Recently, Cofense security researchers discovered a new hacking campaign targeting employees of insurance companies and the retail industry. The hackers send phishing emails to employees that claim to come from the Ministry of Justice. In reality, the emails infect the victim's computer with malware designed to steal information.
Researchers say the phishing emails carry the subject "Court" and bear the logo of the United Kingdom Department of Justice. The emails state that the recipient must attend court as a witness (subpoena) and ask them to open a link to see more details, as the court has ordered the matter to be resolved within 14 days. However, they give no specific information about the subject of the legal proceedings.
Opening the link leads to a cloud hosting provider, which in turn leads the user to a document containing "Predator the Thief", a malware commonly found on underground hacking forums.
Predator the Thief is malware that steals usernames, passwords, browser data and the contents of cryptocurrency wallets. It can also take pictures using the webcam. Predator the Thief first appeared in July 2018.
The hackers have taken care to hide the malicious intent of the phishing emails from security software. The email contains a link to Google Docs, which automatically redirects the user to Microsoft OneDrive, which in turn delivers a Microsoft Word document to the victim. The document asks the victim to enable macros. If the user complies, the malware is downloaded via PowerShell.
Next, Predator the Thief connects to a command-and-control server and provides the hacker with a gateway into the infected system, so the attackers can steal data covertly. After gathering all the data the hackers want, the malware self-destructs, leaving no trace.
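The delivery chain described above ends with a Word document whose macro launches PowerShell. On an endpoint that sequence is visible as a process-creation event whose parent is an Office application. The following script is an added example, not code from the article or from Cofense: it assumes process-creation logs exported as one JSON object per line with Sysmon Event ID 1 style field names (Image, ParentImage, CommandLine, User, Computer), and the four sample events it scans are constructed.

```python
"""Flag script hosts spawned by Office applications in process-creation logs.

Added example (not from the original article). It assumes one JSON object per
line with Sysmon Event ID 1 style field names; the sample events are constructed.
"""
from __future__ import annotations

import json
import re
from typing import Iterable

# Office applications that should not normally launch a shell or script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line switches that make a macro-launched PowerShell less visible to the user.
SUSPICIOUS_PATTERNS = {
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "encoded command": re.compile(r"-e(?:nc|ncodedcommand)?\b", re.I),
    "execution policy bypass": re.compile(r"-e(?:xecution)?p(?:olicy)?\s+bypass", re.I),
}


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the reasons an event is suspicious (empty list if it is not)."""
    reasons: list[str] = []
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {child}")
        cmd = event.get("CommandLine", "")
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(cmd):
                reasons.append(f"command line uses {name}")
    return reasons


def scan(lines: Iterable[str]) -> list[dict]:
    """Scan JSON-per-line events and return one hit per suspicious event."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        reasons = classify(event)
        if reasons:
            hits.append({"host": event.get("Computer"), "user": event.get("User"), "reasons": reasons})
    return hits


# Constructed sample events: one Word-spawned hidden PowerShell, one normal
# document open, one admin PowerShell from cmd.exe, one Excel-spawned PowerShell.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "User": r"CORP\alice",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": 'powershell.exe -NoProfile -w hidden -Command "<constructed placeholder>"'},
    {"EventID": 1, "Computer": "WS01", "User": r"CORP\alice",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" C:\Users\alice\Documents\notes.docx'},
    {"EventID": 1, "Computer": "SRV02", "User": r"CORP\admin",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"EventID": 1, "Computer": "WS03", "User": r"CORP\bob",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "powershell.exe -Command Get-Date"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def sample_hits() -> list[dict]:
    """Run the scan over the constructed sample log."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for hit in sample_hits():
        print(hit["host"], hit["user"], "; ".join(hit["reasons"]))
```

The parent/child relationship alone is the high-value signal; the command-line switches only add context, which is why the script reports them as extra reasons rather than requiring them. A legitimate macro that calls PowerShell would still match, so in production the rule would be tuned with an allow-list of known document-automation paths.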
Like most phishing attacks, the hackers have used a serious matter (a court case) to pressure victims into opening the malicious link. However, there is an indication that something is wrong.
The phishing email mentions the word "subpoena". This term is commonly used in the United States, yet the email is supposed to come from the UK Department of Justice. The English judiciary, however, has not used the term "subpoena" since 1999; since then, only the term "witness summons" has been used.
This shows that the perpetrators are trying to deceive users by using British logos, while in reality they are not familiar with the country's judicial system.
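The lure described in this article combines several checkable traits: a claimed UK government origin from a non-government sender, the US term "subpoena" in a supposedly British court notice, a link into consumer cloud hosting, and a short deadline. The script below is an added example, not from the article or from Cofense, that scores a raw email on those traits using only the Python standard library. Both sample messages are constructed, and the sender domains in them (example.net, example.gov.uk) are placeholders.

```python
"""Score an email for the 'UK court summons' lure pattern.

Added example (not from the original article). It assumes raw RFC 822 text as
input; the two sample messages below are constructed with placeholder domains.
"""
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Wording that claims a UK government or court origin.
UK_CLAIM_TERMS = ("ministry of justice", "department of justice", "united kingdom", "hm courts")
# 'subpoena' is US usage; courts in England and Wales have used 'witness summons' since 1999.
US_ONLY_TERMS = ("subpoena",)
# Consumer cloud hosts of the kind the campaign used to stage the redirect and document.
CLOUD_HOSTS = {"docs.google.com", "drive.google.com", "onedrive.live.com", "1drv.ms"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
DEADLINE_RE = re.compile(r"within\s+\d+\s+days")


def body_text(msg: EmailMessage) -> str:
    """Return the plain-text (or HTML) body of the message, or '' if none."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def score_message(raw: str) -> dict:
    """Return a score, verdict and the list of reasons for the given raw email."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    # Headers and body are examined together so a display name like
    # "UK Ministry of Justice" counts as a claim of origin.
    text = "\n".join([str(msg.get("From", "")), str(msg.get("Subject", "")), body_text(msg)]).lower()

    reasons: list[str] = []
    claims_uk = any(term in text for term in UK_CLAIM_TERMS)
    if claims_uk and not sender_domain.endswith(".gov.uk"):
        reasons.append(f"claims UK government origin but sender domain is {sender_domain}")
    if claims_uk and any(term in text for term in US_ONLY_TERMS):
        reasons.append("uses US term 'subpoena' in a UK court context")
    hosts = {urlparse(url).hostname for url in URL_RE.findall(text)}
    cloud = sorted(host for host in hosts if host in CLOUD_HOSTS)
    if cloud:
        reasons.append("links to consumer cloud hosting: " + ", ".join(cloud))
    if DEADLINE_RE.search(text):
        reasons.append("pressures the reader with a short deadline")

    verdict = "suspicious" if len(reasons) >= 2 else "clean"
    return {"score": len(reasons), "verdict": verdict, "reasons": reasons}


# Constructed sample modelled on the lure described in the article.
SAMPLE_PHISH = """\
From: "UK Ministry of Justice" <notices@example.net>
To: employee@example.com
Subject: Court
Content-Type: text/plain; charset="utf-8"

You are required to attend court as a witness (subpoena).
The court has ordered this matter to be resolved within 14 days.
See the full notice here: https://docs.google.com/document/d/CONSTRUCTED_ID/view
"""

# Constructed benign message using the correct UK wording and a .gov.uk sender.
SAMPLE_LEGIT = """\
From: "Court Office" <clerk@example.gov.uk>
To: employee@example.com
Subject: Witness summons
Content-Type: text/plain; charset="utf-8"

Please find enclosed the witness summons for the hearing on the date shown.
"""


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = score_message(raw)
        print(name, result["verdict"], result["score"])
        for reason in result["reasons"]:
            print("  -", reason)
```

The terminology check is the one that is specific to this campaign; the other three are general lure traits, so a mail gateway would weight them differently. Treating the display name as part of the text is deliberate: the claim of origin in this campaign is carried by logos and wording, not by the actual sending domain.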
Users need to be very careful about enabling macros and should stay constantly informed about cyberspace risks and threats, so that they remain alert and can recognize suspicious activity.