Microsoft recently warned organizations of a new unique attack campaign that abuses contact forms found on websites to deliver financial malware to businesses through email that poses as email of legal threats. This new campaign is another trick of adversaries to abuse business infrastructures to evade and bypass installed security protection systems.
The emails aim to instruct the recipients to click on the attached link to review the “supposed evidence” behind the allegations. Still, instead, it will lead the victim to download IcedID, and information-stealing malware.
IcedID trojan is a financial malware on a Windows platform used to conduct reconnaissance and banking credential exfiltration alongside other hefty features that will connect the compromised system to a remote C2 command-and-control server. This will allow the malware operators to additional payloads such as ransomware and malware variants capable of other dubious tools such as a hands-on-keyboard attack, credential stealing, and moving across lateral affected networks.
Microsoft researchers revealed that the attackers could have used a custom tool to automate the email delivery by abusing the target’s enterprise contact forms while evading CAPTCHA protection filters. The emails aim to communicate legal threats and to intimidate their victims, claiming to take legal actions as the next step against their victim for “allegedly using images or illustrations without their consent, and that legal actions will be taken against them”
Invoking such a sense of urgency can lead victims into revealing sensitive information, click a suspicious link, or open a malicious attachment file. This discovered infection chain uses a link to a sites.google.com page that requires the victim to log in with their Google credentials and automatically download a ZIP archive file after they sign in.
The downloaded ZIP file contains an obfuscated JavaScript file that downloads the financial malware.
Further analysis of the JS file revealed that the malicious code can also download other malware variants such as Cobalt Strike, putting potential victims at further risk.
This new campaign scheme is yet another evidence of how threat actors constantly update and tweak their social engineering tactics against targeted companies, with the intent to distribute dangerous malware while employing evasion on detection. The form is notable because such emails don’t have the typical characteristics of malicious content and are highly legitimate-looking.