Hackers are using fake NDAs to hit US manufacturers in major new phishing scam
Hackers reach out to companies via a “Contact Us” website form. They then talk with the victims for weeks before
August 28, 2025 WOL



Cybercriminals are trying to deliver backdoor malware to US-based organizations by tricking them into signing fake non-disclosure agreements (NDAs), experts have warned.

A new report from security researchers at Check Point outlines how, in this campaign, the miscreants pose as a US-based company looking for partners, suppliers, and similar business contacts.

Often, they buy abandoned or dormant domains with legitimate business histories to appear authentic. After that, they reach out to potential victims, not via email (as is standard practice) but through the “Contact Us” forms or other communication channels provided on the victims’ websites.

When the victims respond to the inquiry, they usually do so via email, which opens the door to delivering the malware.

However, the attackers don’t do it immediately. Instead, they build rapport with the victims, going back and forth for weeks until, at one point, they ask their victims to sign an NDA sent as an attached archive.

The archive contains several documents, including clean PDF and DOCX files to throw the victims off, plus a malicious .lnk shortcut file that triggers a PowerShell-based loader.
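As an added, defender-side illustration (not code from the article or the Check Point report): a Python check that flags an emailed archive matching the lure layout described above, document decoys plus a Windows shortcut, identifying shortcuts both by extension and by the .lnk header magic so that a renamed shortcut is still caught. The archive member names and contents are constructed samples, not files from the real campaign.

```python
import io
import zipfile

# Header of a Windows Shell Link (.lnk): HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

DECOY_EXTENSIONS = (".pdf", ".docx")


def shortcut_members(archive_bytes: bytes) -> list[str]:
    """Return archive member names that are Windows shortcuts, matched by
    extension or by the .lnk header (catches shortcuts hiding behind other names)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            if info.filename.lower().endswith(".lnk") or head == LNK_MAGIC:
                hits.append(info.filename)
    return hits


def looks_like_nda_lure(archive_bytes: bytes) -> bool:
    """True when the archive mixes document decoys with at least one shortcut,
    the layout described for the campaign's NDA attachment."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = [i.filename.lower() for i in zf.infolist() if not i.is_dir()]
    has_decoy = any(n.endswith(DECOY_EXTENSIONS) for n in names)
    return has_decoy and bool(shortcut_members(archive_bytes))


def build_sample_archive() -> bytes:
    """Constructed sample (hypothetical, not a real campaign file): two
    harmless-looking documents, a double-extension shortcut, and a shortcut
    whose name carries no .lnk extension at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("NDA_Agreement.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("Partnership_Terms.docx", b"PK placeholder")
        zf.writestr("NDA_Agreement.pdf.lnk", LNK_MAGIC + b"\x00" * 32)
        zf.writestr("Open_Me", LNK_MAGIC + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    print(shortcut_members(sample))     # ['NDA_Agreement.pdf.lnk', 'Open_Me']
    print(looks_like_nda_lure(sample))  # True
```

Because the decoys are genuine documents, the check must fire on any shortcut member rather than requiring every member to be suspicious.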

This loader ultimately deploys a backdoor called MixShell, a custom in-memory implant featuring DNS-based command and control (C2) and enhanced persistence mechanisms.


Check Point did not disclose the exact number of potential victims, but it did say that they number in the dozens and vary in size, geography, and industry.

The majority (around 80%) are located in the United States, with Singapore, Japan, and Switzerland also having a notable number of victims. The companies are mostly in industrial manufacturing, hardware & semiconductors, consumer goods & services, and biotech & pharma.

“This distribution suggests that the attacker seeks entry points across wealthy operational and supply chain-critical industries instead of focusing on a specific vertical,” Check Point argues.

The researchers couldn’t confidently attribute the campaign to any known threat actor, but said there is evidence linking it to the TransferLoader campaign and to a cybercriminal cluster tracked as UNK_GreenSec.

Via The Record



Source link: https://wol.com/hackers-are-using-fake-ndas-to-hit-us-manufacturers-in-major-new-phishing-scam/