New malware hijacks contact addresses to send phishing emails
A new Trojan horse malware gambit appears to be expanding into the healthcare sector, threatening to use an organization’s stored email addresses as a platform to send out seemingly legitimate phishing emails.
The innovative spear phishing emails are distributing Ursnif, a major banking Trojan. But the threat has been detected in multiple healthcare organizations and other industry sectors, says Jonathan Crowe of data security firm Barkly, which has issued an alert on a new attack.
“Ursnif is primarily known for targeting banks and finance, but lately it’s been expanding its reach,” Crowe says. “The nature of the email-hijacking of this attack also means any contacts a victim organization has stored in their email are at risk of being sent phishing emails with the malicious attachment, regardless of what industry they are in.”
For a healthcare organization, he adds, a successful infection can mean malicious emails being sent out to patients, partners and others, with the emails appearing as though they are coming directly from the healthcare organization.
For example, a patient may receive a reply to an email they sent to their doctor simply saying, “Please see attached and confirm.” Because the email appears to come from a healthcare organization with which the patient’s received treatment, “Who wouldn’t click on that attachment? It really elevates the risk of this attack,” Crowe says.
At this time, the new variant of Ursnif has a very low detection rate among security products, according to Crowe, and attackers are replying to active email chains to spread the infection. “In one case, a Barkly user received what appeared a response to emails they had been exchanging with contacts at another organization. The new email looked like it was coming from another contact at that organization, who was replying to the previous messages that had been sent.”
In another case, a user opened an attachment, which was a Word document named “Request.doc” and followed instructions to enable macros, but Ursnif waits to launch the macro until the document is closed, then attempts to execute a code to download a malicious payload. In this case, Barkly blocked the attack before infection.
“By preventing the user from being infected, Barkly also prevented them from being turned into a new delivery vehicle for additional attacks, this time sent from their email account to their email contacts,” Crowe says.
The latest version of Ursnif delivered in spear phishing emails deletes copies of itself once executed, making it tougher to detect and analyze. More information is available here.