During our year-long investigation of a targeted, invoice-themed XLS.HTML phishing campaign, attackers changed obfuscation and encryption mechanisms every 37 days on average, demonstrating high motivation and skill to constantly evade detection and keep the credential theft operation running. This phishing campaign exemplifies the modern email threat: sophisticated, evasive, and relentlessly evolving.

The HTML attachment is divided into several segments, including the JavaScript files used to steal passwords, which are then encoded using various mechanisms. These attackers moved from using plaintext HTML code to employing multiple encoding techniques, including old and unusual encryption methods like Morse code, to hide these attack segments. Some of these code segments are not even present in the attachment itself. Instead, they reside in various open directories and are called by encoded scripts. In effect, the attachment is comparable to a jigsaw puzzle: on their own, the individual segments of the HTML file may appear harmless at the code level and may thus slip past conventional security solutions. Only when these segments are put together and properly decoded does the malicious intent show.

As we previously noted, the campaign components include information about the targets, such as their email address and company logo. This campaign's primary goal is to harvest usernames, passwords, and, in its more recent iteration, other information like IP address and location, which attackers use as the initial entry point for later infiltration attempts.
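The "jigsaw" property described above is what a static scanner has to undo: an encoded string inside the attachment only reveals a script location or script body once it is decoded. The following is an added example, not code from the original post or from the campaign itself, showing a defender-side check that scans an HTML attachment for runs of Morse code, decodes them with the standard International Morse table, and flags decoded text that looks like a script reference. It assumes the payload uses standard Morse with letters separated by spaces and words by a slash; a custom letter-to-fragment mapping (which a real sample may use) would not decode with this table and would surface as replacement characters instead. The sample attachment, the host name `open-dir.example` and the indicator list are constructed for the illustration.

```python
"""Find and decode Morse-obfuscated strings in an HTML attachment (added example)."""
import re
from typing import Dict, List

# Standard International Morse for letters, digits and common URL punctuation.
CHAR_TO_MORSE = {
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.",
    "G": "--.", "H": "....", "I": "..", "J": ".---", "K": "-.-", "L": ".-..",
    "M": "--", "N": "-.", "O": "---", "P": ".--.", "Q": "--.-", "R": ".-.",
    "S": "...", "T": "-", "U": "..-", "V": "...-", "W": ".--", "X": "-..-",
    "Y": "-.--", "Z": "--..",
    "0": "-----", "1": ".----", "2": "..---", "3": "...--", "4": "....-",
    "5": ".....", "6": "-....", "7": "--...", "8": "---..", "9": "----.",
    ".": ".-.-.-", ",": "--..--", "?": "..--..", "/": "-..-.", ":": "---...",
    "=": "-...-", "-": "-....-", "_": "..--.-", "(": "-.--.", ")": "-.--.-",
    '"': ".-..-.", "@": ".--.-.",
}
MORSE_TO_CHAR = {v: k for k, v in CHAR_TO_MORSE.items()}
UNKNOWN = "\ufffd"  # marker for a token that is not in the table

# Nine or more Morse "letters" (runs of dots/dashes) separated by spaces or
# slashes.  Shorter runs (an ellipsis, a CSS border shorthand) are ignored.
MORSE_RUN = re.compile(r"[.\-]{1,7}(?:[ /]+[.\-]{1,7}){8,}")

# Substrings in decoded text that suggest a script reference or loader.
SUSPICIOUS = ("<script", "http", ".js", "eval(", "document.write", "atob(")


def encode_morse(text: str) -> str:
    """Encode text as Morse; used here only to build the constructed sample."""
    return " / ".join(
        " ".join(CHAR_TO_MORSE[c] for c in word.upper()) for word in text.split(" ")
    )


def decode_morse(text: str) -> str:
    """Decode a Morse string; unknown tokens become UNKNOWN, words are joined by a space."""
    words = [w for w in re.split(r"\s*/\s*", text.strip()) if w]
    return " ".join(
        "".join(MORSE_TO_CHAR.get(tok, UNKNOWN) for tok in w.split()) for w in words
    )


def find_morse_payloads(html_text: str) -> List[Dict]:
    """Return decoded Morse runs in the HTML, with any suspicious indicators found."""
    findings = []
    for m in MORSE_RUN.finditer(html_text):
        decoded = decode_morse(m.group(0))
        # A genuine payload decodes cleanly; stray dot/dash noise mostly does not.
        if decoded.count(UNKNOWN) > len(decoded) * 0.2:
            continue
        hits = [k for k in SUSPICIOUS if k in decoded.lower()]
        findings.append({"offset": m.start(), "decoded": decoded, "indicators": hits})
    return findings


# Constructed sample: the attachment carries the loader's target URL as Morse
# so the URL never appears in plaintext.  The host is a placeholder.
FRAGMENT_URL = "https://open-dir.example/seg1.js"
SAMPLE_HTML = (
    "<html><body><img src='logo.png'>\n"
    "<script>\n"
    "var k = '" + encode_morse(FRAGMENT_URL) + "';\n"
    "</script></body></html>"
)
# Constructed benign control: short dot runs that must not be reported.
BENIGN_HTML = "<p>Loading... please wait -- almost done</p>"

if __name__ == "__main__":
    for f in find_morse_payloads(SAMPLE_HTML):
        print(f"offset {f['offset']}: {f['decoded']!r} indicators={f['indicators']}")
    print("benign findings:", find_morse_payloads(BENIGN_HTML))
```

Because Morse has no case, the decoded URL comes back in upper case, so indicator matching is done on the lower-cased result. The same scan can be pointed at the second-stage files fetched from the open directories the post mentions, since each segment may itself carry another encoded layer.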