Phishing: hackers have found a new technique to trap you more effectively

Proofpoint computer security researchers have detected a new phishing campaign launched by hackers working for the Iranian government. These operators have devised a new ruse to trick users into downloading malicious attachments.


Phishing, or hameçonnage in the language of Molière, remains one of the techniques most used by hackers to access user data. Recent examples are not lacking, such as the large-scale phishing campaign on Outlook capable of bypassing two-factor authentication.

Another example dates from the end of July 2022, when a team specializing in cybersecurity detected a phishing campaign that delivered a virus via the Windows calculator. And this Wednesday, September 14, 2022, we learned that Proofpoint’s computer security experts have discovered yet another phishing campaign.

According to them, the operation was carried out by the TA453 group, hackers reportedly linked to the Iranian Islamic Revolutionary Guard Corps. The technique at the center of this campaign is none other than “sock-puppeting”. In short, the hackers hold email conversations among themselves while including their victims in blind carbon copy (BCC). The goal? Trick them into downloading attachments containing malicious files.

A new kind of phishing campaign

But let’s look at the procedure in detail: the hackers create multiple fake email accounts, impersonating scientists, executives or company directors. They then send an email to an accomplice, adding the victim in BCC. The conversation then continues, and the hackers make sure to broach sensitive subjects to arouse the victim’s curiosity.

From the victim’s point of view, they appear to have been caught in the middle of an email thread that was not intended for them. After a few days of discussion, an attachment is sent to the other participants. If the victim downloads and runs it on their device, they get a .DOCX file full of dangerous macros.


“The downloaded template, dubbed Korg by Proofpoint, has three macros: Module1.bas, Module2.bas, and ThisDocument.cls. The macros collect information such as the username, the list of running processes and the user’s public IP, and then exfiltrate this information using the Telegram API”, the researchers explain.
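Because the attack hinges on a Word document that carries VBA macros (and, as the “downloaded template” wording suggests, a template fetched from elsewhere), a defender’s first step is static triage of the attachment before anyone opens it. The following Python script is an added example, not Proofpoint’s tooling or code from the article: it unpacks a .docx (an OOXML zip), flags an embedded word/vbaProject.bin, and reports any attachedTemplate relationship in word/_rels/settings.xml.rels that points to an external http(s) URL. The sample documents are constructed in memory; the external-template check is a general OOXML check that goes beyond what the article describes.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

# Namespace used by OOXML relationship parts (word/_rels/*.rels).
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def build_sample_docx(with_macros: bool, template_target: Optional[str]) -> bytes:
    """Constructed test input: a minimal OOXML zip, not a real Word file.

    Only the parts the triage below inspects are present."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # A real vbaProject.bin is an OLE compound file; the magic bytes suffice here.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")
        rel = ""
        if template_target is not None:
            rel = (
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}" TargetMode="External"/>'
            )
        z.writestr(
            "word/_rels/settings.xml.rels",
            f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{RELS_NS}">{rel}</Relationships>',
        )
    return buf.getvalue()


def triage_docx(data: bytes) -> dict:
    """Static triage of a .docx: report embedded VBA and external template links."""
    result = {"has_vba_project": False, "external_template": None, "risk": "low"}
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not an OOXML container at all (could be RTF, an OLE .doc, or not a document).
        result["risk"] = "unknown"
        return result
    names = set(z.namelist())
    # A .docx is not supposed to carry VBA at all; Word saves macro documents as .docm,
    # so a vbaProject.bin inside a .docx is itself a strong signal.
    if "word/vbaProject.bin" in names:
        result["has_vba_project"] = True
    rels_part = "word/_rels/settings.xml.rels"
    if rels_part in names:
        try:
            root = ET.fromstring(z.read(rels_part))
        except ET.ParseError:
            root = None
        if root is not None:
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    result["external_template"] = rel.get("Target")
    target = result["external_template"] or ""
    # A template pulled over HTTP(S) at open time is the classic way to smuggle
    # macros into a document that itself looks clean.
    if result["has_vba_project"] or target.lower().startswith(("http://", "https://")):
        result["risk"] = "high"
    return result


if __name__ == "__main__":
    # Constructed samples only; replace with open(path, "rb").read() for a real file.
    samples = {
        "clean": build_sample_docx(False, None),
        "embedded macros": build_sample_docx(True, None),
        "remote template": build_sample_docx(False, "https://example.invalid/letter.dotm"),
    }
    for label, blob in samples.items():
        print(f"{label:16s} -> {triage_docx(blob)}")
```

The script deliberately does not try to read the VBA source (which is stored compressed inside the OLE container); tools such as olevba do that. Its job is the cheap first pass a mail gateway or an analyst can run on every attachment: presence of VBA where none is expected, and a document that will reach out to the network as soon as it is opened.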

What particularly worries Proofpoint is that all the emails used in this attack were created with major email providers, such as Gmail, Outlook and Hotmail. So beware if you suddenly find yourself copied on an email conversation between strangers.
