Several universities and more than 20 companies have been hit with malware whose creators are using several layers of subterfuge to camouflage their phishing attack by taking advantage of a few trusted brand names.
The new scam was uncovered by Comodo and eventually leads to an info stealer malware being installed. So far it has hit five university and 23 companies.
An attack begins with an email disguised as a FedEx email saying a package could not be delivered and asks the recipient/victim to click on a link and then print out a mailing label that can be brought to a local FedEx office enabling the package to be picked up. The next layer of obfuscation is in the link provided. The link appears to lead to a Google Drive account and even includes HTTPS and the word secure. Once the URL is clicked a malicious file labeled Lebalcopy.exe is downloaded.
“Actually, how can anyone know not to trust something with “google.com” in the address bar? But… the reality stings. For many, it's hard to believe, but skilled cybercriminals use drive.google.com for placing their phishing malware.
Even though on the surface the attack is hard to spot there are indicators.
- the presence of .exe file in %temp% folder
- the presence of tmp.exe file in %temp% folder
- the presence of WinNtBackend-2955724792077800.tmp.exe file in %temp% folder
Once installed and active the info stealer removes private data from the victim's browser, including cookies and credentials and looks for information on the persons email and instant messaging apps. Other content removed is credentials for FTP sites the user has and also looks for cryptocurrency wallets.