A prolific spam campaign is attempting to infect victims with one of two infamous trojan malware families – and those behind it appear to be attempting to compromise any enterprise target they can.
Uncovered by researchers at Netskope, the campaign began in April this year and is based around generic phishing emails claiming to be about an invoice which ask the user to open an ISO disk image file to get more information.
It's this ISO file that delivers the malicious payload to the victim – one of either LokiBot or Nanocore. Both malware families provide attackers with backdoors onto infected Windows PCs and the ability to steal data, as well as enabling additional payloads to be installed. Nanocore is particularly dangerous as it captures clipboard data and keystrokes.
SEE: 10 tips for new cybersecurity pros (free PDF)
Researchers say they've identified 10 variants of the campaign, using different ISO images and emails.
By using the ISO disk image format, the attackers are looking to take advantage of what's quite an uncommon file format and therefore one that's often whitelisted by email security providers.
The images are mostly within the size range of 1MB to 2MB, but contained within them is an embedded executable file which unleashes the actual malware payload.
While many trojan malware campaigns are becoming increasingly well-targeted, with attackers deploying bespoke payloads attached to specially crafted phishing lures, this campaign shows that commercial malware attached to basic phishing emails still remain a threat to organisations.
That's especially the case for employees in departments who regularly need to open messages from unknown senders.
"Looking at the email body and unusual file attachment, it seems that the attackers were particularly interested in targeting corporate users specifically in the finance and billing departments. This attribution points to the fact that the attackers were definitely financially motivated," Abhinav Singh, cloud security researcher at Netskope, told ZDNet.
"Stay vigilant towards any email that might look suspicious and remember to be careful when dealing with attachments, especially those coming from untrusted sources," he added.
MORE ON CYBERCRIME
- Phishing alert: Hacking gang turns to new tactics in malware campaign
- We invited professional hackers to attack us: Here's what happened CNET
- Malware and botnets: Why Emotet is dominating the malicious threat landscape in 2019
- More than 3B fake emails sent daily as phishing attacks persist TechRepublic
- This data-stealing malware has returned with new attacks and nasty upgraded features