asfenherbal.blogg.se

Deepguard f secure
Malware authors tend to prefer specific types of file attachments in their campaigns to distribute malicious content.

During our routine threat landscape monitoring in the last three months, we observed some interesting patterns about the attachment types that are being used in various campaigns. In February and March, we saw huge spam campaigns using ZIP files to send out GandCrab ransomware, and DOC and XLSM files to distribute the Trickbot banking trojan. In the same time period, we saw a similarly large campaign targeting American Express, and a ‘Winner’ scam, both using PDF file attachments. We also noticed a new trend of disc image files (ISO and IMG) being used to spread malware, with a few small campaigns distributing AgentTesla InfoStealer and NanoCore RAT.

To give some background or context, our spam feeds show that malware authors do use a variety of attachment types. When we view the feeds as a time chart, however, it’s clear that ZIP, PDF, and MS Office files such as DOC and XLSM file attachments were more commonly used in huge spam campaigns.

In February and March, there were huge spam campaigns using ZIP files to deliver GandCrab ransomware. The files were designed to appear to be sending a photo to someone. The ZIP contains an obfuscated JavaScript downloader, which executes a PowerShell script that downloads and executes the GandCrab ransomware binary. If the payload is successfully downloaded and executed, it then encrypts the victim’s machine and displays a ransomware note.

In March, there were also huge spikes in spam campaigns using DOC and XLSM files to deliver Trickbot – a modular banking trojan that is also capable of delivering other payloads we’ve been seeing before. The Office doc attachments contain a malicious macro which downloads and executes the payload using the bitsadmin tool. On successful download and execution, the Trickbot sample starts execution and creates modules on the victim’s machine.

PDF files used for phishing targeting American Express

One of the highest spikes in the graph that used PDF is a phishing campaign targeting American Express during March. When the PDF file is opened, it shows a link that leads the user to a “secure message” pretending to be from the American Express Business Card Customer Security Team. The link leads the victim to a shortened URL (x.co) from GoDaddy – a trick many other phishing campaigns have been using to steal banking credentials. A recent example from another campaign using a similar shortened URL is a phishing link targeting Bank of America.

The second-highest campaign that uses a PDF file attachment is a “Winner” scam from Google. The scam asks the victim to provide personal details such as full name, address, country/nationality, telephone/mobile number, occupation, age/gender, and private email address.

(Newly rising players) ISO and IMG: AgentTesla and NanoCore RAT

Though it does not produce the spikes in certain file types seen in the spam campaigns mentioned above, since July 2018 we’ve also noted an increasingly popular trend of attackers using disc image files to deliver malware. We have seen campaigns using this technique delivering AgentTesla InfoStealer and NanoCore RAT. Interestingly, we have also seen a recent spam campaign delivering two types of attachments: a malicious Office doc and an ISO image file, both of which install the AgentTesla infostealer.
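For mail-gateway triage of the attachment types discussed in this post, the following added example (not code from the original article) identifies a container from its bytes rather than its file name and flags script files inside ZIPs, macro-enabled Office files, and ISO 9660 disc images. The function names, the extension watch list, and the sample inputs are assumptions made for illustration; links inside PDF files are not inspected.

```python
import io
import zipfile

SCRIPT_EXTS = (".js", ".jse", ".vbs", ".wsf", ".hta")   # assumed watch list
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")            # legacy DOC/XLS container

def sniff_type(data):
    """Identify the container from its bytes, ignoring the file name."""
    if data[:5] == b"%PDF-":
        return "pdf"
    if data[:8] == OLE_MAGIC:
        return "ole"
    # ISO 9660: "CD001" sits one byte into sector 16 (2048-byte sectors).
    # Raw or UDF-only .img files are not recognised by this check.
    if data[0x8001:0x8006] == b"CD001":
        return "iso9660"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    return "unknown"

def triage(data):
    """Return a list of reasons to hold the attachment for inspection."""
    kind = sniff_type(data)
    if kind == "iso9660":
        return ["disc image (ISO 9660)"]
    if kind == "ole":
        return ["legacy Office file, may carry macros"]
    if kind != "zip":
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["unreadable ZIP"]
    findings = []
    for name in names:
        if name.lower().endswith(SCRIPT_EXTS):
            findings.append("script in archive: " + name)
        elif name.lower().endswith("vbaproject.bin"):   # DOCM/XLSM macro storage
            findings.append("Office file with VBA project")
    return findings

def make_zip(members):
    """Build a constructed in-memory ZIP from {name: bytes} for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples, not taken from any real campaign.
SAMPLE_ZIP = make_zip({"IMG_0001.js": b"// placeholder"})
SAMPLE_XLSM = make_zip({"[Content_Types].xml": b"<Types/>", "xl/vbaProject.bin": b"\x00"})
SAMPLE_ISO = bytes(0x8000) + b"\x01CD001\x01" + bytes(2041)
```

Because XLSM and DOCM files are themselves ZIP containers, the same archive walk covers both the script-in-ZIP case and the macro-enabled Office case.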














