Proofpoint revealed that the recent phishing scheme was designed to exploit the trust between the compromised sender and potential targets. The fraudulent email used a business-to-business sales lure, presenting an order form and a company backgrounder to deceive recipients. Moreover, the email contained URLs that appeared to lead to a legitimate INDIC Electronics website ending in [.]com. However, these URLs actually directed individuals to a fake domain named “indicelectronics[.]net”, which housed a zip archive purportedly containing an Excel spreadsheet (XLS) and two PDF files.
The cybercriminals behind this scheme took additional steps to make the malicious files appear genuine to even the most skeptical users and to evade security software. The supposed XLS file was in fact a Windows shortcut (LNK) given a double extension (filename[.]xls[.]lnk) so that it looked like a spreadsheet, while both PDF files were crafted as polyglots: one PDF had an HTML application (HTA) appended to it, and the other had a zip archive appended.
When the recipient opened the attachment, the LNK file launched cmd[.]exe to start the chain, which in turn ran the PDF/HTA polyglot with mshta[.]exe. mshta[.]exe scans through the file until it locates the HTA header and then executes the content from that point onward. The HTA script acted as an orchestrator, instructing cmd[.]exe to extract an executable and a URL file from the second PDF. Finally, the executable located the Sosano backdoor hidden within the zip file.
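As an added defender-side example (not Proofpoint's code and not from the original report), the following Python checks implement two of the tells described above: a document extension hiding a .lnk, and PDF files that carry HTA or zip content appended after the PDF data. The file names, byte strings and the HTA/zip markers are constructed for illustration.

```python
# Constructed signatures for the checks below (example values, not from the report).
PDF_MAGIC = b"%PDF-"
HTA_MARKERS = (b"<hta:application", b"<html", b"<script")
ZIP_LOCAL_HEADER = b"PK\x03\x04"   # start of a zip local file entry
ZIP_EOCD = b"PK\x05\x06"           # zip end-of-central-directory record
DOC_EXTENSIONS = {"xls", "xlsx", "pdf", "doc", "docx"}

def is_double_extension_lnk(filename: str) -> bool:
    """Flag names like 'order.xls.lnk' where a document extension hides a shortcut."""
    parts = filename.lower().split(".")
    if len(parts) < 3 or parts[-1] != "lnk":
        return False
    return parts[-2] in DOC_EXTENSIONS

def classify_pdf_polyglot(data: bytes) -> str:
    """Return 'pdf+hta', 'pdf+zip', 'pdf' or 'not-pdf' for a file body."""
    if not data.startswith(PDF_MAGIC):
        return "not-pdf"
    # HTA/HTML markup has no business inside a PDF; mshta would execute it from that offset.
    if any(marker in data.lower() for marker in HTA_MARKERS):
        return "pdf+hta"
    # A zip appended after the final %%EOF leaves zip structures in the tail of the file.
    eof = data.rfind(b"%%EOF")
    tail = data[eof:] if eof != -1 else data
    if ZIP_LOCAL_HEADER in tail or ZIP_EOCD in tail:
        return "pdf+zip"
    return "pdf"

def scan_attachments(files: dict) -> list:
    """Run both checks over {filename: bytes} and return (filename, finding) pairs."""
    findings = []
    for name, data in files.items():
        if is_double_extension_lnk(name):
            findings.append((name, "double-extension-lnk"))
        verdict = classify_pdf_polyglot(data)
        if verdict.startswith("pdf+"):
            findings.append((name, verdict))
    return findings

# Constructed sample attachments mirroring the three file types described in the article.
SAMPLE_FILES = {
    "INDIC_order_form.xls.lnk": b"L\x00\x00\x00",  # shortcut body; only the name matters here
    "company_backgrounder.pdf": b"%PDF-1.7\n1 0 obj<<>>endobj\n%%EOF\n"
                                b"<html><hta:application id=x></hta:application></html>",
    "price_list.pdf": b"%PDF-1.7\n1 0 obj<<>>endobj\n%%EOF\n" + ZIP_LOCAL_HEADER + b"...." + ZIP_EOCD + b"\x00" * 18,
    "clean.pdf": b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF\n",
}

if __name__ == "__main__":
    for name, finding in scan_attachments(SAMPLE_FILES):
        print(f"{name}: {finding}")
```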
This sophisticated phishing attack demonstrated a high level of technical expertise and a clear intent to infiltrate organizations by deploying malicious software to compromise systems and steal sensitive information. Proofpoint emphasized the importance of remaining vigilant against such deceptive tactics and implementing robust cybersecurity measures to protect against email-based threats.
The incident serves as a stark reminder of the evolving nature of cyber threats and the need for organizations to continuously enhance their security practices to combat sophisticated attacks. As cybercriminals become more adept at crafting convincing social engineering tactics, it is essential for individuals and businesses to exercise caution when interacting with emails, especially those containing attachments or links.
By staying informed about the latest trends in cybercrime and investing in effective security solutions, organizations can mitigate the risk of falling victim to phishing attacks and other malicious activities. As the digital landscape continues to evolve, proactive cybersecurity measures are crucial in safeguarding sensitive data and preventing potentially devastating breaches.