In the RFQ cyber-attack, attackers disguise harmful malware as a ‘Request For Quote’ (RFQ), in order to encourage recipients to download dangerous files. This attack is an impersonation of a ‘Request For Quote’ (RFQ) from a legitimate, outside organisation. The attack originates from the throwaway address - info@req-allparts.com, with the reply-to address - glennmauldin@zidnei.com.
RFQ attack
By using urgent language, the attacker attempts to coax the recipient to click on the link ‘Rfq 507890.pdf’, without examining it for malicious content. Clicking on the link does not download a PDF or bring the recipient to an external website, but rather forces a malware download.
The downloaded file from the malicious link is a compressed .GZ file, which enables it to circumvent certain malware detectors
The downloaded file from the malicious link is a compressed .GZ file, which enables it to circumvent certain malware detectors. Within the compressed file is a text file, which is full of malicious code, including spyware, such as a key-logger.
If the recipient allows this code to run, the attacker could record everything that the recipient enters into his or her computer, or possibly even take complete control of the recipient’s device.
Bypass existing email security
Many security systems can only detect malware, if it is attached to an email in an uncompressed form. Putting malware into a .ZIP folder or a .GZ archive can easily circumvent these security measures. Abnormal Security prevented this attack, by recognising a number of signals, which when combined, flagged the email as malicious.
Some of these signals are contained in the message body, such as the presence of suspicious wording. Others are contained in the message headers, such as the fact that the reply-to address for this email did not match to the sender address or any of the links in the email. It is much more difficult for an attacker to hide these kinds of signals, than it is to hide the malware.
Summary of attack:
- Platform: G Suite
- Mailboxes: 500 - 1,000
- Victims: Employees
- Payload: Malicious Link
- Technique: Impersonation