These hackers pretend to poach, recruit rival bank staff in new cyberattacks

Apr, 12, 2022 Hi-network.com

Hackers are pretending to poach bank staff in a wave of attacks against the African financial sector.

In recent weeks, the threat actors have been spotted using recruitment emails and messages to entice individuals considering moving from their current employment to rival financial companies.

However, the emails don't contain genuine job offers: instead, they contain malicious surprises.

On Tuesday, the threat research team at HP Wolf Security said the campaign specifically targets individuals already working in the African banking sector. Phishing emails are disguised under the names of rival banks through typosquatting and ask the potential victim if they are interested in new job opportunities.

The 'recruiter' also uses a typosquatted reply-to address to appear more legitimate. If an individual is reeled in, the attacker sends an HTML attachment, Fiche de dossiers.htm (translation: file sheet/card), which embeds a Base64-encoded ISO file.

When the victim opens the attachment, script inside the page decodes the embedded content and presents it through the browser's file-download prompt, a technique known as HTML smuggling.

"When the user opens the HTML attachment using a web browser, they are prompted to download the file, which is already stored on the local system," the researchers said. "This way HTML smuggling bypasses security controls that block malicious website traffic, such as web proxies."
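As an added defender-side illustration (not code from HP Wolf Security or from the article), the Python script below scans an HTML attachment for the smuggling pattern just described: a large Base64 string next to the browser-side primitives that decode it and hand it to a download prompt, and it identifies an embedded ISO by the ISO 9660 "CD001" signature. The sample attachment and the stand-in image are constructed here; the indicator list and size threshold are assumptions, not the researchers' detection logic.

```python
import base64
import re

# Browser-side primitives an HTML smuggling page relies on to turn an embedded
# string into a file and trigger a download (assumed indicator list).
JS_INDICATORS = {
    "atob": r"\batob\s*\(",
    "blob": r"\bnew\s+Blob\s*\(",
    "object_url": r"URL\.createObjectURL\s*\(",
    "ms_save": r"msSaveOrOpenBlob",
    "download_attr": r"\bdownload\s*=",
}
# A run of Base64 characters long enough to be a payload rather than an id.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{256,}={0,2}")


def classify_blob(data: bytes) -> str:
    """Identify a decoded payload by its magic bytes."""
    # ISO 9660: primary volume descriptor starts at sector 16 (0x8000),
    # with the "CD001" identifier one byte in.
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "ISO 9660 image"
    if data[:2] == b"MZ":
        return "PE executable"
    if data[:4] == b"PK\x03\x04":
        return "ZIP archive"
    return "unknown"


def analyze_html(html: str) -> dict:
    """Report smuggling indicators and any decodable embedded payloads."""
    hits = [name for name, pat in JS_INDICATORS.items() if re.search(pat, html)]
    blobs = []
    for m in BASE64_BLOB.finditer(html):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        blobs.append({"encoded_len": len(m.group(0)), "type": classify_blob(raw)})
    # Flag when decode/download primitives and a recognisable file coincide.
    suspicious = len(hits) >= 2 and any(b["type"] != "unknown" for b in blobs)
    return {"indicators": hits, "blobs": blobs, "suspicious": suspicious}


# Constructed stand-in for an ISO: 16 empty sectors, then the "CD001"
# signature. It is not a real or bootable image.
FAKE_ISO = b"\x00" * 0x8001 + b"CD001" + b"\x00" * 64
# Constructed sample attachment carrying the markers the article describes.
SAMPLE_HTML = (
    "<html><body><script>\nvar enc = \""
    + base64.b64encode(FAKE_ISO).decode()
    + "\";\nvar bin = atob(enc);\nvar blob = new Blob([bin]);\n"
    "</script><a download=\"Fiche de dossiers.iso\">open</a></body></html>"
)

if __name__ == "__main__":
    print(analyze_html(SAMPLE_HTML))
```

A mail gateway or sandbox can apply the same check to every HTML attachment and quarantine those where an embedded ISO or executable is found alongside decode and download primitives.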

The ISO contains a VBS script, which, when double-clicked, triggers the creation of a registry key on the impacted system for persistence, the execution of PowerShell scripts, and the deployment of GuLoader.

GuLoader is a loader used to deliver RemcosRAT to victims. RemcosRAT is a commercially available Remote Access Trojan (RAT) sold to cybercriminals on a cheap subscription basis.

The Windows malware can perform keylogging, take screenshots, conduct surveillance through PC cameras and microphones, steal operating system data and personal files, harvest browser activity, and download further malicious payloads.

By targeting individuals already in the banking sector, it is possible that the cyberattackers are trying to obtain access to commercial bank networks, whether through corporate machines or personal devices when employees are working remotely.

"The attacker might take advantage of the employee's position in the bank since they would have access to their corporate email account," the researchers noted. "[They might] move laterally with the goal of compromising domain controllers to deploy ransomware. They might also steal sensitive/protected data that could be used to extort the target."
