- The attackers contact companies through their website's "Contact us" form
- They then correspond with the victims for weeks before deploying malware
- The attackers use tailor-made lures
Cybercriminals are trying to deliver backdoor malware to organizations based in the United States by encouraging them to sign non-disclosure agreements (NDAs), experts have warned.
A new report by Check Point security researchers describes how, in this campaign, the attackers pose as a US company looking for partners, suppliers and the like.
They often buy abandoned or dormant domains with legitimate business histories so that they appear authentic. They then contact potential victims not by e-mail (as would be standard practice) but through the "Contact us" form or other communication channels provided on the victim's website.
Fall mixing
When the victims respond to the request, it is generally by e-mail, which opens the door to delivering the malware.
However, the attackers do not do so immediately. Instead, they build a relationship with the victims, going back and forth for weeks until, at some point, they ask the victims to sign an attached NDA.
The archive contains several documents, including clean PDF and DOCX files that serve as decoys to reassure the victims, and a malicious .lnk file that triggers a PowerShell-based loader.
This loader ultimately deploys a backdoor called MixShell, a custom in-memory implant with DNS-based command and control (C2) and enhanced persistence mechanisms.
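The infection chain described above (decoy documents bundled with a shortcut that launches PowerShell) is something a mail gateway or sandbox can triage before a user ever opens the archive. The following is an added example, not code from Check Point or from the article: it parses the StringData fields of a Windows shell link (.lnk) file according to the public MS-SHLLINK layout, inspects every archive entry, and flags an archive that pairs document decoys with a shortcut whose target or arguments point at PowerShell. The archive and the .lnk it contains are constructed inline as a test fixture; the file names, the `PLACEHOLDER_LOADER.ps1` argument and the marker list are assumptions for illustration, not indicators from the report.

```python
import io
import struct
import zipfile

# Shell link header constants (MS-SHLLINK section 2.1)
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Assumed detection markers: strings commonly seen when a shortcut hands off to PowerShell
SUSPICIOUS_MARKERS = ("powershell", "-nop", "-noprofile", "-enc", "-encodedcommand",
                      "bypass", "hidden", "downloadstring", "iex")
DOC_EXTS = (".pdf", ".docx", ".doc")


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields (name, relative path, working dir, arguments, icon) of a .lnk."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + item list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            count = struct.unpack_from("<H", data, off)[0]   # CountCharacters
            off += 2
            nbytes = count * 2 if unicode else count
            fields[key] = data[off:off + nbytes].decode("utf-16-le" if unicode else "cp1252")
            off += nbytes
    return fields


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed test fixture only: a minimal Unicode .lnk carrying a relative path and arguments."""
    header = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", header, 0, LNK_HEADER_SIZE)
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 0x14, HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE)
    body = b""
    for text in (relative_path, arguments):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return bytes(header) + body


def triage_archive(zip_bytes: bytes) -> dict:
    """Flag archives that pair document decoys with a shortcut, escalating when it targets PowerShell."""
    findings = {"decoys": [], "shortcuts": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            if lower.endswith(DOC_EXTS):
                findings["decoys"].append(info.filename)
            elif lower.endswith(".lnk"):
                try:
                    fields = parse_lnk_strings(zf.read(info))
                except ValueError:
                    fields = {}
                blob = " ".join(fields.values()).lower()
                findings["shortcuts"].append({
                    "name": info.filename,
                    "fields": fields,
                    "suspicious": any(m in blob for m in SUSPICIOUS_MARKERS),
                })
    if findings["shortcuts"]:
        escalate = any(s["suspicious"] for s in findings["shortcuts"])
        findings["verdict"] = "malicious-likely" if escalate else "suspicious"
    return findings


def sample_nda_archive() -> bytes:
    """Constructed archive mimicking the described bundle: two clean decoys plus one shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("NDA_Agreement.pdf", b"%PDF-1.4 placeholder decoy\n")
        zf.writestr("NDA_Agreement.docx", b"PK placeholder decoy")
        zf.writestr("NDA_Agreement.lnk",
                    build_lnk("powershell.exe", "-NoProfile -File PLACEHOLDER_LOADER.ps1"))
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_archive(sample_nda_archive()))
```

A shortcut inside an archive that purports to hold a signed agreement is a strong signal on its own, so the verdict is at least "suspicious" whenever a .lnk is present; the parsed target and arguments only decide whether to escalate. Real shortcuts usually also carry a LinkTargetIDList and LinkInfo block, which the parser skips by size rather than interpreting.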
Check Point did not disclose the number of potential victims, but said they number in the dozens and vary in size, geography and industry.
The majority (around 80%) are located in the United States, with Singapore, Japan and Switzerland also accounting for a significant number of victims. The companies are mainly in industrial manufacturing, hardware and semiconductors, consumer goods and services, and biotechnology and pharmaceuticals.
"This distribution suggests that the attacker is looking for entry points into operational and supply-chain industries rather than focusing on a specific vertical," says Check Point.
The researchers could not confidently attribute the campaign to a known threat actor, but said there is evidence linking it to the TransferLoader campaign and to a cybercriminal cluster tracked as UNK_GREENSEC.
Via The Record