Cybersecurity researchers have uncovered a new targeted malspam campaign deploying password-stealing malware.
The campaign was discovered by Sophos X-Ops and described in an advisory published today.
According to the report, the attackers used social engineering tactics, sending emailed complaints about service problems or requests for information to establish trust with their targets before sending malicious links.
The method mirrors a previously uncovered campaign leading up to the US federal tax filing deadline in April 2023.
Sophos researchers Andrew Brandt and Sean Gallagher explained that the attackers’ social engineering tactics covered a broad spectrum, ranging from complaints about alleged violent incidents or theft during a guest’s stay to requests for information on accommodating guests with special needs.
Once the hotel responded to the initial inquiry, the threat actors sent follow-up messages containing purported documentation or evidence, which contained a malware payload hidden in a password-protected archive file.
The attackers shared the files from public cloud storage services, such as Google Drive, using passwords like “123456” to allow victims to open the archives.
Notably, the malware payloads were designed to evade detection. They are large files exceeding 600 MB in size, with most of the content being space-filler zeroes.
Moreover, the malware was signed with code-validation certificates, some of which were newly obtained during the campaign, while others appear to be fake.
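Inflating a small stealer to hundreds of megabytes with null bytes is aimed at scanners that refuse or skip oversized files. The following is an added example, not code from Sophos or the advisory, of a streaming check a defender could run on quarantined attachments: it reads the file in chunks (so a 600 MB sample is never held in memory) and flags files that are both oversized and overwhelmingly zeroes. The size threshold, padding ratio and the constructed sample file are assumptions, not values taken from the report.

```python
"""Flag binaries that have been padded out with zero bytes.

Added example for this article (not Sophos's tooling). The thresholds
below are assumptions chosen for illustration, not figures from the advisory.
"""
import os
import tempfile

CHUNK = 1024 * 1024                        # read 1 MiB at a time
MIN_SUSPICIOUS_SIZE = 200 * 1024 * 1024    # assumed: "oversized" starts here
PAD_RATIO = 0.90                           # assumed: flag if >= 90% of bytes are 0x00


def zero_fraction(path: str) -> float:
    """Return the fraction of 0x00 bytes in the file, streamed chunk by chunk."""
    total = zeros = 0
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            total += len(chunk)
            zeros += chunk.count(0)        # bytes.count accepts a single byte value
    return zeros / total if total else 0.0


def is_padded_binary(path: str, min_size: int = MIN_SUSPICIOUS_SIZE,
                     pad_ratio: float = PAD_RATIO) -> bool:
    """True when the file is both oversized and dominated by null bytes.

    The size check runs first so small, legitimate files are never fully read.
    """
    if os.path.getsize(path) < min_size:
        return False
    return zero_fraction(path) >= pad_ratio


def make_padded_sample(payload: bytes, total_size: int) -> str:
    """Write a constructed test file: real bytes up front, zeroes to total_size.

    truncate() extends the file with zero bytes (sparse on most filesystems),
    which mimics the space-filler padding described in the report.
    """
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)
        fh.truncate(total_size)
    return path


if __name__ == "__main__":
    sample = make_padded_sample(b"MZ" + b"\x90" * 1000, 2 * 1024 * 1024)
    print(f"zero fraction: {zero_fraction(sample):.4f}")
    print("padded:", is_padded_binary(sample, min_size=1024 * 1024))
```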
The malware, identified as RedLine Stealer or Vidar Stealer variants, connected to a Telegram channel for command-and-control purposes. It exfiltrated data, including desktop screenshots and browser information, without establishing persistence on the host machine.
Read more on this malware: RedLine Stealer Malware Deployed Via ScrubCrypt Evasion Tool
Sophos X-Ops said they have retrieved over 50 unique samples from cloud storage linked to this campaign, and indicators of compromise have been published on their GitHub repository.
“We have also reported the malicious links to the various cloud storage providers hosting the malware,” reads the advisory. “Most of these samples displayed few-to-no detections in VirusTotal.”