BleepingComputer reports that fake copyright infringement warnings using Yandex Forms are being leveraged for IcedID malware distribution.
Threat actors impersonating Zoho sent BleepingComputer a copyright infringement complaint claiming that the site had been using copyrighted images and that proof of the violation could be reviewed via a Yandex Forms link, rather than the Google Drive or Google Sites links such lures have used. Clicking the Yandex Forms link in the complaint redirected to a webpage displaying a "File 'Stolen Images Evidence' is ready for download" message, which eventually led to the download of an ISO file named "Stolen_ImagesEvidence.iso".
Double-clicking the downloaded ISO mounts it as a new drive letter containing what appears to be a "documents" folder alongside a randomly named DLL file. The "documents" item is not a folder but a Windows shortcut, and double-clicking it executes the DLL, a malicious loader for IcedID.
Individuals receiving copyright complaints have been advised to be more vigilant and leverage VirusTotal for suspicious file scanning.
According to a report from Securonix, the threat actors behind the campaign, which relies on a robust command-and-control infrastructure and extensively obfuscated PowerShell stagers, begin the attack with phishing emails sent to the targeted organization's employees. The messages carry a ZIP attachment containing a shortcut file that, when opened, launches a PowerShell script to deploy the malware.
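Both chains described above end with a user double-clicking a shortcut that launches something from an unusual place: a DLL from a freshly mounted ISO volume in the IcedID case, and a PowerShell stager from a ZIP attachment in the Securonix case. The following is an added detection example, not code from BleepingComputer, Securonix or the reports they describe. It runs two triage rules over a handful of constructed process-creation events in a Sysmon Event ID 1 style; the field names, paths, command lines, the assumption that the system drive is C: and that the DLL loader is invoked through rundll32.exe or regsvr32.exe are all assumptions made for the example, not details from the page.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# Field names, paths and command lines are assumptions for this example;
# none of them come from the original report.
SAMPLE_EVENTS: List[Event] = [
    {   # A DLL run via rundll32 from a newly mounted volume (E:), spawned by
        # explorer.exe, i.e. a user double-clicked something inside the image.
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe E:\xq8d2.dll,#1",
    },
    {   # explorer.exe launching PowerShell hidden with an encoded command,
        # the pattern a shortcut inside a ZIP attachment would produce.
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
    },
    {   # Benign: Word opened from explorer.
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": r'"WINWORD.EXE" C:\Users\alice\Documents\report.docx',
    },
    {   # Benign: rundll32 with a system DLL, not spawned by explorer.
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    },
]

LOADERS = ("rundll32.exe", "regsvr32.exe")
# Assumption: the OS lives on C:, so a DLL on any other drive letter is worth a
# look. Mounted ISO images get the next free letter, but so do USB sticks, which
# is why this is a triage signal rather than a verdict.
NON_SYSTEM_DLL = re.compile(r'\b[a-bd-z]:\\[^\s",]*\.dll\b', re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)
# -w hidden / -WindowStyle hidden, the usual way a stager hides its console.
HIDDEN_PS = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE)


def _basename(path: str) -> str:
    """Last path component, lower-cased, so image comparisons ignore directories."""
    return path.rsplit("\\", 1)[-1].lower()


def dll_from_non_system_volume(ev: Event) -> bool:
    """explorer.exe -> rundll32/regsvr32 loading a DLL from a non-C: drive."""
    return (
        _basename(ev["ParentImage"]) == "explorer.exe"
        and _basename(ev["Image"]) in LOADERS
        and NON_SYSTEM_DLL.search(ev["CommandLine"]) is not None
    )


def hidden_encoded_powershell(ev: Event) -> bool:
    """explorer.exe -> powershell.exe with -w hidden and/or an encoded command."""
    cmd = ev["CommandLine"]
    return (
        _basename(ev["ParentImage"]) == "explorer.exe"
        and _basename(ev["Image"]) in ("powershell.exe", "pwsh.exe")
        and (ENCODED_PS.search(cmd) is not None or HIDDEN_PS.search(cmd) is not None)
    )


RULES = {
    "dll_from_non_system_volume": dll_from_non_system_volume,
    "hidden_encoded_powershell": hidden_encoded_powershell,
}


def triage(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every event that matches a rule."""
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((idx, name))
    return hits


if __name__ == "__main__":
    for idx, name in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {name}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Both rules key on explorer.exe as the parent because the reported chains depend on a user double-clicking a shortcut; a legitimate installer or scheduled task that uses rundll32 or PowerShell will normally have a different parent and is left alone. Expect the first rule to fire on USB-borne DLLs as well, so treat hits as triage leads to pair with the VirusTotal check recommended above rather than as alerts on their own.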