New phishing campaign uses screenshot to deliver malware
Researchers at Proofpoint Threat Research have discovered a new phishing campaign that uses screenshots to deliver a malware payload to unsuspecting victims.
The attacker sends an email with a screenshot attached that, when opened, launches a macro that downloads and executes the malware. Because the emails are disguised as legitimate internal emails from the company’s IT department, the attackers appear to be targeting high-level executives.
The phishing emails are urgent in nature, requesting that the recipients review an attached document or report. The email instructs the recipient to access the document by clicking on a button or a link, which then downloads the malware onto the recipient’s device.
This campaign’s malware is a Remote Access Trojan (RAT), which allows the attacker to gain access to and control of the victim’s device. Keystrokes can be captured, screenshots taken, and sensitive data such as passwords, emails, and financial information stolen.
The use of screenshots in this campaign is a novel tactic that makes it difficult for traditional email security solutions to detect and block the phishing emails. The attackers can easily avoid detection by using a legitimate screenshot from the targeted company, which makes the message appear more credible to the recipient.
The Screenshotter code is contained within an MSI package (SHA256: 02049ab62c530a25f145c0a5c48e3932fa7412a037036a96d7198cc57cef1f40). The package includes lumina.exe, an unmodified copy of IrfanView version 4.62, and two scripts: app.js, the first file the MSI package executes, which runs lumina.exe to capture a screenshot of the desktop and save it as a JPG, and index.js, the second file executed by the MSI package.
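As an added illustration (not code from Proofpoint or the article), the execution chain described above can be written as a detection check over process-creation telemetry: msiexec.exe running the package, a script host executing a .js file, and that script host launching lumina.exe. The sample events are constructed, and the check assumes the MSI's JavaScript files run under wscript.exe or cscript.exe, which the article does not state.

```python
from dataclasses import dataclass

# SHA256 of the Screenshotter MSI package as quoted in the article.
SCREENSHOTTER_MSI_SHA256 = "02049ab62c530a25f145c0a5c48e3932fa7412a037036a96d7198cc57cef1f40"
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")  # assumed hosts for app.js / index.js


def is_known_screenshotter_msi(sha256_hex: str) -> bool:
    return sha256_hex.lower() == SCREENSHOTTER_MSI_SHA256


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str    # executable file name, lower-case
    cmdline: str  # full command line


def find_screenshotter_chains(events: list[ProcEvent]) -> list[str]:
    """Return one description per msiexec -> script host (.js) -> lumina.exe chain."""
    by_pid: dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: list[str] = []
    for proc in events:
        if proc.image != "lumina.exe":
            continue
        parent = by_pid.get(proc.ppid)
        if parent is None or parent.image not in SCRIPT_HOSTS:
            continue
        if ".js" not in parent.cmdline.lower():
            continue  # script host, but not running a .js file
        grandparent = by_pid.get(parent.ppid)
        if grandparent is None or grandparent.image != "msiexec.exe":
            continue  # .js not launched from an MSI install
        hits.append(f"msiexec.exe({grandparent.pid}) -> {parent.image}({parent.pid}) "
                    f"[{parent.cmdline}] -> lumina.exe({proc.pid})")
    return hits


# Constructed telemetry: a benign IrfanView launch from Explorer, the
# Screenshotter-style chain (pids 300-330), and a lumina.exe with no MSI ancestor.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "i_view64.exe", '"C:\\Program Files\\IrfanView\\i_view64.exe"'),
    ProcEvent(300, 100, "msiexec.exe", "msiexec.exe /i C:\\Users\\u\\Downloads\\pkg.msi"),
    ProcEvent(310, 300, "wscript.exe", "wscript.exe app.js"),
    ProcEvent(320, 310, "lumina.exe", "lumina.exe constructed-args out.jpg"),
    ProcEvent(330, 300, "wscript.exe", "wscript.exe index.js"),
    ProcEvent(400, 100, "wscript.exe", "wscript.exe backup.js"),
    ProcEvent(410, 400, "lumina.exe", "lumina.exe constructed-args"),
]

if __name__ == "__main__":
    print("\n".join(find_screenshotter_chains(SAMPLE_EVENTS)))
```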
The sources for this piece include an article in SCMedia.
Watch this news on our YouTube channel: https://www.youtube.com/watch?v=gRtQZ3ljvrE