Phishing Campaigns Spoof Government Agencies: Report
Proofpoint Research Points to More Sophisticated Techniques
A newly discovered hacking group is using an array of sophisticated spoofing and social engineering techniques to imitate government agencies, including the U.S. Postal Service, in an effort to plant malware in victims' devices and networks via phishing campaigns, according to new research from security firm Proofpoint.
The researchers found that between Oct. 16 and Nov. 12, the hacking group used these techniques to spread malware across several sectors in the U.S. and Europe, including business and IT services, manufacturing facilities and healthcare organizations.
The malware delivered to victims includes backdoor Trojans as well as certain strains of ransomware, the report notes. One ransom note that was discovered asked for €694 ($766), says Christopher Dawson, the threat intelligence lead at Proofpoint.
What makes this campaign of particular interest is the group's ability to spoof government agency domains and craft sophisticated phishing emails using legitimate logos and designs.
As with any effective phishing campaign, the attackers injected a sense of urgency into the emails, including messages to victims that they need to open documents to avoid tax penalties or to view tax refunds with a deadline for processing, Proofpoint notes.
"Although these campaigns from today’s research are small in volume, currently, they are significant for their well-crafted social engineering, their abuse of trusted brands, including government agencies, and for their relatively rapid expansion across multiple geographies," Dawson tells Information Security Media Group.
Dawson adds some of the phishing emails had been blocked, but others may have gotten through, so the exact scope of this campaign, and whether any money was stolen or ransomed, remains unclear.
Proofpoint says it first came across this campaign on Oct. 16, when the hacking group sent phishing emails to victims that appeared to come from the German Federal Ministry of Finance, saying that a tax refund is due.
That phishing email, which used legitimate-looking ministry logos and artwork, contained an attached malicious Microsoft Word document. If opened, the document enabled certain macros on the targeted device, which then executed a PowerShell command, according to Proofpoint. This then delivered a version of the Maze ransomware.
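The Word-macro-to-PowerShell chain described above leaves a process ancestry trail that endpoint telemetry can catch. The following is an added example, not Proofpoint's tooling: it walks constructed Sysmon-style process-creation events (Event ID 1 field names) and flags any scripting host or shell whose ancestry includes an Office application, so a macro that launches PowerShell via an intermediate cmd.exe is still caught.

```python
"""Detect shells spawned (directly or indirectly) by Office applications.
Added example over constructed Sysmon-style Event ID 1 records; the
process list below is invented for illustration."""
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def image_name(path: str) -> str:
    """Lower-case executable name from a full Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Follow ProcessId -> ParentProcessId links; returns image names, child first."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against PID reuse loops
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain


def find_office_spawned_shells(events):
    """Return (pid, chain) for every shell with an Office app anywhere above it."""
    hits = []
    for e in events:
        if image_name(e["Image"]) in SHELLS:
            chain = ancestry(events, e["ProcessId"])
            if any(name in OFFICE for name in chain[1:]):
                hits.append((e["ProcessId"], chain))
    return hits


EVENTS = [  # constructed sample: macro -> cmd -> powershell, plus a benign shell
    {"ProcessId": 100, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe"},
    {"ProcessId": 200, "ParentProcessId": 100, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"ProcessId": 300, "ParentProcessId": 200, "Image": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 400, "ParentProcessId": 300, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ProcessId": 500, "ParentProcessId": 100, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]
```

Running `find_office_spawned_shells(EVENTS)` flags PIDs 300 and 400 (both descend from WINWORD.EXE) and ignores PID 500, the PowerShell launched from Explorer.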
In this case, the hacking group used legitimate commercial software called Cobalt Strike as part of the attack. This tool, normally used for penetration testing, emulates the type of backdoor framework used by Metasploit, a similar penetration testing tool, according to the researchers.
Other criminal groups, such as the Cobalt Group, have used this type of commercial software in schemes, including stealing money from banks and ATMs (see: Tracking the Cobalt Cybercriminal Group).
A few days after this malicious campaign hit Germany, similar emails were sent to targets in Italy that claimed to originate with the Italian Ministry of Taxation, Proofpoint researchers say. These emails used logos for an RSA SecurID key, which is used by these government agencies to ensure that the message is secured and encrypted. The secure key logo, like other parts of the phishing email, was fake, according to Proofpoint.
After the incidents in Germany and Italy, the hackers moved on to targets in the U.S. in late October and early November, using the Postal Service logos and graphics and creating a new domain - uspsdelivery-service.com - to spoof the legitimate web address, Proofpoint researchers report.
In the U.S. campaign, Proofpoint researchers found that a malicious Microsoft Word attachment, with a purported RSA SecurID key, was used by the same hacking group. Instead of ransomware, this campaign installed the IcedID banking Trojan on victims' devices.
The researchers also note that most of the U.S. targets were in the healthcare industry.
Dawson suggests that organizations and government agencies use authentication protocols, such as Domain-based Message Authentication, Reporting and Conformance, or DMARC, to protect legitimate domains from attack. DMARC lets a receiving mail server check whether a message that claims to come from a domain was actually authorized by that domain.
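To make the DMARC recommendation concrete, here is an added example (not Proofpoint's code) that parses a DMARC TXT record and applies the RFC 7489 rule: a message passes only if SPF or DKIM passes and the authenticated domain aligns with the visible From domain; otherwise the receiver applies the p= action. All domains and records are constructed.

```python
"""DMARC policy evaluation (added example; domains and records constructed)."""
from dataclasses import dataclass


def parse_dmarc(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag dict with RFC defaults."""
    tags = {"adkim": "r", "aspf": "r"}           # relaxed alignment by default
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain; naive last-two-labels (production code uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts a subdomain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain the recipient sees
    spf_pass: bool
    spf_domain: str    # MAIL FROM (envelope) domain SPF was evaluated for
    dkim_pass: bool
    dkim_domain: str   # d= of a passing DKIM signature, "" if none


def dmarc_disposition(record: dict, r: AuthResults) -> str:
    """'pass' if SPF or DKIM passes AND aligns with From; else the p= action."""
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.from_domain, record["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.dkim_domain, r.from_domain, record["adkim"])
    return "pass" if (spf_ok or dkim_ok) else record["p"]


# Constructed spoof: the sender's own envelope domain passes SPF, but it does
# not align with the ministry From domain, and there is no DKIM signature.
SPOOF = AuthResults("tax.ministry.example", True, "bulk-sender.example", False, "")
WEAK = parse_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@ministry.example")
STRONG = parse_dmarc("v=DMARC1; p=reject; adkim=s; aspf=s")
```

Under the `p=none` record the spoof is delivered and merely reported, while the `p=reject` record tells receivers to refuse it. A reject policy only covers mail claiming the protected domain itself; a separately registered lookalike such as the uspsdelivery-service.com domain described above has its own DNS records, so it needs brand and domain monitoring rather than DMARC on the real domain.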
Links to Previous Attacks
Although not much is known about the hacking group behind these campaigns, the Proofpoint researchers were able to tie some of the tools and techniques used over the last two months to a similar campaign that spread a strain of ransomware called Buran.
"Proofpoint researchers linked the actor behind these campaigns to a 2018 Buran ransomware campaign based on similarities in infrastructure, lure style, and other tactics, techniques and procedures through which we track threat actors," Dawson says.
Earlier this month, security firm McAfee published a detailed analysis of Buran, which researchers describe as a new strain of ransomware that is being offered as a service to cybercriminals (see: New Ransomware-as-a-Service Offered at Deep Discount: Report).