According to an article by the Cybersecurity and Infrastructure Security Agency (CISA), there has been a recent phishing email campaign trying to deploy malware onto victims' devices. This malware will allow the malicious actor to steal files, capture keystrokes, take screenshots, and execute arbitrary code on infected devices.
This campaign works by sending out emails containing a Microsoft Word document. This document will have an application macro hidden within it to deploy the malware onto the victim's device. This malicious macro code can change font color from light gray to black (to trick victims into enabling content), check whether the Windows operating system is 32 or 64-bit, and construct and execute a command line to download additional files.
Once the malware is installed onto the victim's device, the malicious actor has many different techniques available to exploit the targeted system. Among these are:
Collect user information from the infected device, for example their IP addresses, username and file data.
Create shortcuts named Anti virus service.lnk in an attempt to hide as a legitimate file.
Capture keystrokes.
Take a snapshot of the current processes state of the user's machine.
Use PowerShell to download and execute different versions of the malware.
Execute arbitrary code on the infected device.
Delete files.
Gather the operating system version, architecture information, connected drives, hostname, and the computer name. Also has been able to get a snapshot of the current system state of the targets machine.
Download and execute files on the victim's machine.
Take screenshots of the victim's machine.
Steal data from the victim's clipboard.
Drop a Windows shortcut into the victim's startup folder and/or just onto the machine.
Steal profile credential information from Firefox, Chrome, and Opera.
For more information on what the malware can do, a link to the article can be found below. The article also lists some tips for victims and administrators to strengthen their security.
Maintain up-to-date antivirus software.
Keep your operating system up to date.
If possible either disable file and printer sharing services. If you have to have this enabled, use strong passwords or Active Directory authentication.
Do not add victims to the local administrator group unless required.
Keep and enforce strong passwords.
Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known.
Make sure you have your firewall up to date and enabled.
Disable unnecessary services on workstations and servers.
Scan for and remove suspicious email attachments.
Exercise caution when using removable media, for example USBs and CDs.
Scan any file that you download before using it.
If you do receive any email that you suspect is a scam, please do not click on any URL or reply. Either of those actions confirms to the sender that your email address is valid. Please do not download any attachments from a suspicious email as that could put your device at risk. Please forward the message (with the email headers) to security@umbc.edu.
How do I forward full email headers?
https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970
For more information on this topic, please check out:
https://us-cert.cisa.gov/ncas/alerts/aa20-227a
To read more articles published by DOIT visit: