October 30, 2020
Abnormal Security
This week, Abnormal Security researchers have been tracking recent well-disguised attacks from a Russian criminal enterprise who are using the Emotet trojan to drop Ryuk ransomware and BazarLoader for financial gain. The FBI and DHS issued a warning of an impending attack using Ryuk earlier this week, noting that healthcare and the public sector are the intended targets. Abnormal has detected these attacks being launched to a broader array of industries and targets, and have identified similar messages, which we will detail below.
The attacks are bypassing traditional email security protections as the payloads are being placed within cloud-based Google Docs and Microsoft Word files.
Figure 1: Email lure impersonating external legal department
The request is from a purported external vendor about a financial remittance. However, the attacker spoofed the vendor’s legitimate domain, which failed authentication. This was done so the target would trust the content of the email and click the link. We also observed a mail rule change which forked the conversation to an impersonated domain. The sender’s IP originates from a VPN service based out of Pokrova, Russia.
Figure 2: Email lure impersonating external vendor about agreement cancellation
In this example, the attacker is impersonating a vendor, and is alerting the target about an end to an agreement. The attacker wants them to click on a Google Doc for compensation details.
Figure 3: The Google Doc link attempts to automatically download an Excel spreadsheet
In both cases, the email link leads to a page that automatically downloads a Microsoft Excel attachment that, when opened, will ask the user to “Enable Macros”.
The downloaded files contain VBA code that runs once “Enable Macros/Content” is selected. The VBA code will then launch a Powershell script which downloads a payload – a malicious executable file. With this, the attacker can do whatever they choose, typically downloading other malware or performing specific commands.
Figure 4: Email lure impersonating internal operations team
The email is impersonating an internal contact attempting to send a medical report to a coworker. The main email itself does not contain a lot of content but does include impersonated forwarded information below the request (not shown) to give the appearance of a legitimate thread.
Figure 5: Microsoft prompt for intended target to open link on desktop not mobile
If the user does not complete the task, a Microsoft Office prompt again asks them to view and edit the document by clicking “Enable Editing” and “Enable Content”.
Figure 6: Email lure impersonating internal HR department
The email is impersonating an internal contact attempting to send an HR survey to a coworker. The sending domain is not an official email address and the entity is being impersonated.
Figure 7: Employee survey on Google Drive that contains malware-infected links
The survey contains links to malware. The attacker is prompting the target to open the documents on desktops, not mobile devices, in order for the attack to carry out.
Figure 8: Microsoft Word doc with malware
In both cases, the link goes to a Microsoft Word document that asks the target to upgrade their edition to add new features by clicking Enable Editing and Enable Content. The result is running .exe files that infect the target with malware.
Based on the recent volume, these attacks are becoming more widespread. In each case, the threat actors are convincing the targets to take low consequence actions in order to execute the malware attacks. In hiding the malware within links and macros inside of Google Docs and Microsoft Word, the attackers are adding a layer of obfuscation to evade traditional email security protection.
Subscribe to receive twice-monthly updates of the latest attacks we've detected in the wild:
Abnormal is the email security company that stands for trust.
© 2021 Abnormal Security Corporation.
All rights reserved.