Cybercriminals are constantly changing tactics and lures in their phishing campaigns, so it is no surprise to see a new technique being used by affiliates of the Lockbit ransomware-as-a-service operation. A campaign has been identified by researchers at AhnLab in Korea that attempts to deliver a malware loader named Bumblebee, which in turn is used to deliver the LockBit 2.0 ransomware payload.
Various lures are used in phishing campaigns for delivering malware loaders, with this campaign using a warning about a copyright violation due to the unauthorized use of images on the company’s website. As is common in phishing emails, the emails contain a threat should no action be taken – legal action. Emails that deliver malware loaders either use attached files or contain links to files hosted online. The problem with attaching files to emails is they can be detected by email security solutions. To get around this, links are often included. In this case, the campaign uses the latter, and to further evade detection, the linked file is a password-protected archive. This is a common trick used in malware delivery via email to prevent the file from being detected as malicious by security solutions, which are unable to open the file and examine the contents. The recipient of the message is provided with the password to open the file in the message body.
The password-protected zip file contains a file that masquerades as a PDF file, which the user is required to open to obtain further information about the copyright violation. However, a double file extension is used, and the attached file is actually an executable file, which will deliver the Bumblebee loader, and thereafter, LockBit 2.0 ransomware.
These types of phishing attacks are all too common. Believable lures are used to trick people into taking the requested action, a threat is included should no action be taken, and multiple measures are used to evade security solutions. Any warning about a copyright violation must be taken seriously but as with most phishing emails, there are red flags in this email that suggest this is a scam. Security-aware employees should be able to recognize the red flags and while they may not be able to confirm the malicious nature of the email, they should report such messages to their IT department or security team for further investigation. However, in order to be able to identify those red flags, employees should be provided with security awareness training.
Through regular training employees will learn the signs of phishing emails, can be conditioned to always report the emails to their security team, and can be kept abreast of the latest tactics used in phishing emails for malware delivery. It is also recommended to conduct phishing simulations to test whether employees are being fooled by phishing attempts. If employees fail phishing simulations it could indicate issues with the training course that need to be addressed, or that certain employees need to be provided with additional training. Through regular security awareness training and phishing simulations, businesses can create a human firewall capable of detecting phishing attempts that bypass the organization’s email and web security defenses.
TitanHQ can provide assistance in this regard through the SafeTitan Security Awareness Training and Phishing Simulation Platform – Further information on the solution can be found here.