New malicious spam campaign detected, delivering malware - including ransomware, banking Trojans and backdoors - to victims in different geographical regions.
These campaigns are interesting because they all use similar domains and stolen brands from various government agencies, each linked specifically to the countries they target to give their messages a sense of local legitimacy and urgency.
Summary
The campaigns target IT services, manufacturing and healthcare organizations, using these fake government agencies to convince users to read the emails and open their attachments.
Spam campaign launched by organizations

In parallel, while the source of the campaigns is still being analyzed, some threat researchers said: "campaigns of spam are being launched and coordinated by a single criminal organization."
In the United States, cybercriminals are sending emails pretending to be from the United States Postal Service (USPS), with a malicious Word document called 'USPS_Deliver.doc' attached.
As well as describing the attachment as urgent, the text also misleads the user into thinking that the document is encrypted and must be opened in order to be read.
As you might expect, opening the document and enabling its content runs a malicious macro that installs the IcedID Trojan on the victim's computer and tries to steal their online banking credentials.
In the spam campaign aimed at Germany, the threat actors are disguising themselves as the Bundeszentralamt für Steuern, the German Ministry of Finance. In this case, the actors are using a commercially licensed software tool, Cobalt Strike.
This tool emulates the type of backdoor framework used by the penetration testing tool Metasploit.
Once again, the threat actor tries to convince the recipient that the attached malicious document is legitimate and important, and that the only way to view it is to enable the content.
In the spam campaign directed at Italy, the threat actors impersonate the Italian Revenue Agency, Agenzia delle Entrate. In this campaign, they pretend that the email and attached letter are about new tax and revenue guidelines that businesses and consumers need to follow, and recommend that recipients open the attachment, which, of course, is malicious.
Unsuspecting users
Masquerading as a government agency is especially effective at tricking unsuspecting users into opening malicious attachments. In this unusual campaign, the bad actors developed elaborate messages, lookalike websites and other content for various agencies in different countries.
Note that they then use targeting strategies to ensure that the individuals included in a spam campaign are from the respective countries, although some crossover should not yield victims, as the agencies used in each campaign are unique.
Stay alert
Users should be suspicious when they see emails from government agencies, as these agencies generally only use traditional postal systems to interact with citizens.
Take precautions in your environment with cybersecurity that is well positioned with institutions such as NSS Labs.
Pay special attention to information supposedly about tax refunds, since governments almost never send this kind of sensitive communication by email, certainly not in Brazil.
Be aware that cybercriminals are intelligent, and they know that these social engineering tactics work because many of their victims are unaware of these communication policies.
As always, be careful and never open an unexpected attachment. If in doubt, the best course of action is to call the agency directly to confirm that the email is legitimate.
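The lure pattern described in this article (a government brand in the sender name or subject, a sender domain that is not the agency's, and a macro-capable Word attachment) can be checked automatically at the mail gateway. The following is an added example, not code from the original report or from FortiGuard Labs; the official agency domains, the function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: official sender domains of the impersonated agencies (not in the article).
AGENCY_DOMAINS = {
    "usps": ("usps.com", "usps.gov"),
    "bundeszentralamt": ("bzst.de", "bzst.bund.de"),
    "agenzia delle entrate": ("agenziaentrate.gov.it", "agenziaentrate.it"),
}
MACRO_CAPABLE = (".doc", ".docm", ".dot", ".dotm")
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # header of legacy (OLE2) Office files


def risky_attachments(msg):
    """Names of attachments that can carry VBA macros (by extension or OLE2 header)."""
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(MACRO_CAPABLE) or data.startswith(OLE_MAGIC):
            hits.append(name)
    return hits


def triage(raw_bytes):
    """Flag mail claiming an agency brand from a non-agency domain with a macro-capable file."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    claimed = f"{display} {msg.get('Subject', '')}".lower()
    agency = next((k for k in AGENCY_DOMAINS if k in claimed), None)
    mismatch = agency is not None and not any(
        domain == d or domain.endswith("." + d) for d in AGENCY_DOMAINS.get(agency, ()))
    files = risky_attachments(msg)
    return {"agency": agency, "sender_domain": domain, "brand_mismatch": mismatch,
            "macro_capable": files, "quarantine": mismatch and bool(files)}


def build_sample(from_header):
    """Constructed sample message, not an email captured from the campaign."""
    m = EmailMessage()
    m["From"] = from_header
    m["Subject"] = "Urgent: encrypted delivery document"
    m.set_content("Open the attached document to read it.")
    m.add_attachment(OLE_MAGIC + b"\x00" * 32, maintype="application",
                     subtype="msword", filename="USPS_Deliver.doc")
    return m.as_bytes()
```

Calling triage(build_sample("USPS Delivery <notice@usps-delivery.example>")) marks the message for quarantine, while the same attachment sent from a subdomain of usps.com is left for the AV and macro policy to judge.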
Mitigations
FortiGuard Labs has the following detections to deal with these spam campaigns.
Web filtering
FortiGuard Labs classified all the domains related to the phishing emails identified in this report as spam URLs / malicious sites in our categorization.
FortiMail
FortiMail identifies and blocks these social engineering spam campaigns with the following AV signatures:
- VBA/Agent.5751!tr.dldr
- VBA/Agent.68D6!tr.dldr
- VBA/Agent.QHD!tr
- VBA/Agent.UB!tr