In recent weeks, security researchers tracked down a new group of financially motivated hackers targeting businesses and organizations in Germany, Italy, and the United States. At the end of a successful attack, the compromised company or VIP user usually ends up with a backdoor, a banking Trojan, or ransomware on their systems.
The malware campaign concept:
The new malware campaigns are not customized for each organization, researchers say; instead, the hackers appear to be most interested in the business services, IT services, manufacturing, and healthcare sectors, which hold critical data and can likely afford high ransom payouts.
Malware campaign analysis:
A cybersecurity report shows that the newly discovered hacker group sends low-volume emails to targeted organizations, impersonating finance-related government entities and using tax-assessment and tax-refund lures.
New malware discovered in these campaigns:
In almost all of the spear-phishing campaigns, the hackers used malicious Word document attachments as the initial vector to compromise the device.
If a victim opens such a file, the malicious document executes a macro script that runs malicious PowerShell commands, which infect the system with the following payloads:
IcedID banking Trojan,
Cobalt Strike backdoor,
Maze ransomware.
Of those three, Maze ransomware is the most dangerous because it encrypts all of your files.
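As an added defender-side example (not code from the report or the researchers), the following Python detection logic flags the Word-macro-to-PowerShell hand-off described above in process-creation events. The Sysmon-style field names, the sample events and the suspicious-flag patterns are assumptions constructed for illustration.

```python
import re

# Constructed sample events in the shape of Sysmon Event ID 1 (process creation)
# as a SIEM might export them; they are made up for this example, not from the report.
SAMPLE_EVENTS = [
    {"User": "CORP\\alice",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATw..."},
    {"User": "CORP\\backup",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\nightly-backup.ps1"},
    {"User": "CORP\\bob",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]
# Office applications that should almost never launch a scripting host directly.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line traits typical of macro droppers: hidden window, encoded command,
# no profile, bypassed execution policy, or in-memory download-and-execute.
SUSPICIOUS_ARGS = re.compile(
    r"(?i)(?:-e(?:nc(?:odedcommand)?)?\s|-nop\w*|-w(?:indowstyle)?\s+hidden|"
    r"-ep\s+bypass|downloadstring|invoke-expression|\biex\b)")

def basename(path: str) -> str:
    # Last path component, lower-cased: ...\WINWORD.EXE -> winword.exe
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(evt: dict) -> list:
    """Return the reasons an event looks like an Office macro launching a shell."""
    parent, child = basename(evt["ParentImage"]), basename(evt["Image"])
    reasons = []
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {child}")
        if SUSPICIOUS_ARGS.search(evt.get("CommandLine", "")):
            reasons.append("hidden/encoded/download flags on command line")
    return reasons

def find_alerts(events) -> list:
    """Map each suspicious event to (user, severity, reasons); benign events are dropped."""
    alerts = []
    for evt in events:
        reasons = score_event(evt)
        if reasons:
            alerts.append((evt["User"], "high" if len(reasons) > 1 else "medium", reasons))
    return alerts
```

Running `find_alerts(SAMPLE_EVENTS)` rates the hidden, encoded PowerShell launched from WINWORD.EXE as high and the plain cmd.exe from EXCEL.EXE as medium, while the scheduled backup script started from explorer.exe produces no alert.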
During this campaign the hackers impersonated the following trusted entities:
Bundeszentralamt für Steuern, the German Federal Ministry of Finance,
Agenzia Delle Entrate, the Italian Revenue Agency,
1&1 Internet AG, a German internet service provider,
USPS, the United States Postal Service.
Protection guide against email-based cyberattacks
Here are the best ways to protect your computer against such attacks:
Disable macros from running in Office files,
Always keep a backup of your important data,
Run reputable antivirus software on your system,
Don't open email attachments from unknown or untrusted sources,
Don't open links from unknown sources.
Even if these campaigns are small in volume, they are significant for their abuse of trusted brands, including government agencies, and for their relatively rapid expansion across multiple geographies.
So far, the group appears to have targeted companies in Germany, Italy, and, most recently, the United States.