Email Attackers Using Fake USPS Notifications to Distribute Quasar RAT


Email attackers are sending out fake package notifications from the United States Postal Service (USPS) in an attempt to distribute the Quasar RAT.

A *Different* Package Will Arrive Today, and It's NOT from the USPS

In the middle of December, 秋葵视频色 | AppRiver flagged an attack email that claimed to originate from the USPS.

The message informed the recipient that their package was in transit to the next USPS facility and that it would arrive later that day.

It then provided the recipient with a linked tracking number, "953865786810209181864," along with embedded buttons for viewing the package's tracking and delivery options.

A screenshot of the fake USPS notification. (Source: 秋葵视频色 | AppRiver)

Not surprisingly, there were a few issues with this email.

First, the tracking number included in the attack email didn't link to a USPS package at the time of writing. A tracking attempt on the USPS website confirmed this to be the case.

A screenshot taken on 12/18/20 of the USPS tracking information for 953865786810209181864.

That's despite the fact that the tracking number met the format criteria for a legitimate USPS tracking number, including a length of 20-22 characters and the absence of letters.

Second, those responsible for the attack campaign used stolen branding and spoofing techniques to try to disguise their email as a legitimate piece of USPS correspondence.

But looking into the sender email address revealed that the message hadn't originated from a legitimate USPS email account. Indeed, this address appeared to be linked to a carpentry and woodworking company located in Germany.

It's unclear whether someone had compromised an email account at that company and used it to conduct the email attack described above.
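The two observations above (a tracking number that passes the USPS format rule yet links elsewhere, and a sender address that does not belong to USPS) can be checked mechanically. The following is an added example, not AppRiver's code; the message, sender address and link hosts are constructed placeholders modelled on the lure, not indicators from the campaign.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the lure described above; the sender
# and link hosts are placeholders, not real campaign indicators.
SAMPLE = """\
From: "USPS" <info@example-woodworking.de>
Subject: Your package is in transit
Content-Type: text/html

<p>Tracking: <a href="https://tracking-portal.example/t?id=3">953865786810209181864</a></p>
<p><a href="https://tracking-portal.example/opt">Tracking &amp; Delivery Options</a></p>
"""

# The format rule cited in the post: 20-22 characters, digits only.
USPS_TRACKING = re.compile(r"^\d{20,22}$")


def is_usps(host):
    return host == "usps.com" or host.endswith(".usps.com")


class LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
    def handle_data(self, data):
        if self._href:
            self.links.append((data.strip(), self._href))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None


def triage(raw):
    """Return findings for a package-themed email; a format-valid number is not proof."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg["From"])
    if "usps" in name.lower() and not is_usps(addr.rsplit("@", 1)[-1].lower()):
        findings.append(f"display name claims USPS but sender domain is {addr.rsplit('@', 1)[-1]}")
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for text, href in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if USPS_TRACKING.match(text) and not is_usps(host):
            findings.append(f"format-valid tracking number {text} links to {host}, not usps.com")
        elif "tracking" in text.lower() and not is_usps(host):
            findings.append(f"tracking button links to {host}, not usps.com")
    return findings
```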

Quasar RAT: A Look Back at the Campaign's Malware Payload

Clicking on the linked tracking number and/or the "Tracking & Delivery Options" button caused the campaign to drop the Quasar RAT on the recipient's computer.

On December 18, 2018, the Cybersecurity and Infrastructure Security Agency (CISA) published an alert in which it warned that it had observed Advanced Persistent Threat (APT) actors using Quasar, a legitimate open-source remote administration tool (RAT), to exploit targets' networks.

Malicious actors seized upon Quasar for additional nefarious activities in the years that followed. In May 2019, for instance, it was reported that the Chinese-speaking digital espionage group APT10 had begun using two new malware loader variants. Both of those versions dropped a legitimate JVM-based implementation of a JavaScript engine (jjs.exe), driving the attack chain forward to drop PlugX and Quasar as its final payloads.

It was just a few months later when a phishing campaign that used fake resumes from job seekers to deliver the RAT was covered.

Staying Safe This Holiday Season

This attack campaign highlights the need for organizations and users to protect themselves against malicious emails this holiday season. First, it's critical that they use security awareness to remain vigilant against scammers who would seek to use packages as lures. COVID-19 could cause some delays in the gifts we've ordered. For the sake of our digital security, we need to accept the fact that we can't control everything and that we could leave ourselves exposed by opening package-themed messages in a state of panic.

Second, it's important that organizations supplement these human defenses with technology. They specifically need a solution that can analyze incoming messages for malware signatures, IP addresses, campaign patterns and other threat indicators. Such a tool should perform this analysis in real time while allowing legitimate correspondence to reach its intended destination.

Learn how 秋葵视频色 | AppRiver can help your organization and its users stay safe against an email attack this holiday season.