A new phishing campaign that’s been touring Europe has now been hitting the United States with the goal of spreading a trojan onto computers, as detailed in a report released on Thursday by Proofpoint.

Phishing emails are one of the trickiest tactics employed by cybercriminals to try to lure potential victims into taking their bait. Masquerading as legitimate emails from actual organizations, such messages can often easily dupe people into clicking on the wrong link or opening the wrong file attachment, thereby being infected by malware.

SEE: Phishing attacks: A guide for IT pros (free PDF) (TechRepublic)

On Nov. 12, 2019, Proofpoint researchers observed thousands of emails trying to deploy malicious Microsoft Word attachments in the US, according to the report. The emails impersonated messages from the United States Postal Service and were part of a campaign to infect systems with the IcedID banking trojan.

Discovered in 2017 by IBM X-Force Research, IcedID typically targets banks, payment card providers, and other financial institutions in an attempt to steal user credentials.

Instead of targeting financial companies, the campaign found by Proofpoint was heavily directly at the healthcare industry. The emails discovered use the URL uspsdelivery-service.com, while the malicious Word documents contain a purported RSA SecurID key. Opening the Word document triggers a Microsoft Office macro that launches a PowerShell script, which then downloads and installs IcedID onto the computer.

The US is only the latest target in this new campaign, according to the report. In October and then again in November, Proofpoint observed the same threat actor, named internally as TA2101, aiming at businesses in Germany with emails impersonating the German Federal Ministry of Finance. Beyond the phony branding, the emails use .icu domains in the sender’s address.

In this case, the person behind the campaign chose to use Cobalt Strike. Commercially available as a licensed software tool typically used for penetration testing, Cobalt Strike has been coopted by cybercriminals to deploy malware.

Sent primarily to German IT services companies, the fraudulent email promises a 2019 tax refund, asking the recipient to open an attached Word document to submit a claim for the refund. Instead, opening the document launches an Office macro that executes a PowerShell script, which then downloads and installs Maze ransomware.

Later in October, Proofpoint found a similar campaign running in Italy. This time, the emails used branding from the Italian Ministry of Taxation but also with .icu domains in the sender’s address. As with the emails sent to US companies, these use purported RSA SecurID keys to lend an air of legitimacy.

The message states that the recipient should open and read the attached document to avoid tax assessment and penalties. But once again, opening the Word document triggers the Office macro that then loads a PowerShell script, which installs Maze ransomware.

Seasonal lures

Cybercriminals have used finance-related lures on a seasonal basis, typically deploying more tax-related phishing emails in time with the annual tax filing deadlines in different countries, according to the report.

Spotted in 2017, these campaigns used social engineering to help deliver banking Trojans and spread ransomware. In 2018, researchers at Proofpoint discovered phishing campaigns in the US with tax-related lures and IRS branding.

In its quest to track down malware, Proofpoint analyzes more than five billion email messages, hundreds of millions of social media posts, and more than 250 million malicious samples every day, the company said.

To identify and analyze the latest campaign described in the report, Proofpoint looked at different characteristics such as infrastructure, lure styles, and macro code. As a result, the company found that the actions did not overlap those of existing threat actors, indicating that this was a new group in play. Some evidence uncovered indicated that the actor is Russian-speaking.

“Although these campaigns are small in volume, currently, they are significant for their abuse of trusted brands, including government agencies, and for their relatively rapid expansion across multiple geographies,” Christopher Dawson, Threat Intelligence Lead for Proofpoint, said.

“To date, the group appears to have targeted organizations in Germany, Italy, and, most recently, the United States, delivering geotargeted payloads with lures in local languages,” Dawson added. “We will be watching this new actor closely, given their apparent global aspirations, well-crafted social engineering, and steadily increasing scale.”

How can organizations better protect themselves and their employees from this type of malware and ransomware? Dawson shared the following advice:

“As threat actors increasingly become more targeted in their attacks through social engineering, and continue to pursue individual users rather than infrastructure, it is critical that organizations shift their focus to an attacker’s view of their users and identify their most at-risk employees based on targeting frequency and severity of attacks, as well as their role, system access, and risk exposure,” Dawson said.

“This people-centric view will enable organizations to deploy the appropriate level of protection and mitigations for those users, devoting resources to where they are most needed,” Dawson added.

“Users should approach all unsolicited emails with caution, especially ones that request the user to act, like downloading/opening an attachment, clicking a link, or entering credentials. Layered defenses that leverage detection at the email gateway, the network edge, and the endpoint, combined with user education are critical for organizations looking to protect themselves from these threats.”

Image: iStockphoto/peshkov