by manipulating the user’s system clipboard activities to substitute the destination wallet address with one belonging to the attacker. Due to the complexity of digital wallet addresses, users often copy and paste them during transactions.

Agent Tesla can log keystrokes, access the host’s clipboard, and conduct disk scans to uncover credentials and other valuable data. It transmits gathered information to a Command and Control (C2) server through several communication channels, including HTTP(S), SMTP, FTP, or even by dispatching it to a designated Telegram channel.

OriginBotnet has a range of capabilities including collecting sensitive data, establishing communications with its C2 server, and downloading additional files from the server to execute keylogging or password recovery functions on compromised computers.

The second example is a file the researchers obtained that they assume was an attachment because it purports to be a list of company officers. The email message might have claimed to be a corporate instruction for employees. The format of this attachment is a compressed .RAR file. Clicking on it reveals two components: A PDF named “Notice to Work-From-Home groups.” If a victim clicks on it, an image of an error message pops up that falsely indicates that the PDF document failed to load.

Screen shot of decoy error message
This error message is a diversion

This is actually a decoy, according to Fortinet, that is supposed to encourage the victim to click on the second file, “062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe.” For staff who have good awareness training, this file’s .exe extension should be a warning that it not be clicked on. That assumes the full file name shows. However, the report notes, by default Windows doesn’t show full file names. The threat actor uses this knowledge in hopes of disguising the file so the victim will think it’s a PDF and not a file that executes.

The purpose of this file is to act as a dropper for several pieces of malware.

Cybersecurity experts say that employee awareness training is vital to a broad defence strategy. Including examples is one way to help them learn.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

Featured Tech Jobs

 

CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.