Cybercrime , Forensics , Fraud Management & Cybercrime

'Salfram' Email Campaign Spreads Malware to Businesses

Attackers Use Specialized Crypter to Hide Malicious Code
'Salfram' Email Campaign Spreads Malware to Businesses
Attackers sent initial messages through contact forms on a victim's website (Source: Cisco Talos)

A recently uncovered malicious email campaign is delivering to businesses multiple types of malware, including a Trojan designed to steal banking credentials and other financial information, according to a research report from Cisco Talos.

This email campaign, which started in January and remains active, also uses several techniques to evade detection and maximize its effectiveness, according to the report.

See Also: Account Takeover Fraud How to Protect Your Customers and Business

For example, the campaign uses a crypter that's designed to alter the malicious code to make it more difficult for security tools to detect. And the threat actors behind this campaign are taking advantage of legitimate hosting platforms, such as Google Drive, to obscure malicious files designed to deliver malware to compromised devices.

The Cisco Talos researchers noticed that the malware variants used in this campaign all contained the same string value in the code - the analysts called it Salfram - which enabled the researchers to track the attacks.

The emails are used to deliver several types of malware, including Gozi ISFB, ZLoader, SmokeLoader, Oski, AveMaria and malicious versions of Cobalt Strike - a legitimate penetration testing tool, according to the report. The malware includes Trojans designed to steal banking credentials.

"The diverse list of malware families being distributed by adversaries creates a variety of risks to organizations which should be considered by defenders who are responsible for security corporate environments," the report notes. "These campaigns and the refinement of the [tactics, techniques and procedures] being used will likely continue for the foreseeable future."

Email Campaign

The threat actors initially target organizations by leveraging the contact forms that are typically present on websites, the report notes.

In their initial emails submitted via those forms, the threat actors raise concerns about copyright violations related to certain images posted on the victim organization's website. The attackers then embed a URL within this message and urge the targeted victim to click on it, the report notes.

When the victim clicks this link, they are directed to a malicious Microsoft Word document that is hosted on Google Drive. When opened, this document enables macros that then download the malware to the compromised device, the researchers discovered.

"The use of a legitimate web platform for hosting the malicious content may provide another way for the attacker to evade various protections that may be deployed in environments that they are targeting," according to the report.

Over the course of the campaign, the types of malware used by the threat actors varies, but it appears the threat actors always add the same crypter into the payload to help obfuscate the malicious content and make analysis more difficult, the researchers say.

"The crypter used in these campaigns is undergoing active development and improvements to obfuscate the contents of malware payloads," the report notes.

Attacks Using Malware

Of the malware deployed in this malicious email campaign, ZLoader and Gozi ISFB are the most widely distributed, according to the report.

ZLoader, which is a descendant of Zeus banking malware, has been in use by cybercriminals since December 2019. The malware has been included in emails sent by various criminal groups that try to lure victims by using a variety of themes, including COVID-19 testing and pandemic-related scam prevention, according to security firm Proofpoint.

In May, Proofpoint tracked more than 100 campaigns that distributed ZLoader banking malware across the U.S., Canada, Germany, Poland and Australia (see: ZLoader Banking Malware Resurfaces).

Gozi ISFB, which is also known as Ursnif and Dreambot, is designed to steal passwords and credentials from victims - with a particular focus on the banking and financial sectors.

In August 2019, researchers at Fortinet uncovered a new variant of the Ursnif Trojan attempting to steal banking passwords and other credentials after being distributed through infected Microsoft Word documents (see: New Ursnif Variant Spreads Through Infected Word Documents).

In March 2019, security researchers at Cybereason discovered a variant of the Ursnif malware that targeted Japanese-speaking bank customers (see: Ursnif Banking Trojan Variant Steals More Than Financial Data).


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent

Asokan is senior correspondent for Information Security Media Group's global news desk. She has previously worked with IDG and other publications where she reported on developments in technology, minority-rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing paymentsecurity.io, you agree to our use of cookies.