Saturday, October 16, 2021

Attackers abusing website’s contact form to deliver malware


Microsoft is warning businesses to beware of cybercriminals using company website contact forms to send employees emails containing Google URLs that deliver the IcedID info-stealing banking trojan.

“The emails instruct recipients to click a link to review supposed evidence behind their allegations, but are instead led to the download of IcedID, an info-stealing malware,” the company’s threat intelligence team said in a write-up published last Friday.

Company website ‘contact us’ forms are an open doorway on the internet and criminals have recently started using them to reach workers who receive contact requests from the public. 

Crooks are using social engineering to exploit workers’ efforts to do their jobs.

IcedID is a modular banking trojan first spotted in 2017 and since updated to also deploy second-stage malware payloads, including Trickbot, Qakbot, and Ryuk ransomware.

To further increase their attacks’ efficiency, the threat actors threaten their targets with legal action for copyright infringements to pressure them into clicking embedded links directing them to IcedID payloads.

Microsoft considered the threat serious enough to report the attacks to Google’s security teams to warn them that cybercriminals are using legitimate Google URLs to deliver malware. The Google URLs are useful to the attackers because they will bypass email security filters. The attackers appear to have also bypassed CAPTCHA challenges that are used to test whether the contact submission is from a human. 

The attackers use language that pressures the employee to respond; the idea is to lead the victim into revealing sensitive information, clicking a sketchy link, or opening a malicious file. In this infection chain, it is a link to a page that requires users to sign in with their Google credentials, after which a ZIP archive file is automatically downloaded.

The ZIP file contains a heavily obfuscated JavaScript file that downloads the IcedID malware. What’s more, the malicious code can download secondary implants like Cobalt Strike, potentially putting affected victims at further risk.
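A triage check for the lure described above, as an added example that is not from Microsoft's write-up or this site: it holds contact-form submissions that combine legal-threat wording with a link on a Google host. The term list, the `google.com` suffix match, the verdict names and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed pressure wording for the copyright / legal-action lure; tune to your own traffic.
PRESSURE_TERMS = ("copyright", "infringement", "legal action", "lawsuit", "evidence")
# Assumption: any google.com host counts as a "Google URL"; the article names no host.
GOOGLE_SUFFIXES = ("google.com",)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample submissions (not real traffic).
SAMPLE_LURE = (
    "Your website uses my images without permission. This is copyright "
    "infringement and I will take legal action. Review the evidence here: "
    "https://drive.google.com/constructed-sample"
)
SAMPLE_BENIGN = "Hi, could you send a quote for 20 seats of your product?"

def google_links(text):
    """Return URLs whose parsed hostname is a Google host (exact or subdomain)."""
    links = []
    for url in URL_RE.findall(text):
        try:
            host = (urlsplit(url).hostname or "").lower()
        except ValueError:  # malformed URL, e.g. an unclosed IPv6 bracket
            continue
        # Compare the parsed hostname, so google.com.evil.example and
        # user@other-host tricks do not match.
        if any(host == s or host.endswith("." + s) for s in GOOGLE_SUFFIXES):
            links.append(url)
    return links

def triage(message):
    """Classify one contact-form submission as hold, review or deliver."""
    lowered = message.lower()
    terms = [t for t in PRESSURE_TERMS if t in lowered]
    links = google_links(message)
    if terms and links:
        verdict = "hold"      # pressure wording plus a Google-hosted link
    elif links or len(terms) >= 2:
        verdict = "review"    # one signal only: send to an analyst queue
    else:
        verdict = "deliver"
    return {"verdict": verdict, "terms": terms, "links": links}

if __name__ == "__main__":
    for msg in (SAMPLE_LURE, SAMPLE_BENIGN):
        print(triage(msg))
```

Because the article notes that Google URLs pass email filters, this check keys on the combination of signals in the form submission itself rather than on URL reputation.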

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc', Priyanshu Vijayvargiya is a cybersecurity analyst, information security professional, developer, and white hat hacker.
