A new sophisticated phishing tactic has been identified that involves a malicious actor gaining access to an email account, monitoring a conversation thread, and then inserting malware in a reply to an ongoing discussion.
The scam is a variation of a Business Email Compromise (BEC) attack. BEC attacks typically involve using a compromised email account to send messages to accounts or payroll employees to get them to make fraudulent bank transfers to accounts controlled by the attacker.
In this case, the aim is to install a banking Trojan called Ursnif. Ursnif is one of the most commonly used banking Trojans and is a variant of Gozi malware. Ursnif steals information through web injection but also downloads and installs the Tor client and connects to the Tor network for communication with its C2 servers. One installed, the malware searches for and steals email credentials, cookies and certificates.
The attacks have so far been concentrated in Europe and North America, mainly on organizations in the energy sector, financial services, and education, although the attacks are far from confined to those regions and verticals.
In order to conduct this campaign, the attacker has to first gain access to an email account, which could be achieved through a standard phishing scam or purchasing breached credentials through darknet marketplaces.
In contrast to most phishing scams which involve an out-of-the-blue message, this attack method is likely to have a much higher success rate as the messages are part of an ongoing conversation. Since the messages come from within an organization and are sent from a real account and involve no spoofing of email addresses, they can be difficult to identify.
Identifying a fake response to an ongoing conversation requires vigilance on the part of employees. There are likely to be discrepancies in the emails, such as a change in the language used in the emails, odd replies that are more general than would be expected and out of keeping with the conversation, changes to email signatures or, in the case of one campaign in Canada, a sudden change from French to English.
The scam was uncovered by researchers at Trend Micro who note a similarity with a campaign identified by the Cisco Talos team that spread Gozi malware and involved computers that had previously been hijacked and were part of the Dark Cloud botnet. Trend Micro suggests that the latest campaigns could be an evolution of the group’s attack method.
The campaign uses Word attachments containing malicious PowerShell code which downloads the latest version of Ursnif. Trend Micro believes the messages are sent from the US and notes that the malware will only run on Windows Vista and above and will not infect users in China or Russia.
The campaign shows how sophisticated phishing attacks are becoming, and that the standard cybersecurity best practice of never opening attachments or clicking links in emails from unknown senders is not sufficient to prevent malware from being installed.