Although the approach remains the same, this new type of attack is more evasive and exfiltrates more data
A new wave of phishing attacks featuring an advanced, stealthy technique to exfiltrate a wide range of sensitive information has been discovered.
A typical attack begins with a phishing email encouraging the recipient to open an attached purchase order. The attachment contains an ISO disc image file. Inside the image is an HTML application (HTA) file which, because HTA files run outside the security restrictions of a web browser, can download and execute a series of malicious payloads.
The final payload is an infostealer: in this case an obfuscated and encrypted Python script that is unpacked through several layers of decoding and decryption before the final code runs, cleans up after its operations, and then deletes itself. The infostealer can collect, zip and exfiltrate a wide range of sensitive data to a remote email account, including but not limited to:
- PDF files and directories
- browser data such as session cookies and saved credit card details
- bitcoin-related extensions
- web browsing histories (and MasterKeys of Chrome, Edge, Yandex, and Brave browsers)
The stolen data is subsequently transmitted to a remote email account as a zipped attachment.
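The chain described above leaves a recognisable trail on the endpoint: an HTA file launched from a freshly mounted disc image, child processes spawned by the HTA host, and finally a scripting runtime (rather than a mail client) opening an SMTP connection after staging a ZIP file. The following detection pass is an added illustration written for this article; it is not Barracuda's code and is not taken from the campaign. It assumes a simplified, constructed Sysmon-like JSON-lines event format, that Windows runs .hta files through mshta.exe, that ports 25, 465 and 587 carry mail traffic, and (as a heuristic) that a mounted ISO appears on a drive letter other than C:.

```python
"""Added detection example: correlate endpoint telemetry to flag the
ISO -> HTA -> payload -> SMTP-exfiltration chain. Not the original page's
or Barracuda's code; event shape and sample values are constructed."""
import json
import re

SMTP_PORTS = {25, 465, 587}   # SMTP, SMTPS and mail submission (assumption: no other use here)
# Script/LOLBin hosts that should not normally be talking to a mail server.
SCRIPT_HOSTS = {"mshta.exe", "python.exe", "pythonw.exe", "wscript.exe",
                "cscript.exe", "powershell.exe"}
# Heuristic: a mounted ISO gets its own drive letter, so an .hta on D:-Z: is suspicious.
NONSYSTEM_DRIVE = re.compile(r"\b[D-Z]:\\", re.IGNORECASE)

# Constructed sample telemetry (not real IoCs; 203.0.113.0/24 is a documentation range).
SAMPLE_EVENTS = r"""
{"type":"process_create","pid":300,"ppid":1,"image":"C:\\Windows\\explorer.exe","cmd":"explorer.exe"}
{"type":"process_create","pid":412,"ppid":300,"image":"C:\\Windows\\System32\\mshta.exe","cmd":"mshta.exe E:\\PurchaseOrder.hta"}
{"type":"process_create","pid":520,"ppid":412,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell.exe -w hidden -File stage2.ps1"}
{"type":"process_create","pid":610,"ppid":520,"image":"C:\\Users\\u\\AppData\\Local\\Temp\\python.exe","cmd":"python.exe loader.py"}
{"type":"file_create","pid":610,"path":"C:\\Users\\u\\AppData\\Local\\Temp\\collect.zip"}
{"type":"network_connect","pid":610,"image":"C:\\Users\\u\\AppData\\Local\\Temp\\python.exe","dst_ip":"203.0.113.10","dst_port":587}
{"type":"process_create","pid":700,"ppid":300,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","cmd":"outlook.exe"}
{"type":"network_connect","pid":700,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","dst_ip":"203.0.113.20","dst_port":587}
"""


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of alerts, in event order, for the HTA/exfiltration chain."""
    alerts = []
    procs = {}          # pid -> process_create event, for later lookups
    tainted = set()     # pids descended from an mshta.exe launch
    zip_writers = set() # script-host pids that wrote a .zip (staging before exfil)
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            procs[ev["pid"]] = ev
            name = basename(ev["image"])
            if name == "mshta.exe" and ".hta" in ev["cmd"].lower():
                tainted.add(ev["pid"])
                alerts.append({"rule": "hta_execution", "pid": ev["pid"],
                               "cmd": ev["cmd"],
                               "nonsystem_drive": bool(NONSYSTEM_DRIVE.search(ev["cmd"]))})
            elif ev["ppid"] in tainted:
                # Anything the HTA (or its descendants) spawns inherits suspicion.
                tainted.add(ev["pid"])
                alerts.append({"rule": "hta_child_process", "pid": ev["pid"], "image": name})
        elif kind == "file_create":
            creator = procs.get(ev["pid"])
            if (ev["path"].lower().endswith(".zip") and creator
                    and basename(creator["image"]) in SCRIPT_HOSTS):
                zip_writers.add(ev["pid"])
        elif kind == "network_connect":
            if ev["dst_port"] in SMTP_PORTS and basename(ev["image"]) in SCRIPT_HOSTS:
                alerts.append({"rule": "script_smtp_exfil", "pid": ev["pid"],
                               "dst": f"{ev['dst_ip']}:{ev['dst_port']}",
                               "staged_zip": ev["pid"] in zip_writers})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed sample the pass raises four alerts (the HTA launch from E:, the PowerShell and Python children, and the Python process's SMTP connection with a staged ZIP) and stays silent for Outlook, whose SMTP traffic is expected. The process-ancestry tracking is what ties the later Python exfiltration back to the original HTA, which a single-event rule would miss.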
According to the researchers from Barracuda who discovered this trend, it is unusual to see infostealers designed to collect and exfiltrate such a wide range of information. Saravanan Mohan, Manager, Threat Analyst at Barracuda, said: “Most phishing attacks are associated with data theft, but here we are looking at an attack designed for extensive data exfiltration. Some (of the stolen data) can potentially be leveraged in further malicious activity, such as lateral movement or financial fraud.”
While the stealth techniques and extent of data theft are unusual and sophisticated, the procedures for protection against such attacks remain standard: continual education of employees on phishing awareness and cyber hygiene; effective email scanning solutions to weed out suspicious communications; and best practices in network cybersecurity.