This phishing email uses an unexpected trick to infect PCs with keylogger malware


Batu69

Rather than using macros, this malware uses Visual Basic Script to avoid detection.

The lure comes in the form of a Packager Shell Object.

Cybercriminals are targeting a major US financial services provider with malicious emails containing the tools required to install information-collecting keylogging software onto the infected systems.

Keylogging enables hackers to see everything that's typed using the keyboard of an infected machine, something which can be exploited to steal information, personal information, and login credentials.

Cybersecurity researchers at Proofpoint note that the attack is very narrow in scope, targeting users in just a single US-based financial services and insurance organisation with malicious emails. Naturally, banks are a high-profile target for cybercriminals who not only see money as a lucrative target, but also view financial institutions as a treasure trove of data to exploit.

Like many phishing threats, the email contains an attachment in the form of a Microsoft Word document, designed to deliver the payload. However, unlike most phishing emails containing malicious attachments, which use macros to avoid detection, this one uses an embedded object in the form of a Visual Basic Script that acts as a downloader for the malware.

"It is a Packager Shell Object. When content like a script is packaged as a Packager Shell Object, it can be opened and executed from within the Microsoft Office file in which it is embedded," says Kevin Epstein, VP of the threat operations center at Proofpoint.

In this instance, the emails sent in this cyberattack include a Microsoft Word attachment named "info.doc", which contains an image requesting the user click on it to install Microsoft Silverlight in order to view the supposed content of the document.

However, upon closer examination of the image, researchers note that it reveals itself as not a link, but rather a Visual Basic Script file which contains code for keylogging malware which will run when clicked on.

Once installed on an infected system, the malware will log the keystrokes and send the information to two hard-coded Gmail addresses.

While researchers haven't been able to specifically identify the keylogger being used in this attack, it's written in the AutoIt scripting language and uses tools including LaZagne password recovery to help gather credentials.

There's no indication of who is behind the attacks against the unnamed financial services firm, but researchers indicate the malicious software used was obtained from a public malware repository and uploaded from Estonia. According to Proofpoint, this indicates that the keylogger may have been used in attacks against similar institutions.

Researchers note that while the malware is basic compared to other exploits, the way the keylogger is being delivered to end users represents a shift from the tried and tested method of tricking them into enabling macros.

While Microsoft Office applications can block macros by default, this threat indicates that cyberattackers are very much active in developing new ways to deliver their malicious payloads.

Article source
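As an added example, not code from the article or from Proofpoint, the following Python parses the Ole10Native stream in which a Packager Shell Object stores its embedded file and flags the object when the embedded file name carries a script or executable extension, which is the check a mail gateway or analyst would run on "info.doc" before a user can click the fake Silverlight image. It assumes the stream has already been pulled out of the document's OLE container with a separate tool, that the field layout matches my reading of the OLE 1.0 Package format, and it uses a constructed sample rather than the real attachment.

```python
import os
import struct

# Extensions that make an embedded Package runnable rather than a document;
# the article's lure was a Visual Basic Script (.vbs) disguised as an image.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
                     ".ps1", ".bat", ".cmd", ".exe", ".scr"}

def _cstring(buf, pos):
    # Read a NUL-terminated string at pos; return (text, position after NUL).
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1

def build_ole10native(label, orig_path, payload):
    """Assemble a sample Ole10Native stream (constructed fixture, not a capture)."""
    body = struct.pack("<H", 2) + label.encode() + b"\x00" + orig_path.encode() + b"\x00"
    body += struct.pack("<HH", 0, 3)           # flags2, unknown word
    tmp = orig_path.encode() + b"\x00"         # temp path recorded at embed time
    body += struct.pack("<I", len(tmp)) + tmp
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body

def parse_ole10native(stream):
    """Return (label, original_path, payload). Assumed layout: DWORD size, WORD
    flags1, NUL-terminated label, NUL-terminated original path, WORD flags2,
    WORD unknown, DWORD temp-path length, temp path, DWORD payload length, payload."""
    (total,) = struct.unpack_from("<I", stream, 0)
    if total + 4 > len(stream):
        raise ValueError("declared size exceeds stream length")
    pos = 6                                    # past size and flags1
    label, pos = _cstring(stream, pos)
    orig_path, pos = _cstring(stream, pos)
    pos += 4                                   # flags2 + unknown word
    (tmp_len,) = struct.unpack_from("<I", stream, pos)
    pos += 4 + tmp_len                         # temp path, NUL counted in tmp_len
    (data_len,) = struct.unpack_from("<I", stream, pos); pos += 4
    payload = stream[pos:pos + data_len]
    if len(payload) != data_len:
        raise ValueError("truncated payload")
    return label, orig_path, payload

def classify_package(stream):
    """Parse a Packager object and flag it when the embedded name is a script."""
    label, orig_path, payload = parse_ole10native(stream)
    ext = os.path.splitext(label)[1].lower()
    return {"label": label, "path": orig_path, "size": len(payload),
            "suspicious": ext in SCRIPT_EXTENSIONS}

# Constructed sample mimicking the article's lure: a .vbs packaged into a Word file.
SAMPLE = build_ole10native("silverlight.vbs", r"C:\Temp\silverlight.vbs",
                           b"' constructed placeholder, not the real keylogger\r\n")
```

Run `classify_package(SAMPLE)` to see the flagged result; a PDF or image label passes the same check with `suspicious` set to False.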

I simply never click on email attachments unless it's from someone I know. And even then I ask for confirmation from the person if he/she actually sent it.

And even that is not a guarantee of safety. Several years ago a friend of mine sent me an attachment consisting of a funny slide show made with Office.

Many people passed it on seeing how funny it was. Luckily the malware it contained wasn't a life destroying monster and I quickly spotted it by making regular scans of my machine.


I don't allow any email attachments; they are automatically removed before the email reaches the addressee's email box. I have set up an FTP server so that anyone who needs to send any documents to one of my 20,000 users can upload it to our server, where it is scanned and examined before allowing a user to access it. Internal document attachments are allowed but are automatically scanned before they are uploaded to the server, which means they have been checked twice. Non-corporate users who don't have a security officer to protect them should never open an attachment; as a matter of fact, there are a number of emails they should never open, but being the idiots they are, they continually violate every security edict that has been published in the last 20 years. And for these fools I have no sympathy.

On my personal email accounts, such as Gmail, etc., I never open an attachment. Friends know better than to send me an email with an attachment, as I won't open it. Instead we use our Dropbox accounts to share things, since Dropbox can be opened in a VM or a sandbox and the system is protected.

For the record, I have not used an installed AV/malware program on my personal computers since 2000 and have never had an infection of any type. I use the capabilities built in to Windows to block software from running from locations that malware is typically downloaded to and run from, and other locations I deem a security problem. I run a standalone scan of my systems weekly and have never found anything. I use various scanners, such as ComboFix, Kaspersky disk, and others to scan the systems.
