Like many phishing threats, the email contains an attachment in the form of a Microsoft Word document, designed to deliver the payload. However, unlike most phishing emails containing malicious attachments, which use macros to avoid detection, this one uses an embedded object in the form of a Visual Basic Script that acts as a downloader for the malware.
"It is a Packager Shell Object. When content like a script is packaged as a Packager Shell Object, it can be opened and executed from within the Microsoft Office file in which it is embedded," says Kevin Epstein, VP of the threat operations center at Proofpoint.
In this instance, the emails sent in this cyberattack include a Microsoft World attachment named "info.doc", which contains an image requesting the user clicks on it to install Microsoft Silverlight in order to view the supposed content of the document.
However, upon closer examination of the image, researchers note that it reveals itself as not a link, but rather a Visual Basic Script file which contains code for keylogging malware which will run when clicked on.
Once installed on an infected system, the malware will log the keystrokes and sends the information to two hard-coded Gmail addresses.
While researchers haven't been able to specifically identify the keylogger being used in this attack, it's written in the Aultolt scripting language and uses tools including Lazagne password recovery to help gather credentials.
There's no indication of who is behind the attacks against the unnamed financial services firm, but researchers indicate the malicious software used was obtained from a public malware repository and uploaded from Estonia. According to Proofpoint, this indicates that the keylogger may have been used in attacks against similar institutions.
Researchers note that while the malware is basic compared to other exploits, the way the keylogger is being delivered to end users represents a shift from the tried and tested method of tricking them into enabling macros.