A phishing campaign preying upon the interest of those affected by president Donald Trump’s illness continues to circulate and fool recipients.
Here’s what we know:
Researchers at cyber security firm ProofPoint spotted this particular phishing campaign, noting that it had several different email subjects, these included:
- “Recent materials pertaining to the president’s illness”
- “Newest information about the president’s condition”
- “Newest info pertaining to president’s illness”
The email (pictured below) purports to contain “insider information”:
Image credit: Proofpoint
The fact the “attached document” is actually a link leading to an external URL a big alarm bell and any internet user with sufficient security awareness training would be able to spot this immediately.
Unfortunately, the majority of internet users do not have sufficient cyber security training.
The “attached document” leads to a Google document when clicked, stating that the file is safe and ready to be downloaded, which it shortly prompts the victim to do.
Image credit: Proofpoint
When the download link is subsequently pressed, a BazarLoader executable is downloaded rather than the expected file containing information about the president’s wellbeing.
BazarLoader is a simplistic trojan, favoured for it’s obfuscation layer which allows it to inject it’s sibling backdoor component “BazarBackdoor” into a legitimate windows process.
This allows hackers access to the system at a later date. Attackers are then able to easily encrypt files for ransom or they could redirect traffic on the Wi-Fi-connected devices and use it to commit various crimes.
It appears the BazarLoader and BazarBackdoor combo were used to deploy the Ryuk ransomware, the same used to bring the UHS hospitals to a standstill. Read our article about it here.
Ryuk ransomware has in the past been linked to a Russian group of hackers naming themselves Wizard Spider, one of many gangs of threat actors targeting organisations worldwide with malicious email-borne attacks.
Could everybody in your organisation spot the alarm bells for attacks such as these for when this group strikes again? Find out in our Free Click Prone® Test now.