New malicious spam campaign detected, delivering malware - including ransomware, banking Trojans, and backdoors - to victims in different geographic regions.
These campaigns are interesting because they all use similar domains and brands stolen from various government agencies, each linked specifically to the countries they are targeting to give a sense of local legitimacy and urgency to their messages.
Summary
They target IT, manufacturing, and healthcare service organizations that use these spoofed government agencies to convince users to read these emails and open their attachments.
Spam Campaign
Spam Campaign launched by organizations
In parallel, while the source of the campaigns is still being analyzed, some researchers from threats stated: "campaigns of spam are being launched and coordinated by a single criminal organization."
On United States, cybercriminals are sending e-mails pretending to be from the United States Postal Service (USPS), with a malicious Word document called 'USPS_Deliver.doc' attached.
Besides describing the attachment as urgent, the text also misleads the user into thinking that the document is encrypted and must be opened to be read.
As you might expect, opening the document enables a malicious macro that installs the Trojan IceID banker on the victim's computer and tries to steal his online banking credentials.
In the Spam campaign aimed at Germany the threat actors disguise themselves as the Bundeszentralamt fur Steuern, the German Ministry of Finance. In this case the actors are using a commercially licensed software tool, Cobalt Strike.
This tool emulates the type of backdoor structure used by the penetration tool, Metasploit.
Once again, the threat actor tries to convince the recipient that the attached malicious document is legitimate and important, and that the only way to view it is to enable the content.
In the Spam campaign directed at Italy The authors represent the Italian Revenue Agency, Agenzia Delle Entrate. In this campaign, they pretend that the email and attached letter are about new tax and revenue guidelines that businesses and consumers need to follow and recommend that they open the attachment - which, of course, is malicious.
Unsuspecting Users
Masquerading as a government agency is especially effective in tricking unsuspecting users into opening malicious attachments. In this unusual campaign, bad actors developed elaborate messages, similar websites, and other content for various agencies in different countries.
Note that they then use targeted strategies to ensure that the individuals included in a Spam campaign are from the respective countries, although some cross-references should not report victims because the agencies of each campaign are unique.
Stay alert
Users should be suspicious when they see emails from government agencies, as they usually only use traditional postal systems to interact with citizens.
Be cautious in your environment with cyber security well positioned in institutions such as, NSS Labs
Pay special attention to information supposedly about tax refunds, as governments almost never send this kind of sensitive communication by email, certainly not in Brazil.
Know that cybercriminals are smart, however, they know that these social engineering tactics work because many of their victims are unaware of these communication policies.
As always, be careful and never open an unexpected attachment. If in doubt, the best course of action is to call the agency directly to confirm that the email is legitimate.
Mitigations
O FortiGuard Labs has the following detections for dealing with these spam campaigns.
Web filtering
The Labs FortiGuard classified all domains related to the e-mails of phishing identified in this report as spam URLs / malicious sites in our category.
FortiMail
FortiMail identifies and blocks such socially engineered spam campaigns with the following AV signatures:
- VBA / Agent.5751! Tr.dldr
- VBA / Agent.68D6! Tr.dldr
- VBA / Agent.QHD! Tr
- VBA / Agent.UB! Tr
Original Matter in English here.
