A newly discovered malicious email campaign delivers several families of malware, among them a financial trojan built to steal banking information and other credentials, according to recently published security research. The campaign can be traced back to January of this year and remains active. It also uses several evasive techniques to avoid detection and to maximise the attack's effectiveness.
One of these techniques is the use of a crypter, a packer that obfuscates the malware's code so that signature-based security scanners have a harder time detecting it. Researchers also observed that the threat actors abuse legitimate hosting platforms such as Google Drive to host the malicious files and scripts that deliver the malware to target devices, since a link to a trusted domain is less likely to be blocked or to raise suspicion.
The researchers noted that every malware variant used in the campaign contains the same string value, Salfram, which gave the campaign its name and allowed defenders to track it as the payloads changed.
The emails in the Salfram campaign lead to scripts that deliver several types of malware, including Cobalt Strike (a commercial penetration testing framework that attackers frequently repurpose), AveMaria, Gozi ISFB, ZLoader, Oski and SmokeLoader. This set includes banking trojans and information stealers designed to harvest banking information and credentials.
The Salfram Email Campaign
According to the report, the threat actors make initial contact through the contact form on the target organization's own website. The message the organization receives through that form claims to be a copyright complaint about an image that has been uploaded to the organization's website.
The message contains a URL, and the recipient is urged to click it to resolve the supposed violation. The link leads to a malicious Microsoft Word document hosted on a trusted domain such as Google Drive. The document prompts the user to enable macros; once macros are enabled, the embedded code downloads the malware onto the device.
The malware delivered varies over the course of the campaign, but the threat actors consistently apply the same crypter to the payload to conceal its malicious content, which hampers both automated scanning and manual analysis.
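The lure chain described above has two cheap checkpoints a mail-security team can automate: the inbound message (a copyright-complaint pretext carrying a link to a file-hosting site) and the fetched document (a Word file that carries a VBA project). The following Python script is an added example, not code from the original article or from the researchers who reported the campaign. The hosting-domain watchlist beyond Google Drive, the pretext phrase list and the sample message are assumptions constructed for illustration; the macro check relies on the fact that macro-enabled OOXML documents store their code in the word/vbaProject.bin part.

```python
"""Triage helpers for a Salfram-style lure chain (added example, not the
article's or the researchers' code).  Watchlists and sample inputs below are
constructed assumptions for illustration."""
import io
import re
import zipfile
from typing import List, Optional

# Hosting platforms abused to make the link look trustworthy.  Google Drive
# is named in the report; the other entries are assumptions.
HOSTED_FILE_DOMAINS = ("drive.google.com", "docs.google.com", "dropbox.com")

# Phrases typical of the copyright-complaint pretext (constructed list).
LURE_PHRASES = ("copyright", "infringement", "dmca", "your website", "image")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def hosted_links(body: str) -> List[str]:
    """Return every URL in the body whose host is a watchlisted
    file-hosting domain or a subdomain of one."""
    hits = []
    for url in URL_RE.findall(body):
        host = re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0]
        host = host.split("@")[-1].split(":")[0].lower()  # drop userinfo, port
        if any(host == d or host.endswith("." + d) for d in HOSTED_FILE_DOMAINS):
            hits.append(url)
    return hits


def lure_score(body: str) -> int:
    """Count how many pretext phrases occur in the body (case-insensitive)."""
    text = body.lower()
    return sum(1 for phrase in LURE_PHRASES if phrase in text)


def has_vba_macros(doc: bytes) -> bool:
    """True if an OOXML Word file (.docx/.docm) carries a VBA project.
    Macro-enabled OOXML documents keep their code in word/vbaProject.bin; a
    plain .docx never has that part.  Legacy OLE .doc files use a different
    container and need a parser such as oletools' olevba, which this helper
    does not cover (it returns False for anything that is not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return "word/vbaProject.bin" in names


def triage(body: str, attachment: Optional[bytes] = None) -> dict:
    """Combine the indicators into a verdict for one message.  A hosted link
    alone is normal business traffic; it is the pairing with the pretext
    (two or more phrases) that makes the message worth holding."""
    links = hosted_links(body)
    reasons = []
    if links and lure_score(body) >= 2:
        reasons.append("copyright pretext with link to file-hosting site")
    if attachment is not None and has_vba_macros(attachment):
        reasons.append("fetched document contains a VBA project")
    return {"suspicious": bool(reasons), "reasons": reasons, "links": links}


def build_sample_docm(with_macros: bool) -> bytes:
    """Construct a minimal OOXML container in memory (sample data, not a
    real lure) so the macro check can run offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Real files hold an OLE compound document here; a stub suffices.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


# Constructed sample message modelled on the pretext the report describes.
SAMPLE_BODY = """Hello,

Your website uses an image that belongs to my client and you have no
license for it. This is a copyright infringement notice under DMCA.
Download the evidence and remove the image within 48 hours:
https://drive.google.com/file/d/ABC123/view?usp=sharing

Regards"""

if __name__ == "__main__":
    print(triage(SAMPLE_BODY, build_sample_docm(with_macros=True)))
```

In production the document would be fetched in a sandbox rather than by the triage host, and the verdict would feed a quarantine rule instead of a print; the phrase and domain lists are deliberately small here and would be tuned against the organisation's real mail.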