Researchers have uncovered a sophisticated phishing scam that targets participants of the World Agricultural Cycling Competition (WACC). The campaign is designed to mimic the official WACC website in order to deceive users into downloading malicious software. The phishing site, hosted at “wacc[.]photo,” closely imitates the legitimate WACC website, making it challenging for users to distinguish between the real site and the fraudulent one.
The World Agricultural Cycling Competition, an annual event held in France that merges the agriculture and sports industries, has become a prime target for scammers due to its popularity. The attackers behind the scam meticulously replicated the genuine WACC site with minor modifications to trick users into downloading malicious files. The phishing campaign was launched shortly after the WACC concluded in June 2024, using the recently finished event to lure stakeholders and participants.
According to Cyble Research and Intelligence Labs (CRIL), the deceptive site entices users to download a ZIP file containing event photos. However, instead of images, the file contains three shortcut files (.lnk) disguised as image files. When executed, these shortcuts initiate a complex infection chain that leads to the deployment of a Havoc Command and Control (C2) framework. The Havoc C2 attempts to connect with an Azure Front Door domain and establishes a connection with the actual Command and Control server to facilitate further malicious activities by the attacker.
The phishing site also includes an open directory with various malware payloads, suggesting that the attacker may be swapping out payloads to target victims more effectively. This, combined with the sophisticated nature of the Havoc C2 framework, indicates a well-prepared and strategic approach by the threat actor.
The technical breakdown of the scam reveals that the ZIP file a user downloads from the fraudulent site contains three shortcut files (.lnk) disguised as .jpg images. When executed, these shortcuts run a PowerShell script that downloads and displays legitimate JPG files from the phishing site while secretly installing a malicious DLL file named “KB.DLL” into the “AppData\Local” directory. The DLL serves as a loader for obfuscated shellcode that connects to a Command and Control server.
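For defenders, the disguise described above can be checked before a downloaded archive is ever opened. The following is an added example, not code from CRIL's report: it flags ZIP members that carry the Windows shell-link header or pair an image name with a .lnk extension. The function names and the sample file names are constructed for illustration.

```python
import io
import struct
import zipfile
from pathlib import PurePosixPath

# Shell Link header per MS-SHLLINK: HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}

def triage_zip(data: bytes) -> list[dict]:
    """Return one finding per archive member that is a shortcut posing as an image."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Read only the header bytes; never extract or open the member.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            is_lnk = head == LNK_MAGIC
            reasons = []
            if is_lnk:
                reasons.append("shell-link header")
            if suffixes and suffixes[-1] == ".lnk" and any(s in IMAGE_EXTS for s in suffixes[:-1]):
                reasons.append("image name with .lnk extension")
            if is_lnk and suffixes and suffixes[-1] in IMAGE_EXTS:
                reasons.append("shortcut content under image extension")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings

def build_sample() -> bytes:
    """Constructed sample: two fake shortcuts (header only) and one benign JPEG stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/IMG_0001.jpg.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("photos/IMG_0002.jpg", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("photos/IMG_0003.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return buf.getvalue()

if __name__ == "__main__":
    for f in triage_zip(build_sample()):
        print(f["name"], "->", ", ".join(f["reasons"]))
```

Windows Explorer hides the .lnk extension even when "show file extensions" is enabled, so a header check like this is more reliable than inspecting names by eye.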
Recommendations for protection against phishing scams like the WACC phishing campaign include verifying website legitimacy, conducting regular cybersecurity education sessions, restricting PowerShell execution, and using advanced endpoint protection solutions to detect and block malicious files. Monitoring network traffic is also crucial to detect unusual patterns that may indicate malicious activity.
In conclusion, the WACC phishing scam highlights the importance of vigilance and cybersecurity measures to protect against sophisticated phishing attacks targeting large-scale events. By implementing these recommendations, organizations and individuals can reduce the risk of falling victim to similar scams in the future.

