DFi’s CERT (CERT-DFi) has detected an increase in phishing attacks among several of its customers. These campaigns are accelerating day by day and target all sectors of activity. We strongly recommend that users be made aware of this threat to avoid the compromise of the company.
During the analysis of several cases, CERT-DFi has found that the initial vector used to gain a foothold on the system appears to be always the same. The attackers use a phishing attack aimed at convincing the user to open a malicious attachment.
The initial email with the malicious attachment consists of a conversation history that is intended to resemble a real conversation between several people in the target company as closely as possible.
The analyzed emails consist of the following elements:
- The subject line is always a reply to a forwarded email. It therefore contains the term « RE: », simulating a past conversation.
- In some cases the characters of the conversation are not displayed correctly.
- The conversation quoted in the body of the « Forwarded » email is very close to reality and names real people at the targeted company.
- The attached file is always a « ZIP » archive containing a malicious Excel file.
- The attachment name appears to follow this naming convention: a word, followed by a separator character, followed by several digits.
In all cases analyzed, the « ZIP » archive contained an Excel file in « xls » format.
It is important to note that the attackers may well be using other archive types and other file types from the Microsoft Office suite.
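As an added example (not part of CERT-DFi's advisory), the following Python triage check scores a message against the traits listed above: a reply-style subject, the word-separator-digits attachment name, and a ZIP archive wrapping an Office document. The set of separator characters and the sample message are assumptions constructed here, not observed samples.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Naming convention described above: a word, a separator, then digits.
# Assumption: the separator is "-", "_" or "." (the advisory does not say).
ATTACHMENT_NAME_RE = re.compile(r"^[A-Za-z]+[-_.]\d{2,}\.zip$", re.IGNORECASE)
OFFICE_EXTENSIONS = (".xls", ".xlsm", ".xlsx", ".doc", ".docm")  # observed: .xls

def zip_office_members(zip_bytes):
    """Return names of Office documents inside a ZIP payload ([] if not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(OFFICE_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []

def score_message(raw_bytes):
    """Check one RFC 822 message against the campaign traits; return (score, reasons)."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", ""))
    # Trait 1: reply/forward-style subject faking an earlier conversation.
    if re.match(r"^\s*(re|fw|fwd)\s*:", subject, re.IGNORECASE):
        reasons.append("reply/forward-style subject: " + subject)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Trait 2: attachment name following the word-separator-digits convention.
        if ATTACHMENT_NAME_RE.match(name):
            reasons.append("attachment name matches convention: " + name)
        # Trait 3: a ZIP archive wrapping an Office document.
        members = zip_office_members(part.get_payload(decode=True) or b"")
        if members:
            reasons.append("ZIP carries Office document(s): " + ", ".join(members))
    return len(reasons), reasons

def build_sample():
    """Build a constructed message mimicking the campaign (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Document_20348.xls", b"constructed placeholder, not a workbook")
    msg = EmailMessage()
    msg["Subject"] = "RE: Invoice"
    msg.set_content("Please see attached.\n\n> Earlier message in the thread ...")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Report_784512.zip")
    return msg.as_bytes()
```

A score of 3 on the constructed sample means all three traits matched; on real mail traffic, feed `score_message` the raw bytes of each message and alert on high scores rather than on any single trait.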
The Excel file consists of a single Excel sheet simulating a fake DocuSign document.
This single sheet carries the lure the attacker uses to convince the user to enable code execution in Excel by clicking on the yellow banner.
A simple « click » on this button triggers the execution of malicious code that compromises the user’s machine with a malware named Qakbot.
Qakbot is classified as a banking Trojan. The malware is highly sophisticated, leaving an almost nonexistent footprint on the system. Among other things, this modular malware performs the following actions:
- Fingerprinting the infected system (user, resources, …)
- Collecting cookies from web browsers
- Running VNC in memory to interact with the infected machine
- Retrieving the user’s emails
- Modifying the user’s interactions with web browsers
- Retrieving the user’s logins and passwords
- Using the infected machine to carry out attacks and/or transfer data
Qakbot is also used to deliver other malware families, such as ransomware.
We recommend taking the following preventive actions into consideration:
- Raising awareness of this threat among your company’s employees
- Raising awareness among your company’s employees at regular intervals by conducting phishing simulations
- Deploying security solutions that protect users’ machines (e.g. EDR-type antivirus, multi-factor authentication, hardening of operating systems, …)
- Deploying security solutions that provide perimeter protection for your company (e.g. firewall, antispam, …)