It seems that cybersecurity threats aimed at companies continue to be present, especially in the field of spyware. For this reason, ESET has been analyzing a campaign that has Spanish companies among its main targets. This is not an isolated case, given that these threats have been recurring periodically in recent times.
Orders and invoices used as bait
As on previous occasions, cybercriminals mainly aim their malicious emails at the administration or sales departments of companies, knowing that these departments tend to receive this type of email more frequently from customers and suppliers and are therefore more likely to open any file or link attached to them.
In addition, the vast majority of these emails are sent from company accounts that have been previously compromised. Because the sender is legitimate, antispam filters do not usually block the messages when checking their headers, although they can detect and eliminate the malicious attachments. Most of the recently analyzed emails follow a similar pattern in their writing. There are also no notable language errors, which makes them even more credible.
According to ESET, a high number of emails of this type received during this last week coincide with another Formbook spyware campaign, which has been sending emails of these characteristics to the inboxes of thousands of companies around the world for the past several weeks.
The main purpose of this type of malware is usually the theft of credentials stored in applications such as internet browsers, mail clients, FTP clients and VPNs. Once these credentials are obtained, criminals can take other actions, such as sending emails from victims' mailboxes, accessing organizations' online services, or accessing their internal networks to steal confidential information and infect devices with ransomware.
Recent trends of infostealers in Spain
This propagation campaign of "information thieves" or infostealers (spyware is a part of the category) is just the latest in a long series of threats that have been taking place for months. According to the data collected by ESET telemetry and presented in its last quarterly report, Spain was the country most affected by these threats during the period, with 9.2% of the total threats detected corresponding to this category, followed by Turkey (6.2%) and Japan (6%).
ESET experts also warn that, after studying in detail the infostealer malware detected in Spain between May and September 2021, the MSIL/Spy.Agent families (more specifically its AES variant, also known as Agent Tesla) and Win/Formbook have dominated detections, with around 75% of total detections falling within this category.
This shows that cybercriminals are achieving their goal, infecting systems and stealing credentials from Spanish companies, especially SMEs, but also some large companies. It is, according to ESET, a worrying trend that shows, once again, the lack of investment and awareness in cybersecurity in the business fabric of our country.
Furthermore, although antispam filters may fail to block emails sent from legitimate senders, the same does not happen with malicious files attached to these emails. In several of the samples received and sent for analysis by the organization's cybersecurity experts, the attached file (which usually contains an executable compressed in a RAR file) has been removed by the security solution installed on the mail server, which shows the need for several layers of security.