According to a new report, Proofpoint researchers say they have uncovered a campaign — from a relatively new group of hackers — targeting businesses in Germany, Italy, and the United States.
The new actor, tracked internally as TA2101, was observed between October 16th and November 12th of this year. During this time, TA2101 targeted various organizations with low-volume emails impersonating finance-related government entities to “deliver and install backdoor malware.”
For example, their campaign in Germany impersonated “Bundeszentralamt für Steuern, the German Federal Ministry of Finance, with lookalike domains, verbiage, and stolen branding in the emails.”
“The lure states that a 2019 tax refund is due (“Benachrichtigung über die Steuerrückerstattung”) based on prior returns in the amount of several hundred euros (€694.00 in the observed sample) and that the recipient should submit a refund request (using an attached Microsoft Word document form) within three days for processing.”
Similarly, in Italy, the malicious actors impersonated Agenzia Entrate, the Italian Ministry of Taxation.
“The lure appears to be a notification of law enforcement activities (“aggiornamento: attività di contrasto all’evasione”) and states that the recipient should open and read the enclosed document in order to avoid further tax assessment and penalties.”
And, in the United States, Proofpoint observed thousands of emails impersonating the United States Postal Service (USPS).
The campaigns, which were not customized for each organization, used malicious Word documents as the initial vector of compromise.
Once opened, the malicious Word attachment “executes a Microsoft Office macro that, in turn, executes a PowerShell script, which downloads and installs” one of the following payloads onto the victim’s systems:
- Maze Ransomware
- IcedID Banking Trojan
- Cobalt Strike backdoor
“Opening the Microsoft Word Document and enabling macros installs Maze ransomware on the user’s system, encrypting all of their files, and saves a ransom note resembling the following in TXT format in every directory.”
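The chain described above (a Word macro launching PowerShell, which then fetches the payload) is the stage that endpoint process telemetry can catch regardless of which of the three payloads is delivered. The following is an added example, not code from Proofpoint's report: it scores constructed Sysmon-style process-creation records, flagging an Office application spawning a script host and escalating when the command line carries the download or encoded-command switches a macro stager typically uses. Field names and sample values are assumptions for illustration.

```python
import re
from typing import Optional

# Constructed process-creation records shaped like Sysmon Event ID 1 fields.
# Sample data for this example only, not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc QUJDRA=="},
    {"ParentImage": r"C:\Windows\explorer.exe",            # admin use, benign
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ChildItem C:\\Users"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",                   # print helper, benign
     "CommandLine": "C:\\Windows\\splwow64.exe 12288"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo hello"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line features common to a macro stage that downloads a second-stage payload.
STAGER_HINTS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer"
    r"|-enc(?:odedcommand)?\b|-w(?:indowstyle)?\s+hidden|-nop\b", re.IGNORECASE)

def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(event: dict) -> Optional[dict]:
    """Return a finding for one event, or None when the parent/child pair is not Office -> script host."""
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    reasons = [f"{parent} spawned {child}"]
    hits = sorted({h.lower() for h in STAGER_HINTS.findall(event["CommandLine"])})
    if hits:  # download / hidden-window / encoded switches raise the severity
        reasons.append("stager-like command line: " + ", ".join(hits))
    return {"severity": "high" if hits else "medium", "reasons": reasons}

def detect(events: list) -> list:
    """Run score_event over a batch; returns (index, finding) for each suspicious event."""
    return [(i, f) for i, ev in enumerate(events) if (f := score_event(ev)) is not None]

if __name__ == "__main__":
    for idx, finding in detect(SAMPLE_EVENTS):
        print(idx, finding["severity"], "; ".join(finding["reasons"]))
```

The parent-child rule alone produces a medium finding (Office launching cmd.exe is unusual but happens in some macro-heavy environments); the high severity is reserved for the hidden-window, encoded or download-capable invocations that match the chain Proofpoint describes.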
It’s worth noting that TA2101 appears to be most interested in organizations in the IT, healthcare, and manufacturing sectors.
And, though the emails are ‘low-volume’, the attackers are going to great lengths to make them look convincing. As mentioned above, they are using stolen branding to impersonate legitimate government entities, as well as lookalike domains and verbiage.
In a statement to The Hacker News, Proofpoint Threat Intelligence Lead Christopher Dawson said:
“Although these campaigns are small in volume, currently, they are significant for their abuse of trusted brands, including government agencies, and for their relatively rapid expansion across multiple geographies. To date, the group appears to have targeted organizations in Germany, Italy, and, most recently, the United States, delivering geo-targeted payloads with lures in local languages.”
“We will be watching this new actor closely, given their apparent global aspirations, well-crafted social engineering, and steadily increasing scale.”