Spear-Phishing Attack Directing Recipients to Download a Fake Windows Application Impersonating a Financial Institution
In a recent spear-phishing campaign, cyber actors impersonated a US- based financial institution’s brand in an attempt to get recipients to download a Windows application unaffiliated with the financial institution.
TLP:WHITE
Summary
In a recent spear-phishing campaign, cyber actors impersonated a US- based financial institution’s brand in an attempt to get recipients to download a Windows application unaffiliated with the financial institution. The unknown cyber actors tailored the campaign to spoof the financial institution through registered domains, email subjects, and an application, all appearing to be related to the institution.
Threat Overview
In February 2021, a US-based financial institution was notified of a spear-phishing attempt which impersonated the financial institution’s brand to target a renewable energy company. The phishing e-mail’s theme involved funding for a loan and instructed the recipient to download a Windows application to complete the loan process to receive more than $62 million. The fraudulent loan amount was in line with the victim’s business model. The phishing e-mail appeared to originate from a United Kingdom–based financial institution, stating the US financial institution’s loan to the victim was confirmed and could be accessed through an application which appeared to represent the US financial institution. The phishing e-mail included two .pdf files, one of which spoofed the name and likeness of the UK’s National Crime Agency and another which appeared to contain SWIFT information. The phishing e-mail also contained a link to download the application and a username and password for access.
As part of this spear-phishing campaign, the cyber actors also registered a fraudulent domain impersonating the US financial institution. This domain hosted the executable purporting to be the Windows application which the recipient received the link for in the original spoofed email.
The below indicators were observed in conjunction with this spear-phishing campaign. These suspicious activities/indicators should be observed in context and not individually.
The following files were attached to the spear-phishing e-mail:
Filename: Computer Feeder Message(Name Redacted).pdf |
MD5: 57865182db4f963cf9ea7709384dd750 |
SHA256: bd45ae2cbc302bd219d4c59469d1ebb1f8049f3bd025bd19eb4572176b5176f5 |
Filename: Swift Copy(Name Redacted).pdf |
MD5: fadcde66f6edf79442dce2be4f11ef60 |
SHA256: 375a0566bdfc04f8d24fae429a415434c679d3b5e7a7c97b8ddd5cea98e0aa0c |
The following file was downloaded if the recipient clicked on the malicious link in the spear- phishing e-mail:
Filename: (Name Redacted).exe |
MD5: 3d1111389aac89274f0eaf87c30732fe |
SHA256: e09ae3c1ff5489f300ec9ecfc76ffdab90b6dab07eff1a0edf38285ab1e2b801 |
The malicious .exe file downloaded from the link embedded in the spear-phishing e-mail calls out to the domain secureportal(.)online.
Recommendations
- Ensure anti-virus and anti-malware software are enabled and signature definitions are updated regularly in a timely manner. Well-maintained anti-virus software may prevent use of commonly deployed attacker tools delivered via spear-phishing.
- Deploy application control software to limit which applications and executable code can be run by users. Email attachments and files downloaded via links in emails often contain executable code. Application control software limits users to only execute applications and code allowed by the organization, rendering malicious executables delivered via spear-phishing unable to execute.
- Limit the use of administrator privileges. Users who browse the internet, use email, and execute code with administrator privileges make spear-phishing much more effective by enabling attackers to move laterally across a network, gain additional accesses, and access highly sensitive information.
- Be suspicious of unsolicited contact via email or social media from any individual you do not know personally.
- Be suspicious of unsolicited or unexpected email or social media messages enticing recipients to open an attached or hosted file.
- Closely verify the spelling of web addresses, websites, and email addresses that look trustworthy but may be imitations of legitimate websites.
- Ensure operating systems and applications are updated to the most current versions.
Administrative Note
This product is marked TLP:WHITE. Subject to standard copyright rules, TLP:WHITE
information may be distributed without restriction.
Your Feedback Regarding this Product is Critical
Please take a few minutes to send us your feedback. Your feedback submission may be anonymous. We read each submission carefully, and your feedback will be extremely valuable to the FBI. Feedback should be specific to your experience with our written products to enable the FBI to make quick and continuous improvements to these products. Feedback may be submitted online here: https://www.ic3.gov/PIFSurvey
TLP:WHITE