Crooks abuse website contact forms to deliver IcedID malware

[mood]

Crooks abuse website contact forms to deliver IcedID malware

 

Microsoft researchers spotted a malware campaign abusing contact forms on legitimate websites to deliver the IcedID malware.

 

Security experts from Microsoft have uncovered a malware campaign abusing contact forms on legitimate websites to deliver the IcedID malware.

 

Threat actors behind the operation are using contact forms published on websites to deliver malicious links to enterprises using emails with fake legal threats. The emails attempt to trick recipients into clicking a link to review supposed evidence behind their allegations, but instead, they start the IcedID malware infection.

 

IcedID banking trojan first appeared in the threat landscape in 2017, it has capabilities similar to other financial threats like Gozi, Zeus, and Dridex. Experts at IBM X-Force that first analyzed it noticed that the threat does not borrow code from other banking malware, but it implements comparable capabilities, including launching man-in-the-browser attacks, and intercepting and stealing financial information from victims.

“Attackers are abusing legitimate infrastructure, such as websites’ contact forms, to bypass protections, making this threat highly evasive. In addition, attackers use legitimate URLs, in this case Google URLs that require targets to sign in with their Google credentials.” reads the analysis published by Microsoft. “The emails are being used to deliver the IcedID malware, which can be used for reconnaissance and data exfiltration, and can lead to additional malware payloads, including ransomware.”

 

The malicious emails tracked by the experts arrive in the recipient’s inbox from the contact form query appearing trustworthy as it was sent from trusted email marketing systems. The messages are originating from the recipient’s own contact form on their website, this means that appear as sent by an actual customer interaction or inquiry.

“As attackers fill out and submit the web-based form, an email message is generated to the associated contact form recipient or targeted enterprise, containing the attacker-generated message. The message uses strong and urgent language (“Download it right now and check this out for yourself”), and pressures the recipient to act immediately, ultimately compelling recipients to click the links to avoid supposed legal action.” continues Microsoft.

 

 

The messages composed by attackers include a link to a sites.google.com page to view the alleged stolen photos for the recipient to view.

 

Upon clicking the link, the recipient is redirected to a Google page that requires them to authenticate using their Google credentials, this trick allows to avoid detection.

 

Once the recipient will sign in, the sites.google.com page automatically downloads a malicious ZIP file, which contains a heavily obfuscated .js file which is executed via WScript to create a shell object for launching PowerShell to download the IcedID payload (a .dat file). The payload is decrypted by using a dropped DLL loader, as well as a Cobalt Strike beacon in the form of a stageless DLL, in this way threat actors could remotely control the infected device.

 

 

Attackers also implemented a secondary attack chain, in case the sites.google.com page was not available users are redirected to a .top domain, while inadvertently accessing a Google User Content page, which downloads the malicious .ZIP file.

“This campaign is not only successful because it takes advantage of legitimate contact form emails, but the message content also passes as something that recipients would expect to receive. This creates a high risk of attackers successfully delivering email to inboxes, thereby allowing for “safe” emails that would otherwise be filtered out into spam folders.” concludes the report.

 

 

Source: Crooks abuse website contact forms to deliver IcedID malware

[aum]

Hackers Using Website's Contact Forms to Deliver IcedID Malware

 

 

Microsoft has warned organizations of a "unique" attack campaign that abuses contact forms published on websites to deliver malicious links to businesses via emails containing fake legal threats, in what's yet another instance of adversaries abusing legitimate infrastructure to mount evasive campaigns that bypass security protections.

 

"The emails instruct recipients to click a link to review supposed evidence behind their allegations, but are instead led to the download of IcedID, an info-stealing malware," the company's threat intelligence team said in a write-up published last Friday.

 

IceID is a Windows-based banking trojan that's used for reconnaissance and exfiltration of banking credentials, alongside features that allow it to connect to a remote command-and-control (C2) server to deploy additional payloads such as ransomware and malware capable of performing hands-on-keyboard attacks, stealing credentials, and moving laterally across affected networks.

 

 

Microsoft researchers said the attackers might have used an automated tool to deliver the emails by abusing the enterprises' contact forms while circumventing CAPTCHA protections. The emails themselves employ legal threats to intimidate victims, claiming that the recipients "allegedly used their images or illustrations without their consent, and that legal action will be taken against them."

 

 

By invoking a sense of urgency, the idea is to lead the victim into revealing sensitive information, click a sketchy link, or open a malicious file. In this infection chain, it's a link to a sites.google.com page, which requires users to sign in with their Google credentials, following which a ZIP archive file is automatically downloaded.

 

The ZIP file contains a heavily obfuscated JavaScript file that downloads the IcedID malware. What's more, the malicious code has the capacity to download secondary implants like Cobalt Strike, potentially putting affected victims at further risk.

 

The novel intrusion route notwithstanding, the attacks are yet another sign of how threat actors constantly tweak their social engineering tactics to target companies with an intent to distribute malware while evading detection.

 

"The scenarios [...] offer a serious glimpse into how sophisticated attackers' techniques have grown, while maintaining the goal of delivering dangerous malware payloads such as IcedID," the researchers said. "Their use of submission forms is notable because the emails don't have the typical marks of malicious messages and are seemingly legitimate."

 

Source