January 22, 2024
Remember that small jolt of unease when an unexpected invoice lands in your inbox? Cybercriminals are counting on exactly that reaction. The threat actor tracked as TA866 has returned with a phishing campaign that turns fake invoices into a delivery mechanism for malware.
The Bait: Invoices with a Bite
TA866’s latest scheme sends emails carrying PDF attachments that pose as invoices. The PDFs typically have generic names such as “Document_[10 digits].pdf” and arrive under subjects like “Project achievements.” The PDF itself carries no exploit; the harm is in the OneDrive link embedded in it.
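The lure can be triaged before anyone clicks. The following script is an added example written for this post, not tooling from TA866 research or from any vendor: it scans the raw bytes of a PDF attachment for link actions (`/URI (...)` entries), extracts their targets, and flags the attachment when the filename matches the campaign’s naming pattern or a link points at a OneDrive host. The sample PDF fragment is constructed here for illustration; the OneDrive host list is an assumption you should extend for your environment, and the scanner only sees uncompressed link actions (links inside compressed object streams need a real PDF parser).

```python
import re
from urllib.parse import urlsplit

# Hosts the campaign abuses for staging (assumption: onedrive.live.com and the
# 1drv.ms short-link domain; extend for your tenant's OneDrive for Business URLs).
ONEDRIVE_HOSTS = {"onedrive.live.com", "1drv.ms"}

# Filename pattern quoted in the post: Document_ followed by ten digits.
LURE_NAME = re.compile(r"Document_\d{10}\.pdf", re.IGNORECASE)

# PDF link annotations store their target as a literal string after /URI.
# Handles backslash-escaped parentheses; finds only uncompressed entries.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

# Constructed sample: two link annotations, one pointing at OneDrive, one benign.
# This is NOT a real TA866 sample, just the object layout a PDF reader expects.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
  /A << /S /URI /URI (https://onedrive.live.com/download?cid=EXAMPLE&resid=EXAMPLE) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670]
  /A << /S /URI /URI (https://www.example.com/invoice) >> >> endobj
%%EOF
"""


def extract_uris(pdf_bytes):
    """Return every /URI link target found in the raw (uncompressed) PDF bytes."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")")
        uris.append(raw.decode("latin-1"))
    return uris


def triage_attachment(filename, pdf_bytes):
    """Score an emailed PDF against the two indicators the post describes."""
    reasons = []
    if LURE_NAME.fullmatch(filename):
        reasons.append(f"filename matches lure pattern: {filename}")
    uris = extract_uris(pdf_bytes)
    for uri in uris:
        host = (urlsplit(uri).hostname or "").lower()
        if host in ONEDRIVE_HOSTS:
            reasons.append(f"link to consumer file-sharing host in an invoice: {uri}")
    return {"flagged": bool(reasons), "reasons": reasons, "uris": uris}


if __name__ == "__main__":
    result = triage_attachment("Document_1234567890.pdf", SAMPLE_PDF)
    for line in result["reasons"]:
        print("FLAG:", line)
```

Run it against a quarantined attachment by reading the file in binary mode and passing the bytes; a hit on either indicator is a reason to pull the message before the user opens it.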
Following the link starts a multi-step infection chain, and every step needs some cooperation from the victim or the endpoint:
- OneDrive URL: The link opens a OneDrive page hosting a JavaScript file, which the victim is enticed to download.
- JavaScript execution: If the victim opens the downloaded .js file, Windows Script Host runs it, and the script downloads and launches an MSI installer dressed up as a legitimate program.
- MSI/VBS execution: The MSI drops and runs a Visual Basic script called WasabiSeed, a downloader that fetches and executes a second MSI.
- Screenshotter takes the stage: The second MSI installs Screenshotter, malware that captures the desktop at regular intervals and sends the images back to the attacker’s server.
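The chain above has a shape that endpoint telemetry can catch regardless of the file names involved: a script host (wscript.exe/cscript.exe) launching msiexec.exe, and msiexec.exe launching a script host, neither of which is normal on a workstation. The detector below is an added example for this post, not a published vendor rule, and the process-creation events it reads are constructed Sysmon-style records with hypothetical PIDs and paths. One caveat worth knowing: on a real host an MSI install runs under the Windows Installer service, so the parent of the WasabiSeed script may be the service-side msiexec.exe rather than the one the JavaScript spawned. The rules therefore match each hop independently instead of demanding one unbroken parent chain.

```python
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INSTALLER = "msiexec.exe"

# Constructed, simplified Sysmon Event ID 1 records (pid, ppid, image, cmdline).
# Hypothetical values for illustration; not telemetry from a real infection.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # victim opens the .js downloaded from OneDrive; WSH runs it
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\Document_1234567890.js"'},
    # the JavaScript launches the first MSI
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\u\AppData\Local\Temp\setup.msi" /qn'},
    # the MSI runs the WasabiSeed VBS
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\wasabi.vbs"'},
    # WasabiSeed fetches and installs the second MSI (Screenshotter)
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\u\AppData\Local\Temp\ss.msi" /qn'},
    # benign: a user double-clicking an installer from Explorer
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\u\Downloads\7zip.msi"'},
]


def _basename(image):
    # ntpath handles backslash paths even when this runs on a non-Windows SIEM box
    return ntpath.basename(image).lower()


def find_findings(events):
    """Return (rule, pid) for every script-host<->msiexec parent/child hop."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue  # parent not in this batch; nothing to compare against
        child, par = _basename(e["image"]), _basename(parent["image"])
        if child == INSTALLER and par in SCRIPT_HOSTS:
            findings.append(("script_host_spawned_msiexec", e["pid"]))
        elif child in SCRIPT_HOSTS and par == INSTALLER:
            findings.append(("msiexec_spawned_script_host", e["pid"]))
    return findings


def describe_chain(events, pid):
    """Walk parent links upward from pid; return image names root-first."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


if __name__ == "__main__":
    for rule, pid in find_findings(EVENTS):
        print(f"{rule}: pid {pid}: {' -> '.join(describe_chain(EVENTS, pid))}")
```

Two of these findings on the same host within a few minutes is a strong signal; the Explorer-launched installer (pid 700) is deliberately left alone so the rule does not fire on ordinary software installs.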
Why Screenshots? A Glimpse into Your World
Periodic screenshots give TA866 a low-effort view of the victim’s system and daily work. They are likely looking for:
- Sensitive information: Login credentials, bank details, or internal documents displayed on your screen.
- Installed software: Identifying valuable applications, or unpatched ones, to decide how to exploit the foothold further.
- Your browsing habits: Understanding your interests and tailoring future phishing attempts accordingly.
The Stakes: Beyond Screenshots
Screenshotting is alarming, but it is only the visible first stage. WasabiSeed is a downloader; its purpose is to fetch whatever the operator chooses to push next. In earlier TA866 activity that has included:
- Data exfiltration: Stealing sensitive files from your device.
- Lateral movement: Spreading within your network to infect other systems.
- Additional malware deployment: Downloading and installing even more harmful software.
Staying Invoice-ible: How to Avoid the Hook
Don’t let a fake invoice become your digital downfall. Some practical defenses:
- Scrutinize email senders: Treat unexpected invoices with suspicion, especially from unfamiliar senders or from vendors who have never billed you this way before.
- Hover, don’t click: Hover over a link (in the email or inside the PDF) to see its real destination before opening it. A vendor’s invoice has no business sending you to a consumer file-sharing site; a OneDrive URL embedded in an invoice is a red flag.
- Think before you download: Never download or run a file offered by a suspicious email, even if the PDF that led you there looks legitimate. An invoice that turns into a .js download is not an invoice.
- Defang script files: On managed Windows fleets, change the default handler for .js and .vbs files from Windows Script Host to a text editor, or block wscript.exe and cscript.exe for ordinary users. This chain depends on a double-clicked script actually running.
- Keep software updated: Ensure your operating system, antivirus, and other security software are current with the latest patches.
- Report suspicious activity: If you receive a suspicious invoice email, report it to your IT department or security vendor so the message can be pulled from other mailboxes.
Remember, cybercriminals keep refining their tactics. Staying informed and vigilant is the best protection against campaigns like TA866’s invoice phishing.
Stay safe out there!
#cybersecurity #phishing #malware #TA866 #WasabiSeed #Screenshotter #invoice #datasecurity #infosec