Fake Moneycorp Confirmation Email Used to Distribute AveMaria Infostealer
![Graphic with tiles spelling 'Spoofing'](/sites/default/files/styles/resource_image/public/2021-07/spoofing_thumb%20%281%29.jpg?itok=tMISmMDR)
Digital attackers used a fake transfer confirmation email purporting to come from the foreign exchange and international payments provider Moneycorp to infect recipients with the AveMaria infostealer.
A Thought-out Impersonation
At the beginning of June, the Zix | AppRiver team flagged what appeared to be a transfer confirmation email from Moneycorp.
The email's authors tried to lend their attack legitimacy by combining spoofing techniques with several pieces of branding lifted from Moneycorp.
One of those pieces showed only half of the company's logo, an omission that might have raised a careful recipient's suspicions.
![Screenshot of the fake Moneycorp transfer confirmation email. (Source: Zix | AppRiver)](/sites/default/files/2021-07/moneycorp_1.jpg)
Another piece of stolen branding was the company's contact information. The physical address matched the address listed for the company's UK head office on Moneycorp's website.
Even so, whoever typed the address line put a space only between the building and the floor; the remaining elements were separated by commas with no spaces at all.
![A close-up screenshot of the attack email's address line. (Source: Zix | AppRiver)](/sites/default/files/2021-07/moneycorp_2.png)
A similar spacing discrepancy arose between the telephone number and fax number listed in the email鈥檚 signature.
Your Malware Transfer Has Been Successful
In the body of the attack email, the malicious actors told the recipient that one of their customers had used Moneycorp to send them a payment. They went on to say that the details of the payment were available in the "word file attached."
The giveaway is that the attachment did not carry the .doc or .docx extension a Word file would have. It arrived as a .7z archive, the format of the free and open-source 7-Zip file archiver, and a common way to get an executable past filters that only block bare program files. Whenever the body of a message names a file type that the attachment's actual extension and content do not match, the message deserves a closer look.
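The checks a mail filter would apply to this lure, written up as an added Python example (it is not code from the original article or from Zix | AppRiver): it parses a message, flags a brand name in the display name when the sending domain is not the brand's, flags a Return-Path or Reply-To that disagrees with From, and compares the body's "word file attached" claim against the attachment's real extension and magic bytes. The sample message, its addresses and its payload bytes are constructed for the example; `moneycorp.com` as the brand's domain is an assumption.

```python
"""Triage one inbound message for the tells described above: brand name in the
display name with mail from elsewhere, a Return-Path that disagrees with From,
a body that promises a Word file, and an attachment that is really an archive."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Leading bytes of container formats that routinely carry payloads.
MAGIC = {
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"MZ": "exe",
}
ARCHIVE_EXTS = {"7z", "zip", "rar", "iso", "img", "cab", "ace", "exe"}
DOC_EXTS = {"doc", "docx", "xls", "xlsx", "pdf"}
OOXML = {"docx", "xlsx", "pptx"}  # legitimately zip containers, so a zip signature is expected
# Wording the lure used: the payment details are in the "word file attached".
CLAIM = re.compile(r"\b(word|excel|pdf)\s+(file|document|sheet)\s+attached\b", re.I)


def sniff(data: bytes) -> str:
    """Identify a container by its magic bytes; 'unknown' if nothing matches."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def domain_of(header_value) -> str:
    """Bare domain of the first address in a header, lower-cased ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes, brand: str, brand_domain: str) -> list:
    """Return human-readable findings for one RFC 5322 message (empty list = nothing odd)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Header spoofing: the brand in the display name but mail from elsewhere,
    #    or a Reply-To / Return-Path whose domain differs from the From domain.
    from_hdr = str(msg.get("From", ""))
    name, _ = parseaddr(from_hdr)
    from_dom = domain_of(from_hdr)
    same_org = from_dom == brand_domain or from_dom.endswith("." + brand_domain)
    if brand.lower() in name.lower() and not same_org:
        findings.append(f"display-name spoof: '{name}' sent from {from_dom}")
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(hdr, ""))
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")

    # 2. Body claim versus attachment reality (extension and sniffed content).
    body = msg.get_body(preferencelist=("plain", "html"))
    claims_doc = bool(body and CLAIM.search(body.get_content()))
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        ext = fname.rpartition(".")[2].lower()
        kind = sniff(part.get_payload(decode=True) or b"")
        if claims_doc and ext not in DOC_EXTS:
            findings.append(f"body promises a document but the attachment is '{fname}'")
        if ext in ARCHIVE_EXTS or kind in ("7z", "rar", "exe") or (kind == "zip" and ext not in OOXML):
            findings.append(f"container attachment '{fname}' (content sniffed as {kind})")
        if ext in DOC_EXTS and kind in ("7z", "rar", "exe"):
            findings.append(f"'{fname}' is named as a document but its content is {kind}")
    return findings


def build_lure() -> bytes:
    """Constructed sample shaped like the lure; addresses and payload are made up."""
    m = EmailMessage()
    m["From"] = "Moneycorp Payments <transfers@moneycorp-payments.example>"
    m["Return-Path"] = "<bounce@mailer.example.net>"  # the path the mail actually took
    m["To"] = "recipient@example.org"
    m["Subject"] = "Transfer confirmation"
    m.set_content("A customer has sent you a payment via Moneycorp. "
                  "The details are in the word file attached.")
    # 7z signature plus filler: enough to sniff, not a real archive.
    m.add_attachment(b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26,
                     maintype="application", subtype="octet-stream",
                     filename="Transfer_Confirmation.7z")
    return m.as_bytes()


def build_benign() -> bytes:
    """Constructed control: first-party sender and a .docx that really is a zip container."""
    m = EmailMessage()
    m["From"] = "Accounts <accounts@example.org>"
    m["To"] = "recipient@example.org"
    m["Subject"] = "Monthly statement"
    m.set_content("Statement for last month is attached.")
    m.add_attachment(b"PK\x03\x04" + b"\x00" * 28,
                     maintype="application", subtype="octet-stream",
                     filename="statement.docx")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_lure(), "Moneycorp", "moneycorp.com"):
        print("LURE:", finding)
    print("BENIGN:", triage(build_benign(), "Moneycorp", "moneycorp.com"))
```

Sniffing the payload rather than trusting the filename is what catches an archive renamed to look like a document; the `OOXML` allowance exists because modern Office files are zip containers and would otherwise be flagged on every statement or invoice. The article does not describe what sat inside the .7z, so the example stops at the container and leaves unpacking and scanning its contents to the sandbox or antivirus stage.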
Inside the Attack Campaign鈥檚 Payloads
Once the .7z attachment was opened and its contents run, recipients were infected with an information-stealing malware family known as AveMaria.
AveMaria's activity was first publicly documented in January 2019. At that time, researchers observed malicious actors impersonating a supplier's sales office to send out fake invoices and shipping order confirmations. Those emails delivered an Excel sheet that exploited a vulnerability to drop the malware.
Two months later, a security firm reported an increase in AveMaria activity, specifically calling out AveMaria's handlers for reusing other threats' delivery stages and fileless components to deploy their malware.
Later that same year, researchers spotted a spam campaign distributing AveMaria alongside Negasteal, also known as Agent Tesla, a threat the Zix | AppRiver team saw a great deal of in connection with the pandemic.
A Twist on the AveMaria Campaign
Troy Gill, manager of security research and senior security researcher at Zix | AppRiver, said that he's seen spam campaigns distributing AveMaria in the past. But this one was a bit different.
"This version leveraged the UACMe software to defeat Windows user account control by abusing built-in Windows AutoElevate backdoor," he explained. "This is mainly used by MSPs, sys admins, and security teams for privileged access management needs, but it can also serve as a path to privilege escalation for attackers."
Defending Against Email-Borne Malware Attacks
The attack discussed above highlights the need for organizations to defend themselves against email-borne malware. One way to do that is to invest in an email security solution that scans incoming messages for malware signatures, campaign patterns, sender IP addresses and other threat indicators, and that judges attachments by their actual content rather than by the file type the message claims. If that analysis happens in real time, legitimate correspondence reaches its intended business destination without delay.
Avoid an email-borne malware attack with the email threat protection tools of Zix | AppRiver.