Malicious phishing scam disguised as HIV test results

Security researchers have uncovered a new phishing scam that tricks users into opening a malicious Excel document claiming to provide their HIV test results. Phishing campaigns have seen a huge increase in the past year as the scammers behind them have started using new tactics to trick users into falling for their schemes. This time, however, they may have gone too far: Proofpoint researchers observed scammers sending phishing emails with malicious Excel spreadsheets claiming to be HIV test results from Vanderbilt University patients. While those who are more vigilant may notice that the name of the university is misspelled in the email contact as "Vanderbit", most users probably won't, because the rest of the phishing email appears to come directly from the University.

Malicious Excel file

All phishing emails sent in the campaign contain an attachment called "TestResults.xlsb" that requires users to "turn content on" to see their test results. If a user chooses to activate the content, malicious macros are executed that download and install the Koadic penetration testing and post-exploitation toolkit. With Koadic, attackers can gain full control over the infected computer, and from there they can execute any command they want to download additional malware or steal files from the machine.

In a blog post, Sherrod DeGrippo, senior director of threat detection and research at Proofpoint, provided additional insight into how cybercriminals are now using health-related lures to trick users into falling for phishing scams:

"This latest campaign reminds us that health-related lures haven't started and won't stop with the recent coronavirus-style lures we've seen. It's a consistent tactic because attackers recognize the utility of the health-related “fear factor”. We encourage users to treat health-related emails with care, especially those that claim to contain sensitive health information by safely using secure email portals, e.g. phone or in person. If you receive an email that says it contains sensitive health information, do not open any attachments. Instead, go directly to your healthcare provider's patient portal, call your doctor, or book an appointment to directly confirm any medical diagnosis or test result."

Via BleepingComputer
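A mail-triage check for the two signals the article describes, a macro-bearing Excel attachment and a near-miss sender name, written as an added example (not code from the article or from Proofpoint). It assumes macro content shows up as a `vbaProject.bin` part or under `xl/macrosheets/` inside the workbook's ZIP container; the `TRUSTED_NAMES` list, the sender address and the sample message are constructed for illustration.

```python
import io
import zipfile
from difflib import SequenceMatcher
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

MACRO_PARTS = ("vbaproject.bin", "/macrosheets/")  # VBA project, Excel 4.0 macro sheets
TRUSTED_NAMES = ["vanderbilt"]                     # assumption: names your users expect

def macro_parts(data: bytes) -> list[str]:
    """Return OOXML parts that carry macros; [] if not a ZIP or macro-free."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return [n for n in z.namelist()
                    if any(m in n.lower() for m in MACRO_PARTS)]
    except zipfile.BadZipFile:
        return []

def lookalikes(display_name: str, threshold: float = 0.85) -> list[str]:
    """Words that nearly, but not exactly, match a trusted name."""
    return [w for w in display_name.lower().split() for good in TRUSTED_NAMES
            if w != good and SequenceMatcher(None, w, good).ratio() >= threshold]

def triage(raw: bytes) -> dict:
    """Parse a raw message and report lookalike sender words and macro attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    name, _ = parseaddr(str(msg["From"]))
    findings = {"lookalike_sender": lookalikes(name), "macro_attachments": {}}
    for part in msg.iter_attachments():
        parts = macro_parts(part.get_payload(decode=True))
        if parts:
            findings["macro_attachments"][part.get_filename()] = parts
    return findings

def build_sample() -> bytes:
    """Constructed sample: harmless ZIP with a placeholder vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.bin", b"\x00")
        z.writestr("xl/vbaProject.bin", b"placeholder, not a real VBA project")
    msg = EmailMessage()
    msg["From"] = "Vanderbit University <results@example.test>"
    msg.set_content("See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="TestResults.xlsb")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```

A hit on either signal is a reason to quarantine the message for review, not proof of malice: legitimate workbooks also carry macros.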