
Emotet Malware Campaign Masquerades as the IRS for 2022 Tax Season


The Emotet malware botnet is taking advantage of the 2022 tax season in the United States by mailing out fraudulent emails that pose as the Internal Revenue Service and claim to deliver tax forms or federal returns.

Emotet is a malware infection spread via phishing emails carrying Word or Excel documents with malicious macros. When the user opens these documents, they are misled into enabling macros that install the Emotet malware on the device. Emotet then harvests the victim's emails for use in future reply-chain attacks, sends more spam emails, and eventually installs other malware, which can lead to a Conti ransomware attack on the targeted network.

Researchers have discovered various phishing attempts masquerading as the Internal Revenue Service (IRS.gov) that use lures relevant to the 2022 US tax season, according to a recent analysis by email security firm Cofense. These emails ostensibly come from the IRS and claim to be sending the recipient their 2021 Tax Return, W-9 forms, and other tax documents that are often needed during tax season.

While the subject lines and content of the IRS-themed emails vary, the common premise is that the IRS is contacting the company with either completed tax forms or forms that must be filled out and returned. The emails carry zip files, or HTML pages that lead to zip files, and the archives are password-protected to avoid inspection by secure email gateways. Third-party archive programs like 7-Zip, on the other hand, have no trouble extracting the files.

The zip files contain a 'W-9 form.xslm' Excel file that, when opened, prompts the user to click the "Enable Editing" and "Enable Content" buttons to view the document correctly. When a user clicks these buttons, malicious macros run, downloading and installing the Emotet malware from hacked WordPress sites. Once Emotet is loaded, it downloads further payloads, which in recent campaigns have mostly been Cobalt Strike.

Emotet has also dropped the SystemBC remote access Trojan, according to Cryptolaemus, an Emotet research group. With the Conti Ransomware gang now developing Emotet, all businesses, large and small, should be on the watch for these phishing tactics, which can escalate to ransomware attacks and data theft. It is important to remember that the IRS never sends unsolicited emails and only communicates via postal mail. As a result, anyone who receives an email purporting to be from the IRS should flag it as spam and delete it.
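An attachment triage check for the lure described above, as an added example that is not part of the original post: it flags zip attachments whose entries are password-protected, which a gateway cannot inspect, and otherwise looks for macro-capable Office files and for a VBA project hidden inside a document whose extension claims it has none. The sample archives and file names are constructed; because Python's zipfile cannot write encrypted archives, the sample only sets the encryption flag on the entry's central-directory record.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions that can carry VBA macros: legacy binary formats and macro-enabled OOXML.
MACRO_EXTS = {".doc", ".xls", ".ppt", ".docm", ".xlsm", ".xlsb", ".pptm"}
# OOXML formats that should never carry a VBA project.
OOXML_EXTS = {".docx", ".xlsx", ".pptx"}


def triage_archive(blob: bytes) -> list:
    """Return findings for a zip attachment without running anything inside it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = PurePosixPath(name).suffix.lower()
            if info.flag_bits & 0x1:  # general-purpose bit 0 = entry is encrypted
                findings.append(f"encrypted entry: {name}")
                continue  # content cannot be inspected; that alone is suspicious
            if ext in MACRO_EXTS:
                findings.append(f"macro-capable document: {name}")
            elif ext in OOXML_EXTS:
                inner = io.BytesIO(zf.read(name))
                if zipfile.is_zipfile(inner):
                    with zipfile.ZipFile(inner) as doc:
                        if any(n.endswith("vbaProject.bin") for n in doc.namelist()):
                            findings.append(f"hidden VBA project in {name}")
    return findings


def _fake_office_doc(with_vba: bool) -> bytes:
    """Constructed stand-in for an OOXML document (a zip with a minimal layout)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as doc:
        doc.writestr("[Content_Types].xml", "<Types/>")
        if with_vba:
            doc.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample(encrypted: bool, inner_name: str, with_vba: bool) -> bytes:
    """Constructed lure archive. zipfile cannot write encrypted zips, so we only set
    the encryption flag on the entry; ZipFile.close() writes it to the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zi = zipfile.ZipInfo(inner_name)
        zf.writestr(zi, _fake_office_doc(with_vba))
        if encrypted:
            zi.flag_bits |= 0x1
    return buf.getvalue()
```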

SquirrelWaffle Adds a Spin of Fraud to Exchange Server Malspamming


Squirrelwaffle, ProxyLogon, and ProxyShell are being used against Microsoft Exchange Servers to conduct financial fraud via email hijacking. Sophos researchers revealed that a Microsoft Exchange Server that had not been patched against a set of serious vulnerabilities identified last year was used to hijack email threads and disseminate malspam.

On March 2, 2021, Microsoft released emergency updates to address zero-day vulnerabilities that could be exploited to take over servers. At the time, Hafnium, an advanced persistent threat (APT) group, was actively exploiting the bugs, and other APTs swiftly followed suit. Although the ProxyLogon/ProxyShell flaws are now widely known, some servers remain unpatched and vulnerable to attack.

Sophos has described an incident that combined Microsoft Exchange Server vulnerabilities with Squirrelwaffle, a malware loader first discovered in malicious spam operations last year. The loader is frequently spread through malicious Microsoft Office documents or DocuSign content attached to phishing emails. If an intended victim enables macros in the malicious documents, Squirrelwaffle is typically used to fetch and execute Cobalt Strike beacons via a VBS script.

According to Sophos, in the recent campaign the loader was deployed once the Microsoft Exchange Server had been compromised. The server of an undisclosed organisation was used to "mass distribute" Squirrelwaffle to internal and external email addresses by hijacking existing email threads between employees.

Email hijacking can take a variety of forms. Social engineering and impersonation, such as an attacker posing as an executive to dupe accounting departments into signing off on a fraudulent transaction, or sending email blasts with links to malware payloads, can disrupt communication channels. In this case the spam campaign was used to disseminate Squirrelwaffle, but the attackers also extracted an email thread and used the internal knowledge it contained to carry out financial fraud. Customer information was obtained and a victim organisation was chosen. The attackers then created email accounts under a typo-squatted domain, one registered with a name very similar to the victim's, and used them to reply to the email thread from outside the server.

Sophos explained, "To add further legitimacy to the conversation, the attackers copied additional email addresses to give the impression that they were requesting support from an internal department. In fact, the additional addresses were also created by the attacker under the typo-squatted domain." 

The attackers attempted for six days to divert a legitimate financial transaction to a bank account they owned. The money was about to be processed, and the victim escaped the attack only because a bank involved in the transaction realized the transfer was most likely fake. 

Matthew Everts, a Sophos researcher, commented, "This is a good reminder that patching alone isn't always enough for protection. In the case of vulnerable Exchange servers, for example, you also need to check the attackers haven't left behind a web shell to maintain access. And when it comes to sophisticated social engineering attacks such as those used in email thread hijacking, educating employees about what to look out for and how to report it is critical for detection."
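A check for the typo-squatted reply addresses described in the Sophos incident, as an added example rather than anything from Sophos: it scans the From, Reply-To, To and Cc headers for domains within a couple of edits of a trusted domain, which also catches the extra "internal" addresses the attackers copied in under the same squatted domain. The trusted domains and message headers are constructed samples.

```python
import re

# Constructed: the organisation's own domain and a partner it regularly emails.
TRUSTED_DOMAINS = ["example-corp.com", "partner.example"]
HEADERS_TO_CHECK = ("From", "Reply-To", "To", "Cc")
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (dynamic programming, O(len(a)*len(b)))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domains(headers: dict, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> list:
    """Return (header, domain, nearest trusted domain, distance) for every address
    whose domain is close to a trusted domain without actually being one of them."""
    trusted = [t.lower() for t in trusted]
    hits = []
    for hdr in HEADERS_TO_CHECK:
        for dom in ADDR_RE.findall(headers.get(hdr, "")):
            dom = dom.lower()
            if dom in trusted:
                continue
            nearest = min(trusted, key=lambda t: levenshtein(dom, t))
            dist = levenshtein(dom, nearest)
            if dist <= max_dist:
                hits.append((hdr, dom, nearest, dist))
    return hits


# Constructed reply-chain message: the reply comes from a domain one edit away from
# the victim's, and a fake "accounts" address under the same squatted domain is CC'd
# to make it look like an internal department has been looped in.
SAMPLE_HEADERS = {
    "From": "Jane Doe <jane.doe@examp1e-corp.com>",
    "Reply-To": "jane.doe@examp1e-corp.com",
    "To": "ap@partner.example",
    "Cc": "accounts@examp1e-corp.com, bob@partner.example",
    "Subject": "RE: Invoice 4471 - updated bank details",
}

if __name__ == "__main__":
    for hit in lookalike_domains(SAMPLE_HEADERS):
        print("suspicious %s address: %s looks like %s (distance %d)" % hit)
```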

PyPI and GitLab Witness Spam Attacks


GitLab, a source code hosting website, and the Python Package Index (PyPI) portal are both being flooded by spammers with advertisements for shady websites and assorted services. The two attacks, however, appear to be unrelated.

The PyPI attack, in which more than 10,000 listings have been posted, is the larger of the two. The Python Package Index (PyPI) is the software repository for the Python programming language: it lets users search for and install applications from the Python community, package developers use it to distribute their software, and it hosts tens of thousands of Python libraries. Spammers have lately abused the fact that anybody can create entries for Python libraries on PyPI's website, using those entries as massive SEO advertising for various shady pages.

These pages typically featured a mix of search-engine-friendly keywords on topics ranging from games to pornography and from films to gifts, with a shortened link at the bottom that mostly pointed to a site attempting to harvest payment card data. The PyPI team has confirmed that it is aware of the SEO spam flood. "Our admins are working to address the spam," stated Ewa Jodlowska, Executive Director of the Python Software Foundation. She added, "By the nature of pypi.org, anyone can publish to it, so it is relatively common."

Although the PyPI spam attack seems to have been going on for at least a month, a newer attack has been found at GitLab, a website that allows developers and companies to host and sync work on source code repositories. A still-unidentified threat actor appears to have spammed the issue trackers of thousands of GitLab projects, each spam comment triggering an e-mail to the account owners. As with the PyPI spam, these comments directed users to shady websites.

GitLab was evidently not prepared for such an attack: according to an incident status report published by the company, the spam caused its e-mail infrastructure to slow down, stall, and queue legitimate e-mails. The company said, “We confirmed that mail latency was caused by a user’s spam attack. Mitigation is in progress, as we drain the offending job processing queues.”

Spamming source code repositories appears to be a new strategy for spam communities, which in recent years have mostly posted comments with shady links on websites, forums, and news portals. Although spam isn't a glamorous attack vector, many businesses struggle to protect their servers, web applications and subdomains, and these services often end up being exploited to host or take part in spam attacks.