A newly uncovered hacking campaign is targeting employees in the insurance and retail industries with phishing emails, claiming to be from the Ministry of Justice, that infect the victim with information-stealing malware.
Uncovered by researchers at cybersecurity company Cofense, the phishing emails have the subject ‘Court’ and feature UK Ministry of Justice logos. They claim to provide information about ‘Your Subpoena’ and ask the victim to click a link because they’ve been ordered to attend a law court and have 14 days to comply. There’s no information about what the court case supposedly relates to.
If victims click through to the link, they’re directed to a cloud hosting provider which redirects them to a document containing Predator the Thief, a form of malware that’s commonly up for sale on underground hacking forums.
Predator the Thief can steal usernames, passwords, browser data and the contents of cryptocurrency wallets, as well as take photos using a webcam. The malware first emerged in July 2018.
The phishing emails use a number of layers to hide the malicious intention of the message from security software. The email contains a Google Docs link which, if clicked, automatically redirects the user to Microsoft OneDrive, which delivers a Microsoft Word document to the victim. As in many other phishing campaigns, the document asks users to enable macros; if they do, the malware is downloaded via PowerShell.
The malware then connects to a command-and-control server and provides the attacker with a gateway to the infected system and the ability to secretly steal data. When the cybercriminals decide they have gathered all the data they need, Predator the Thief self-destructs, cleaning up any evidence that it was there in the first place.
Shock tactics like telling a potential victim they have a court date is a regular trick used by cybercriminals, designed to scare people into clicking phishing links and downloading malware. However, there’s a prominent clue that all is not right with this message — and it’s not just the strange email address.
The message refers to a subpoena. The term is regularly used in the United States, but the UK court system hasn’t used ‘subpoena’ since 1999 when the relevant term was changed to ‘witness summons’.
The email’s phrasing, therefore, suggests that while the cybercriminals are using UK imagery in an attempt to dupe victims, they’re not familiar with the details of the local system.
To help protect against these kinds of attacks, researchers recommend that macros are disabled by default and that users are educated about the dangers of enabling them.