
Digital fraudsters launched a new phishing campaign that used subpoena-themed emails to deliver information-stealing malware.

Detected by Cofense, the campaign targeted employees of insurance and retail companies with phishing emails informing them that they had been subpoenaed. The emails instructed recipients to click on a link so that they could learn more about the case. Unbeknownst to those recipients who complied, the link used trusted services like Google Docs and Microsoft OneDrive to initiate the campaign’s infection chain.

Following a series of redirects, the campaign delivered recipients to a Microsoft Word document containing malicious macros. Those macros downloaded a sample of Predator the Thief upon execution.

The phishing campaign’s infection chain (Source: Cofense)

In their analysis of the payload, Cofense found that Predator the Thief exhibited all of the usual capabilities of information-stealing malware. The security firm noted, however, that the threat stood out for the range of web browsers from which it could steal email credentials, cryptocurrency data and other information.

Researchers discovered that the malware further distinguished itself by deliberately attempting to conceal its presence after sending information stolen from the infected computer to its command-and-control (C&C) server. As noted in Cofense’s research:

Once the information is gathered and the sample has successfully exfiltrated the data to the C2, the binary then cleans up parts of the infection and self-terminates. This infection clean-up process makes it much harder for endpoint forensic investigations that do not leverage verbose event logs and an endpoint detection system.
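The quoted passage points at the two behaviours an endpoint investigator would want telemetry for: an Office document that reaches out to the network (the macro download stage) and a process that wipes its own traces and exits after it has talked to the C2. The following script is an added illustration, not code from Cofense or from the original article; it correlates those two behaviours over a handful of constructed, Sysmon-style process, network and file events. The event layout, process names, addresses and paths are all made up for the example.

```python
"""Correlate constructed endpoint events into two defender-side alerts:
1. network activity originating from an Office process lineage (macro download), and
2. a process that made an outbound connection, deleted files, then terminated (clean-up).
This is an added example; the event schema is an assumption loosely modelled on
Sysmon process-create / network-connect / file-delete / process-terminate records."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Office host processes whose lineage we treat as document-driven (assumption).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}


@dataclass
class Event:
    ts: float                    # seconds, constructed timeline
    kind: str                    # process_create | network_connect | file_delete | process_terminate
    pid: int
    image: str                   # executable name of the acting process
    ppid: Optional[int] = None   # only meaningful for process_create
    detail: str = ""             # remote endpoint or deleted path


def launched_from_office(pid: int, procs: Dict[int, Event]) -> Optional[str]:
    """Walk the recorded ancestry of pid (itself included); return the Office image if one is found."""
    seen: Set[int] = set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        if cur.image.lower() in OFFICE_IMAGES:
            return cur.image
        cur = procs.get(cur.ppid) if cur.ppid is not None else None
    return None


def correlate(events: List[Event]) -> List[str]:
    """Replay events in time order and return human-readable alert strings."""
    alerts: List[str] = []
    procs: Dict[int, Event] = {}          # pid -> its process_create record
    talked: Set[int] = set()              # pids that made an outbound connection
    deleted: Dict[int, List[str]] = {}    # pid -> paths it deleted
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process_create":
            procs[ev.pid] = ev
        elif ev.kind == "network_connect":
            talked.add(ev.pid)
            origin = launched_from_office(ev.pid, procs)
            if origin:
                alerts.append(
                    f"office-originated network activity: {origin} lineage, "
                    f"{ev.image} (pid {ev.pid}) -> {ev.detail}")
        elif ev.kind == "file_delete":
            deleted.setdefault(ev.pid, []).append(ev.detail)
        elif ev.kind == "process_terminate":
            # The article's clean-up pattern: exfiltrate, delete traces, self-terminate.
            if ev.pid in talked and ev.pid in deleted:
                alerts.append(
                    f"post-exfil clean-up: {ev.image} (pid {ev.pid}) deleted "
                    f"{len(deleted[ev.pid])} file(s) then exited")
    return alerts


# Constructed sample timeline: a Word document fetches a payload, the payload
# beacons out, removes its dropped copy and exits; an unrelated browser session
# is included to show it produces no alert. Addresses are documentation ranges.
SAMPLE_EVENTS = [
    Event(0.0, "process_create", 100, "winword.exe", ppid=50),
    Event(3.0, "network_connect", 100, "winword.exe", detail="203.0.113.10:443"),
    Event(4.0, "process_create", 300, "sample.exe", ppid=100),
    Event(6.0, "network_connect", 300, "sample.exe", detail="198.51.100.7:80"),
    Event(7.0, "file_delete", 300, "sample.exe", detail=r"C:\Users\u\AppData\Local\Temp\sample.exe"),
    Event(8.0, "process_terminate", 300, "sample.exe"),
    Event(10.0, "process_create", 400, "chrome.exe", ppid=50),
    Event(11.0, "network_connect", 400, "chrome.exe", detail="192.0.2.5:443"),
    Event(12.0, "process_terminate", 400, "chrome.exe"),
]


def demo() -> List[str]:
    """Run the correlation over the constructed timeline."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run on the constructed timeline this yields two "office-originated" alerts (Word itself and its child reaching the network) and one "post-exfil clean-up" alert for the child, while the browser session stays silent. On a real estate the Office-to-network rule needs an allow-list for legitimate Office traffic, and the clean-up rule is only as good as the file-delete and process-terminate events the endpoint actually records, which is the gap the quoted passage describes.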

This campaign highlights the importance of organizations taking steps to protect their data against a successful phishing attack and infostealer infection. One of the best ways they can do this is by using security awareness training to educate their employees about the most common types of phishing attacks. This resource can help guide their training sessions going forward.